From 7a62e230ec1db199b00e5586e607668d6ed6306e Mon Sep 17 00:00:00 2001
From: Ata Tekeli
Date: Tue, 8 Oct 2024 12:43:05 +0300
Subject: [PATCH] work with iam, ci/cd and firewall

---
 .github/workflows/aleo-monitoring.yml | 16 ++++
 .github/workflows/aleo-node.yml | 16 ++++
 .github/workflows/mina-monitoring.yml | 16 ++++
 .github/workflows/mina-node.yml | 16 ++++
 aleo/node-terraform/iam-policy.tf | 111 ++++++++++++++++++++++++++
 aleo/node-terraform/iam-role.tf | 97 ++++++++++++++++++++++
 mina/node-terraform/iam-policy.tf | 111 ++++++++++++++++++++++++++
 mina/node-terraform/iam-role.tf | 97 ++++++++++++++++++++++
 8 files changed, 480 insertions(+)
 create mode 100644 .github/workflows/aleo-monitoring.yml
 create mode 100644 .github/workflows/aleo-node.yml
 create mode 100644 .github/workflows/mina-monitoring.yml
 create mode 100644 .github/workflows/mina-node.yml

diff --git a/.github/workflows/aleo-monitoring.yml b/.github/workflows/aleo-monitoring.yml
new file mode 100644
index 0000000..01174b4
--- /dev/null
+++ b/.github/workflows/aleo-monitoring.yml
@@ -0,0 +1,16 @@
+name: Node.js CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+defaults:
+ run:
+ working-directory: web
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
\ No newline at end of file
diff --git a/.github/workflows/aleo-node.yml b/.github/workflows/aleo-node.yml
new file mode 100644
index 0000000..01174b4
--- /dev/null
+++ b/.github/workflows/aleo-node.yml
@@ -0,0 +1,16 @@
+name: Node.js CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+defaults:
+ run:
+ working-directory: web
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
\ No newline at end of file
diff --git a/.github/workflows/mina-monitoring.yml b/.github/workflows/mina-monitoring.yml
new file mode 100644
index 0000000..926f2c6
--- /dev/null
+++ b/.github/workflows/mina-monitoring.yml
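Review bot: The `build` job in this workflow declares only `runs-on: ubuntu-latest` and no `steps`, so as far as I can tell GitHub Actions will reject the file as an invalid workflow rather than run an empty job; the identical stub is added again in aleo-node.yml, mina-monitoring.yml and mina-node.yml. The `name: Node.js CI` and `working-directory: web` values also do not match what the four file names suggest these workflows are for, so it is hard to tell which one is meant to build or monitor what. If the steps are still to come, adding a top-level `permissions: contents: read` now would keep the `pull_request` trigger from running with the repository's default token permissions once steps exist. Each file also ends without a trailing newline.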
@@ -0,0 +1,16 @@
+name: Node.js CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+defaults:
+ run:
+ working-directory: web
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
\ No newline at end of file
diff --git a/.github/workflows/mina-node.yml b/.github/workflows/mina-node.yml
new file mode 100644
index 0000000..926f2c6
--- /dev/null
+++ b/.github/workflows/mina-node.yml
@@ -0,0 +1,16 @@
+name: Node.js CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+defaults:
+ run:
+ working-directory: web
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
\ No newline at end of file
diff --git a/aleo/node-terraform/iam-policy.tf b/aleo/node-terraform/iam-policy.tf
index e69de29..170577e 100644
--- a/aleo/node-terraform/iam-policy.tf
+++ b/aleo/node-terraform/iam-policy.tf
@@ -0,0 +1,111 @@
+# Create the service account for the validator server
+resource "google_service_account" "default" {
+ account_id = "aleo-prover-sa"
+ display_name = "Aleo Prover Service Account"
+}
+
+# Create the GCS bucket for backups
+resource "google_storage_bucket" "validator_backup" {
+ name = "aleo-backup" # Replace with a unique bucket name
+ location = "US" # Replace with your desired location
+
+ versioning {
+ enabled = true # Enable versioning for backups
+ }
+
+ lifecycle {
+ prevent_destroy = true # Prevent accidental deletion of the bucket
+ }
+}
+
+# Create folders for different types of backup data
+resource "google_storage_bucket_object" "validator_keys" {
+ name = "validator_keys/" # Folder for validator keys
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "config_files" {
+ name = "configuration_files/" # Folder for configuration files
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "blockchain_data" {
+ name = "blockchain_data/" # Folder for blockchain data
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "wallet_data" {
+ name = "wallet_data/" # Folder for wallet data
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "recovery_info" {
+ name = "recovery_information/" # Folder for recovery information
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+# Define GCE instance with service account for validator server
+resource "google_compute_instance" "confidential_instance" {
+ name = "aleo-prover"
+ zone = "us-central1-a"
+ machine_type = "n2-standard-8"
+ min_cpu_platform = "Intel Cascade Lake"
+
+ confidential_instance_config {
+ enable_confidential_compute = true
+ confidential_instance_type = "SEV"
+ }
+
+ boot_disk {
+ initialize_params {
+ image = "ubuntu-os-cloud/ubuntu-2004-lts"
+ labels = {
+ my_label = "prover"
+ }
+ }
+ }
+
+ # Local SSD disk
+ scratch_disk {
+ interface = "NVME"
+ size = 80
+ }
+
+ network_interface {
+ network = "default"
+ }
+
+ service_account {
+ # Attach the custom service account
+ email = google_service_account.default.email
+ scopes = ["cloud-platform"]
+ }
+}
+
+# IAM policy to grant GCS bucket access to the service account
+resource "google_storage_bucket_iam_member" "validator_gcs_permissions" {
+ bucket = google_storage_bucket.validator_backup.name
+ role = "roles/storage.objectAdmin" # Full control over bucket objects
+ member = "serviceAccount:${google_service_account.default.email}"
+}
+
+# (Optional) Grant read-only access to GCS bucket objects
+resource "google_storage_bucket_iam_member" "validator_gcs_viewer" {
+ bucket = google_storage_bucket.validator_backup.name
+ role = "roles/storage.objectViewer" # Read-only access to bucket objects
+ member = "serviceAccount:${google_service_account.default.email}"
+}
+
+# Assign Compute Instance Admin role to the service account
+resource "google_project_iam_member" "validator_compute_instance_admin" {
+ project = "your-project-id"
+ role = "roles/compute.instanceAdmin.v1"
+ member = "serviceAccount:${google_service_account.default.email}"
+}
+
+# Assign Service Account User role to allow GCE instance to use the service account
+resource "google_project_iam_member" "validator_service_account_user" {
+ project = "your-project-id"
+ role = "roles/iam.serviceAccountUser"
+ member = "serviceAccount:${google_service_account.default.email}"
+}
diff --git a/aleo/node-terraform/iam-role.tf b/aleo/node-terraform/iam-role.tf
index e69de29..7b42f96 100644
--- a/aleo/node-terraform/iam-role.tf
+++ b/aleo/node-terraform/iam-role.tf
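Review bot: The service account `aleo-prover-sa` is attached to the `aleo-prover` instance with the `cloud-platform` scope and, in the last two resources of the hunk, is additionally granted `roles/compute.instanceAdmin.v1` and `roles/iam.serviceAccountUser` on the whole project, so any process on that VM can create or reconfigure instances project-wide and run them under any other service account — far more than a node that writes backups to one bucket needs. I would drop both `google_project_iam_member` resources and keep only the bucket-scoped binding; nothing in this file shows the instance needing to manage Compute resources itself. On the bucket, `roles/storage.objectViewer` is redundant next to `roles/storage.objectAdmin` for the same member, and `objectAdmin` also lets the node delete the backups it writes, so `roles/storage.objectCreator` plus a bucket retention policy would bound what a compromised node can destroy (versioning alone does not stop deletion of versions by an object admin). The `project = "your-project-id"` literal is repeated in both project bindings and should presumably be a variable shared with the provider configuration. mina/node-terraform/iam-policy.tf carries the same grants unchanged.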
@@ -0,0 +1,97 @@
+provider "google" {
+ project = "your-project-id" # Replace with your Google Cloud project ID
+ region = "us-central1" # Replace with your desired region
+}
+
+# Create a Service Account for the Validator Node
+resource "google_service_account" "validator_node" {
+ account_id = "validator-node-sa"
+ display_name = "Validator Node Service Account"
+}
+
+# Create the GCS Bucket for Validator Backups
+resource "google_storage_bucket" "validator_backup" {
+ name = "aleo-backup" # Replace with a unique bucket name
+ location = "US" # Replace with your desired location
+
+ versioning {
+ enabled = true # Enable versioning for backups
+ }
+
+ lifecycle {
+ prevent_destroy = true # Prevent accidental deletion of the bucket
+ }
+}
+
+# Create folders in the GCS bucket for different data types
+resource "google_storage_bucket_object" "validator_keys" {
+ name = "validator_keys/" # Folder for validator keys
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "config_files" {
+ name = "configuration_files/" # Folder for configuration files
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "blockchain_data" {
+ name = "blockchain_data/" # Folder for blockchain data
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "wallet_data" {
+ name = "wallet_data/" # Folder for wallet data
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "recovery_info" {
+ name = "recovery_information/" # Folder for recovery information
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+# IAM Role: Storage Object Creator for GCS backups
+resource "google_project_iam_member" "validator_storage_object_creator" {
+ project = "your-project-id"
+ role = "roles/storage.objectCreator"
+ member = "serviceAccount:${google_service_account.validator_node.email}"
+}
+
+# IAM Role: Storage Object Viewer for GCS
+resource "google_project_iam_member" "validator_storage_object_viewer" {
+ project = "your-project-id"
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.validator_node.email}"
+}
+
+# IAM Role: Compute Instance Admin for managing the validator node
+resource "google_project_iam_member" "validator_compute_instance_admin" {
+ project = "your-project-id"
+ role = "roles/compute.instanceAdmin.v1"
+ member = "serviceAccount:${google_service_account.validator_node.email}"
+}
+
+# Create a Compute Engine instance for the Validator Node
+resource "google_compute_instance" "validator_node_instance" {
+ name = "aleo-validator"
+ zone = "us-central1-a" # Replace with your desired zone
+ machine_type = "n2-standard-8"
+ min_cpu_platform = "Intel Cascade Lake"
+
+ boot_disk {
+ initialize_params {
+ image = "ubuntu-os-cloud/ubuntu-2004-lts" # Replace with your preferred image
+ }
+ }
+
+ network_interface {
+ network = "default"
+ access_config {
+ # Assign a public IP address
+ }
+ }
+
+ service_account {
+ email = google_service_account.validator_node.email
+ scopes = ["cloud-platform"] # Scope for accessing GCP services
+ }
+}
diff --git a/mina/node-terraform/iam-policy.tf b/mina/node-terraform/iam-policy.tf
index e69de29..170577e 100644
--- a/mina/node-terraform/iam-policy.tf
+++ b/mina/node-terraform/iam-policy.tf
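Review bot: This file sits in the same directory as iam-policy.tf and redeclares `google_storage_bucket.validator_backup`, all five `google_storage_bucket_object` folders and `google_project_iam_member.validator_compute_instance_admin` under identical resource addresses, so Terraform should refuse the module with duplicate-resource errors before anything is applied; one of the two files needs to own those resources. The two files also create two different service accounts (`validator-node-sa` here, `aleo-prover-sa` there) for what reads like a single node, and the three `google_project_iam_member` grants here are project-wide where the backup use case only calls for `google_storage_bucket_iam_member` bindings on `validator_backup`, with `roles/compute.instanceAdmin.v1` not justified by anything in the file. `access_config {}` gives `aleo-validator` a public IP, yet no `google_compute_firewall` resource appears anywhere in this commit despite its title, so reachability is left to whatever rules the `default` network already has; an explicit ingress rule limited to the ports the node serves belongs next to this instance. The same duplication exists between mina/node-terraform/iam-role.tf and its iam-policy.tf.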
@@ -0,0 +1,111 @@
+# Create the service account for the validator server
+resource "google_service_account" "default" {
+ account_id = "aleo-prover-sa"
+ display_name = "Aleo Prover Service Account"
+}
+
+# Create the GCS bucket for backups
+resource "google_storage_bucket" "validator_backup" {
+ name = "aleo-backup" # Replace with a unique bucket name
+ location = "US" # Replace with your desired location
+
+ versioning {
+ enabled = true # Enable versioning for backups
+ }
+
+ lifecycle {
+ prevent_destroy = true # Prevent accidental deletion of the bucket
+ }
+}
+
+# Create folders for different types of backup data
+resource "google_storage_bucket_object" "validator_keys" {
+ name = "validator_keys/" # Folder for validator keys
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "config_files" {
+ name = "configuration_files/" # Folder for configuration files
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "blockchain_data" {
+ name = "blockchain_data/" # Folder for blockchain data
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "wallet_data" {
+ name = "wallet_data/" # Folder for wallet data
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "recovery_info" {
+ name = "recovery_information/" # Folder for recovery information
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+# Define GCE instance with service account for validator server
+resource "google_compute_instance" "confidential_instance" {
+ name = "aleo-prover"
+ zone = "us-central1-a"
+ machine_type = "n2-standard-8"
+ min_cpu_platform = "Intel Cascade Lake"
+
+ confidential_instance_config {
+ enable_confidential_compute = true
+ confidential_instance_type = "SEV"
+ }
+
+ boot_disk {
+ initialize_params {
+ image = "ubuntu-os-cloud/ubuntu-2004-lts"
+ labels = {
+ my_label = "prover"
+ }
+ }
+ }
+
+ # Local SSD disk
+ scratch_disk {
+ interface = "NVME"
+ size = 80
+ }
+
+ network_interface {
+ network = "default"
+ }
+
+ service_account {
+ # Attach the custom service account
+ email = google_service_account.default.email
+ scopes = ["cloud-platform"]
+ }
+}
+
+# IAM policy to grant GCS bucket access to the service account
+resource "google_storage_bucket_iam_member" "validator_gcs_permissions" {
+ bucket = google_storage_bucket.validator_backup.name
+ role = "roles/storage.objectAdmin" # Full control over bucket objects
+ member = "serviceAccount:${google_service_account.default.email}"
+}
+
+# (Optional) Grant read-only access to GCS bucket objects
+resource "google_storage_bucket_iam_member" "validator_gcs_viewer" {
+ bucket = google_storage_bucket.validator_backup.name
+ role = "roles/storage.objectViewer" # Read-only access to bucket objects
+ member = "serviceAccount:${google_service_account.default.email}"
+}
+
+# Assign Compute Instance Admin role to the service account
+resource "google_project_iam_member" "validator_compute_instance_admin" {
+ project = "your-project-id"
+ role = "roles/compute.instanceAdmin.v1"
+ member = "serviceAccount:${google_service_account.default.email}"
+}
+
+# Assign Service Account User role to allow GCE instance to use the service account
+resource "google_project_iam_member" "validator_service_account_user" {
+ project = "your-project-id"
+ role = "roles/iam.serviceAccountUser"
+ member = "serviceAccount:${google_service_account.default.email}"
+}
diff --git a/mina/node-terraform/iam-role.tf b/mina/node-terraform/iam-role.tf
index e69de29..7b42f96 100644
--- a/mina/node-terraform/iam-role.tf
+++ b/mina/node-terraform/iam-role.tf
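Review bot: This file is a verbatim copy of aleo/node-terraform/iam-policy.tf (both resolve to blob `170577e`), so the Mina node's service account is still `aleo-prover-sa`, its instance `aleo-prover`, and its backup bucket `aleo-backup`. GCS bucket names are globally unique, which means applying the aleo and mina modules in any combination fails on the second `google_storage_bucket.validator_backup`, and if only one succeeds the Mina `validator_keys/`, `wallet_data/` and `recovery_information/` objects end up in a bucket whose name and labels identify it as Aleo's — an easy way to mix up key material between chains. The names should come from a per-chain variable or at least be renamed to `mina-…` throughout; mina/node-terraform/iam-role.tf has the same copy-paste names (`aleo-backup`, `aleo-validator`) and the same blob as its aleo counterpart, so the rename applies to both. The project-wide `roles/compute.instanceAdmin.v1` and `roles/iam.serviceAccountUser` grants to the instance's own service account are also over-broad here, as in the aleo copy.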
@@ -0,0 +1,97 @@
+provider "google" {
+ project = "your-project-id" # Replace with your Google Cloud project ID
+ region = "us-central1" # Replace with your desired region
+}
+
+# Create a Service Account for the Validator Node
+resource "google_service_account" "validator_node" {
+ account_id = "validator-node-sa"
+ display_name = "Validator Node Service Account"
+}
+
+# Create the GCS Bucket for Validator Backups
+resource "google_storage_bucket" "validator_backup" {
+ name = "aleo-backup" # Replace with a unique bucket name
+ location = "US" # Replace with your desired location
+
+ versioning {
+ enabled = true # Enable versioning for backups
+ }
+
+ lifecycle {
+ prevent_destroy = true # Prevent accidental deletion of the bucket
+ }
+}
+
+# Create folders in the GCS bucket for different data types
+resource "google_storage_bucket_object" "validator_keys" {
+ name = "validator_keys/" # Folder for validator keys
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "config_files" {
+ name = "configuration_files/" # Folder for configuration files
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "blockchain_data" {
+ name = "blockchain_data/" # Folder for blockchain data
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "wallet_data" {
+ name = "wallet_data/" # Folder for wallet data
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+resource "google_storage_bucket_object" "recovery_info" {
+ name = "recovery_information/" # Folder for recovery information
+ bucket = google_storage_bucket.validator_backup.name
+}
+
+# IAM Role: Storage Object Creator for GCS backups
+resource "google_project_iam_member" "validator_storage_object_creator" {
+ project = "your-project-id"
+ role = "roles/storage.objectCreator"
+ member = "serviceAccount:${google_service_account.validator_node.email}"
+}
+
+# IAM Role: Storage Object Viewer for GCS
+resource "google_project_iam_member" "validator_storage_object_viewer" {
+ project = "your-project-id"
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.validator_node.email}"
+}
+
+# IAM Role: Compute Instance Admin for managing the validator node
+resource "google_project_iam_member" "validator_compute_instance_admin" {
+ project = "your-project-id"
+ role = "roles/compute.instanceAdmin.v1"
+ member = "serviceAccount:${google_service_account.validator_node.email}"
+}
+
+# Create a Compute Engine instance for the Validator Node
+resource "google_compute_instance" "validator_node_instance" {
+ name = "aleo-validator"
+ zone = "us-central1-a" # Replace with your desired zone
+ machine_type = "n2-standard-8"
+ min_cpu_platform = "Intel Cascade Lake"
+
+ boot_disk {
+ initialize_params {
+ image = "ubuntu-os-cloud/ubuntu-2004-lts" # Replace with your preferred image
+ }
+ }
+
+ network_interface {
+ network = "default"
+ access_config {
+ # Assign a public IP address
+ }
+ }
+
+ service_account {
+ email = google_service_account.validator_node.email
+ scopes = ["cloud-platform"] # Scope for accessing GCP services
+ }
+}