diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0326ad7..54839a1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -29,7 +29,7 @@ build: - docker push us.gcr.io/blockstream-store/ionosphere-sse:$CI_COMMIT_SHA - docker push us.gcr.io/blockstream-store/ionosphere-sse:latest -plan: +plan_satapi: stage: plan only: - branches@satellite/ionosphere @@ -37,6 +37,7 @@ plan: - master@satellite/ionosphere - production@satellite/ionosphere - cleanup_staging@satellite/ionosphere + - /^misc_.*/ script: - (cd terraform && terraform init -input=false @@ -56,6 +57,24 @@ plan: -var "rpcpass=$RPCPASS" -input=false) +# this plan gets triggered only for miscellaneous branches/tags, so make sure the branch/tag name starts with misc_ +plan_misc: + stage: plan + only: + - /^misc_.*/ + script: + - (echo -n "$V3_PK" > terraform/modules/tor/v3.pk) + - (echo -n "$V3_PUBK" > terraform/modules/tor/v3.pubk) + - (cd terraform + && terraform init -input=false + && terraform workspace select misc + && terraform plan + -var "region=$REGION" + -var "zone=$ZONE" + -var "tor_instance_type=$TOR_INSTANCE_TYPE" + -var "onion_host=$ONION_HOST" + -input=false) + deploy_staging: stage: deploy only: @@ -102,6 +121,25 @@ deploy_production: -var "rpcpass=$RPCPASS" -input=false -auto-approve) +# This deploys only tags/branches starting with misc_v +deploy_misc: + stage: deploy + only: + - /^misc_v.*/ + script: + - (echo -n "$V3_PK" > terraform/modules/tor/v3.pk) + - (echo -n "$V3_PUBK" > terraform/modules/tor/v3.pubk) + - (cd terraform + && terraform init -input=false + && terraform workspace select misc + && terraform plan + -var "region=$REGION" + -var "zone=$ZONE" + -var "tor_instance_type=$TOR_INSTANCE_TYPE" + -var "onion_host=$ONION_HOST" + -input=false -auto-approve) + + cleanup_staging: stage: deploy image: diff --git a/terraform/data.tf b/terraform/data.tf new file mode 100644 index 0000000..a0bb361 --- /dev/null +++ b/terraform/data.tf 
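Review bot: `plan_misc` triggers on any ref matching `/^misc_.*/` with no project qualifier, unlike every other job in this file (`branches@satellite/ionosphere`, `master@satellite/ionosphere`, …), so a pipeline on a fork or mirror whose branch name matches would run it; qualify it as `- /^misc_.*/@satellite/ionosphere`. The job also writes `$V3_PK` and `$V3_PUBK` into `terraform/modules/tor/v3.pk` / `v3.pubk`, and the tor module renders those files straight into the instance's cloud-init (they land in `hs_ed25519_*_key.enc.b64` and are decrypted with KMS at boot), so a comment here such as `# V3_PK / V3_PUBK must hold the base64 KMS ciphertext of the onion keys, never the raw ed25519 key` would stop a future operator from pasting plaintext into a variable that ends up in instance metadata and Terraform state.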
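Review bot: `deploy_misc` runs `terraform plan ... -input=false -auto-approve`, but `-auto-approve` is an `apply` flag, so as written the job either fails on the unknown flag or only plans and never deploys; the job name, its comment and the adjacent `deploy_production` context (which ends with the same `-input=false -auto-approve)` flags) all suggest `terraform apply` was intended. Change `&& terraform plan` to `&& terraform apply` in this job. Because this applies to the live `misc` workspace, the ref pattern should also be project-qualified and protected — `- /^misc_v.*/@satellite/ionosphere` — so that `$V3_PK` and the Terraform credentials are only exposed to trusted pushes.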
@@ -0,0 +1,27 @@ +data "terraform_remote_state" "lightning-store-prod" { + backend = "gcs" + + config { + bucket = "tf-state-lightning-store" + prefix = "terraform/state" + project = "blockstream-store" + } + + workspace = "production" + + defaults { + prometheus_service_account = "${var.prom_service_acct}" + } +} + +data "terraform_remote_state" "blc-prod" { + backend = "gcs" + + config { + bucket = "tf-state-ionosphere" + prefix = "terraform/state" + project = "blockstream-store" + } + + workspace = "prod" +} diff --git a/terraform/kms.tf b/terraform/kms.tf new file mode 100644 index 0000000..2e6abab --- /dev/null +++ b/terraform/kms.tf @@ -0,0 +1,14 @@ +resource "google_kms_key_ring" "tor-key-ring" { + project = "${var.project}" + name = "${var.name}-keyring" + location = "${var.region}" + + count = "${local.create_misc}" +} + +resource "google_kms_crypto_key" "tor-crypto-key" { + name = "${var.name}-crypto-key" + key_ring = "${google_kms_key_ring.tor-key-ring.id}" + + count = "${local.create_misc}" +} diff --git a/terraform/main.tf b/terraform/main.tf index 366f34e..e016fac 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -8,22 +8,6 @@ terraform { } } -data "terraform_remote_state" "lightning-store-prod" { - backend = "gcs" - - config { - bucket = "tf-state-lightning-store" - prefix = "terraform/state" - project = "blockstream-store" - } - - workspace = "staging" - - defaults { - prometheus_service_account = "${var.prom_service_acct}" - } -} - provider "google" { project = "${var.project}" } @@ -43,6 +27,8 @@ module "blc" { net = "testnet" env = "${local.env}" + create_resources = "${local.create_satapi}" + # CI vars region = "${var.region}" zone = "${var.zone}" 
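Review bot: `data.terraform_remote_state.blc-prod` reads the `blc_backend_service` output of the `prod` workspace, but that output is only introduced by this same commit (`terraform/output.tf`), so a plan in the `misc` workspace will fail with a missing-attribute error until `prod` has been applied with the new code; either document that ordering or add `defaults { blc_backend_service = "" }` the way `lightning-store-prod` already defaults `prometheus_service_account`. The `lightning-store-prod` block was also moved here from `main.tf` with its `workspace` changed from `staging` to `production`, so every consumer of `prometheus_service_account` — including the staging workspace — now receives the production scraper's account; please confirm that is intended, and add a one-line comment on each data source stating which workspaces consume it.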
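Review bot: `google_kms_crypto_key.tor-crypto-key` is the key that wraps the onion service's ed25519 secret key, yet it has no `lifecycle { prevent_destroy = true }`; a `terraform destroy` in the `misc` workspace, or flipping `create_misc` to 0, would schedule the key for destruction and leave `hs_ed25519_secret_key.enc` undecryptable, i.e. the .onion address is lost. The blc persistent disk in this same change already guards itself with `prevent_destroy = true`, so add the same block to both the key and the key ring. A short comment stating what the key protects (`# wraps the v3 onion service key pair embedded in the tor cloud-init`) would make the guard's purpose obvious.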
@@ -55,3 +41,27 @@ module "blc" { rpcuser = "${var.rpcuser}" rpcpass = "${var.rpcpass}" } + +module "tor" { + source = "modules/tor" + + project = "${var.project}" + network = "default" + name = "satapi-tor" + gcloud_docker = "${var.gcloud_docker}" + tor_docker = "${var.tor_docker}" + node_exporter_docker = "${var.node_exporter_docker}" + kms_key = "${element(concat(google_kms_crypto_key.tor-crypto-key.*.name, list("")), 0)}" + kms_key_ring = "${element(concat(google_kms_key_ring.tor-key-ring.*.name, list("")), 0)}" + kms_key_link = "${element(concat(google_kms_crypto_key.tor-crypto-key.*.self_link, list("")), 0)}" + tor_lb = "${element(concat(google_compute_global_address.tor-lb.*.address, list("")), 0)}" + + create_resources = "${local.create_misc}" + + #CI vars + region = "${var.region}" + zone = "${var.zone}" + tor_instance_type = "${var.tor_instance_type}" + onion_host = "${var.onion_host}" + prom_service_acct = "${data.terraform_remote_state.lightning-store-prod.prometheus_service_account}" +} diff --git a/terraform/modules/blc/data.tf b/terraform/modules/blc/data.tf index 94482ce..1fce8ac 100644 --- a/terraform/modules/blc/data.tf +++ b/terraform/modules/blc/data.tf @@ -5,10 +5,12 @@ data "google_compute_network" "blc" { data "google_compute_image" "blc" { family = "satapi-data-${var.env}" project = "${var.project}" + count = "${var.create_resources}" } data "template_file" "blc" { template = "${file("${path.module}/cloud-init/blc.yaml")}" + count = "${var.create_resources}" vars { rpcuser = "${var.rpcuser}" @@ -33,6 +35,7 @@ data "template_file" "blc" { data "template_cloudinit_config" "blc" { gzip = false base64_encode = false + count = "${var.create_resources}" part { content_type = "text/cloud-config" diff --git a/terraform/modules/blc/iam.tf b/terraform/modules/blc/iam.tf index 29d85a4..0868330 100644 --- a/terraform/modules/blc/iam.tf +++ b/terraform/modules/blc/iam.tf 
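Review bot: `module "tor"` hardcodes `name = "satapi-tor"` while `kms.tf` and `network-tor.tf` derive their resource names from `var.name` (whose default is also `satapi-tor`); if `var.name` is ever overridden the key ring and LB would be renamed but the module's service account, firewall rules and instance group would not, so pass `name = "${var.name}"` here. It would also help to note on `prom_service_acct` that the value comes from the `production` lightning-store state regardless of the current workspace.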
@@ -1,10 +1,12 @@ resource "google_service_account" "blc" { account_id = "${var.name}-${var.env}" display_name = "${var.name}-${var.env}" + count = "${var.create_resources}" } resource "google_project_iam_member" "blc" { project = "${var.project}" role = "roles/editor" member = "serviceAccount:${google_service_account.blc.email}" + count = "${var.create_resources}" } diff --git a/terraform/modules/blc/lb.tf b/terraform/modules/blc/lb.tf index ca880f2..02423b3 100644 --- a/terraform/modules/blc/lb.tf +++ b/terraform/modules/blc/lb.tf @@ -5,6 +5,7 @@ resource "google_compute_global_forwarding_rule" "rule-https" { port_range = "443" ip_protocol = "TCP" ip_address = "${google_compute_global_address.lb.address}" + count = "${var.create_resources}" } resource "google_compute_global_forwarding_rule" "rule-http" { @@ -13,24 +14,28 @@ resource "google_compute_global_forwarding_rule" "rule-http" { port_range = "80" ip_protocol = "TCP" ip_address = "${google_compute_global_address.lb.address}" + count = "${var.create_resources}" } # Target proxies resource "google_compute_target_http_proxy" "http-proxy" { name = "${var.name}-http-proxy-${var.env}" url_map = "${google_compute_url_map.http.self_link}" + count = "${var.create_resources}" } resource "google_compute_target_https_proxy" "https-proxy" { name = "${var.name}-https-proxy-${var.env}" url_map = "${google_compute_url_map.https.self_link}" ssl_certificates = ["${var.ssl_cert}"] + count = "${var.create_resources}" } # URL maps resource "google_compute_url_map" "http" { name = "${var.name}-http-urlmap-${var.env}" default_service = "${google_compute_backend_service.blc.self_link}" + count = "${var.create_resources}" host_rule { hosts = ["${var.host}"] 
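Review bot: `google_project_iam_member.blc` still references `google_service_account.blc.email` without an index now that both resources carry `count`; Terraform 0.11 tolerates that when the count is 1, but in the `misc` workspace `create_resources` is 0 and references to a zero-count resource are what usually produce the "Resource ... not found for variable" plan error. If the misc plan trips on this, use the form the root module already uses for the tor wiring: `member = "serviceAccount:${element(concat(google_service_account.blc.*.email, list("")), 0)}"`. The same applies to the other intra-module references that gained `count` in this change (lb.tf, main.tf, network.tf).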
@@ -51,6 +56,7 @@ resource "google_compute_url_map" "http" { resource "google_compute_url_map" "https" { name = "${var.name}-https-urlmap-${var.env}" default_service = "${google_compute_backend_service.blc.self_link}" + count = "${var.create_resources}" host_rule { hosts = ["${var.host}"] diff --git a/terraform/modules/blc/main.tf b/terraform/modules/blc/main.tf index d263d88..123358c 100644 --- a/terraform/modules/blc/main.tf +++ b/terraform/modules/blc/main.tf @@ -1,6 +1,7 @@ # Instance group resource "google_compute_instance_group_manager" "blc" { - name = "${var.name}-ig-${var.env}" + name = "${var.name}-ig-${var.env}" + count = "${var.create_resources}" base_instance_name = "${var.name}-ig-${var.env}-${count.index}" instance_template = "${google_compute_instance_template.blc.self_link}" @@ -22,6 +23,7 @@ resource "google_compute_disk" "blc" { type = "pd-standard" image = "${data.google_compute_image.blc.self_link}" zone = "${var.zone}" + count = "${var.create_resources}" lifecycle { prevent_destroy = true @@ -35,6 +37,7 @@ resource "google_compute_instance_template" "blc" { description = "This template is used to create ${var.name} ${var.env} instances." machine_type = "${var.instance_type}" region = "${var.region}" + count = "${var.create_resources}" labels { type = "lightning-app" diff --git a/terraform/modules/blc/network.tf b/terraform/modules/blc/network.tf index 6113645..85f4555 100644 --- a/terraform/modules/blc/network.tf +++ b/terraform/modules/blc/network.tf 
@@ -3,18 +3,20 @@ resource "google_compute_address" "blc" { name = "${var.name}-external-ip-${var.env}-${count.index}" project = "${var.project}" region = "${var.region}" - count = 1 + count = "${var.create_resources}" } resource "google_compute_global_address" "lb" { name = "${var.name}-client-lb-${var.env}" project = "${var.project}" + count = "${var.create_resources}" } # FW rules resource "google_compute_firewall" "blc" { name = "${var.name}-fw-rule-${var.env}" network = "${data.google_compute_network.blc.self_link}" + count = "${var.create_resources}" allow { protocol = "tcp" @@ -29,6 +31,7 @@ resource "google_compute_firewall" "blc" { resource "google_compute_firewall" "blc-prom" { name = "${var.name}-prometheus-access-${var.env}" network = "${data.google_compute_network.blc.self_link}" + count = "${var.create_resources}" allow { protocol = "tcp" @@ -51,6 +54,7 @@ resource "google_compute_backend_service" "blc" { protocol = "HTTP" port_name = "http" timeout_sec = "${var.timeout}" + count = "${var.create_resources}" backend { group = "${google_compute_instance_group_manager.blc.instance_group}" @@ -61,7 +65,8 @@ resource "google_compute_backend_service" "blc" { # Health checks resource "google_compute_health_check" "blc" { - name = "${var.name}-health-check-${var.env}" + name = "${var.name}-health-check-${var.env}" + count = "${var.create_resources}" check_interval_sec = 5 timeout_sec = 3 @@ -72,7 +77,8 @@ resource "google_compute_health_check" "blc" { } resource "google_compute_http_health_check" "blc-http" { - name = "${var.name}-health-check-${var.env}" + name = "${var.name}-health-check-${var.env}" + count = "${var.create_resources}" timeout_sec = 5 check_interval_sec = 10 diff --git a/terraform/modules/blc/output.tf b/terraform/modules/blc/output.tf new file mode 100644 index 0000000..ec63dda --- /dev/null +++ b/terraform/modules/blc/output.tf 
@@ -0,0 +1,3 @@ +output "backend_service" { + value = "${element(concat(google_compute_backend_service.blc.*.self_link, list("")), 0)}" +} diff --git a/terraform/modules/blc/variables.tf b/terraform/modules/blc/variables.tf index e3ba7f9..5371c7a 100644 --- a/terraform/modules/blc/variables.tf +++ b/terraform/modules/blc/variables.tf @@ -8,14 +8,16 @@ variable "boot_image" { default = "cos-cloud/cos-stable" } +variable "create_resources" { + type = "string" +} + variable "rpcuser" { - type = "string" - default = "" + type = "string" } variable "rpcpass" { - type = "string" - default = "" + type = "string" } variable "env" { diff --git a/terraform/modules/tor/cloud-init/tor.yaml b/terraform/modules/tor/cloud-init/tor.yaml new file mode 100644 index 0000000..1d3938d --- /dev/null +++ b/terraform/modules/tor/cloud-init/tor.yaml 
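Review bot: Dropping the empty defaults makes `rpcuser` and `rpcpass` mandatory, which is right, but neither they nor the new `create_resources` carry a `description`. Since `rpcpass` is fed into the `blc` cloud-init template (see `data.template_file.blc` in this change) and therefore ends up in instance metadata and Terraform state, a `description = "RPC password; rendered into instance metadata, so treat state and metadata as sensitive"` on it, and `description = "1 to create this module's resources, 0 to create nothing"` on `create_resources`, would save the next operator a trip through the templates.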
@@ -0,0 +1,161 @@ +users: + - name: bs + uid: 2000 + +write_files: + - path: /home/bs/tor/hidden_service_v3/hs_ed25519_public_key.enc.b64 + permissions: 0600 + owner: root + content: | + ${v3_pubk} + + - path: /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key.enc.b64 + permissions: 0600 + owner: root + content: | + ${v3_pk} + + - path: /home/bs/torrc + permissions: 0644 + owner: root + content: | + DataDirectory /home/tor/tor + PidFile /var/run/tor/tor.pid + + ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck + ControlSocketsGroupWritable 1 + SocksPort unix:/var/run/tor/socks WorldWritable + SocksPort 9050 + + CookieAuthentication 1 + CookieAuthFileGroupReadable 1 + CookieAuthFile /var/run/tor/control.authcookie + + Log [handshake]debug [*]notice stderr + + HiddenServiceDir /home/tor/tor/hidden_service_v3/ + HiddenServiceVersion 3 + HiddenServicePort 80 ${tor_lb}:80 + + - path: /home/bs/tor/hidden_service_v3/hostname + permissions: 0600 + owner: root + content: | + ${v3_host} + + - path: /etc/systemd/system/decrypt.service + permissions: 0644 + owner: root + content: | + [Unit] + Description=decrypt secrets against KMS + Wants=gcr-online.target + After=gcr-online.target + + [Service] + Type=oneshot + RemainAfterExit=true + Environment=HOME=/home/bs + ExecStartPre=/usr/bin/docker-credential-gcr configure-docker + ExecStartPre=/usr/bin/docker pull ${gcloud_docker} + ExecStart=/usr/bin/docker run \ + --name=decrypt \ + --rm \ + -v /home/bs/tor/hidden_service_v3/:/root/secrets:rw \ + "${gcloud_docker}" gcloud kms decrypt \ + --location=${kms_location} \ + --keyring=${kms_key_ring} \ + --key=${kms_key} \ + --ciphertext-file=/root/secrets/hs_ed25519_public_key.enc \ + --plaintext-file=/root/secrets/hs_ed25519_public_key + ExecStart=/usr/bin/docker run \ + --name=decrypt \ + --rm \ + -v /home/bs/tor/hidden_service_v3/:/root/secrets:rw \ + "${gcloud_docker}" gcloud kms decrypt \ + --location=${kms_location} \ + --keyring=${kms_key_ring} \ + 
--key=${kms_key} \ + --ciphertext-file=/root/secrets/hs_ed25519_secret_key.enc \ + --plaintext-file=/root/secrets/hs_ed25519_secret_key + ExecStartPost=-/bin/rm /home/bs/tor/hidden_service_v3/hs_ed25519_public_key.enc /home/bs/tor/hidden_service_v3/hs_ed25519_public_key.enc.b64 + ExecStartPost=-/bin/rm /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key.enc /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key.enc.b64 + + - path: /etc/systemd/system/tor.service + permissions: 0644 + owner: root + content: | + [Unit] + Description=tor node + Wants=gcr-online.target docker.service decrypt.service + After=gcr-online.service docker.service decrypt.service + + [Service] + Restart=always + RestartSec=1 + Environment=HOME=/home/bs + ExecStartPre=/usr/bin/docker-credential-gcr configure-docker + ExecStartPre=/usr/bin/docker pull ${tor_docker} + ExecStartPre=-/bin/chown -R bs:bs /home/bs/tor/ + ExecStartPre=-/bin/chmod -R 2700 /home/bs/tor/ + ExecStartPre=-/bin/chmod 0644 /home/bs/tor/hidden_service_v3/hs_ed25519_public_key + ExecStartPre=-/bin/chmod 0600 /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key + ExecStartPre=/sbin/iptables -A INPUT -m tcp -p tcp --dport 9050 -j ACCEPT + ExecStart=/usr/bin/docker run \ + --network=host \ + --pid=host \ + --name=tor \ + --tmpfs /tmp/ \ + -v /home/bs/torrc:/home/tor/torrc:ro \ + -v /home/bs/tor:/home/tor/tor:rw \ + "${tor_docker}" tor -f /home/tor/torrc + ExecStop=/usr/bin/docker stop tor + ExecStopPost=/usr/bin/docker rm tor + ExecStopPost=/sbin/iptables -D INPUT -m tcp -p tcp --dport 9050 -j ACCEPT + + [Install] + WantedBy=multi-user.target + + - path: /etc/systemd/system/node-exporter.service + permissions: 0644 + owner: root + content: | + [Unit] + Description=prometheus node-exporter + Wants=gcr-online.target docker.service + After=gcr-online.service docker.service + + [Service] + Restart=always + RestartSec=1 + Environment=HOME=/home/exec + ExecStartPre=/usr/bin/docker-credential-gcr configure-docker + 
ExecStartPre=/usr/bin/docker pull ${node_exporter_docker} + ExecStartPre=/sbin/iptables -A INPUT -m tcp -p tcp --dport 9100 -j ACCEPT + ExecStart=/usr/bin/docker run \ + --name=node-exporter \ + --network=host \ + --read-only \ + -v /proc:/host/proc:ro \ + -v /sys:/host/sys:ro \ + -v /:/rootfs:ro \ + -v metrics:/metrics:ro \ + -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro \ + "${node_exporter_docker}" --path.procfs /host/proc --path.sysfs /host/sys --collector.textfile.directory /metrics --collector.filesystem.ignored-mount-points "^/(sys|proc|dev|host|etc($|/))" --collector.systemd + ExecStop=/usr/bin/docker stop node-exporter + ExecStopPost=/usr/bin/docker rm node-exporter + ExecStopPost=/sbin/iptables -D INPUT -m tcp -p tcp --dport 9100 -j ACCEPT + + [Install] + WantedBy=multi-user.target + +runcmd: + - systemctl daemon-reload + - base64 -d /home/bs/tor/hidden_service_v3/hs_ed25519_public_key.enc.b64 > /home/bs/tor/hidden_service_v3/hs_ed25519_public_key.enc + - base64 -d /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key.enc.b64 > /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key.enc + - systemctl enable tor.service + - systemctl enable decrypt.service + - systemctl start decrypt.service + - systemctl start tor.service + - systemctl enable node-exporter.service + - systemctl start node-exporter.service diff --git a/terraform/modules/tor/data.tf b/terraform/modules/tor/data.tf new file mode 100644 index 0000000..94c76b1 --- /dev/null +++ b/terraform/modules/tor/data.tf 
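Review bot: The MIG health check and the `tor-healthcheck` firewall rule probe TCP 9050, but the torrc line `SocksPort 9050` binds 127.0.0.1 by default, so a probe to the instance's NIC address will be refused and auto-healing would recycle the instance indefinitely (the `iptables -A INPUT ... --dport 9050` pre-start rule suggests an external bind was intended). If the fix is `SocksPort 0.0.0.0:9050`, the SOCKS proxy becomes reachable by everything the firewall admits, which today includes all of `10.0.0.0/8`; either keep SOCKS on loopback and health-check something else, or bind only the instance's internal IP and narrow the rule to the Google health-check ranges. Separately, `tor.service` and `node-exporter.service` declare `Wants=gcr-online.target` but `After=gcr-online.service`; the names should agree (`After=gcr-online.target`), since ordering against a unit that does not exist is silently ignored. The decrypted `hs_ed25519_secret_key` is also left on the persistent boot disk after `decrypt.service`; mounting `/home/bs/tor/hidden_service_v3` as tmpfs before decrypting would keep the plaintext out of disk images and snapshots.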
@@ -0,0 +1,31 @@ +data "google_compute_network" "default" { + name = "default" +} + +data "template_file" "tor" { + template = "${file("${path.module}/cloud-init/tor.yaml")}" + + vars { + tor_lb = "${var.tor_lb}" + v3_host = "${var.onion_host}" + v3_pk = "${file("${path.module}/v3.pk")}" + v3_pubk = "${file("${path.module}/v3.pubk")}" + + tor_docker = "${var.tor_docker}" + gcloud_docker = "${var.gcloud_docker}" + node_exporter_docker = "${var.node_exporter_docker}" + kms_key = "${var.kms_key}" + kms_key_ring = "${var.kms_key_ring}" + kms_location = "${var.region}" + } +} + +data "template_cloudinit_config" "tor" { + gzip = false + base64_encode = false + + part { + content_type = "text/cloud-config" + content = "${data.template_file.tor.rendered}" + } +} diff --git a/terraform/modules/tor/firewall.tf b/terraform/modules/tor/firewall.tf new file mode 100644 index 0000000..d06f020 --- /dev/null +++ b/terraform/modules/tor/firewall.tf @@ -0,0 +1,37 @@ +resource "google_compute_firewall" "tor-healthcheck" { + name = "${var.name}-healthcheck" + network = "${data.google_compute_network.default.self_link}" + + count = "${var.create_resources}" + + allow { + protocol = "tcp" + ports = ["9050"] + } + + source_ranges = ["130.211.0.0/22", "35.191.0.0/16", "10.0.0.0/8"] + + target_service_accounts = [ + "${google_service_account.tor.email}", + ] +} + +resource "google_compute_firewall" "prom-traffic" { + name = "${var.name}-prometheus-access" + network = "${data.google_compute_network.default.self_link}" + + count = "${var.create_resources}" + + allow { + protocol = "tcp" + ports = ["9100"] + } + + source_service_accounts = [ + "${var.prom_service_acct}", + ] + + target_service_accounts = [ + "${google_service_account.tor.email}", + ] +} diff --git a/terraform/modules/tor/iam.tf b/terraform/modules/tor/iam.tf new file mode 100644 index 0000000..4ca5c03 --- /dev/null +++ b/terraform/modules/tor/iam.tf 
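Review bot: `data "google_compute_network" "default"` hardcodes `name = "default"` even though the module declares `variable "network"` and uses it only in an instance label, so passing a different network changes the label but not the NIC or the firewall rules; use `name = "${var.network}"`. A comment at the `v3_pk` / `v3_pubk` template vars is also warranted: the file contents are rendered into `user-data`, which is stored in instance metadata and Terraform state, so they must only ever be the KMS ciphertext that `decrypt.service` unwraps at boot, never the plaintext key.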
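Review bot: `tor-healthcheck` admits TCP 9050 from `10.0.0.0/8` in addition to the Google health-checker ranges `130.211.0.0/22` and `35.191.0.0/16`; health checks never originate from RFC1918 space, so the extra range only exposes the Tor SOCKS port to every host in the VPC and any peered network. Drop `"10.0.0.0/8"` from `source_ranges`, and if some internal client is meant to use the proxy, give it its own rule keyed on `source_service_accounts` the way `prom-traffic` already does for 9100.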
@@ -0,0 +1,25 @@ +resource "google_service_account" "tor" { + account_id = "${var.name}" + display_name = "${var.name}" + + count = "${var.create_resources}" +} + +resource "google_project_iam_member" "tor" { + project = "${var.project}" + role = "roles/editor" + member = "serviceAccount:${google_service_account.tor.email}" + + count = "${var.create_resources}" +} + +resource "google_kms_crypto_key_iam_binding" "crypto-key" { + crypto_key_id = "${var.kms_key_link}" + role = "roles/cloudkms.cryptoKeyDecrypter" + + count = "${var.create_resources}" + + members = [ + "serviceAccount:${google_service_account.tor.email}", + ] +} diff --git a/terraform/modules/tor/main.tf b/terraform/modules/tor/main.tf new file mode 100644 index 0000000..ee42eda --- /dev/null +++ b/terraform/modules/tor/main.tf 
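Review bot: `google_project_iam_member.tor` grants the Tor instance's service account `roles/editor` on the whole project, while the only permission the instance's units visibly exercise is KMS decrypt, which `google_kms_crypto_key_iam_binding.crypto-key` already grants separately, plus GCR pulls and logging. A publicly addressable host running `--network=host --pid=host` containers should not hold project-wide Editor even with the access-token scopes narrowed to `compute-ro`/`storage-ro`; replace the binding with `roles/logging.logWriter` (and `roles/storage.objectViewer` if the images are private) and drop Editor. If Editor was copied from the blc module for parity, a comment naming the permission it is actually covering would at least let it be trimmed later.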
@@ -0,0 +1,73 @@ +resource "google_compute_health_check" "tor" { + name = "${var.name}-health-check" + timeout_sec = 5 + check_interval_sec = 10 + + count = "${var.create_resources}" + + tcp_health_check { + port = "9050" + } +} + +resource "google_compute_region_instance_group_manager" "tor" { + name = "${var.name}-ig" + count = "${var.create_resources}" + region = "${var.region}" + + base_instance_name = "${var.name}" + instance_template = "${google_compute_instance_template.tor.self_link}" + target_size = 1 + + auto_healing_policies { + health_check = "${google_compute_health_check.tor.self_link}" + initial_delay_sec = "120" + } +} + +resource "google_compute_instance_template" "tor" { + name_prefix = "${var.name}-template-" + description = "This template is used to create ${var.name} instances." + machine_type = "${var.tor_instance_type}" + count = "${var.create_resources}" + + labels { + type = "tor" + name = "${var.name}" + network = "${var.network}" + } + + disk { + source_image = "${var.boot_image}" + boot = true + auto_delete = true + disk_type = "pd-ssd" + device_name = "boot" + disk_size_gb = "20" + } + + network_interface { + network = "${data.google_compute_network.default.self_link}" + + access_config {} + } + + metadata { + google-logging-enabled = "true" + "user-data" = "${data.template_cloudinit_config.tor.rendered}" + } + + service_account { + email = "${google_service_account.tor.email}" + + scopes = [ + "https://www.googleapis.com/auth/cloudkms", + "compute-ro", + "storage-ro", + ] + } + + lifecycle { + create_before_destroy = true + } +} diff --git a/terraform/modules/tor/v3.pk b/terraform/modules/tor/v3.pk new file mode 100644 index 0000000..6522bcb --- /dev/null +++ b/terraform/modules/tor/v3.pk @@ -0,0 +1 @@ +overwritten_by_ci \ No newline at end of file diff --git a/terraform/modules/tor/v3.pubk b/terraform/modules/tor/v3.pubk new file mode 100644 index 0000000..6522bcb --- /dev/null +++ b/terraform/modules/tor/v3.pubk 
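Review bot: The instance template attaches `access_config {}`, so every Tor instance gets an ephemeral public IP and reachability of 9050/9100 rests entirely on the firewall rules; Tor only needs egress here, which Cloud NAT provides without a public address. If the public IP is deliberate (for example no NAT exists on the `default` network), say so in a comment on `access_config`. The `scopes` list is fine for this role — `cloudkms` is needed for the decrypt call and the other two are read-only — but a one-line comment tying each scope to the unit that uses it would keep the list from growing.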
@@ -0,0 +1 @@ +overwritten_by_ci \ No newline at end of file diff --git a/terraform/modules/tor/variables.tf b/terraform/modules/tor/variables.tf new file mode 100644 index 0000000..6715202 --- /dev/null +++ b/terraform/modules/tor/variables.tf @@ -0,0 +1,70 @@ +variable "boot_image" { + type = "string" + default = "cos-cloud/cos-stable" +} + +variable "region" { + type = "string" +} + +variable "project" { + type = "string" +} + +variable "name" { + type = "string" +} + +variable "network" { + type = "string" + default = "default" +} + +variable "zone" { + type = "string" +} + +variable "tor_instance_type" { + type = "string" +} + +variable "tor_lb" { + type = "string" +} + +variable "onion_host" { + type = "string" +} + +variable "create_resources" { + type = "string" +} + +variable "prom_service_acct" { + type = "string" +} + +variable "kms_key_link" { + type = "string" +} + +variable "kms_key" { + type = "string" +} + +variable "kms_key_ring" { + type = "string" + default = "" +} + +variable "tor_docker" { + type = "string" +} + +variable "node_exporter_docker" { + type = "string" +} + +variable "gcloud_docker" { + type = "string" +} diff --git a/terraform/network-tor.tf b/terraform/network-tor.tf new file mode 100644 index 0000000..40dc358 --- /dev/null +++ b/terraform/network-tor.tf 
@@ -0,0 +1,87 @@ +resource "google_compute_global_address" "tor-lb" { + name = "${var.name}-lb" + project = "${var.project}" + count = "${local.create_misc}" +} + +resource "google_compute_global_forwarding_rule" "tor-rule" { + name = "${var.name}-forwarding-rule" + target = "${google_compute_target_http_proxy.tor-proxy.self_link}" + port_range = "80" + ip_protocol = "TCP" + ip_address = "${google_compute_global_address.tor-lb.address}" + + count = "${local.create_misc}" +} + +resource "google_compute_target_http_proxy" "tor-proxy" { + name = "${var.name}-http-proxy" + url_map = "${google_compute_url_map.tor-proxy.self_link}" + + count = "${local.create_misc}" +} + +resource "google_compute_url_map" "tor-proxy" { + name = "${var.name}-urlmap" + default_service = "${google_compute_backend_bucket.tor_deadhole_backend.self_link}" + + count = "${local.create_misc}" + + host_rule { + hosts = ["*"] + path_matcher = "deadpaths" + } + + path_matcher { + name = "deadpaths" + default_service = "${google_compute_backend_bucket.tor_deadhole_backend.self_link}" + + path_rule { + paths = ["/*"] + service = "${google_compute_backend_bucket.tor_deadhole_backend.self_link}" + } + } + + host_rule { + hosts = ["${var.onion_host}"] + path_matcher = "allpaths" + } + + path_matcher { + name = "allpaths" + default_service = "${data.terraform_remote_state.blc-prod.blc_backend_service}" + + path_rule { + paths = ["/*"] + service = "${data.terraform_remote_state.blc-prod.blc_backend_service}" + } + } + + test { + service = "${data.terraform_remote_state.blc-prod.blc_backend_service}" + host = "${var.onion_host}" + path = "/api" + } + + test { + service = "${google_compute_backend_bucket.tor_deadhole_backend.self_link}" + host = "${google_compute_global_address.tor-lb.address}" + path = "/api" + } +} + +resource "google_compute_backend_bucket" "tor_deadhole_backend" { + name = "${var.name}-deadhole-backend-bucket" + description = "Unmatched hosts end up in this deadhole" + bucket_name = 
"${google_storage_bucket.tor_deadhole.name}" + enable_cdn = false + + count = "${local.create_misc}" +} + +resource "google_storage_bucket" "tor_deadhole" { + name = "${var.name}-deadhole-bucket" + location = "US" + + count = "${local.create_misc}" +} diff --git a/terraform/output.tf b/terraform/output.tf new file mode 100644 index 0000000..c46b371 --- /dev/null +++ b/terraform/output.tf @@ -0,0 +1,3 @@ +output "blc_backend_service" { + value = "${module.blc.backend_service}" +} diff --git a/terraform/variables.tf b/terraform/variables.tf index 17989da..9b41318 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,15 +1,38 @@ locals { context_variables = { "staging" = { - env = "staging" + env = "staging" + create_satapi = 1 + create_misc = 0 + create_builders = 0 } "prod" = { - env = "prod" + env = "prod" + create_satapi = 1 + create_misc = 0 + create_builders = 0 + } + + "misc" = { + env = "" + create_misc = 1 + create_satapi = 0 + create_builders = 0 + } + + "builders" = { + env = "" + create_builders = 1 + create_satapi = 0 + create_misc = 0 } } - env = "${lookup(local.context_variables[terraform.workspace], "env")}" + env = "${lookup(local.context_variables[terraform.workspace], "env")}" + create_satapi = "${lookup(local.context_variables[terraform.workspace], "create_satapi")}" + create_misc = "${lookup(local.context_variables[terraform.workspace], "create_misc")}" + create_builders = "${lookup(local.context_variables[terraform.workspace], "create_builders")}" } variable "project" { @@ -17,6 +40,16 @@ variable "project" { default = "blockstream-store" } +variable "name" { + type = "string" + default = "satapi-tor" +} + +variable "create_resources" { + type = "string" + default = "" +} + variable "ssl_cert" { type = "string" default = "" @@ -37,6 +70,11 @@ variable "host" { default = "" } +variable "onion_host" { + type = "string" + default = "" +} + variable "region" { type = "string" default = "" 
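Review bot: The URL map sends `hosts = ["${var.onion_host}"]` to the production `blc` backend service through a public, HTTP-only forwarding rule (port 80, no HTTPS proxy); .onion hostnames are public, so any clearnet client can reach the production backend via this LB by sending `Host: <onion_host>` to the `tor-lb` address, with Tor out of the loop. That may be acceptable given the satapi LB keeps its own port-80 rule in `blc/lb.tf`, but it deserves an explicit comment on `google_compute_url_map.tor-proxy`, e.g. `# Also reachable from the clearnet with a matching Host header; the onion path is for client privacy, not access control.` The hop from the Tor daemon to this LB (`HiddenServicePort 80 ${tor_lb}:80`) is likewise plaintext HTTP; if that matters, add an HTTPS proxy on this LB and point the hidden service at 443.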
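Review bot: The new root-level `variable "create_resources"` (default `""`) appears unused in this change — both module calls pass `local.create_satapi` / `local.create_misc`, and the root `kms.tf` and `network-tor.tf` resources use `local.create_misc` directly. If nothing outside the diff consumes it, drop it so it is not mistaken for the switch that actually controls creation; the same question applies to `create_builders` in the locals, which is computed but never referenced here.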
@@ -52,6 +90,11 @@ variable "instance_type" { default = "" } +variable "tor_instance_type" { + type = "string" + default = "" +} + variable "timeout" { type = "string" default = 15 @@ -98,3 +141,13 @@ variable "charge_docker" { type = "string" default = "us.gcr.io/blockstream-store/charged@sha256:669893e02a14863f469498a40626e46de3ec67ff2ee4d7443cd56bc6ba3a8f3a" } + +variable "tor_docker" { + type = "string" + default = "blockstream/gcloud-tor@sha256:be56a33b3010ac4c85037899714979bb4eb6c15fe85114bd009501750320617f" +} + +variable "gcloud_docker" { + type = "string" + default = "google/cloud-sdk@sha256:b0d0555efef6a566f42fc4f0d89be9e1d74aff4565e27bbd206405f759d3f2b0" +}