From 9ff173195575894b3db1defe38671d18005b4425 Mon Sep 17 00:00:00 2001
From: carlomazzaferro
Date: Fri, 6 Oct 2023 15:17:48 +0100
Subject: [PATCH 1/5] feat: flow logs + networking improvements
---
 ops/modules/ecs/variables.tf | 10 ------
 ops/modules/iam/vpc.tf | 21 +++++++++++
 ops/modules/lambda/main.tf | 2 +-
 ops/modules/lambda/variables.tf | 7 +---
 ops/modules/networking/main.tf | 20 +++++++++++
 ops/modules/s3/vpc.tf | 28 +++++++++++++++
 ops/modules/service/main.tf | 5 +--
 ops/modules/service/variables.tf | 4 ---
 ops/testnet/staging/backend/main.tf | 5 ---
 ops/testnet/staging/core/main.tf | 56 ++++++++--------------------
 10 files changed, 89 insertions(+), 69 deletions(-)
 create mode 100644 ops/modules/iam/vpc.tf
 create mode 100644 ops/modules/s3/vpc.tf
diff --git a/ops/modules/ecs/variables.tf b/ops/modules/ecs/variables.tf
index 314f5b1417..072313a89b 100755
--- a/ops/modules/ecs/variables.tf
+++ b/ops/modules/ecs/variables.tf
@@ -1,16 +1,6 @@
 variable "ecs_cluster_name_prefix" {
 }
 
-variable "private_subnets" {
- type = list(string)
-}
-
-variable "public_subnets" {
- type = list(string)
-}
-
-variable "vpc_id" {}
-
 variable "domain" {
 description = "domain of deployment"
 }
diff --git a/ops/modules/iam/vpc.tf b/ops/modules/iam/vpc.tf
new file mode 100644
index 0000000000..52e724b168
--- /dev/null
+++ b/ops/modules/iam/vpc.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_role" "vpc_flow_logs" {
+ name = "vpc_flow_logs"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "vpc.amazonaws.com"
+ }
+ Action = "sts:AssumeRole"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "vpc_flow_logs" {
+ policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+ role = aws_iam_role.vpc_flow_logs.name
+}
\ No newline at end of file
diff --git a/ops/modules/lambda/main.tf b/ops/modules/lambda/main.tf
index 359290d2ad..e741c99240 100644
--- a/ops/modules/lambda/main.tf
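Review bot: The new role in ops/modules/iam/vpc.tf attaches the AWS-managed `AmazonS3FullAccess` policy, which grants read, write and delete on every bucket in the account, far beyond what a flow-log delivery role needs; flow logs written to an S3 destination are authorized by a bucket policy for the log delivery service rather than by `iam_role_arn`, which only applies to CloudWatch Logs destinations. The trust policy also names `vpc.amazonaws.com`, whereas the VPC Flow Logs service principal (the one PATCH 3/5 of this series switches to) is `vpc-flow-logs.amazonaws.com`. If a role is kept, replace the managed policy with an inline policy limited to `s3:PutObject` on the flow-logs bucket prefix. PATCH 3/5 rewrites this file entirely, so squashing the series would avoid ever applying the broad grant.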
+++ b/ops/modules/lambda/main.tf
@@ -55,7 +55,7 @@ resource "aws_lambda_function" "executable" {
 dynamic "vpc_config" {
 for_each = var.lambda_in_vpc ? [1] : []
 content {
- subnet_ids = var.private_subnets
+ subnet_ids = var.subnet_ids
 security_group_ids = var.lambda_security_groups
 }
 }
diff --git a/ops/modules/lambda/variables.tf b/ops/modules/lambda/variables.tf
index f155f9f0c3..2ba41c7634 100644
--- a/ops/modules/lambda/variables.tf
+++ b/ops/modules/lambda/variables.tf
@@ -56,12 +56,7 @@ variable "lambda_in_vpc" {
 default = false
 }
 
-variable "public_subnets" {
- type = list(string)
- default = []
-}
-
-variable "private_subnets" {
+variable "subnet_ids" {
 type = list(string)
 default = []
 }
diff --git a/ops/modules/networking/main.tf b/ops/modules/networking/main.tf
index 3dfc7ad361..42582b76d2 100755
--- a/ops/modules/networking/main.tf
+++ b/ops/modules/networking/main.tf
@@ -1,5 +1,17 @@
 data "aws_availability_zones" "available" {}
 
+data "aws_iam_role" "vpc_flow_logs" {
+ name = "vpc_flow_logs"
+}
+
+data "aws_s3_bucket" "vpc_flow_logs_bucket" {
+ bucket = "all-vpcs-flow-logs-bucket"
+}
+
+data "aws_iam_role" "ecr_admin_role" {
+ name = "vpc_flow_logs"
+}
+
 resource "aws_vpc" "main" {
 cidr_block = var.cidr_block
 enable_dns_hostnames = true
@@ -117,3 +129,11 @@ resource "aws_security_group" "allow_tls" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 }
+
+
+resource "aws_flow_log" "vpc_flow_logs" {
+ iam_role_arn = data.aws_iam_role.vpc_flow_logs.arn
+ log_destination = data.aws_s3_bucket.vpc_flow_logs_bucket.arn
+ traffic_type = "ALL"
+ vpc_id = aws_vpc.my_vpc.id
+}
diff --git a/ops/modules/s3/vpc.tf b/ops/modules/s3/vpc.tf
new file mode 100644
index 0000000000..5c80976c12
--- /dev/null
+++ b/ops/modules/s3/vpc.tf
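Review bot: `vpc_id = aws_vpc.my_vpc.id` in the new `aws_flow_log` references a resource that does not exist in this module — the VPC is declared as `aws_vpc.main` in the first hunk — so the plan fails until PATCH 3/5 corrects it to `vpc_id = aws_vpc.main.id`. The data source `data "aws_iam_role" "ecr_admin_role"` in the first hunk looks up `name = "vpc_flow_logs"`, which reads as a copy-paste of the block above it and is removed again in PATCH 3/5. An S3 `log_destination` also does not use `iam_role_arn`; delivery is authorized by a bucket policy for the log delivery service, and none is added for `all-vpcs-flow-logs-bucket` in this patch.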
@@ -0,0 +1,28 @@
+resource "aws_s3_bucket" "vpc_flow_logs" {
+ bucket = "all-vpcs-flow-logs-bucket"
+ acl = "private"
+
+ versioning {
+ enabled = true
+ }
+
+ lifecycle {
+ prevent_destroy = true
+
+ rule {
+ id = "expire-old-logs"
+ status = "Enabled"
+ prefix = ""
+ enabled = true
+
+ transitions {
+ days = 30
+ storage_class = "GLACIER"
+ }
+
+ expiration {
+ days = 365
+ }
+ }
+ }
+}
diff --git a/ops/modules/service/main.tf b/ops/modules/service/main.tf
index 4a31cb0377..de8272bccf 100755
--- a/ops/modules/service/main.tf
+++ b/ops/modules/service/main.tf
@@ -125,8 +125,9 @@ resource "aws_ecs_service" "service" {
 task_definition = "${aws_ecs_task_definition.service.family}:${max("${aws_ecs_task_definition.service.revision}", "${aws_ecs_task_definition.service.revision}")}"
 
 network_configuration {
- security_groups = flatten([var.service_security_groups, aws_security_group.lb.id])
- subnets = var.private_subnets
+ security_groups = flatten([var.service_security_groups, aws_security_group.lb.id])
+ subnets = var.lb_subnets
+ assign_public_ip = var.internal_lb ? false : true
 }
 
 load_balancer {
diff --git a/ops/modules/service/variables.tf b/ops/modules/service/variables.tf
index 2a4486560f..5f7137a8f2 100755
--- a/ops/modules/service/variables.tf
+++ b/ops/modules/service/variables.tf
@@ -2,10 +2,6 @@ variable "execution_role_arn" {}
 variable "cluster_id" {}
 variable "vpc_id" {}
 
-variable "private_subnets" {
- type = list(string)
-}
-
 variable "lb_subnets" {
 type = list(string)
 }
diff --git a/ops/testnet/staging/backend/main.tf b/ops/testnet/staging/backend/main.tf
index f96d2182f7..24c3d62e2c 100755
--- a/ops/testnet/staging/backend/main.tf
+++ b/ops/testnet/staging/backend/main.tf
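Review bot: The `lifecycle { prevent_destroy = true rule { … } }` block in ops/modules/s3/vpc.tf mixes the Terraform `lifecycle` meta-argument, which accepts `prevent_destroy`, with S3 lifecycle rules, which it does not accept; expiry and transition rules belong in the provider's `lifecycle_rule` block (with `transition`, not `transitions`) or in a separate `aws_s3_bucket_lifecycle_configuration` resource depending on the provider version in use, so this file will not validate as written. As a flow-log sink the bucket also has no `aws_s3_bucket_public_access_block`, no server-side encryption configuration, and no bucket policy permitting the log delivery service to write, so delivery would fail even once the syntax is fixed. The file is deleted in PATCH 3/5 in favour of CloudWatch Logs.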
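Review bot: `assign_public_ip = var.internal_lb ? false : true` together with `subnets = var.lb_subnets` gives every task of an externally-facing service a public IP in the load balancer's subnets, and since the task ENI also carries `aws_security_group.lb.id`, whatever the LB security group admits from the Internet reaches the container directly instead of only through the load balancer. Keeping tasks in private subnets (distinct from `lb_subnets`) with NAT egress and `assign_public_ip = false` preserves the LB as the only ingress path. The expression reduces to `assign_public_ip = !var.internal_lb`, and the re-emitted `security_groups` line appears to differ only in alignment. The `aws_ecs_service` resource continues outside the hunk.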
@@ -73,7 +73,6 @@ module "postgrest" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 internal_lb = false
 docker_image = "postgrest/postgrest:v10.0.0.20221011"
@@ -102,7 +101,6 @@ module "sdk-server" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 internal_lb = false
 docker_image = var.full_image_name_sdk_server
@@ -254,7 +252,4 @@ module "ecs" {
 environment = var.environment
 domain = var.domain
 ecs_cluster_name_prefix = "nxtp-ecs"
- vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
- public_subnets = module.network.public_subnets
 }
diff --git a/ops/testnet/staging/core/main.tf b/ops/testnet/staging/core/main.tf
index 39cd68eabc..92d585a5f8 100755
--- a/ops/testnet/staging/core/main.tf
+++ b/ops/testnet/staging/core/main.tf
@@ -32,7 +32,6 @@ module "router_subscriber" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 internal_lb = false
 docker_image = var.full_image_name_router_subscriber
@@ -62,7 +61,6 @@ module "router_publisher" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 internal_lb = false
 docker_image = var.full_image_name_router_publisher
@@ -92,7 +90,6 @@ module "router_executor" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 internal_lb = false
 docker_image = var.full_image_name_router_executor
@@ -122,7 +119,6 @@ module "router_web3signer" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 docker_image = "ghcr.io/connext/web3signer:latest"
 container_family = "router-web3signer"
@@ -167,7 +163,6 @@ module "sequencer_server" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 docker_image = var.full_image_name_sequencer_server
 container_family = "sequencer-server"
@@ -196,7 +191,6 @@ module "sequencer_publisher" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 docker_image = var.full_image_name_sequencer_publisher
 container_family = "sequencer-publisher"
@@ -236,7 +230,6 @@ module "sequencer_subscriber" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 internal_lb = false
 docker_image = var.full_image_name_sequencer_subscriber
@@ -262,8 +255,8 @@ module "sequencer_subscriber_auto_scaling" {
 domain = var.domain
 ecs_service_name = module.sequencer_subscriber.service_name
 ecs_cluster_name = module.ecs.ecs_cluster_name
- min_capacity = 10
- max_capacity = 300
+ min_capacity = 5
+ max_capacity = 5
 }
 
 module "sequencer_web3signer" {
@@ -277,8 +270,7 @@ module "sequencer_web3signer" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
- lb_subnets = module.network.public_subnets
+ lb_subnets = module.network.private_subnets
 docker_image = "ghcr.io/connext/web3signer:latest"
 container_family = "sequencer-web3signer"
 health_check_path = "/upcheck"
@@ -307,7 +299,6 @@ module "lighthouse_prover_subscriber" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 internal_lb = false
 docker_image = var.full_image_name_lighthouse_prover_subscriber
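Review bot: Moving `lb_subnets` for `sequencer_web3signer` to `module.network.private_subnets` is the right direction for a key-signing service, but with this series' change to ops/modules/service/main.tf the same variable now also selects the task subnets and `assign_public_ip` is derived from `var.internal_lb`; `internal_lb` is not set in the visible lines of this module block, so unless the module's default is `true` the tasks would be launched in private subnets with a public IP requested, which should be pinned explicitly with `internal_lb = true`. The same applies to `relayer_web3signer` and `watcher_web3signer` later in this file and to `router_web3signer` in PATCH 5/5. The module block continues outside the hunk.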
@@ -326,26 +317,16 @@ module "lighthouse_prover_subscriber" {
 container_env_vars = concat(local.lighthouse_prover_subscriber_env_vars, [{ name = "LIGHTHOUSE_SERVICE", value = "prover-sub" }])
 }
 module "lighthouse_prover_subscriber_auto_scaling" {
- source = "../../../modules/auto-scaling"
- stage = var.stage
- environment = var.environment
- domain = var.domain
- ecs_service_name = module.lighthouse_prover_subscriber.service_name
- ecs_cluster_name = module.ecs.ecs_cluster_name
- min_capacity = 10
- max_capacity = 300
-}
-
-module "lighthouse_prover_cron" {
- source = "../../../modules/lambda"
- ecr_repository_name = "nxtp-lighthouse"
- docker_image_tag = var.lighthouse_image_tag
- container_family = "lighthouse-prover"
- environment = var.environment
- stage = var.stage
- container_env_vars = merge(local.lighthouse_env_vars, { LIGHTHOUSE_SERVICE = "prover" })
- schedule_expression = "rate(30 minutes)"
- memory_size = 512
+ source = "../../../modules/auto-scaling"
+ stage = var.stage
+ environment = var.environment
+ domain = var.domain
+ ecs_service_name = module.lighthouse_prover_subscriber.service_name
+ ecs_cluster_name = module.ecs.ecs_cluster_name
+ min_capacity = 2
+ max_capacity = 5
+ avg_cpu_utilization_target = 10
+ avg_mem_utilization_target = 15
 }
 
 module "lighthouse_process_from_root_cron" {
@@ -396,7 +377,6 @@ module "relayer" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 docker_image = var.full_image_name_relayer
 container_family = "relayer"
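Review bot: The removal of the `lighthouse_prover_cron` Lambda module and the new 2–5 capacity range with `avg_cpu_utilization_target = 10` on `lighthouse_prover_subscriber_auto_scaling` are unrelated to the commit subject "feat: flow logs + networking improvements" and are reverted wholesale in PATCH 2/5; a scheduled job silently disappearing inside a networking change is easy to miss in review. Keeping capacity and scheduling changes in their own commit, or dropping them from this series, leaves the flow-logs change reviewable on its own.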
@@ -426,8 +406,7 @@ module "relayer_web3signer" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
- lb_subnets = module.network.public_subnets
+ lb_subnets = module.network.private_subnets
 docker_image = "ghcr.io/connext/web3signer:latest"
 container_family = "relayer-web3signer"
 health_check_path = "/upcheck"
@@ -456,7 +435,6 @@ module "watcher" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
 lb_subnets = module.network.public_subnets
 docker_image = var.full_image_name_watcher
 container_family = "watcher"
@@ -486,8 +464,7 @@ module "watcher_web3signer" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
- lb_subnets = module.network.public_subnets
+ lb_subnets = module.network.private_subnets
 docker_image = "ghcr.io/connext/web3signer:latest"
 container_family = "watcher-web3signer"
 health_check_path = "/upcheck"
@@ -530,9 +507,6 @@ module "ecs" {
 environment = var.environment
 domain = var.domain
 ecs_cluster_name_prefix = "nxtp-ecs"
- vpc_id = module.network.vpc_id
- private_subnets = module.network.private_subnets
- public_subnets = module.network.public_subnets
 }
 
 module "sequencer_cache" {
From 1234b069849890a4d619cbcf57e6b5242d3ef287 Mon Sep 17 00:00:00 2001
From: carlomazzaferro
Date: Fri, 6 Oct 2023 15:41:00 +0100
Subject: [PATCH 2/5] fix: roll back minor changes
---
 ops/testnet/staging/core/main.tf | 35 +++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 12 deletions(-)
diff --git a/ops/testnet/staging/core/main.tf b/ops/testnet/staging/core/main.tf
index 92d585a5f8..e9fb65e01b 100755
--- a/ops/testnet/staging/core/main.tf
+++ b/ops/testnet/staging/core/main.tf
@@ -255,8 +255,8 @@ module "sequencer_subscriber_auto_scaling" {
 domain = var.domain
 ecs_service_name = module.sequencer_subscriber.service_name
 ecs_cluster_name = module.ecs.ecs_cluster_name
- min_capacity = 5
- max_capacity = 5
+ min_capacity = 10
+ max_capacity = 300
 }
 
 module "sequencer_web3signer" {
@@ -316,17 +316,28 @@ module "lighthouse_prover_subscriber" {
 cert_arn = var.certificate_arn_testnet
 container_env_vars = concat(local.lighthouse_prover_subscriber_env_vars, [{ name = "LIGHTHOUSE_SERVICE", value = "prover-sub" }])
 }
+
 module "lighthouse_prover_subscriber_auto_scaling" {
- source = "../../../modules/auto-scaling"
- stage = var.stage
- environment = var.environment
- domain = var.domain
- ecs_service_name = module.lighthouse_prover_subscriber.service_name
- ecs_cluster_name = module.ecs.ecs_cluster_name
- min_capacity = 2
- max_capacity = 5
- avg_cpu_utilization_target = 10
- avg_mem_utilization_target = 15
+ source = "../../../modules/auto-scaling"
+ stage = var.stage
+ environment = var.environment
+ domain = var.domain
+ ecs_service_name = module.lighthouse_prover_subscriber.service_name
+ ecs_cluster_name = module.ecs.ecs_cluster_name
+ min_capacity = 10
+ max_capacity = 300
+}
+
+module "lighthouse_prover_cron" {
+ source = "../../../modules/lambda"
+ ecr_repository_name = "nxtp-lighthouse"
+ docker_image_tag = var.lighthouse_image_tag
+ container_family = "lighthouse-prover"
+ environment = var.environment
+ stage = var.stage
+ container_env_vars = merge(local.lighthouse_env_vars, { LIGHTHOUSE_SERVICE = "prover" })
+ schedule_expression = "rate(30 minutes)"
+ memory_size = 512
 }
 
 module "lighthouse_process_from_root_cron" {
From 57aeb37dc91eba39e5aa1e597e894b6498fd8b9b Mon Sep 17 00:00:00 2001
From: carlomazzaferro
Date: Wed, 11 Oct 2023 14:02:55 +0100
Subject: [PATCH 3/5] fix: vpc flow logs improvements
---
 ops/infra/outputs.tf | 5 +++-
 ops/modules/iam/outputs.tf | 4 +++
 ops/modules/iam/vpc.tf | 52 +++++++++++++++++++++++-----------
 ops/modules/networking/main.tf | 17 ++++------
 ops/modules/s3/vpc.tf | 28 ------------------
 5 files changed, 49 insertions(+), 57 deletions(-)
 delete mode 100644 ops/modules/s3/vpc.tf
diff --git a/ops/infra/outputs.tf b/ops/infra/outputs.tf
index e7eeb0640d..8551ae7f29 100644
--- a/ops/infra/outputs.tf
+++ b/ops/infra/outputs.tf
@@ -1,4 +1,7 @@
-
 output "ecr_admin_role" {
 value = module.iam.execution_role_arn
 }
+
+output "vpc_flow_logs_role" {
+ value = module.iam.vpc_flow_logs_role_arn
+}
diff --git a/ops/modules/iam/outputs.tf b/ops/modules/iam/outputs.tf
index 21345e30fb..903eb56e64 100755
--- a/ops/modules/iam/outputs.tf
+++ b/ops/modules/iam/outputs.tf
@@ -1,3 +1,7 @@
 output "execution_role_arn" {
 value = aws_iam_role.ecr_admin_role.arn
 }
+
+output "vpc_flow_logs_role_arn" {
+ value = aws_iam_role.vpc_flow_logs_role.arn
+}
diff --git a/ops/modules/iam/vpc.tf b/ops/modules/iam/vpc.tf
index 52e724b168..622fbf6f42 100644
--- a/ops/modules/iam/vpc.tf
+++ b/ops/modules/iam/vpc.tf
@@ -1,21 +1,39 @@
-resource "aws_iam_role" "vpc_flow_logs" {
- name = "vpc_flow_logs"
+data "aws_iam_policy_document" "assume_role_policy_document" {
+ statement {
+ effect = "Allow"
 
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Principal = {
- Service = "vpc.amazonaws.com"
- }
- Action = "sts:AssumeRole"
- }
+ principals {
+ type = "Service"
+ identifiers = ["vpc-flow-logs.amazonaws.com"]
+ }
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "vpc_flow_logs_role" {
+ name = "vpc_flow_logs_role"
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json
+}
+
+data "aws_iam_policy_document" "aws_logs_policy" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "logs:DescribeLogGroups",
+ "logs:DescribeLogStreams",
 ]
- })
+
+ resources = ["*"]
+ }
 }
 
-resource "aws_iam_role_policy_attachment" "vpc_flow_logs" {
- policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
- role = aws_iam_role.vpc_flow_logs.name
-}
\ No newline at end of file
+resource "aws_iam_role_policy" "vpc_flow_logs_policy" {
+ name = "vpc_flow_logs_policy"
+ role = aws_iam_role.vpc_flow_logs_role.id
+ policy = data.aws_iam_policy_document.aws_logs_policy.json
+}
diff --git a/ops/modules/networking/main.tf b/ops/modules/networking/main.tf
index 42582b76d2..269460b042 100755
--- a/ops/modules/networking/main.tf
+++ b/ops/modules/networking/main.tf
@@ -1,15 +1,7 @@
 data "aws_availability_zones" "available" {}
 
 data "aws_iam_role" "vpc_flow_logs" {
- name = "vpc_flow_logs"
-}
-
-data "aws_s3_bucket" "vpc_flow_logs_bucket" {
- bucket = "all-vpcs-flow-logs-bucket"
-}
-
-data "aws_iam_role" "ecr_admin_role" {
- name = "vpc_flow_logs"
+ name = "vpc_flow_logs_role"
 }
 
 resource "aws_vpc" "main" {
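Review bot: `resources = ["*"]` in `aws_logs_policy` lets the flow-logs role create and write to any log group or stream in the account; since the destination log group is created by Terraform in ops/modules/networking/main.tf in this same patch, the policy can drop `logs:CreateLogGroup` and scope the write actions to that group's ARN pattern, e.g. `resources = ["arn:aws:logs:*:*:log-group:vpc-flow-logs-*:*"]` (a constructed pattern from the log group name prefix), keeping a separate statement on `"*"` only for `logs:DescribeLogGroups`, which does not support resource-level permissions. Replacing the `AmazonS3FullAccess` attachment with an inline logs policy and correcting the trust principal to `vpc-flow-logs.amazonaws.com` are both improvements over PATCH 1/5. A one-line comment on `assume_role_policy_document` stating that only the VPC Flow Logs service may assume the role would help the next reader.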
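Review bot: `data "aws_iam_role" "vpc_flow_logs"` resolves the role by its hard-coded name `vpc_flow_logs_role`, which creates an implicit apply-order dependency on the iam module (the lookup errors when networking is planned before the role exists) and binds to whichever role carries that name. This patch already exposes `module.iam.vpc_flow_logs_role_arn` in ops/infra/outputs.tf, so passing the ARN into the networking module, e.g. `variable "vpc_flow_logs_role_arn" {}` and `iam_role_arn = var.vpc_flow_logs_role_arn`, makes the dependency explicit and removes the name coupling.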
@@ -130,10 +122,13 @@ resource "aws_security_group" "allow_tls" {
 }
 }
 
 
+resource "aws_cloudwatch_log_group" "flow_logs_log_group" {
+ name = "vpc-flow-logs-${var.environment}-${var.stage}-${var.domain}"
+}
 resource "aws_flow_log" "vpc_flow_logs" {
 iam_role_arn = data.aws_iam_role.vpc_flow_logs.arn
- log_destination = data.aws_s3_bucket.vpc_flow_logs_bucket.arn
+ log_destination = aws_cloudwatch_log_group.flow_logs_log_group.arn
 traffic_type = "ALL"
- vpc_id = aws_vpc.my_vpc.id
+ vpc_id = aws_vpc.main.id
 }
diff --git a/ops/modules/s3/vpc.tf b/ops/modules/s3/vpc.tf
deleted file mode 100644
index 5c80976c12..0000000000
--- a/ops/modules/s3/vpc.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-resource "aws_s3_bucket" "vpc_flow_logs" {
- bucket = "all-vpcs-flow-logs-bucket"
- acl = "private"
-
- versioning {
- enabled = true
- }
-
- lifecycle {
- prevent_destroy = true
-
- rule {
- id = "expire-old-logs"
- status = "Enabled"
- prefix = ""
- enabled = true
-
- transitions {
- days = 30
- storage_class = "GLACIER"
- }
-
- expiration {
- days = 365
- }
- }
- }
-}
From 7480659e4350d1db0e4081b29124a273d8471704 Mon Sep 17 00:00:00 2001
From: carlomazzaferro
Date: Wed, 11 Oct 2023 15:19:23 +0100
Subject: [PATCH 4/5] feat: split flow logs between private and public
---
 ops/modules/networking/main.tf | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/ops/modules/networking/main.tf b/ops/modules/networking/main.tf
index 269460b042..abd6f52b3c 100755
--- a/ops/modules/networking/main.tf
+++ b/ops/modules/networking/main.tf
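Review bot: `aws_cloudwatch_log_group.flow_logs_log_group` sets no `retention_in_days`, so every connection record for the VPC is kept indefinitely by default, and no `kms_key_id`, so the logs rest under the service-managed key; set an explicit retention matching the incident-response window, e.g. `retention_in_days = 90` (example value), and consider a customer-managed key for a log this sensitive. Correcting `aws_vpc.my_vpc` to `aws_vpc.main` fixes the broken reference introduced in PATCH 1/5. With ops/modules/s3/vpc.tf deleted in the next hunk, nothing in this series should still refer to `all-vpcs-flow-logs-bucket`; the data source for it is removed in the first hunk of this file.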
@@ -122,13 +122,28 @@ resource "aws_security_group" "allow_tls" {
 }
 }
 
 
-resource "aws_cloudwatch_log_group" "flow_logs_log_group" {
- name = "vpc-flow-logs-${var.environment}-${var.stage}-${var.domain}"
+resource "aws_cloudwatch_log_group" "flow_logs_log_group_private_subnets" {
+ count = var.az_count
+ name = "vpc-flow-logs-${var.environment}-${var.stage}-${var.domain}-private-${count.index}"
 }
-resource "aws_flow_log" "vpc_flow_logs" {
+resource "aws_cloudwatch_log_group" "flow_logs_log_group_public_subnets" {
+ count = var.az_count
+ name = "vpc-flow-logs-${var.environment}-${var.stage}-${var.domain}-public-${count.index}"
+}
+
+resource "aws_flow_log" "vpc_flow_logs_private_subnets" {
+ count = var.az_count
+ iam_role_arn = data.aws_iam_role.vpc_flow_logs.arn
+ log_destination = aws_cloudwatch_log_group.flow_logs_log_group_private_subnets[count.index].arn
+ traffic_type = "ALL"
+ subnet_id = aws_subnet.private[count.index].id
+}
+
+resource "aws_flow_log" "vpc_flow_logs_public_subnets" {
+ count = var.az_count
 iam_role_arn = data.aws_iam_role.vpc_flow_logs.arn
- log_destination = aws_cloudwatch_log_group.flow_logs_log_group.arn
+ log_destination = aws_cloudwatch_log_group.flow_logs_log_group_public_subnets[count.index].arn
 traffic_type = "ALL"
- vpc_id = aws_vpc.main.id
+ subnet_id = aws_subnet.main[count.index].id
 }
From b4e632f20861af9974fa2d975d152e73de072829 Mon Sep 17 00:00:00 2001
From: carlomazzaferro
Date: Wed, 11 Oct 2023 15:35:28 +0100
Subject: [PATCH 5/5] fix: private subnet for router web3signer
---
 ops/testnet/staging/core/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ops/testnet/staging/core/main.tf b/ops/testnet/staging/core/main.tf
index e9fb65e01b..cee1b38dbb 100755
--- a/ops/testnet/staging/core/main.tf
+++ b/ops/testnet/staging/core/main.tf
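Review bot: Replacing the single VPC-level `aws_flow_log` with per-subnet logs narrows coverage: only the subnets in `aws_subnet.private` and `aws_subnet.main` up to `var.az_count` are captured, whereas `vpc_id = aws_vpc.main.id` captured every ENI in the VPC, so traffic in any other subnet is no longer logged. If the goal is per-subnet log groups, keeping the VPC-level flow log alongside them costs little and preserves complete coverage for detection. The public variant reads `subnet_id = aws_subnet.main[count.index].id` while its log group is named `public`; presumably `aws_subnet.main` is the public subnet resource (declared outside this hunk), which is worth confirming or renaming for symmetry with `aws_subnet.private`. Both new log groups again set no `retention_in_days`.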
@@ -119,7 +119,7 @@ module "router_web3signer" {
 execution_role_arn = data.aws_iam_role.ecr_admin_role.arn
 cluster_id = module.ecs.ecs_cluster_id
 vpc_id = module.network.vpc_id
- lb_subnets = module.network.public_subnets
+ lb_subnets = module.network.private_subnets
 docker_image = "ghcr.io/connext/web3signer:latest"
 container_family = "router-web3signer"
 health_check_path = "/upcheck"