feat: devnet (#3473)

Closes #2994
Closes #2998
Closes #2999 
Closes #3130 

- Create a pipeline to deploy not just our versioned releases, but all
merges to `master` to Dockerhub, under `aztec-dev` tag
- Run terraforms to deploy 2 aztec node instances, 2 p2p bootstrap nodes
+ a faucet
- Deploys L1 contracts to our new mainnet fork.

# Checklist:
Remove the checklist to signal you've completed it. Enable auto-merge if
the PR is ready to merge.
- [ ] If the pull request requires a cryptography review (e.g.
cryptographic algorithm implementations) I have added the 'crypto' tag.
- [ ] I have reviewed my diff in github, line by line and removed
unexpected formatting changes, testing logs, or commented-out code.
- [ ] Every change is related to the PR description.
- [ ] I have
[linked](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue)
this pull request to relevant issues (if any exist).

---------

Co-authored-by: PhilWindle <60546371+PhilWindle@users.noreply.github.com>
Co-authored-by: PhilWindle <philip.windle@gmail.com>

.circleci/config.yml

@@ -948,7 +948,21 @@ jobs:
           name: "Deploy mainnet fork"
           command: |
             should_deploy || exit 0
-            deploy_ecr mainnet-fork
+            deploy mainnet-fork
+
+  deploy-contracts:
+    machine:
+      image: ubuntu-2204:2023.07.2
+    resource_class: medium
+    steps:
+      - *checkout
+      - *setup_env
+      - run:
+          name: "Deploy L1 contracts to mainnet fork"
+          working_directory: l1-contracts
+          command: |
+            should_deploy || exit 0
+            ./scripts/ci_deploy_contracts.sh
 
   deploy-npm:
     machine:
@@ -977,6 +991,29 @@ jobs:
             deploy_dockerhub noir x86_64,arm64
             deploy_dockerhub aztec-sandbox x86_64,arm64
             deploy_dockerhub cli x86_64,arm64
+            deploy_dockerhub faucet x86_64,arm64
+            deploy_dockerhub mainnet-fork x86_64,arm64
+            dpeloy_dockerhub l1-contracts x86_64,arm64
+
+  deploy-devnet:
+    machine:
+      image: ubuntu-2204:2023.07.2
+    resource_class: medium
+    steps:
+      - *checkout
+      - *setup_env
+      - run:
+          name: "Deploy devnet to AWS"
+          command: |
+            should_deploy 0 || exit 0
+            export TF_VAR_FAUCET_PRIVATE_KEY=$FAUCET_PRIVATE_KEY
+            export TF_VAR_BOOTNODE_1_PEER_ID=$BOOTNODE_1_PEER_ID
+            export TF_VAR_BOOTNODE_2_PEER_ID=$BOOTNODE_2_PEER_ID
+            export TF_VAR_BOOTNODE_1_PRIVATE_KEY=$BOOTNODE_1_PRIVATE_KEY
+            export TF_VAR_BOOTNODE_2_PRIVATE_KEY=$BOOTNODE_2_PRIVATE_KEY
+            deploy p2p-bootstrap
+            deploy aztec-node
+            deploy aztec-faucet
 
 # Repeatable config for defining the workflow below.
 defaults: &defaults
@@ -1203,4 +1240,16 @@ workflows:
       # Production deployment
       - deploy-dockerhub: *defaults_deploy
       - deploy-npm: *defaults_deploy
-      - deploy-mainnet-fork: *defaults_deploy
+      - deploy-mainnet-fork:
+          requires:
+            - deploy-dockerhub
+          <<: *defaults_deploy
+      - deploy-contracts:
+          requires:
+            - deploy-mainnet-fork
+          <<: *defaults_deploy
+      - deploy-devnet:
+          requires:
+            - deploy-contracts
+          <<: *defaults_deploy
+

build-system/scripts/deploy

@@ -19,7 +19,7 @@ if check_rebuild cache-$CONTENT_HASH-$DEPLOY_TAG-deployed $REPOSITORY; then
   exit 0
 fi
 
-deploy_terraform $REPOSITORY ./terraform/$DEPLOY_ENV "$TO_TAINT"
+deploy_terraform $REPOSITORY ./terraform/ "$TO_TAINT"
 
 # Restart services.
 for SERVICE in $SERVICES; do

build-system/scripts/deploy_dockerhub

@@ -20,7 +20,17 @@ function docker_or_dryrun {
 echo "Repo: $REPOSITORY"
 echo "Arch List: $ARCH_LIST"
 
