Merge pull request #39 from everclearorg/main

feat: sync mainnet-prod

Author: LayneHaber

ops/mainnet/prod/config.tf

@@ -1,12 +1,46 @@
 locals {
+  prometheus_config = <<-EOT
+    global:
+      scrape_interval: 15s
+      evaluation_interval: 15s
+
+    scrape_configs:
+      - job_name: 'prometheus'
+        static_configs:
+          - targets: ['localhost:9090']
+
+      - job_name: 'pushgateway'
+        honor_labels: true
+        static_configs:
+          - targets: ['mark-pushgateway-${var.environment}-${var.stage}.mark.internal:9091']
+
+      - job_name: 'mark-poller'
+        honor_labels: true
+        metrics_path: /metrics
+        static_configs:
+          - targets: ['mark-pushgateway-${var.environment}-${var.stage}.mark.internal:9091']
+    EOT
+
   prometheus_env_vars = [
+    {
+      name  = "PROMETHEUS_CONFIG"
+      value = local.prometheus_config
+    },
     {
       name  = "ENVIRONMENT"
       value = var.environment
     },
     {
       name  = "STAGE"
       value = var.stage
+    },
+    {
+      name  = "PROMETHEUS_STORAGE_PATH"
+      value = "/prometheus"
+    },
+    {
+      name  = "PROMETHEUS_LOG_LEVEL"
+      value = "debug"
     }
   ]
 
@@ -36,8 +70,8 @@ locals {
     ENVIRONMENT                   = var.environment
     STAGE                         = var.stage
     CHAIN_IDS                     = var.chain_ids
-    PUSH_GATEWAY_URL              = "http://${module.mark_pushgateway.service_url}:9091"
-    PROMETHEUS_URL                = "http://${module.mark_pushgateway.service_url}:9091"
+    PUSH_GATEWAY_URL              = "http://mark-pushgateway-${var.environment}-${var.stage}.mark.internal:9091"
+    PROMETHEUS_URL                = "http://mark-prometheus-${var.environment}-${var.stage}.mark.internal:9090"
     PROMETHEUS_ENABLED            = true
     DD_LOGS_ENABLED               = true
     DD_ENV                        = "${var.environment}-${var.stage}"

ops/mainnet/prod/main.tf

@@ -74,6 +74,7 @@ module "mark_web3signer" {
   cluster_id          = module.ecs.ecs_cluster_id
   vpc_id              = module.network.vpc_id
   lb_subnets          = module.network.private_subnets
+  task_subnets        = module.network.private_subnets
   docker_image        = "ghcr.io/connext/web3signer:latest"
   container_family    = "mark-web3signer"
   container_port      = 9000
@@ -82,6 +83,7 @@ module "mark_web3signer" {
   instance_count      = 1
   service_security_groups = [module.sgs.web3signer_sg_id]
   container_env_vars  = local.web3signer_env_vars
+  zone_id             = var.zone_id
 }
 
 module "mark_prometheus" {
@@ -94,15 +96,42 @@ module "mark_prometheus" {
   execution_role_arn      = data.aws_iam_role.ecr_admin_role.arn
   cluster_id              = module.ecs.ecs_cluster_id
   vpc_id                  = module.network.vpc_id
-  lb_subnets              = module.network.private_subnets
+  lb_subnets              = module.network.public_subnets
+  task_subnets            = module.network.private_subnets
   docker_image            = "prom/prometheus:latest"
   container_family        = "mark-prometheus"
   container_port          = 9090
   cpu                     = 512
   memory                  = 1024
   instance_count          = 1
   service_security_groups = [module.sgs.prometheus_sg_id]
-  container_env_vars      = local.prometheus_env_vars
+  container_env_vars      = concat(
+    local.prometheus_env_vars,
+    [
+      {
+        name  = "PROMETHEUS_CONFIG"
+        value = local.prometheus_config
+      }
+    ]
+  )
+  entrypoint = [
+    "/bin/sh",
+    "-c",
+    "mkdir -p /etc/prometheus && echo \"$PROMETHEUS_CONFIG\" > /etc/prometheus/prometheus.yml && chmod 644 /etc/prometheus/prometheus.yml && exec /bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/prometheus --web.enable-lifecycle"
+  ]
+  cert_arn                = var.cert_arn
+  ingress_cdir_blocks     = ["0.0.0.0/0"]
+  ingress_ipv6_cdir_blocks = []
+  create_alb              = true
+  zone_id                 = var.zone_id
+  health_check_settings   = {
+    path                = "/-/healthy"
+    matcher             = "200"
+    interval            = 30
+    timeout             = 5
+    healthy_threshold   = 2
+    unhealthy_threshold = 3
+  }
 }
 
