aws-samples
diff --git a/‎lib/tezos/.gitignore
Lines changed: 9 additions & 0 deletions b/‎lib/tezos/.gitignore
Lines changed: 9 additions & 0 deletions
diff --git a/‎lib/tezos/README.md
Lines changed: 207 additions & 0 deletions b/‎lib/tezos/README.md
Lines changed: 207 additions & 0 deletions
diff --git a/‎lib/tezos/app.ts
Lines changed: 76 additions & 0 deletions b/‎lib/tezos/app.ts
Lines changed: 76 additions & 0 deletions
diff --git a/‎lib/tezos/cdk.json
Lines changed: 57 additions & 0 deletions b/‎lib/tezos/cdk.json
Lines changed: 57 additions & 0 deletions
diff --git a/‎lib/tezos/doc/assets/Architecture-HA.png
105 KB b/‎lib/tezos/doc/assets/Architecture-HA.png
105 KB
diff --git a/‎lib/tezos/doc/assets/Architecture-Single.png
39.6 KB b/‎lib/tezos/doc/assets/Architecture-Single.png
39.6 KB
diff --git a/‎lib/tezos/jest.config.js
Lines changed: 8 additions & 0 deletions b/‎lib/tezos/jest.config.js
Lines changed: 8 additions & 0 deletions
diff --git a/‎lib/tezos/lib/assets/cfn-hup/cfn-auto-reloader.conf
Lines changed: 4 additions & 0 deletions b/‎lib/tezos/lib/assets/cfn-hup/cfn-auto-reloader.conf
Lines changed: 4 additions & 0 deletions
diff --git a/‎lib/tezos/lib/assets/cfn-hup/cfn-hup.conf
Lines changed: 5 additions & 0 deletions b/‎lib/tezos/lib/assets/cfn-hup/cfn-hup.conf
Lines changed: 5 additions & 0 deletions
diff --git a/‎lib/tezos/lib/assets/cfn-hup/cfn-hup.service
Lines changed: 8 additions & 0 deletions b/‎lib/tezos/lib/assets/cfn-hup/cfn-hup.service
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,9 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+package-lock.json
@@ -0,0 +1,207 @@
+# Sample AWS Blockchain Node Runner app for Tezos Nodes
+
+| Contributed by |
+|:--------------------:|
+| [@AhGhanima](https://github.com/AhGhanima), [@chrisdotn](https://github.com/chrisdotn) |
+
+## Architecture Overview
+
+This blueprint has two options for running nodes. You can set up a single JSON RPC node or multiple nodes in highly-available setup. The details are below.
+
+### Single RPC node setup
+![SingleNodeSetup](./doc/assets/Architecture-Single.png)
+
+This setup is for small scale PoC or development environments. It deploys a single EC2 instance with the tezos client. The RPC port is exposed only to internal IP range of the VPC, while P2P ports allow external access to keep the client synced.
+
+### Highly available setup
+![Architecture](./doc/assets/Architecture-HA.png)
+
+1.	An ongoing data synchronization process is configured with nodes in the Tezos network with a sync node and RPC nodes.
+2.	The sync node is used to create a copy of node's state data in Amazon S3 bucket.
+3.	When new RPC nodes are provisioned, they copy state data from Amazon S3 bucket to speed up the initial sync process.
+4.	Applications and smart contract development tools access highly available RPC nodes behind the Application Load Balancer.
+
+
+## Solution Walkthrough
+
+### Setup Cloud9
+
+We will use AWS Cloud9 to execute the subsequent commands. Follow the instructions in [Cloud9 Setup](../../docs/setup-cloud9.md)
+
+### Clone this repository and install dependencies
+
+```bash
+   git clone https://github.com/aws-samples/aws-blockchain-node-runners.git
+   cd aws-blockchain-node-runners
+   npm install
+```
+
+**NOTE:** In this tutorial we will set all major configuration through environment variables, but you also can modify parameters in `config/config.ts`.
+
+### Prepare to deploy nodes
+
+1. Make sure you are in the root directory of the cloned repository
+
+2. If you have deleted or don't have the default VPC, create default VPC
+
+```bash
+    aws ec2 create-default-vpc
+   ```
+
+   **NOTE:** You may see the following error if the default VPC already exists: `An error occurred (DefaultVpcAlreadyExists) when calling the CreateDefaultVpc operation: A Default VPC already exists for this account in this region.`. That means you can just continue with the following steps.