-VERSION_TAG=$(extract_tag_version $REPOSITORY true)
+VERSION_TAG=$(extract_tag_version $REPOSITORY false)
+
+# if no version tag, check if we're on `master` branch
+if [[ -z "$VERSION_TAG" ]]; then
+  if [[ "$BRANCH" != "master" ]]; then
+    echo "No version tag found. Exiting" >&2
+    exit 1
+  fi
+  # if we're on master, use the DEPLOY_TAG as the version tag
+  VERSION_TAG=$DEPLOY_TAG
+fi
 
 MANIFEST_DEPLOY_URI=$DOCKERHUB_ACCOUNT/$REPOSITORY:$VERSION_TAG
 MANIFEST_DIST_URI=$DOCKERHUB_ACCOUNT/$REPOSITORY:$DIST_TAG
@@ -42,12 +52,17 @@ for ARCH in $ARCH_LIST; do
   echo "Adding image $IMAGE_DEPLOY_URI to manifest list $MANIFEST_DEPLOY_URI..."
   docker_or_dryrun manifest create $MANIFEST_DEPLOY_URI --amend $IMAGE_DEPLOY_URI
 
-  echo "Adding image $IMAGE_DEPLOY_URI to manifest list $MANIFEST_DIST_URI"
-  docker_or_dryrun manifest create $MANIFEST_DIST_URI --amend $IMAGE_DEPLOY_URI
+  # Add latest manifest if we're making a release.
+  if [[ "$VERSION_TAG" != $DEPLOY_TAG ]]; then
+    echo "Adding image $IMAGE_DEPLOY_URI to manifest list $MANIFEST_DIST_URI"
+    docker_or_dryrun manifest create $MANIFEST_DIST_URI --amend $IMAGE_DEPLOY_URI
+  fi
 done
 
-echo "Tagging $MANIFEST_DEPLOY_URI as $VERSION_TAG..."
 docker_or_dryrun manifest push --purge $MANIFEST_DEPLOY_URI
-# Publish version as latest.
-echo "Tagging $MANIFEST_DEPLOY_URI as $DIST_TAG..."
-docker_or_dryrun manifest push --purge $MANIFEST_DIST_URI
+
+# Retag version as latest if we're making a release.
+if [[ "$VERSION_TAG" != "$DEPLOY_TAG" ]]; then
+  echo "Tagging $MANIFEST_DEPLOY_URI as $DIST_TAG..."
+  docker_or_dryrun manifest push --purge $MANIFEST_DIST_URI
+fi

build-system/scripts/deploy_terraform

@@ -25,6 +25,10 @@ echo "Deploying terraform found at $PWD..."
 # Always want to export the DEPLOY_TAG variable to terraform. It's used to easily scope releases.
 export TF_VAR_DEPLOY_TAG=$DEPLOY_TAG
 export TF_VAR_COMMIT_HASH=$COMMIT_HASH
+export TF_VAR_DOCKERHUB_ACCOUNT=$DOCKERHUB_ACCOUNT
+export TF_VAR_FORK_MNEMONIC=$FORK_MNEMONIC
+export TF_VAR_INFURA_API_KEY=$INFURA_API_KEY
+export TF_VAR_API_KEY=$FORK_API_KEY
 
 # If given a repository name, use it to construct and set/override the backend key.
 # Otherwise use the key as specified in the terraform.

build-system/scripts/ensure_terraform

@@ -6,7 +6,7 @@ set -eu
 [ ! -f /usr/local/bin/terraform ] || exit 0
 
 cd $HOME
-TERRAFORM_VERSION=0.13.3
+TERRAFORM_VERSION=1.5.2
 curl -sSL https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -o terraform.zip
 sudo apt install -y unzip
 unzip terraform.zip

build-system/scripts/should_deploy

@@ -1,7 +1,15 @@
 #!/bin/bash
-# Retuns success if we are expected to do a deploy.
-# At present this is only if we have a commit tag.
-# Once we are doing master deployments to devnet, we'll want to check if BRANCH is master.
+# Returns success if we are expected to do a deployment.
+# This is if we have a commit tag (release) or if we're on `master` branch (devnet deployment).
+
 set -eu
 
