diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 266ebd5..0f1821f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -77,7 +77,6 @@ plan_satapi:
 -var "zone=$ZONE"
 -var "instance_type=$INSTANCE_TYPE"
 -var "host=$HOST_STAGING"
- -var "ssl_cert=$SSL_CERT_STAGING"
 -var "public_bucket_url=$PUBLIC_BUCKET_URL"
 -var "letsencrypt_email=$LE_EMAIL"
 -var "timeout=$TIMEOUT"
@@ -153,7 +152,6 @@ deploy_staging:
 -var "zone=$ZONE"
 -var "instance_type=$INSTANCE_TYPE"
 -var "host=$HOST_STAGING"
- -var "ssl_cert=$SSL_CERT_STAGING"
 -var "public_bucket_url=$PUBLIC_BUCKET_URL"
 -var "letsencrypt_email=$LE_EMAIL"
 -var "timeout=$TIMEOUT"
@@ -179,7 +177,6 @@ deploy_production:
 -var "zone=$ZONE"
 -var "instance_type=$INSTANCE_TYPE"
 -var "host=$HOST"
- -var "ssl_cert=$SSL_CERT"
 -var "public_bucket_url=$PUBLIC_BUCKET_URL"
 -var "letsencrypt_email=$LE_EMAIL"
 -var "timeout=$TIMEOUT"
@@ -205,7 +202,6 @@ deploy_staging_testnet:
 -var "zone=$ZONE"
 -var "instance_type=$INSTANCE_TYPE"
 -var "host=$HOST_STAGING"
- -var "ssl_cert=$SSL_CERT_STAGING"
 -var "public_bucket_url=$PUBLIC_BUCKET_URL"
 -var "letsencrypt_email=$LE_EMAIL"
 -var "timeout=$TIMEOUT"
@@ -231,7 +227,6 @@ deploy_production_testnet:
 -var "zone=$ZONE"
 -var "instance_type=$INSTANCE_TYPE"
 -var "host=$HOST"
- -var "ssl_cert=$SSL_CERT"
 -var "public_bucket_url=$PUBLIC_BUCKET_URL"
 -var "letsencrypt_email=$LE_EMAIL"
 -var "timeout=$TIMEOUT"
diff --git a/terraform/main.tf b/terraform/main.tf
index aa145f9..3413b83 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -30,6 +30,7 @@ module "blc-mainnet" {
 certbot_docker = var.certbot_docker
 net = "mainnet"
 env = local.env
+ target_pool = google_compute_target_pool.blc-pool[0].self_link
 create_resources = local.create_mainnet
@@ -38,7 +39,6 @@ module "blc-mainnet" {
 zone = var.zone
 instance_type = var.instance_type[0]
 host = var.host
- ssl_cert = var.ssl_cert
 timeout = var.timeout
 prom_service_acct = var.prom_service_acct
 opsgenie_key = var.opsgenie_key
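Review bot: `module "blc-mainnet"` here and `module "blc-testnet"` in the `@@ -63,6 +63,7 @@ module "blc-testnet"` hunk both receive the same `google_compute_target_pool.blc-pool[0].self_link`, so the mainnet and testnet instance groups become interchangeable backends of one L4 pool. The `google_compute_url_map` resources deleted in terraform/network.tf were the only visible place that sent `/testnet`, `/testnet/*`, `/api` and `/api/*` to the testnet backend service; unless the instances' nginx routes by path (nothing in this diff shows that), a request for a testnet path can land on a mainnet instance and vice versa. Separately, `blc-pool` is created with `count = local.create_mainnet`, so the testnet module's `target_pool` fails to resolve in any configuration where `create_testnet` is set but `create_mainnet` is not. If sharing one pool is intended, state the constraint next to the `target_pool` lines, e.g. `# Both nets share one target pool; forwarding is per connection, not per path.` Both module blocks start and end outside these hunks.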
@@ -63,6 +63,7 @@ module "blc-testnet" {
 certbot_docker = var.certbot_docker
 net = "testnet"
 env = local.env
+ target_pool = google_compute_target_pool.blc-pool[0].self_link
 create_resources = local.create_testnet
@@ -71,7 +72,6 @@ module "blc-testnet" {
 zone = var.zone
 instance_type = var.instance_type[0]
 host = var.host
- ssl_cert = var.ssl_cert
 timeout = var.timeout
 prom_service_acct = var.prom_service_acct
 opsgenie_key = var.opsgenie_key
diff --git a/terraform/modules/blc/cloud-init/blc.yaml b/terraform/modules/blc/cloud-init/blc.yaml
index 4f7e93f..2ffc6fd 100644
--- a/terraform/modules/blc/cloud-init/blc.yaml
+++ b/terraform/modules/blc/cloud-init/blc.yaml
@@ -32,7 +32,7 @@ write_files:
 permissions: 0644
 owner: root
 content: |
- log_format withtime '$remote_addr - $remote_user [$time_local] '
+ log_format withtime '$remote_user [$time_local] '
 '"$request" $status $body_bytes_sent '
 '"$http_referer" "$http_user_agent" '
 'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
@@ -43,7 +43,7 @@ write_files:
 access_log /var/log/nginx/access-def.log withtime;
 error_log /var/log/nginx/error-def.log;
- server_name _;
+ server_name ${host};
 listen 80;
 server_tokens off;
 proxy_set_header X-Forwarded-For 0.0.0.0;
@@ -51,7 +51,11 @@ write_files:
 location /.well-known {
 auth_basic off;
 allow all; # Allow all to see content
- proxy_pass ${public_bucket_url}certs/.well-known;
+ proxy_pass ${public_bucket_url}/certs/.well-known;
+ }
+
+ location /healthz {
+ return 200;
 }
 location / {
@@ -63,7 +67,7 @@ write_files:
 permissions: 0644
 owner: root
 content: |
- log_format withtime '$remote_addr - $remote_user [$time_local] '
+ log_format withtime '$remote_user [$time_local] '
 '"$request" $status $body_bytes_sent '
 '"$http_referer" "$http_user_agent" '
 'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
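Review bot: Dropping `$remote_addr` from the `withtime` log_format in the `@@ -32,7 +32,7` hunk, and again in the `@@ -63,7 +67,7` hunk, removes the only client source address from the nginx access logs, and nothing else in the config records it (the `@@ -43` hunk keeps `proxy_set_header X-Forwarded-For 0.0.0.0;`). Behind the HTTP(S) proxy that field only ever held the proxy's address, but a `google_compute_forwarding_rule` that targets a target pool hands the connection to the instance as far as I can tell, so after this change `$remote_addr` would be the real client IP — the one value an incident responder needs when tracing abuse of the API. If the omission is deliberate data minimisation now that the address is real, say so where the format is defined, e.g. `# $remote_addr intentionally omitted: client IPs are not retained`; if not, keep the original `log_format withtime '$remote_addr - $remote_user [$time_local] '`. The `server` blocks these formats belong to continue outside the hunks.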
@@ -184,7 +188,7 @@ write_files:
 --name=nginx-tls \
 --log-opt max-size=200m \
 --log-opt max-file=3 \
- -v /home/bs/space.conf:/etc/nginx/conf.d/space.conf:ro \
+ -v /home/bs/space.conf:/etc/nginx/conf.d/default.conf:ro \
 -v /home/bs/index.html:/usr/share/nginx/html/index.html:ro \
 -v /home/bs/certs:/etc/nginx/certs:ro \
 "nginx:latest"
diff --git a/terraform/modules/blc/firewall.tf b/terraform/modules/blc/firewall.tf
index 11dbbaa..69a3b91 100644
--- a/terraform/modules/blc/firewall.tf
+++ b/terraform/modules/blc/firewall.tf
@@ -5,7 +5,7 @@ resource "google_compute_firewall" "blc" {
 allow {
 protocol = "tcp"
- ports = ["18333", "8333", "9735", "80"]
+ ports = ["18333", "8333", "9735", "80", "443"]
 }
 target_service_accounts = [
diff --git a/terraform/modules/blc/gcs.tf b/terraform/modules/blc/gcs.tf
index 923b1d4..c73a82a 100644
--- a/terraform/modules/blc/gcs.tf
+++ b/terraform/modules/blc/gcs.tf
@@ -12,21 +12,11 @@ resource "google_storage_bucket" "blc-public" {
 }
 resource "google_storage_bucket_acl" "blc-public-acl" {
- bucket = replace(google_storage_bucket.blc-public[count.index].url, "gs://", "")
+ bucket = google_storage_bucket.blc-public[count.index].name
 predefined_acl = "publicread"
 count = var.create_resources
 }
-resource "google_storage_bucket_iam_binding" "blc-public-binding" {
- bucket = replace(google_storage_bucket.blc-public[count.index].url, "gs://", "")
- role = "roles/storage.admin"
- count = var.create_resources
-
- members = [
- "serviceAccount:${google_service_account.blc[count.index].email}",
- ]
-}
-
 # Private bucket (server certs)
 resource "google_storage_bucket" "blc-private" {
 name = "${var.name}-certs-${var.env}"
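Review bot: Deleting `blc-public-binding` in the gcs.tf `@@ -12,21 +12,11` hunk removes the only grant of the `blc` service account on the public bucket that this diff shows, while cloud-init still proxies `/.well-known` to `${public_bucket_url}/certs/.well-known`, which presumably means something on the instances writes ACME challenge files into that bucket. If the service account holds no project-level storage role, certificate issuance and renewal stop working with no error at apply time; if it does hold one, this hunk reduces nothing in practice, so the effective privilege after the change is unknown from the diff. `roles/storage.admin` was in any case more than a challenge writer needs; if a binding comes back, scope it to objects, e.g. `role = "roles/storage.objectAdmin"`, and record the intended writer in a comment above `blc-public-acl`, e.g. `# The blc service account publishes ACME challenges under certs/.well-known`.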
@@ -40,12 +30,8 @@ resource "google_storage_bucket" "blc-private" {
 }
 }
-resource "google_storage_bucket_iam_binding" "blc-private-binding" {
- bucket = replace(google_storage_bucket.blc-private[count.index].url, "gs://", "")
- role = "roles/storage.admin"
- count = var.create_resources
-
- members = [
- "serviceAccount:${google_service_account.blc[count.index].email}",
- ]
+resource "google_storage_bucket_acl" "blc-private-acl" {
+ bucket = google_storage_bucket.blc-private[count.index].name
+ predefined_acl = "projectprivate"
+ count = var.create_resources
 }
diff --git a/terraform/modules/blc/main.tf b/terraform/modules/blc/main.tf
index 80a703c..ed44126 100644
--- a/terraform/modules/blc/main.tf
+++ b/terraform/modules/blc/main.tf
@@ -1,9 +1,10 @@
 # Instance group
 resource "google_compute_instance_group_manager" "blc" {
- name = "${var.name}-ig-${var.net}-${var.env}"
- count = var.create_resources
- project = var.project
- provider = google-beta
+ name = "${var.name}-ig-${var.net}-${var.env}"
+ target_pools = [var.target_pool]
+ project = var.project
+ provider = google-beta
+ count = var.create_resources
 base_instance_name = "${var.name}-ig-${var.net}-${var.env}"
 zone = var.zone
diff --git a/terraform/modules/blc/network.tf b/terraform/modules/blc/network.tf
index ca66695..3338b80 100644
--- a/terraform/modules/blc/network.tf
+++ b/terraform/modules/blc/network.tf
@@ -21,7 +21,7 @@ resource "google_compute_backend_service" "blc" {
 protocol = "HTTP"
 port_name = "http"
 timeout_sec = var.timeout
- project = var.project
+ project = var.project
 count = var.create_resources
 backend {
diff --git a/terraform/modules/blc/variables.tf b/terraform/modules/blc/variables.tf
index 3aaf649..6107e31 100644
--- a/terraform/modules/blc/variables.tf
+++ b/terraform/modules/blc/variables.tf
@@ -48,7 +48,7 @@ variable "net" {
 type = string
 }
-variable "ssl_cert" {
+variable "target_pool" {
 type = string
 }
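Review bot: `blc-private-acl` with `predefined_acl = "projectprivate"` changes who can read the bucket the file comments as "Private bucket (server certs)": the removed binding named one principal, the `blc` service account, whereas projectPrivate grants by project role — owners and editors get OWNER and viewers get READER on the certificate material — and the service account itself keeps access only if it holds such a project role. Nothing in the diff shows which roles that account has, so whether `nginx-tls` can still fetch its certs, and which humans can now read them, both depend on IAM outside this change. A narrower shape that keeps the consumer explicit is a bucket-level binding to the service account with a read-only role, e.g. `role = "roles/storage.objectViewer"`, plus a comment on the ACL stating why project-wide readers are acceptable if that is the intent, e.g. `# projectprivate: every project viewer can read the server certs in this bucket`. The `blc-private` bucket resource starts before this hunk.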
diff --git a/terraform/network.tf b/terraform/network.tf
index c7a27bd..fbeb671 100644
--- a/terraform/network.tf
+++ b/terraform/network.tf
@@ -1,99 +1,54 @@
 # IP address
-resource "google_compute_global_address" "lb" {
+resource "google_compute_address" "lb" {
 name = "satellite-api-client-lb-${local.env}"
+ region = var.region
 project = var.project
 count = local.create_mainnet
 }
 # Forwarding rules
-resource "google_compute_global_forwarding_rule" "rule-https" {
+resource "google_compute_forwarding_rule" "rule-https" {
 name = "satellite-api-https-forwarding-rule-${local.env}"
- target = google_compute_target_https_proxy.https-proxy[0].self_link
+ target = google_compute_target_pool.blc-pool[0].self_link
 port_range = "443"
 ip_protocol = "TCP"
- ip_address = google_compute_global_address.lb[0].address
+ ip_address = google_compute_address.lb[0].address
+ region = var.region
 project = var.project
 count = local.create_mainnet
 }
-resource "google_compute_global_forwarding_rule" "rule-http" {
+resource "google_compute_forwarding_rule" "rule-http" {
 name = "satellite-api-http-forwarding-rule-${local.env}"
- target = google_compute_target_http_proxy.http-proxy[0].self_link
+ target = google_compute_target_pool.blc-pool[0].self_link
 port_range = "80"
 ip_protocol = "TCP"
- ip_address = google_compute_global_address.lb[0].address
+ ip_address = google_compute_address.lb[0].address
+ region = var.region
 project = var.project
 count = local.create_mainnet
 }
-# Target proxies
-resource "google_compute_target_http_proxy" "http-proxy" {
- name = "satellite-api-http-proxy-${local.env}"
- url_map = google_compute_url_map.http[0].self_link
+resource "google_compute_target_pool" "blc-pool" {
+ name = "satellite-api-target-pool-${local.env}"
+ region = var.region
 project = var.project
 count = local.create_mainnet
+
+ health_checks = [
+ google_compute_http_health_check.blc-health[0].self_link
+ ]
 }
-resource "google_compute_target_https_proxy" "https-proxy" {
- name = "satellite-api-https-proxy-${local.env}"
- url_map = google_compute_url_map.https[0].self_link
- ssl_certificates = [var.ssl_cert]
- project = var.project
- count = local.create_mainnet
+resource "google_compute_http_health_check" "blc-health" {
+ name = "satellite-api-http-health-${local.env}"
+ project = var.project
+ count = local.create_mainnet
+
+ timeout_sec = 5
+ check_interval_sec = 10
+
+ host = "${local.env == "staging" ? "staging-" : ""}api.blockstream.space"
+ port = "80"
+ request_path = "/healthz"
 }
-
-# URL maps
-resource "google_compute_url_map" "http" {
- name = "satellite-api-http-urlmap-${local.env}"
- default_service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
- project = var.project
- count = local.create_mainnet
-
- host_rule {
- hosts = [var.host]
- path_matcher = "allpaths"
- }
-
- path_matcher {
- name = "allpaths"
- default_service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
-
- path_rule {
- paths = ["/*"]
- service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
- }
-
- path_rule {
- paths = ["/testnet", "/testnet/*", "/api", "/api/*"]
- service = data.terraform_remote_state.blc-testnet.outputs.blc_backend_service_testnet
- }
- }
-}
-
-resource "google_compute_url_map" "https" {
- name = "satellite-api-https-urlmap-${local.env}"
- default_service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
- project = var.project
- count = local.create_mainnet
-
- host_rule {
- hosts = [var.host]
- path_matcher = "allpaths"
- }
-
- path_matcher {
- name = "allpaths"
- default_service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
-
- path_rule {
- paths = ["/*"]
- service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
- }
-
- path_rule {
- paths = ["/testnet", "/testnet/*", "/api", "/api/*"]
- service = data.terraform_remote_state.blc-testnet.outputs.blc_backend_service_testnet
- }
- }
-}
-
diff --git a/terraform/variables.tf b/terraform/variables.tf
index ab0551e..cfc259e 100644
--- a/terraform/variables.tf
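Review bot: The new `google_compute_http_health_check` hard-codes `host = "${local.env == "staging" ? "staging-" : ""}api.blockstream.space"`, while the url_maps being deleted matched on `hosts = [var.host]` and the module's cloud-init now sets `server_name ${host}` from the same `host = var.host` that terraform/main.tf passes; if the hard-coded name and the variable ever differ, every instance is marked unhealthy and the pool drops all traffic for both nets. Use the variable, `host = var.host`. Two consequences of replacing the HTTPS proxy with a TCP forwarding rule also deserve a comment in this file: TLS is now terminated on the instances (`ssl_certificates = [var.ssl_cert]` is gone and the module firewall opens 443) yet the only check is HTTP on `:80/healthz`, so an instance whose `nginx-tls` container has stopped or holds an expired cert stays in rotation for 443 traffic; and the `/testnet`, `/testnet/*`, `/api`, `/api/*` rules that sent traffic to the testnet backend have no replacement visible in the diff. Something like `# TLS terminates on the instances; this HTTP check on :80 does not observe the TLS listener.` above `blc-health` would keep the trade-off visible.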
+++ b/terraform/variables.tf
@@ -53,7 +53,7 @@ variable "create_resources" {
 default = ""
 }
-variable "ssl_cert" {
+variable "target_pool" {
 type = string
 default = ""
 }