From 8586a0c7e5b43df31025408ef0822999bdba64f9 Mon Sep 17 00:00:00 2001
From: carlomazzaferro <carlo.mazzaferro@gmail.com>
Date: Mon, 16 Oct 2023 11:26:35 +0200
Subject: [PATCH] fix: networking mainnet fixes and ecr lcps

---
 ops/mainnet/prod/backend/main.tf |  5 --
 ops/mainnet/prod/core/main.tf    | 31 ++++---------
 ops/modules/ecr-lcp/main.tf      | 77 +++++++++++++++++++++++++++++++
 ops/modules/ecr-lcp/variables.tf |  4 ++
 ops/modules/ecr/main.tf          | 79 --------------------------------
 ops/testnet/prod/core/main.tf    |  5 ++
 ops/testnet/staging/core/main.tf |  6 +++
 7 files changed, 102 insertions(+), 105 deletions(-)
 create mode 100644 ops/modules/ecr-lcp/main.tf
 create mode 100644 ops/modules/ecr-lcp/variables.tf

diff --git a/ops/mainnet/prod/backend/main.tf b/ops/mainnet/prod/backend/main.tf
index 4f9f4abb8d..de202329b3 100755
--- a/ops/mainnet/prod/backend/main.tf
+++ b/ops/mainnet/prod/backend/main.tf
@@ -121,7 +121,6 @@ module "postgrest" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   internal_lb              = false
   docker_image             = "postgrest/postgrest:v10.0.0.20221011"
@@ -150,7 +149,6 @@ module "sdk-server" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   internal_lb              = false
   docker_image             = var.full_image_name_sdk_server
@@ -304,7 +302,4 @@ module "ecs" {
   environment             = var.environment
   domain                  = var.domain
   ecs_cluster_name_prefix = "nxtp-ecs"
-  vpc_id                  = module.network.vpc_id
-  private_subnets         = module.network.private_subnets
-  public_subnets          = module.network.public_subnets
 }
diff --git a/ops/mainnet/prod/core/main.tf b/ops/mainnet/prod/core/main.tf
index 323024c32b..ce96035080 100755
--- a/ops/mainnet/prod/core/main.tf
+++ b/ops/mainnet/prod/core/main.tf
@@ -34,7 +34,6 @@ module "router_subscriber" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   internal_lb              = false
   docker_image             = var.full_image_name_router_subscriber
@@ -64,7 +63,6 @@ module "router_publisher" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   internal_lb              = false
   docker_image             = var.full_image_name_router_publisher
@@ -94,7 +92,6 @@ module "router_executor" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   internal_lb              = false
   docker_image             = var.full_image_name_router_executor
@@ -124,8 +121,7 @@ module "router_web3signer" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
-  lb_subnets               = module.network.public_subnets
+  lb_subnets               = module.network.private_subnets
   docker_image             = "ghcr.io/connext/web3signer:latest"
   container_family         = "router-web3signer"
   health_check_path        = "/upcheck"
@@ -167,7 +163,6 @@ module "sequencer_server" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   docker_image             = var.full_image_name_sequencer_server
   container_family         = "sequencer"
@@ -196,7 +191,6 @@ module "sequencer_publisher" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   docker_image             = var.full_image_name_sequencer_publisher
   container_family         = "sequencer-publisher"
@@ -236,7 +230,6 @@ module "sequencer_subscriber" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   internal_lb              = false
   docker_image             = var.full_image_name_sequencer_subscriber
@@ -278,8 +271,7 @@ module "sequencer_web3signer" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
-  lb_subnets               = module.network.public_subnets
+  lb_subnets               = module.network.private_subnets
   docker_image             = "ghcr.io/connext/web3signer:latest"
   container_family         = "sequencer-web3signer"
   health_check_path        = "/upcheck"
@@ -311,7 +303,7 @@ module "lighthouse_prover_cron" {
   timeout                = 300
   memory_size            = 10240
   lambda_in_vpc          = true
-  private_subnets        = module.network.private_subnets
+  subnet_ids             = module.network.private_subnets
   lambda_security_groups = flatten([module.network.allow_all_sg, module.network.ecs_task_sg])
 