-[ -n "$COMMIT_TAG" ]
+# This is when we only want to deploy on master, not release with new COMMIT_TAG.
+# Specifically for deploying devnet.
+RELEASE=${1:-1}
+
+if [ -n "$COMMIT_TAG" ] && [ "$RELEASE" != "0" ] || [ "$BRANCH" = "master" ]; then
+  exit 0
+else
+  exit 1
+fi

iac/mainnet-fork/scripts/wait_for_fork

@@ -6,7 +6,7 @@ set -e
 # This script waits on a healthy status from the fork - a valid response to the chainid request
 # We retry every 20 seconds, and wait for a total of 5 minutes (15 times)
 
-export ETHEREUM_HOST="https://aztec-mainnet-fork.aztec.network:8545/$FORK_API_KEY"
+export ETHEREUM_HOST="https://aztec-mainnet-fork.aztec.network:8545/$API_KEY"
 
 curl -H "Content-Type: application/json" -X POST --data '{"method":"eth_chainId","params":[],"id":33,"jsonrpc":"2.0"}' \
   --connect-timeout 30 \

iac/mainnet-fork/terraform/main.tf

@@ -1,7 +1,6 @@
 terraform {
   backend "s3" {
     bucket = "aztec-terraform"
-    key    = "aztec-network/mainnet-fork"
     region = "eu-west-2"
   }
   required_providers {
@@ -50,7 +49,7 @@ provider "aws" {
 }
 
 resource "aws_service_discovery_service" "aztec_mainnet_fork" {
-  name = "aztec-network-mainnet-fork"
+  name = "${var.DEPLOY_TAG}-mainnet-fork"
 
   health_check_custom_config {
     failure_threshold = 1
@@ -75,10 +74,10 @@ resource "aws_service_discovery_service" "aztec_mainnet_fork" {
 
 # EFS filesystem for mainnet fork
 resource "aws_efs_file_system" "aztec_mainnet_fork_data_store" {
-  creation_token = "aztec-network-mainnet-fork-data"
+  creation_token = "${var.DEPLOY_TAG}-mainnet-fork-data"
 
   tags = {
-    Name = "aztec-network-mainnet-fork-data"
+    Name = "${var.DEPLOY_TAG}-mainnet-fork-data"
   }
 
   lifecycle_policy {
@@ -100,7 +99,7 @@ resource "aws_efs_mount_target" "aztec_fork_private_az2" {
 
 # Define deployment task and service
 resource "aws_ecs_task_definition" "aztec_mainnet_fork" {
-  family                   = "aztec-network-mainnet-fork"
+  family                   = "${var.DEPLOY_TAG}-mainnet-fork"
   requires_compatibilities = ["FARGATE"]
   network_mode             = "awsvpc"
   cpu                      = "2048"
@@ -117,13 +116,13 @@ resource "aws_ecs_task_definition" "aztec_mainnet_fork" {
   container_definitions = <<DEFINITION
 [
   {
-    "name": "aztec-network-mainnet-fork",
-    "image": "${var.ECR_URL}/aztec-mainnet-fork:aztec3-packages-prod",
+    "name": "${var.DEPLOY_TAG}-mainnet-fork",
+    "image": "${var.DOCKERHUB_ACCOUNT}/aztec-mainnet-fork:${var.DEPLOY_TAG}",
     "essential": true,
     "environment": [
       {
         "name": "API_KEY",
-        "value": "${var.FORK_API_KEY}"
+        "value": "${var.API_KEY}"
       },
       {
         "name": "MNEMONIC",
@@ -170,7 +169,7 @@ DEFINITION
 
 # ALB to to limit public requests to apikey routes
 resource "aws_alb_target_group" "mainnet_fork" {
-  name                 = "aztec-network-mainnet-fork"
+  name                 = "${var.DEPLOY_TAG}-mainnet-fork"
   port                 = "80"
   protocol             = "HTTP"
   target_type          = "ip"
@@ -181,7 +180,7 @@ resource "aws_alb_target_group" "mainnet_fork" {
   ]
 
   health_check {
-    path                = "/${var.FORK_API_KEY}"
+    path                = "/${var.API_KEY}"
     matcher             = "404,400"
     interval            = 300
     healthy_threshold   = 2
@@ -190,12 +189,12 @@ resource "aws_alb_target_group" "mainnet_fork" {
   }
 
   tags = {
-    name = "aztec-network-mainnet-fork"
+    name = "${var.DEPLOY_TAG}-mainnet-fork"
   }
 }
 
