Merge pull request #918 from near/sig-migration

Feat: Migrate Infra from Pagoda to Sig Network

.github/workflows/multichain-deploy-dev-nodes.yml

@@ -42,4 +42,4 @@ jobs:
       - id: 'auth'
         uses: 'google-github-actions/auth@v2'
         with:
-          credentials_json: '${{ secrets.SIG_CREDENTIALS_DEV }}'
+          credentials_json: '${{ secrets.SIG_CREDENTIALS_DEV }}'

.github/workflows/multichain-update-prod-nodes.yml

@@ -20,10 +20,17 @@ jobs:
       - uses: actions/checkout@v3
         name: "Checkout mpc-recovery"
 
-      - name: Login to GCP Artifact Registry
-        run: echo "$GOOGLE_CREDENTIALS" | docker login -u _json_key --password-stdin https://us-east1-docker.pkg.dev
+      - name: Login to GCP Artifact Registry Mainnet
+        if: github.event.inputs.network == 'mainnet'
+        run: echo "$GOOGLE_CREDENTIALS" | docker login -u _json_key --password-stdin https://europe-west1-docker.pkg.dev
         env:
-          GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_PROD }}
+          GOOGLE_CREDENTIALS: ${{ secrets.SIG_CREDENTIALS_MAINNET }}
+
+      - name: Login to GCP Artifact Registry Testnet
+        if: github.event.inputs.network == 'testnet'
+        run: echo "$GOOGLE_CREDENTIALS" | docker login -u _json_key --password-stdin https://europe-west1-docker.pkg.dev
+        env:
+          GOOGLE_CREDENTIALS: ${{ secrets.SIG_CREDENTIALS_TESTNET }}
 
         # Since the Mainnet and Testnet nodes are polling this image repository, only the image needs to be updated in order to trigger a deployment
       - name: Build Docker image and deploy partner nodes
@@ -32,4 +39,4 @@ jobs:
         with:
           push: true
           file: ./Dockerfile.multichain
-          tags: "us-east1-docker.pkg.dev/pagoda-discovery-platform-prod/multichain-public/multichain-${{ github.event.inputs.network }}:latest"
+          tags: "europe-west1-docker.pkg.dev/near-cs-${{ github.event.inputs.network }}/multichain-public/multichain-${{ github.event.inputs.network }}:latest"

infra/modules/leader/main.tf

@@ -11,7 +11,7 @@ resource "google_cloud_run_v2_service" "leader" {
 
     vpc_access {
       connector = var.connector_id
-      egress    = "PRIVATE_RANGES_ONLY"
+      egress    = "ALL_TRAFFIC"
     }
 
     scaling {

infra/modules/signer/main.tf

@@ -13,7 +13,7 @@ resource "google_cloud_run_v2_service" "signer" {
       for_each = var.connector_id == null ? [] : [1]
       content {
         connector = var.connector_id == null ? null : var.connector_id
-        egress    = "PRIVATE_RANGES_ONLY"
+        egress    = "ALL_TRAFFIC"
       }
     }
 

infra/mpc-recovery-dev/terraform-dev.auto.tfvars

@@ -0,0 +1,24 @@
+env          = "dev"
+project      = "near-cs-dev"
+docker_image = "europe-west1-docker.pkg.dev/near-cs-dev/mpc-recovery/mpc-recovery-dev:bcef52a5f9ecb19930642887006af50b1b2bff9f"
+
+account_creator_id           = "mpc-recovery-dev-creator.testnet"
+account_creator_sk_secret_id = "mpc-recovery-account-creator-sk-dev"
+fast_auth_partners_secret_id = "mpc-fast-auth-partners-dev"
+signer_configs = [
+  {
+    cipher_key_secret_id = "mpc-cipher-0-dev"
+    sk_share_secret_id   = "mpc-sk-share-0-dev"
+  },
+  {
+    cipher_key_secret_id = "mpc-cipher-1-dev"
+    sk_share_secret_id   = "mpc-sk-share-1-dev"
+  },
+  {
+    cipher_key_secret_id = "mpc-cipher-2-dev"
+    sk_share_secret_id   = "mpc-sk-share-2-dev"
+  }
+]
+jwt_signature_pk_url = "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"
+otlp_endpoint        = "https://otel.dev.api.pagoda.co:443/v1/traces"
+opentelemetry_level  = "debug"

infra/mpc-recovery-prod/main.tf

@@ -1,6 +1,6 @@
 terraform {
   backend "gcs" {
-    bucket = "mpc-recovery-terraform-prod"
+    bucket = "near-multichain-state-mainnet"
     prefix = "state/mpc-recovery"
   }
 
@@ -13,9 +13,6 @@ terraform {
 }
 
 locals {
-  credentials  = var.credentials != null ? var.credentials : file(var.credentials_file)
-  client_email = jsondecode(local.credentials).client_email
-  client_id    = jsondecode(local.credentials).client_id
 
   workspace = {
     near_rpc          = "https://rpc.mainnet.near.org"
@@ -28,7 +25,6 @@ data "external" "git_checkout" {
 }
 
 provider "google" {
-  credentials = local.credentials
 
   project = var.project
   region  = var.region
@@ -43,14 +39,6 @@ resource "google_service_account" "service_account" {
   display_name = "MPC Recovery mainnet Account"
 }
 