+
+   **NOTE:** The default VPC must have at least two public subnets in different Availability Zones, and public subnet must set `Auto-assign public IPv4 address` to `YES`
+
+3. Configure  your setup
+
+Create your own copy of `.env` file and edit it:
+```bash
+   # Make sure you are in aws-blockchain-node-runners/lib/tezos
+   cd lib/tezos
+   pwd
+   cp ./sample-configs/.env-sample-full .env
+   nano .env
+```
+   **NOTE:** You can find more examples inside the `sample-configs` directory.
+
+
+4. Deploy common components such as IAM role, and Amazon S3 bucket to store data snapshots
+
+```bash
+   pwd
+   # Make sure you are in aws-blockchain-node-runners/lib/tezos
+   npx cdk deploy tz-common
+```
+
+### Option 1: Single RPC Node
+
+1. Deploy Single RPC Node
+
+```bash
+   pwd
+   # Make sure you are in aws-blockchain-node-runners/lib/tezos
+   npx cdk deploy tz-single-node --json --outputs-file single-node-deploy.json
+```
+   **NOTE:** The default VPC must have at least two public subnets in different Availability Zones, and public subnet must set `Auto-assign public IPv4 address` to `YES`.
+
+   The EC2 instance will deploy, initialize the node and start the first sync. In Cloudformation the instance will show as successful once the node is running. From that point it still takes a while until the node is synced to the blockchain. You can check the sync status with the REST call below in step 4. If the `curl cannot connect to the node on port 8732, then the node is still importing. Once that's done, the curl command works. 
+
+2. After starting the node you need to wait for the inital syncronization process to finish. It may take from an hour to half a day depending on the the state of the network. You can use Amazon CloudWatch to track the progress. To see them:
+
+    - Navigate to [CloudWatch service](https://console.aws.amazon.com/cloudwatch/) (make sure you are in the region you have specified for `AWS_REGION`)
+    - Open `Dashboards` and select `tz-single-node-<type>-<network>` from the list of dashboards.
+
+4. Once the initial synchronization is done, you should be able to access the RPC API of that node from within the same VPC. The RPC port is not exposed to the Internet. Run the following query against the private IP of the single RPC node you deployed:
+
+```bash
+   INSTANCE_ID=$(cat single-node-deploy.json | jq -r '..|.singleinstanceid? | select(. != null)')
+   NODE_INTERNAL_IP=$(aws ec2 describe-instances --instance-ids $INSTANCE_ID --query 'Reservations[*].Instances[*].PrivateIpAddress' --output text)
+
+    # We query if the node is synced to main
+    curl http://$NODE_INTERNAL_IP:8732/chains/main/is_bootstrapped
+```
+
+The result should be like this (the actual balance might change):
+
+```javascript
+   {"bootstrapped":true,"sync_state":"synced"}
+```
+
+### Option 2: Highly Available RPC Nodes
+
+1. Deploy Snapshot Node
+
+```bash
+   pwd
+   # Make sure you are in aws-blockchain-node-runners/lib/tezos
+   npx cdk deploy snapshot-node --json --outputs-file sync-node-deploy.json
+```
+   **NOTE:** The default VPC must have at least two public subnets in different Availability Zones, and public subnet must set `Auto-assign public IPv4 address` to `YES`
+
+2. After starting the node you need to wait for the inital syncronization process to finish. It may take from an hour to half a day depending the state of the network. You can use Amazon CloudWatch to track the progress. To see them:
+
+    - Navigate to [CloudWatch service](https://console.aws.amazon.com/cloudwatch/) (make sure you are in the region you have specified for `AWS_REGION`)
+    - Open `Dashboards` and select `tz-snapshot-node-<type>-<network>` from the list of dashboards.
+
+Once synchronization process is over, the script will automatically stop the client and copy all the contents of the `/data` directory to your snapshot S3 bucket. That may take from 30 minutes to about 2 hours. During the process on the dashboard you will see lower CPU and RAM utilization but high data disc throughput and outbound network traffic. The script will automatically start the clients after the process is done.
+
+Note: the snapshot backup process will automatically run ever day at midnight time of the time zone were the sync node runs. To change the schedule, modify `crontab` of the root user on the node's EC2 instance.