 }
@@ -327,7 +319,6 @@ module "lighthouse_prover_subscriber" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   internal_lb              = false
   docker_image             = var.full_image_name_lighthouse_prover_subscriber
@@ -407,7 +398,6 @@ module "relayer" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   docker_image             = var.full_image_name_relayer
   container_family         = "relayer"
@@ -437,8 +427,7 @@ module "relayer_web3signer" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
-  lb_subnets               = module.network.public_subnets
+  lb_subnets               = module.network.private_subnets
   docker_image             = "ghcr.io/connext/web3signer:latest"
   container_family         = "relayer-web3signer"
   health_check_path        = "/upcheck"
@@ -467,7 +456,6 @@ module "watcher" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
   lb_subnets               = module.network.public_subnets
   docker_image             = var.full_image_name_watcher
   container_family         = "watcher"
@@ -497,8 +485,7 @@ module "watcher_web3signer" {
   execution_role_arn       = data.aws_iam_role.ecr_admin_role.arn
   cluster_id               = module.ecs.ecs_cluster_id
   vpc_id                   = module.network.vpc_id
-  private_subnets          = module.network.private_subnets
-  lb_subnets               = module.network.public_subnets
+  lb_subnets               = module.network.private_subnets
   docker_image             = "ghcr.io/connext/web3signer:latest"
   container_family         = "watcher-web3signer"
   health_check_path        = "/upcheck"
@@ -542,9 +529,6 @@ module "ecs" {
   environment             = var.environment
   domain                  = var.domain
   ecs_cluster_name_prefix = "nxtp-ecs"
-  vpc_id                  = module.network.vpc_id
-  private_subnets         = module.network.private_subnets
-  public_subnets          = module.network.public_subnets
 }
 
 module "sequencer_cache" {
@@ -593,3 +577,8 @@ module "lighthouse_cache" {
   cache_subnet_group_subnet_ids = module.network.public_subnets
   node_type                     = "cache.r4.large"
 }
+
+module "ecr-lcp" {
+  source           = "../../../modules/ecr-lcp"
+  repository_names = ["nxtp-cartographer", "nxtp-lighthouse", "postgrest"]
+}
diff --git a/ops/modules/ecr-lcp/main.tf b/ops/modules/ecr-lcp/main.tf
new file mode 100644
index 0000000000..eee1523c9c
--- /dev/null
+++ b/ops/modules/ecr-lcp/main.tf
@@ -0,0 +1,77 @@
+resource "aws_ecr_lifecycle_policy" "remove_old_images" {
+  for_each   = toset(var.repository_names)
+  repository = each.value
+
+  policy = <<EOF
+{
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Expire main images that are not the last 50",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["main-"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 50
+            },
+            "action": {
+                "type": "expire"
+            }
+        },
+        {
+            "rulePriority": 2,
+            "description": "Expire staging images that are not the last 20",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["staging-"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 20
+            },
+            "action": {
+                "type": "expire"
+            }
+        },
+        {
+            "rulePriority": 3,
+            "description": "Expire testnet-prod images that are not the last 10",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["testnet-prod-"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 10
+            },
+            "action": {
+                "type": "expire"
+            }
+        },
+        {
+            "rulePriority": 4,
+            "description": "Expire prod images that are not the last 5",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["prod-"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 5
+            },
+            "action": {
+                "type": "expire"
+            }
+        },
+        {
+            "rulePriority": 6,
+            "description": "Expire images older than 60 days",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["main-", "staging-", "testnet-prod", "prod-"],
+                "countType": "sinceImagePushed",
+                "countUnit": "days",
+                "countNumber": 180
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
+EOF
+}
diff --git a/ops/modules/ecr-lcp/variables.tf b/ops/modules/ecr-lcp/variables.tf
new file mode 100644
index 0000000000..548f62d059
--- /dev/null
+++ b/ops/modules/ecr-lcp/variables.tf
@@ -0,0 +1,4 @@
+variable "repository_names" {
+  description = "ECR repository names"
+  type        = list(string)
+}
diff --git a/ops/modules/ecr/main.tf b/ops/modules/ecr/main.tf
index 05816a5673..79ef3cb043 100644
--- a/ops/modules/ecr/main.tf
+++ b/ops/modules/ecr/main.tf
@@ -3,85 +3,6 @@ resource "aws_ecr_repository" "name" {
   name     = each.value
 }
 