 resource "aws_ecs_service" "aztec_mainnet_fork" {
-  name                               = "aztec-network-mainnet-fork"
+  name                               = "${var.DEPLOY_TAG}-mainnet-fork"
   cluster                            = data.terraform_remote_state.setup_iac.outputs.ecs_cluster_id
   launch_type                        = "FARGATE"
   desired_count                      = 1
@@ -213,13 +212,13 @@ resource "aws_ecs_service" "aztec_mainnet_fork" {
 
   load_balancer {
     target_group_arn = aws_alb_target_group.mainnet_fork.arn
-    container_name   = "aztec-network-mainnet-fork"
+    container_name   = "${var.DEPLOY_TAG}-mainnet-fork"
     container_port   = 80
   }
 
   service_registries {
     registry_arn   = aws_service_discovery_service.aztec_mainnet_fork.arn
-    container_name = "aztec-network-mainnet-fork"
+    container_name = "${var.DEPLOY_TAG}-mainnet-fork"
     container_port = 80
   }
 
@@ -241,15 +240,15 @@ resource "aws_lb_listener_rule" "aztec_mainnet_fork_route" {
 
   condition {
     host_header {
-      values = ["aztec-network-mainnet-fork.aztec.network"]
+      values = ["${var.DEPLOY_TAG}-mainnet-fork.aztec.network"]
     }
   }
 }
 
 # mainnet-fork DNS entry.
 resource "aws_route53_record" "aztec_mainnet_fork" {
   zone_id = data.terraform_remote_state.aztec2_iac.outputs.aws_route53_zone_id
-  name    = "aztec-network-mainnet-fork"
+  name    = "${var.DEPLOY_TAG}-mainnet-fork"
   type    = "A"
   alias {
     name                   = data.aws_alb.aztec-network_alb.dns_name

iac/mainnet-fork/terraform/variables.tf

@@ -6,10 +6,14 @@ variable "FORK_MNEMONIC" {
   type = string
 }
 
-variable "FORK_API_KEY" {
+variable "API_KEY" {
   type = string
 }
 
-variable "ECR_URL" {
+variable "DOCKERHUB_ACCOUNT" {
+  type = string
+}
+
+variable "DEPLOY_TAG" {
   type = string
 }

l1-contracts/.gitignore

@@ -16,4 +16,7 @@ lcov.info
 .foundry
 
 # Yarn lockfile
-yarn.lock
+yarn.lock
+
+# 'deploy_contracts' script output
+serve/

l1-contracts/Dockerfile

@@ -8,7 +8,7 @@ RUN yarn && yarn lint
 # Building requires foundry.
 FROM ghcr.io/foundry-rs/foundry:nightly-c331b5eeee1b4151ef7354a081667e2d770b37f5
 # Required for foundry
-RUN apk update && apk add git
+RUN apk update && apk add git jq bash
 WORKDIR /usr/src/l1-contracts
 COPY . .
 RUN git init

l1-contracts/scripts/ci_deploy_contracts.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+FORCE_DEPLOY=${2:-"false"}
+
+export ETHEREUM_HOST=$DEPLOY_TAG-mainnet-fork.aztec.network:8545/$API_KEY
+
+# If we have previously successful commit, we can early out if nothing relevant has changed since.
+if [[ $FORCE_DEPLOY == 'false' ]] && check_rebuild cache-"$CONTENT_HASH" $REPOSITORY; then
+  echo "No contract deploy necessary."
+  exit 0
+fi
+
+mkdir -p serve
+# Contract addresses will be mounted in the serve directory
+docker run \
+  -v $(pwd)/serve:/usr/src/contracts/serve \
+  -e ETHEREUM_HOST=$ETHEREUM_HOST -e PRIVATE_KEY=$CONTRACT_PUBLISHER_PRIVATE_KEY \
+  aztecprotocol/l1-contracts:$DEPLOY_TAG \
+  ./scripts/deploy_contracts.sh
+
+# Write the contract addresses as terraform variables
+for KEY in ROLLUP_CONTRACT_ADDRESS REGISTRY_CONTRACT_ADDRESS INBOX_CONTRACT_ADDRESS OUTBOX_CONTRACT_ADDRESS; do
+  VALUE=$(jq -r .$KEY ./serve/contract_addresses.json)
+  export TF_VAR_$KEY=$VALUE
+done
+
+# Write TF state variables
+deploy_terraform l1-contracts ./terraform