+
+3. Configure and deploy 2 RPC Nodes
+
+```bash
+   pwd
+   # Make sure you are in aws-blockchain-node-runners/lib/tezos
+   npx cdk deploy tz-ha-nodes --json --outputs-file rpc-node-deploy.json
+```
+
+4. Give the new RPC nodes about an hour to initialize and then run the following query against the load balancer behind the RPC node created
+
+```bash
+    export RPC_ABL_URL=$(cat rpc-node-deploy.json | jq -r '..|.alburl? | select(. != null)')
+    echo $RPC_ABL_URL
+
+    curl http://$RPC_ABL_URL:8732/chains/main/is_bootstrapped
+```
+
+The result should be like this:
+
+```javascript
+   {"bootstrapped":true,"sync_state":"synced"}
+```
+
+   If the nodes are still starting and catching up with the chain, you will see the following repsonse:
+
+```HTML
+   <html>
+   <head><title>503 Service Temporarily Unavailable</title></head>
+   <body>
+   <center><h1>503 Service Temporarily Unavailable</h1></center>
+   </body>
+```
+
+**NOTE:** By default and for security reasons the load balancer is available only from within the default VPC in the region where it is deployed. It is not available from the Internet and is not open for external connections. Before opening it up please make sure you protect your RPC APIs.
+
+### Clearing up and undeploying everything
+
+1. Undeploy RPC Nodes, Sync Nodes and Common components
+
+```bash
+   # Setting the AWS account id and region in case local .env file is lost
+    export AWS_ACCOUNT_ID=<your_target_AWS_account_id>
+    export AWS_REGION=<your_target_AWS_region>
+
+   pwd
+   # Make sure you are in aws-blockchain-node-runners/lib/tezos
+
+    # Undeploy Single RPC Node
+    cdk destroy tz-single-node
+
+   # Undeploy RPC Nodes
+    cdk destroy tz-ha-nodes
+
+    # Undeploy Sync Node
+    cdk destroy tz-snapshot-node
+
+    # You need to manually delete an s3 bucket with a name similar to 'tz-snapshots-$accountid-tz-nodes-common' on the console,firstly empty the bucket,secondly delete the bucket,and then execute
+    # Delete all common components like IAM role and Security Group
+    cdk destroy tz-common
+```
+
+2. Follow steps to delete the Cloud9 instance in [Cloud9 Setup](../../doc/setup-cloud9.md)
+
+### FAQ
+
+1. How to check the logs from the EC2 user-data script?
+
+   **Note:** In this tutorial we chose not to use SSH and use Session Manager instead. That allows you to log all sessions in AWS CloudTrail to see who logged into the server and when. If you receive an error similar to `SessionManagerPlugin is not found`, [install Session Manager plugin for AWS CLI](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
+
+```bash
+   pwd
+   # Make sure you are in aws-blockchain-node-runners/lib/tezos
+
+   export INSTANCE_ID=$(cat single-node-deploy.json | jq -r '..|.single-node-instance-id? | select(. != null)')
+   echo "INSTANCE_ID=" $INSTANCE_ID
+   aws ssm start-session --target $INSTANCE_ID --region $AWS_REGION
+   sudo cat /var/log/cloud-init-output.log
+```
@@ -0,0 +1,76 @@
+import 'dotenv/config'
+import "source-map-support/register";
+import * as cdk from "aws-cdk-lib";
+import * as config from "./lib/config/tzConfig";
+import * as configTypes from "./lib/config/tzConfig.interface";
+import { TzCommonStack } from "./lib/common-stack";
+import { TzSingleNodeStack } from "./lib/single-node-stack";
+import { TzHANodesStack } from "./lib/ha-nodes-stack";
+import * as nag from "cdk-nag";
+import { TzSnapshotNodeStack } from './lib/snapshot-node-stack';
+
+const app = new cdk.App();
+cdk.Tags.of(app).add("Project", "AWS_TZ");
+
+const commonStack = new TzCommonStack(app, "tz-common", {
+    stackName: `tz-nodes-common`,
