dydxprotocol · vincentwschau · Oct 27, 2023 · Oct 27, 2023 · Oct 27, 2023 · Oct 27, 2023
@@ -74,13 +74,29 @@ resource "aws_ecr_lifecycle_policy" "lambda_services" {
 # -----------------------------------------------------------------------------
 # Full Node
 # -----------------------------------------------------------------------------
-# Data pointing to the validator ECR repository
-data "aws_ecr_repository" "validator" {
+# Data pointing to the node ECR repository
+# For test-nets ECR repositories are in us-east-2
+# For main-net ECR repositories are in ap-northeast-1
+# Provider can't be provided dynamitcally, so create separate data blocks for each region
+
+data "aws_ecr_repository" "full_node_us_east_2" {
+  count    = var.environment == "mainnet" ? 0 : 1
   provider = aws.us-east-2
   name     = var.full_node_ecr_repository_name
 }
 
-data "aws_ecr_repository" "snapshot_validator" {
+data "aws_ecr_repository" "snapshot_full_node_us_east_2" {
+  count    = var.environment == "mainnet" ? 0 : 1
   provider = aws.us-east-2
   name     = var.snapshot_full_node_ecr_repository_name
 }
+
+data "aws_ecr_repository" "full_node_ap_northeast_1" {
+  count = var.environment == "mainnet" ? 1 : 0
+  name  = var.full_node_ecr_repository_name
+}
+
+data "aws_ecr_repository" "snapshot_full_node_ap_northeast_1" {
+  count = var.environment == "mainnet" ? 1 : 0
+  name  = var.snapshot_full_node_ecr_repository_name
+}
@@ -26,7 +26,7 @@ module "full_node_ap_northeast_1" {
   datadog_api_key = var.datadog_api_key
   dd_site         = var.dd_site
 
-  ecr_repository_url = data.aws_ecr_repository.validator.repository_url
+  ecr_repository_url = local.node_ecr_repository_url
 
   ec2_instance_type = var.full_node_ec2_instance_type
 

@@ -304,3 +304,8 @@ locals {
     }
   ]
 }
+
+locals {
+  node_ecr_repository_url          = var.environment == "mainnet" ? data.aws_ecr_repository.full_node_ap_northeast_1[0].repository_url : data.aws_ecr_repository.full_node_us_east_2[0].repository_url
+  snapshot_node_ecr_repository_url = var.environment == "mainnet" ? data.aws_ecr_repository.snapshot_full_node_ap_northeast_1[0].repository_url : data.aws_ecr_repository.snapshot_full_node_us_east_2[0].repository_url
+}
@@ -12,7 +12,9 @@ resource "aws_s3_bucket" "load_balancer" {
 # TODO: refactor snapshotting full node into a separate module
 # AWS S3 bucket to store all Indexer full node snapshots
 resource "aws_s3_bucket" "indexer_full_node_snapshots" {
-  bucket = var.s3_snapshot_bucket
+  # Use account id for mainnet to avoid name collisions
+  # TODO(IND-457): Migrate files in other envs and update bucket name
+  bucket = var.environment == "mainnet" ? "${local.account_id}-${var.s3_snapshot_bucket}" : var.s3_snapshot_bucket
 
   tags = {
     Name        = "${local.account_id}-${var.environment}-full-node-snapshots"

@@ -246,22 +246,26 @@ resource "aws_security_group" "load_balancer_public" {
   name   = "${var.environment}-${var.indexers[var.region].name}-lb-public-sg"
   vpc_id = aws_vpc.main.id
 
-  # Allow all outbound ipv4 traffic.
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
   tags = {
     Name        = "${var.environment}-${var.indexers[var.region].name}-lb-public-sg"
     Environment = "${var.environment}"
   }
 }
 
+resource "aws_security_group_rule" "outbound_traffic_from_load_balancer" {
+  count             = var.public_access ? 1 : 0
+  security_group_id = aws_security_group.load_balancer_public.id
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
 # Ingress rule for HTTP traffic for the load balancer
 resource "aws_security_group_rule" "inbound_http_to_load_balancer" {
+  count             = var.public_access ? 1 : 0
   security_group_id = aws_security_group.load_balancer_public.id
   type              = "ingress"
   from_port         = 80
@@ -273,7 +277,7 @@ resource "aws_security_group_rule" "inbound_http_to_load_balancer" {
 
 # Ingress rule for HTTP traffic for the load balancer - - only created if `var.enable_https` is true
 resource "aws_security_group_rule" "inbound_https_to_load_balancer" {
-  count             = var.enable_https ? 1 : 0
+  count             = var.public_access && var.enable_https ? 1 : 0
   security_group_id = aws_security_group.load_balancer_public.id
   type              = "ingress"
   from_port         = 443

@@ -25,9 +25,10 @@ module "full_node_snapshot_ap_northeast_1" {
   datadog_api_key = var.datadog_api_key
   dd_site         = var.dd_site
 
-  # in public testnet, use the validator image which contains the snapshot script.
+  # in public testnet, use the node image which contains the snapshot script.
   # in dev environments, we build separate images.
-  ecr_repository_url = contains(["testnet", "testnet1", "testnet2"], var.environment) ? data.aws_ecr_repository.validator.repository_url : data.aws_ecr_repository.snapshot_validator.repository_url
+  # TODO(CLOB-976): Determine if mainnet configuration uses a separate image.
+  ecr_repository_url = contains(["testnet", "testnet1", "testnet2"], var.environment) ? local.node_ecr_repository_url : local.snapshot_node_ecr_repository_url
 
   ec2_instance_type = var.full_node_ec2_instance_type
 

@@ -427,3 +427,9 @@ variable "vulcan_ecs_environment_variables" {
   description = "Environment variables to set for the Indexer Vulcan ECS task, in addition to the default values."
   default     = []
 }
+
+variable "public_access" {
+  type        = bool
+  description = "Enables public access of the indexer endpoints."
+  default     = true
+}
@@ -1,6 +1,6 @@
 variable "env" {
   default     = "dev"
-  description = "dev/dev2/dev3/dev4/dev5/staging/testnet/public-testnet/testnet1/testnet2"
+  description = "dev/dev2/dev3/dev4/dev5/staging/testnet/public-testnet/testnet1/testnet2/mainnet"
 }
 
 variable "name" {