-resource "aws_ecr_lifecycle_policy" "remove_old_images" {
-  for_each   = aws_ecr_repository.name
-  repository = each.value.name
-
-  policy = <<EOF
-{
-    "rules": [
-        {
-            "rulePriority": 1,
-            "description": "Expire main images that are not the last 50",
-            "selection": {
-                "tagStatus": "tagged",
-                "tagPrefixList": ["main-"],
-                "countType": "imageCountMoreThan",
-                "countNumber": 50
-            },
-            "action": {
-                "type": "expire"
-            }
-        },
-        {
-            "rulePriority": 2,
-            "description": "Expire staging images that are not the last 20",
-            "selection": {
-                "tagStatus": "tagged",
-                "tagPrefixList": ["staging-"],
-                "countType": "imageCountMoreThan",
-                "countNumber": 20
-            },
-            "action": {
-                "type": "expire"
-            }
-        },
-        {
-            "rulePriority": 3,
-            "description": "Expire testnet-prod images that are not the last 10",
-            "selection": {
-                "tagStatus": "tagged",
-                "tagPrefixList": ["testnet-prod-"],
-                "countType": "imageCountMoreThan",
-                "countNumber": 10
-            },
-            "action": {
-                "type": "expire"
-            }
-        },
-        {
-            "rulePriority": 4,
-            "description": "Expire prod images that are not the last 5",
-            "selection": {
-                "tagStatus": "tagged",
-                "tagPrefixList": ["prod-"],
-                "countType": "imageCountMoreThan",
-                "countNumber": 5
-            },
-            "action": {
-                "type": "expire"
-            }
-        },
-        {
-            "rulePriority": 6,
-            "description": "Expire images older than 60 days",
-            "selection": {
-                "tagStatus": "tagged",
-                "tagPrefixList": ["main-", "staging-", "testnet-prod", "prod-"],
-                "countType": "sinceImagePushed",
-                "countUnit": "days",
-                "countNumber": 180
-            },
-            "action": {
-                "type": "expire"
-            }
-        }
-    ]
-}
-EOF
-}
-
-
 resource "aws_ecr_replication_configuration" "this" {
   replication_configuration {
 
diff --git a/ops/testnet/prod/core/main.tf b/ops/testnet/prod/core/main.tf
index 1871a594b7..87cae9b330 100755
--- a/ops/testnet/prod/core/main.tf
+++ b/ops/testnet/prod/core/main.tf
@@ -519,3 +519,8 @@ module "lighthouse_cache" {
   cache_subnet_group_subnet_ids = module.network.public_subnets
   node_type                     = "cache.r4.large"
 }
+
+module "ecr-lcp" {
+  source           = "../../../modules/ecr-lcp"
+  repository_names = ["nxtp-cartographer", "nxtp-lighthouse", "postgrest"]
+}
diff --git a/ops/testnet/staging/core/main.tf b/ops/testnet/staging/core/main.tf
index 72c05b139c..d4be6080ac 100755
--- a/ops/testnet/staging/core/main.tf
+++ b/ops/testnet/staging/core/main.tf
@@ -565,3 +565,9 @@ module "lighthouse_cache" {
   vpc_id                        = module.network.vpc_id
   cache_subnet_group_subnet_ids = module.network.public_subnets
 }
+
+
+module "ecr-lcp" {
+  source           = "../../../modules/ecr-lcp"
+  repository_names = ["nxtp-cartographer", "nxtp-lighthouse", "postgrest"]
+}