+    env: { account: config.baseConfig.accountId, region: config.baseConfig.region }
+});
+
+const singleNodeStack = new TzSingleNodeStack(app, "tz-single-node", {
+    stackName: `tz-single-node-${config.baseNodeConfig.historyMode}-${config.baseNodeConfig.tzNetwork}`,
+
+    env: { account: config.baseConfig.accountId, region: config.baseConfig.region },
+    nodeRole: <configTypes.TzNodeRole> "single-node",
+    instanceType: config.baseNodeConfig.instanceType,
+    instanceCpuType: config.baseNodeConfig.instanceCpuType,
+    tzNetwork: config.baseNodeConfig.tzNetwork,
+    historyMode: config.baseNodeConfig.historyMode,
+    snapshotsUrl:config.baseNodeConfig.snapshotsUrl,
+    octezDownloadUri: config.baseNodeConfig.octezDownloadUri,
+    downloadSnapshot: config.baseNodeConfig.downloadSnapshot == "true",
+    dataVolume: config.baseNodeConfig.dataVolume,
+});
+singleNodeStack.addDependency(commonStack);
+
+const snapshotNode = new TzSnapshotNodeStack(app, "tz-snapshot-node", {
+    stackName: `tz-snapshot-node-${config.baseNodeConfig.historyMode}-${config.baseNodeConfig.tzNetwork}`,
+    env: { account: config.baseConfig.accountId, region: config.baseConfig.region },
+    nodeRole: <configTypes.TzNodeRole> "rpc-node",
+    instanceType: config.baseNodeConfig.instanceType,
+    instanceCpuType: config.baseNodeConfig.instanceCpuType,
+    tzNetwork: config.baseNodeConfig.tzNetwork,
+    historyMode: config.baseNodeConfig.historyMode,
+    snapshotsUrl:config.baseNodeConfig.snapshotsUrl,
+    octezDownloadUri: config.baseNodeConfig.octezDownloadUri,
+    downloadSnapshot: config.baseNodeConfig.downloadSnapshot == "true"
+})
+
+const haNodeStack = new TzHANodesStack(app, "tz-ha-nodes", {
+    stackName: `tz-ha-nodes-${config.baseNodeConfig.historyMode}-${config.baseNodeConfig.tzNetwork}`,
+    env: { account: config.baseConfig.accountId, region: config.baseConfig.region },
+    nodeRole: <configTypes.TzNodeRole> "rpc-node",
+    instanceType: config.baseNodeConfig.instanceType,
+    instanceCpuType: config.baseNodeConfig.instanceCpuType,
+    tzNetwork: config.baseNodeConfig.tzNetwork,
+    historyMode: config.baseNodeConfig.historyMode,
+    snapshotsUrl:config.baseNodeConfig.snapshotsUrl,
+    dataVolume: config.baseNodeConfig.dataVolume,
+    octezDownloadUri: config.baseNodeConfig.octezDownloadUri,
+
+    albHealthCheckGracePeriodMin: config.haNodeConfig.albHealthCheckGracePeriodMin,
+    heartBeatDelayMin: config.haNodeConfig.heartBeatDelayMin,
+    numberOfNodes: config.haNodeConfig.numberOfNodes,
+    downloadSnapshot: config.baseNodeConfig.downloadSnapshot == "true"
+});
+haNodeStack.addDependency(commonStack);
+haNodeStack.addDependency(snapshotNode);
+
+// Security Check
+cdk.Aspects.of(app).add(
+    new nag.AwsSolutionsChecks({
+        verbose: false,
+        reports: true,
+        logIgnores: false
+    })
+);
@@ -0,0 +1,57 @@
+{
+  "app": "npx ts-node --prefer-ts-exts app.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true
+  }
+}
@@ -0,0 +1,8 @@
+module.exports = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest'
+  }
+};
@@ -0,0 +1,4 @@
+[cfn-auto-reloader-hook]
+triggers=post.update
+path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init
+action=/opt/aws/bin/cfn-init -v --stack __AWS_STACK_NAME__ --resource WebServerHost --region __AWS_REGION__
@@ -0,0 +1,5 @@
+[main]
+stack=__AWS_STACK_ID__
+region=__AWS_REGION__
+# The interval used to check for changes to the resource metadata in minutes. Default is 15
+interval=2
@@ -0,0 +1,8 @@
+[Unit]
+Description=cfn-hup daemon
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/cfn-hup
+Restart=always
+[Install]
+WantedBy=multi-user.target