-resource "google_service_account_iam_binding" "serivce-account-iam" {
-  service_account_id = google_service_account.service_account.name
-  role               = "roles/iam.serviceAccountUser"
-
-  members = [
-    "serviceAccount:${local.client_email}"
-  ]
-}
 
 resource "google_project_iam_member" "service-account-datastore-user" {
   project = var.project
@@ -91,11 +79,11 @@ resource "google_secret_manager_secret_iam_member" "fast_auth_partners_secret_ac
 
 module "mpc-leader-lb-mainnet" {
   source        = "../modules/internal_cloudrun_lb"
-  name          = "mpc-prod-leader-mainnet"
+  name          = "mpc-leader-mainnet"
   network_id    = data.google_compute_network.prod_network.id
   subnetwork_id = data.google_compute_subnetwork.prod_subnetwork.id
   project_id    = var.project
-  region        = "us-east1"
+  region        = var.region
   service_name  = "mpc-recovery-leader-mainnet"
 }
 

infra/mpc-recovery-prod/variables.tf

@@ -1,20 +1,16 @@
 variable "project" {
 }
 
-variable "credentials_file" {
-  default = null
-}
-
 variable "credentials" {
   default = null
 }
 
 variable "region" {
-  default = "us-east1"
+  default = "europe-west1"
 }
 
 variable "zone" {
-  default = "us-east1-c"
+  default = "europe-west1-b"
 }
 
 variable "docker_image" {
@@ -48,18 +44,18 @@ variable "signer_configs" {
 }
 
 variable "prod-connector" {
-  default = "projects/pagoda-shared-infrastructure/locations/us-east1/connectors/prod-us-east1-connector"
+  default = "projects/sig-shared-network/locations/europe-west1/connectors/prod-eu-west1-connector"
 }
 
 data "google_compute_subnetwork" "prod_subnetwork" {
-  name    = "cloudrun-main-prod-us-east1"
-  project = "pagoda-shared-infrastructure"
-  region  = "us-east1"
+  name    = "cloudrun-main-prod-europe-west1"
+  project = "sig-shared-network"
+  region  = "europe-west1"
 }
 
 data "google_compute_network" "prod_network" {
   name    = "prod"
-  project = "pagoda-shared-infrastructure"
+  project = "sig-shared-network"
 }
 
 variable "jwt_signature_pk_url" {
@@ -73,3 +69,7 @@ variable "otlp_endpoint" {
 variable "opentelemetry_level" {
   type = string
 }
+
+variable "env" {
+  type = string
+}

infra/mpc-recovery-testnet/main.tf

@@ -1,7 +1,7 @@
 terraform {
   backend "gcs" {
-    bucket = "mpc-recovery-terraform-prod"
-    prefix = "state/mpc-recovery"
+    bucket = "near-multichain-state-testnet"
+    prefix = "state/mpc-recovery-testnet"
   }
 
   required_providers {
@@ -13,9 +13,6 @@ terraform {
 }
 
 locals {
-  credentials  = var.credentials != null ? var.credentials : file(var.credentials_file)
-  client_email = jsondecode(local.credentials).client_email
-  client_id    = jsondecode(local.credentials).client_id
 
   workspace = {
     near_rpc          = "https://rpc.testnet.near.org"
@@ -28,7 +25,6 @@ data "external" "git_checkout" {
 }
 
 provider "google" {
-  credentials = local.credentials
 
   project = var.project
   region  = var.region
@@ -43,14 +39,6 @@ resource "google_service_account" "service_account" {
   display_name = "MPC Recovery testnet Account"
 }
 
-resource "google_service_account_iam_binding" "serivce-account-iam" {
-  service_account_id = google_service_account.service_account.name
-  role               = "roles/iam.serviceAccountUser"
-
-  members = [
-    "serviceAccount:${local.client_email}",
-  ]
-}
 
 resource "google_project_iam_member" "service-account-datastore-user" {
   project = var.project
@@ -91,11 +79,11 @@ resource "google_secret_manager_secret_iam_member" "fast_auth_partners_secret_ac
 
 module "mpc-leader-lb-testnet" {
   source        = "../modules/internal_cloudrun_lb"
-  name          = "mpc-prod-leader-testnet"
+  name          = "mpc-leader-testnet"
   network_id    = data.google_compute_network.prod_network.id
   subnetwork_id = data.google_compute_subnetwork.prod_subnetwork.id
   project_id    = var.project
-  region        = "us-east1"
+  region        = "europe-west1"
   service_name  = "mpc-recovery-leader-testnet"
 }
 

infra/mpc-recovery-testnet/variables.tf

@@ -1,4 +1,5 @@
 variable "project" {
+  default = "near-cs-testnet"
 }
 
 variable "credentials_file" {
@@ -10,11 +11,11 @@ variable "credentials" {
 }
 
 variable "region" {
-  default = "us-east1"
+  default = "europe-west1"
 }
 
 variable "zone" {
-  default = "us-east1-c"
+  default = "europe-west1-b"
 }
 
 variable "docker_image" {
@@ -48,18 +49,18 @@ variable "signer_configs" {
 }
 
 variable "prod-connector" {
-  default = "projects/pagoda-shared-infrastructure/locations/us-east1/connectors/prod-us-east1-connector"
+  default = "projects/sig-shared-network/locations/europe-west1/connectors/prod-eu-west1-connector"
 }
 
 data "google_compute_subnetwork" "prod_subnetwork" {
-  name    = "cloudrun-main-prod-us-east1"
-  project = "pagoda-shared-infrastructure"
-  region  = "us-east1"
+  name    = "cloudrun-main-prod-europe-west1"
+  project = "sig-shared-network"
+  region  = "europe-west1"
 }
 
 data "google_compute_network" "prod_network" {
   name    = "prod"
-  project = "pagoda-shared-infrastructure"
+  project = "sig-shared-network"
 }
 
 variable "jwt_signature_pk_url" {