The configuration provided is intended to only be an example of running a
Validator for a core supported network. You may have to modify the Validator
module to support more advanced configurations. It is recommended to test
thoroughly before using this setup in a production environment.
Overview
The provided terraform has a few key parts:
- IAM/KMS module: automatically completes Agent Keys configuration for you.
- S3 module: automatically completes AWS Signatures Bucket configuration for you.
- EFS module: sets up a persistent volume that can be mounted to the Validator.
- Validator module: uses the above modules to run an instance of a Validator.
- global.tf: top-level networking configuration for a cluster that Validators can run in.
- main.tf: configures Validators for deployment.
Usage
As a prerequisite, you need to have Terraform installed and the AWS CLI configured with your credentials. To initialize the terraform state:
Modules
Several modules exist so you can choose which parts of the Validator setup you would like managed by terraform.
IAM / KMS
The iam_kms module creates an IAM user and a KMS key for secure signing operations. It also sets up IAM policies and attachments to grant the necessary permissions for using the KMS key and other AWS services, such as S3, EFS and ECS later on.
S3
The s3 module creates an S3 bucket for storing Validator-related data, such as signatures. It also sets bucket policies to manage access and permissions, including public access restrictions and versioning.
EFS
The efs module defines an EFS file system and access point, allowing the Validator application to store and access data on EFS. It also sets up a mount target for connecting the EFS file system to the network.
This module is only required when using the validator module.
Validator
The validator module uses all of the above to integrate the EFS, IAM/KMS, and S3 configurations.
In addition to:
- Creating a new IAM user and relevant roles to run a Validator.
- Creating an S3 bucket that a Validator can write signatures to.
- Creating an EFS volume to persist data in the service.
the module:
- Defines an ECS task definition for running the Validator application, including container definitions, volume configurations, and logging.
- Creates an ECS service to manage the deployment and scaling of the Validator tasks.
Main Configuration
The root level configuration sets up a VPC, subnets, internet gateway, NAT gateway, route tables, and security groups for network infrastructure. It also provides example usage of the validator module.
Outputs
The root-level outputs.tf passes forward all outputs from the Validators configured in main.tf. You will have to update this as you add, modify or remove Validators.
Example architecture
The diagram below shows how the Validator ECS cluster fits into the top-level network infrastructure.
Known issues
PI configuration
It is non-trivial to set custom configuration values for PI chains, such as ones you’ve deployed Hyperlane to yourself. Currently you may have to just pass a long list of environment variables or command line arguments.
Individual agent logs
Currently all agents log to the same log group, DefaultLogGroup. To separate them per agent, you may have to adjust the log group name and update the agent’s log policy with the new group name.
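One way to make the adjustment described under Individual agent logs, as an added Terraform example that is not the project's own module code. The variable names, the log group path, the retention period and the assumption that an ECS task execution role ships the container logs are all illustrative.

```hcl
# Added example. All names below are assumptions, not taken from the project's modules.
variable "validator_name" {
  type        = string
  description = "Hypothetical: unique name of the Validator, used to name its log group"
}

variable "aws_region" {
  type = string
}

variable "execution_role_name" {
  type        = string
  description = "Hypothetical: name of the ECS task execution role that writes container logs"
}

# One log group per agent instead of the shared DefaultLogGroup.
resource "aws_cloudwatch_log_group" "validator" {
  name              = "/hyperlane/validator/${var.validator_name}" # constructed path
  retention_in_days = 30                                           # constructed value
}

# Grant write access to this agent's log group only, so one agent's role
# cannot write into another agent's log streams.
data "aws_iam_policy_document" "validator_logs" {
  statement {
    effect    = "Allow"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.validator.arn}:*"]
  }
}

resource "aws_iam_role_policy" "validator_logs" {
  name   = "${var.validator_name}-logs"
  role   = var.execution_role_name
  policy = data.aws_iam_policy_document.validator_logs.json
}

# Value to use as logConfiguration in the container definition of the ECS task.
output "log_configuration" {
  value = {
    logDriver = "awslogs"
    options = {
      "awslogs-group"         = aws_cloudwatch_log_group.validator.name
      "awslogs-region"        = var.aws_region
      "awslogs-stream-prefix" = var.validator_name
    }
  }
}
```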