 module "mark_pushgateway" {
@@ -116,6 +145,7 @@ module "mark_pushgateway" {
   cluster_id              = module.ecs.ecs_cluster_id
   vpc_id                  = module.network.vpc_id
   lb_subnets              = module.network.private_subnets
+  task_subnets            = module.network.private_subnets
   docker_image            = "prom/pushgateway:latest"
   container_family        = "mark-pushgateway"
   container_port          = 9091
@@ -124,6 +154,7 @@ module "mark_pushgateway" {
   instance_count          = 1
   service_security_groups = [module.sgs.prometheus_sg_id]
   container_env_vars      = local.pushgateway_env_vars
+  zone_id                 = var.zone_id
 }
 
 module "mark_poller" {
@@ -147,4 +178,4 @@ module "iam" {
 
 module "ecr" {
   source = "../../modules/ecr"
-}
+}

ops/mainnet/prod/outputs.tf

@@ -26,4 +26,9 @@ output "lambda_function_name" {
 output "ecs_cluster_name" {
   description = "Name of the ECS cluster"
   value       = module.ecs.ecs_cluster_name
+}
+
+output "prometheus_debug_info" {
+  description = "Debug information for Prometheus service"
+  value       = module.mark_prometheus.debug_info
 }

ops/mainnet/prod/variables.tf

@@ -19,7 +19,7 @@ variable "stage" {
 variable "domain" {
   description = "Domain name"
   type        = string
-  default     = "mark"
+  default     = "everclear.ninja"
 }
 
 variable "cidr_block" {
@@ -117,3 +117,14 @@ variable "alchemy_key" {
   type      = string
   sensitive = true
 }
+
+
+variable "zone_id" {
+  description = "Route 53 hosted zone ID for the everclear.ninja domain"
+  default     = "Z0605920184MNEP9DVKIX"
+}
+
+variable "cert_arn" {
+  description = "ACM certificate"
+  default = "arn:aws:acm:ap-northeast-1:679752396206:certificate/0c43e36e-702c-4623-94d1-4d2a1cdfa302"
+}

ops/modules/service/main.tf

@@ -23,6 +23,7 @@ resource "aws_ecs_task_definition" "service" {
       image        = var.docker_image
       essential    = true
       environment  = concat(var.container_env_vars, [{ name = "DD_SERVICE", value = var.container_family }])
+      entrypoint   = var.entrypoint
       portMappings = [
         {
           containerPort = var.container_port
@@ -103,7 +104,16 @@ resource "aws_ecs_service" "service" {
 
   network_configuration {
     security_groups = var.service_security_groups
-    subnets         = var.lb_subnets
+    subnets         = var.task_subnets
+  }
+
+  dynamic "load_balancer" {
+    for_each = var.create_alb ? [1] : []
+    content {
+      target_group_arn = aws_alb_target_group.front_end[0].arn
+      container_name   = var.container_family
+      container_port   = var.container_port
+    }
   }
 
