d-bis/smom-dbis-138
4
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
843cdbf71cc0551231e511d98cdd67a2932ef9d0
smom-dbis-138/docs/archive/status-reports/phase1/FIX_PLAN.md
defiQUG 1fb7266469 Add Oracle Aggregator and CCIP Integration 
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
2025-12-12 14:57:48 -08:00

3.5 KiB
Raw Blame History

Phase 1: Fix Plan for Critical Gaps

Immediate Fixes Required

1. Fix Boot Diagnostics Storage Account

Problem: Boot diagnostics enabled but no storage account provided.

Solution: Create storage accounts for boot diagnostics in each region.

Files to Modify:

  • phase1-main.tf: Add storage account creation for each region
  • Update VM module call to pass storage account name

2. Fix Nginx Proxy Backend Connectivity

Problem: Nginx proxy in West Europe cannot reach VMs in US regions via private IPs (not routable across regions).

Solution Options:

  • Option A (Recommended): Give VMs public IPs for RPC access
    • Modify VM module to create public IPs for "besu-node" type
    • Update NSG rules to allow RPC from Nginx proxy public IP only
  • Option B: Use Azure VPN/ExpressRoute (more complex, higher cost)
  • Option C: Deploy Nginx proxy in each region (not recommended)

Files to Modify:

  • modules/vm-deployment/main.tf: Add public IP creation for "besu-node" type
  • phase1-main.tf: Ensure node_type allows public IPs
  • modules/networking-vm/main.tf: Restrict RPC rules to Nginx proxy IP

3. Add Storage Accounts for Backups

Problem: No storage for backups, chaindata, or configuration.

Solution: Add storage module for each region.

Files to Modify:

  • phase1-main.tf: Add storage module for each US region
  • Use existing modules/storage module

4. Add Basic Monitoring

Problem: No observability infrastructure.

Solution: Add Log Analytics Workspace and basic monitoring.

Files to Create/Modify:

  • Create modules/monitoring module
  • Add Log Analytics Workspace
  • Add diagnostic settings for VMs

5. Fix Nginx Proxy Configuration

Problem:

  • Missing environment variable in template
  • No health checks
  • SSL not automated

Solution:

  • Fix template variables
  • Add health check configuration
  • Add certbot automation script

Files to Modify:

  • modules/nginx-proxy/nginx-cloud-init.yaml: Fix template, add health checks
  • Add certbot automation

6. Security Hardening

Problem: NSG rules too permissive, no Key Vault access policies.

Solution:

  • Restrict NSG rules to specific IP ranges (variables)
  • Add Key Vault access policies for VM Managed Identities

Files to Modify:

  • modules/networking-vm/main.tf: Use variables for source IPs
  • modules/secrets/main.tf: Add Managed Identity access policies
  • phase1-main.tf: Add variables for allowed IPs

7. Add Comprehensive Outputs

Problem: Missing useful outputs for management.

Solution: Add outputs for:

  • SSH connection strings
  • VM resource IDs
  • Storage account names
  • Monitoring workspace IDs

Files to Modify:

  • phase1-main.tf: Add comprehensive outputs

Implementation Order

  1. Fix Boot Diagnostics (Critical - blocks deployment)
  2. Fix Nginx Backend Connectivity (Critical - blocks functionality)
  3. Add Storage Accounts (High - needed for backups)
  4. Add Basic Monitoring (High - needed for operations)
  5. Security Hardening (High - security risk)
  6. Fix Nginx Configuration (Medium - operational improvement)
  7. Add Outputs (Low - convenience)

Testing Checklist

After fixes:

  • Terraform plan succeeds without errors
  • Boot diagnostics work on VMs
  • Nginx proxy can reach backend VMs
  • Storage accounts created and accessible
  • Log Analytics Workspace receives logs
  • NSG rules properly restrict access
  • Key Vault accessible by VMs via Managed Identity
  • All outputs provide useful information
Reference in New Issue View Git Blame Copy Permalink