feat: lambda subscriber (#4372)

* ci: lambda subscriber

* ci: lambda subscriber

* chore: bump chain abstraction

* fix: update tf config for sequncer cname

* fix: sequencer http queue config update

* fix: add auto scaling to seq publisher

* fix: typo and seq health port config change

* ci: prover

---------

Co-authored-by: Rahul Sethuram <rahul.eth@icloud.com>
Co-authored-by: just-a-node <eye1717@gmail.com>
Co-authored-by: preethamr <preethamr@users.noreply.github.com>

ops/modules/amq/outputs.tf

@@ -5,3 +5,7 @@ output "aws_mq_broker_console" {
 output "aws_mq_amqp_endpoint" {
   value = trimprefix(aws_mq_broker.default.instances[0].endpoints[0], "amqps://")
 }
+
+output "aws_mq_amqp_arn" {
+  value = aws_mq_broker.default.arn
+}

ops/modules/lambda-mq-subscriber/main.tf

@@ -0,0 +1,76 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+locals {
+  account_id     = data.aws_caller_identity.current.account_id
+  repository_url = "${local.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${var.ecr_repository_name}"
+}
+
+resource "aws_iam_role" "lambda" {
+  name = "${var.container_family}-${var.environment}-${var.stage}-lambda-mq-subscriber-role"
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Action" : "sts:AssumeRole",
+        "Principal" : {
+          "Service" : "lambda.amazonaws.com"
+        },
+        "Effect" : "Allow"
+      }
+    ]
+  })
+
+  inline_policy {
+    name = "${var.container_family}-${var.environment}-${var.stage}-lambda-mq-subscriber-policies"
+    policy = jsonencode({
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Action" : [
+            "mq:DescribeBroker",
+            "secretsmanager:GetSecretValue",
+            "ec2:CreateNetworkInterface",
+            "ec2:DescribeNetworkInterfaces",
+            "ec2:DescribeVpcs",
+            "ec2:DeleteNetworkInterface",
+            "ec2:DescribeSubnets",
+            "ec2:DescribeSecurityGroups",
+            "logs:CreateLogGroup",
+            "logs:CreateLogStream",
+            "logs:PutLogEvents"
+          ],
+          "Resource" : ["*"]
+        }
+      ]
+    })
+  }
+}
+resource "aws_lambda_function" "executable" {
+  function_name = "${var.container_family}-${var.environment}-${var.stage}-mq-subscriber"
+  image_uri     = "${local.repository_url}:${var.docker_image_tag}"
+  package_type  = "Image"
+  role          = aws_iam_role.lambda.arn
+  architectures = ["x86_64"]
+  timeout       = var.timeout
+  memory_size   = var.memory_size
+  environment {
+    variables = merge(var.container_env_vars, { DD_SERVICE = var.container_family })
+  }
+}
+
+
+resource "aws_lambda_event_source_mapping" "prover_x" {
+  batch_size       = 10
+  event_source_arn = var.aws_mq_broker_arn
+  enabled          = true
+  function_name    = aws_lambda_function.executable.arn
+  queues           = ["proverX"]
+
+  source_access_configuration {
+    type = "BASIC_AUTH"
+    uri  = aws_secretsmanager_secret_version.rmq_uri.arn
+  }
+}

ops/modules/lambda-mq-subscriber/sm.tf

@@ -0,0 +1,11 @@
+resource "aws_secretsmanager_secret" "rmq_secret" {
+  name = "rmq-pw-${var.environment}-${var.stage}"
+}
+
+resource "aws_secretsmanager_secret_version" "rmq_uri" {
+  secret_id = aws_secretsmanager_secret.rmq_secret.id
+  secret_string = jsonencode({
+    username = var.rmq_mgt_user
+    password = var.rmq_mgt_password
+  })
+}

ops/modules/lambda-mq-subscriber/variables.tf

@@ -0,0 +1,100 @@
+
+variable "docker_image_tag" {
+  description = "Docker image tag"
+  type        = string
+  default     = "latest"
+}
+variable "ecr_repository_name" {
+  description = "ECR repository name"
+  type        = string
+}
+
+
+variable "container_family" {
+  description = "Container family"
+  type        = string
+}
+
+variable "container_env_vars" {
+  description = "env vars for running container"
+}
+
+variable "timeout" {
+  description = "timeout for lambda"
+  default     = 500
+}
+
+variable "memory_size" {
+  description = "memory size for lambda"
+  default     = 10240
+}
+
+
+variable "stage" {
+  description = "stage of deployment"
+}
+
+variable "environment" {}
+
+variable "rmq_mgt_password" {
+  type        = string
+  description = "RabbitMQ management password"
+}
+
+variable "rmq_mgt_user" {
+  type        = string
+  default     = "connext"
+  description = "RabbitMQ management user"
+}
+
+variable "host_instance_type" {
+  type        = string
+  description = "The broker's instance type. e.g. mq.t2.micro or mq.m4.large"
+  default     = "mq.m5.large"
+}
+
+variable "publicly_accessible" {
+  type        = bool
+  description = "Whether to enable connections from applications outside of the VPC that hosts the broker's subnets"
+  default     = false
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "The ID of the VPC to create the broker in"
+}
+
+variable "zone_id" {
+  description = "hosted zone id"
+}
+
+variable "base_domain" {
+  description = "base domain of the application"
+  default     = "connext.ninja"
+}
+
+variable "subnet_ids" {
+  type        = list(string)
+  description = "List of VPC subnet IDs"
+}
+
+variable "sg_id" {
+  type        = string
+  description = "security group id of worker node sg"
+}
+
+variable "deployment_mode" {
+  type        = string
+  description = "Deployment mode of cluster"
+  default     = "CLUSTER_MULTI_AZ"
+}
+
+variable "aws_mq_amqp_endpoint" {
+  type        = string
+  description = "The AMQP endpoint of the broker"
+}
+
+variable "aws_mq_broker_arn" {
+  type        = string
+  description = "The ARN of the broker"
+}

ops/testnet/prod/core/main.tf

@@ -310,6 +310,26 @@ module "lighthouse_prover_cron" {
   memory_size         = 10240
 }
 
+module "lighthouse_prover_subscriber" {
+  source               = "../../../modules/lambda-mq-subscriber"
+  stage                = var.stage
+  environment          = var.environment
+  sg_id                = module.network.ecs_task_sg
+  vpc_id               = module.network.vpc_id
+  zone_id              = data.aws_route53_zone.primary.zone_id
+  publicly_accessible  = true
+  subnet_ids           = module.network.public_subnets
+  rmq_mgt_user         = var.rmq_mgt_user
+  rmq_mgt_password     = var.rmq_mgt_password
+  aws_mq_amqp_endpoint = module.centralised_message_queue.aws_mq_amqp_endpoint
+  aws_mq_broker_arn    = module.centralised_message_queue.aws_mq_amqp_arn
+  ecr_repository_name  = "nxtp-lighthouse"
+  docker_image_tag     = var.lighthouse_image_tag
+  container_family     = "lighthouse-prover"
+  container_env_vars   = merge(local.lighthouse_env_vars, { LIGHTHOUSE_SERVICE = "prover" })
+  memory_size          = 512
+}
+
 module "lighthouse_process_from_root_cron" {
   source              = "../../../modules/lambda"
   ecr_repository_name = "nxtp-lighthouse"