   service_registries {
@@ -119,6 +129,104 @@ resource "aws_ecs_service" "service" {
   lifecycle {
     create_before_destroy = true
   }
+
+  depends_on = [
+    aws_cloudwatch_log_group.service,
+    aws_alb.lb,
+    aws_alb_target_group.front_end
+  ]
+}
+
+resource "aws_alb" "lb" {
+  count                      = var.create_alb ? 1 : 0
+  name                       = "${var.container_family}-${var.environment}-${var.stage}"
+  internal                   = var.internal_lb
+  security_groups            = [aws_security_group.lb[0].id]
+  subnets                    = var.lb_subnets
+  enable_deletion_protection = false
+  idle_timeout               = var.timeout
+  
+  tags = {
+    Name        = "${var.container_family}-${var.environment}-${var.stage}"
+    Environment = var.environment
+    Stage       = var.stage
+    Domain      = var.domain
+  }
+}
+
+resource "aws_alb_target_group" "front_end" {
+  count       = var.create_alb ? 1 : 0
+  name        = "${var.container_family}-${var.environment}-${var.stage}"
+  port        = var.loadbalancer_port
+  protocol    = "HTTP"
+  vpc_id      = var.vpc_id
+  target_type = "ip"
+
+  health_check {
+    path                = var.health_check_settings.path
+    matcher             = var.health_check_settings.matcher
+    interval            = var.health_check_settings.interval
+    timeout             = var.health_check_settings.timeout
+    healthy_threshold   = var.health_check_settings.healthy_threshold
+    unhealthy_threshold = var.health_check_settings.unhealthy_threshold
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [aws_alb.lb]
+}
+
+resource "aws_lb_listener" "https" {
+  count             = var.create_alb ? 1 : 0
+  load_balancer_arn = aws_alb.lb[0].arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = var.cert_arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.front_end[0].arn
+  }
+
+  depends_on = [aws_alb.lb, aws_alb_target_group.front_end]
+}
+
+resource "aws_security_group" "lb" {
+  count       = var.create_alb ? 1 : 0
+  name        = "${var.container_family}-alb-${var.environment}-${var.stage}"
+  description = "Controls access to the ALB"
+  vpc_id      = var.vpc_id
+
+  # Allow all egress
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name        = "${var.container_family}-alb-${var.environment}-${var.stage}"
+    Environment = var.environment
+    Stage       = var.stage
+    Domain      = var.domain
+  }
+}
+
+resource "aws_route53_record" "alb" {
+  count   = var.create_alb ? 1 : 0
+  zone_id = var.zone_id
+  name    = "${var.container_family}.${var.domain}"
+  type    = "A"
+
+  alias {
+    name                   = aws_alb.lb[0].dns_name
+    zone_id               = aws_alb.lb[0].zone_id
+    evaluate_target_health = true
+  }
 }
 
 data "aws_service_discovery_dns_namespace" "namespace" {
@@ -146,3 +254,36 @@ resource "aws_service_discovery_service" "service" {
     create_before_destroy = true
   }
 }
+
+resource "aws_security_group_rule" "alb_https" {
+  count             = var.create_alb ? 1 : 0
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = var.ingress_cdir_blocks
+  security_group_id = aws_security_group.lb[0].id
+  description       = "Allow HTTPS inbound traffic"
+}
+
+resource "aws_security_group_rule" "alb_to_container" {
+  count                    = var.create_alb ? 1 : 0
+  type                     = "egress"
+  from_port                = var.container_port
+  to_port                  = var.container_port
+  protocol                 = "tcp"
+  source_security_group_id = var.service_security_groups[0]
+  security_group_id        = aws_security_group.lb[0].id
+  description             = "Allow outbound traffic to container"
+}
+
+resource "aws_security_group_rule" "container_from_alb" {
+  count                    = var.create_alb ? 1 : 0
+  type                     = "ingress"
+  from_port                = var.container_port
+  to_port                  = var.container_port
+  protocol                 = "tcp"
+  source_security_group_id = aws_security_group.lb[0].id
+  security_group_id        = var.service_security_groups[0]
+  description             = "Allow inbound traffic from ALB"
+}

ops/modules/service/outputs.tf

@@ -10,5 +10,34 @@ output "task_definition_arn" {
 
 output "service_url" {
   description = "URL of the service"
-  value       = "${aws_service_discovery_service.service.name}.${data.aws_service_discovery_dns_namespace.namespace.name}"
+  value       = var.create_alb ? "${var.container_family}.${var.domain}" : "${aws_service_discovery_service.service.name}.${data.aws_service_discovery_dns_namespace.namespace.name}"
+}
+
+output "alb_dns_name" {
+  description = "DNS name of the ALB"
+  value       = var.create_alb ? aws_alb.lb[0].dns_name : null
+}
+
+output "alb_zone_id" {
+  description = "Zone ID of the ALB"
+  value       = var.create_alb ? aws_alb.lb[0].zone_id : null
+}
+
+output "route53_debug" {
+  description = "Debug information for Route53"
+  value = {
+    zone_id = var.zone_id
+    domain = var.domain
+    alb_dns_name = var.create_alb ? aws_alb.lb[0].dns_name : null
+    alb_zone_id = var.create_alb ? aws_alb.lb[0].zone_id : null
+    record_name = var.create_alb ? "${var.container_family}.${var.domain}" : null
+  }
+}
+
+output "debug_info" {
+  description = "Debug information"
+  value = {
+    alb_sg_id = var.create_alb ? aws_security_group.lb[0].id : null
+    ecs_sg_id = var.service_security_groups[0]
+  }
 }