Bitcoin Core Implementation

lib/bitcoin-core/app.js

@@ -0,0 +1,28 @@
+#!/usr/bin/env node
+require('dotenv').config(); // Load .env first
+const cdk = require('aws-cdk-lib');
+const { Aspects } = require('aws-cdk-lib');
+const { AwsSolutionsChecks } = require('cdk-nag');
+const { BitcoinCommonStack } = require('./lib/common-infra');
+const { SingleNodeBitcoinCoreStack } = require('./lib/single-node-stack');
+const { HABitcoinCoreNodeStack } = require('./lib/ha-node-stack');
+
+const app = new cdk.App();
+
+Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));
+
+const env = {
+    account: process.env.AWS_ACCOUNT_ID,
+    region: process.env.AWS_REGION,
+};
+
+const commonStack = new BitcoinCommonStack(app, 'BitcoinCommonStack', { env });
+new SingleNodeBitcoinCoreStack(app, 'SingleNodeBitcoinCoreStack', {
+    env,
+    instanceRole: commonStack.instanceRole,
+});
+
+new HABitcoinCoreNodeStack(app, 'HABitcoinCoreNodeStack', {
+    env,
+    instanceRole: commonStack.instanceRole,
+});

lib/bitcoin-core/cdk.json

@@ -0,0 +1,3 @@
+{
+    "app": "node app.js"
+}

lib/bitcoin-core/generateRPCAuth.js

@@ -0,0 +1,100 @@
+const crypto = require('crypto');
+const base64url = require('base64url');
+const fs = require('fs');
+const { SecretsManagerClient, CreateSecretCommand, PutSecretValueCommand } = require('@aws-sdk/client-secrets-manager');
+
+// Set up AWS SDK client
+const client = new SecretsManagerClient({ region: 'us-east-1' }); // Change region if needed
+
+// Create size byte hex salt
+function genSalt(size = 16) {
+    const buffer = crypto.randomBytes(size);
+    return buffer.toString('hex');
+}
+
+// Create 32 byte b64 password
+function genPass(size = 32) {
+    const buffer = crypto.randomBytes(size);
+    return base64url.fromBase64(buffer.toString('base64'));
+}
+
+function genUser() {
+    return 'user_' + Math.round(Math.random() * 1000);
+}
+
+function genHash(password, salt) {
+    const hash = crypto
+        .createHmac('sha256', salt)
+        .update(password)
+        .digest('hex');
+    return hash;
+}
+
+function genRpcAuth(username = genUser(), password = genPass(), salt = genSalt()) {
+    const hash = genHash(password, salt);
+    return { username, password, salt, hash };
+}
+
+function writeRpcAuthToConf(rpcauthStr) {
+    const confPath = 'lib/bitcoin.conf';
+    try {
+        fs.writeFileSync(confPath, rpcauthStr + '\n', { flag: 'a' });
+        console.log(`Successfully wrote to ${confPath}`);
+    } catch (error) {
+        console.error(`Error writing to ${confPath}:`, error);
+    }
+}
+
+async function storeCredentialsInAWS(username, password) {
+    const secretName = 'bitcoin_rpc_credentials';
+    const secretValue = `${username}:${password}`;
+
+    try {
+        const createCommand = new CreateSecretCommand({
+            Name: secretName,
+            SecretString: secretValue,
+        });
+        await client.send(createCommand);
+        console.log(`Successfully stored credentials in AWS Secrets Manager: ${secretName}`);
+    } catch (error) {
+        if (error.name === 'ResourceExistsException') {
+            const updateCommand = new PutSecretValueCommand({
+                SecretId: secretName,
+                SecretString: secretValue,
+            });
+            await client.send(updateCommand);
+            console.log(`Successfully updated existing secret in AWS Secrets Manager: ${secretName}`);
+        } else {
+            console.error(`Error storing credentials in AWS Secrets Manager:`, error);
+        }
+    }
+}
+
+async function genRpcAuthStr(username, password, salt) {
+    const rpcauth = genRpcAuth(username, password, salt);
+    const str = `rpcauth=${rpcauth.username}:${rpcauth.salt}$${rpcauth.hash}`;
+    const strEscapeCharacter = `${rpcauth.username}:${rpcauth.salt}\\$${rpcauth.hash}`;
+    console.log(`Username: ${rpcauth.username}`);
+    console.log("Password generated securely and stored in Secrets Manager");
+    console.log(`rpcauth string with escape character: ${strEscapeCharacter}`);  // Print the rpcauth string
+
+    // Write to bitcoin.conf
+    writeRpcAuthToConf(str);
+
+    // Store in AWS Secrets Manager
+    await storeCredentialsInAWS(rpcauth.username, rpcauth.password);
+
+    return str;
+}
+
+// Example usage
+genRpcAuthStr();
+
+module.exports = {
+    genSalt,
+    genPass,
+    genUser,
+    genHash,
+    genRpcAuth,
+    genRpcAuthStr,
+};

lib/bitcoin-core/lib/assets/bitcoin-setup.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# This script is used to set up a mainnet Bitcoin Core node on an Amazon Linux 2 instance.
+yum update -y
+amazon-linux-extras install docker -y
+service docker start
+mkdir -p /home/bitcoin/.bitcoin
+echo "${BITCOIN_CONF}" > /home/bitcoin/.bitcoin/bitcoin.conf
+docker run -d --name bitcoind -v /home/bitcoin/.bitcoin:/root/.bitcoin -p 8333:8333 -p 8332:8332 bitcoin/bitcoin:latest bash -c "chown -R bitcoin:bitcoin /root/.bitcoin && bitcoind"

lib/bitcoin-core/lib/assets/blockheight-cron.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# This script is used to set up a cron job to send the Bitcoin block height to Amazon CloudWatch every 5 minutes.
+REGION=${AWS_REGION}
+(crontab -l 2>/dev/null; echo "*/5 * * * * sudo /usr/bin/docker exec bitcoind bitcoin-cli getblockcount | xargs -I {} sudo /usr/bin/aws cloudwatch put-metric-data --metric-name BlockHeight --namespace Bitcoin --unit Count --value {} --region $REGION") | crontab -

lib/bitcoin-core/lib/assets/cloudwatch-setup.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# This script is used to set up the Amazon CloudWatch agent on an Amazon Linux 2 instance.
+
+yum install -y amazon-cloudwatch-agent
+mkdir -p /opt/aws/amazon-cloudwatch-agent/etc
+cat <<EOF > /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
+{
+  "metrics": {
+    "metrics_collected": {
+      "disk": {
+        "measurement": ["used_percent", "inodes_free"],
+        "resources": ["*"],
+        "ignore_file_system_types": ["sysfs", "devtmpfs"]
+      },
+      "mem": {
+        "measurement": ["mem_used_percent"]
+      },
+      "cpu": {
+        "measurement": ["cpu_usage_idle", "cpu_usage_user", "cpu_usage_system"]
+      },
+      "net": {
+        "measurement": ["net_bytes_sent", "net_bytes_recv"],
+        "resources": ["eth0"]
+      }
+    }
+  }
+}
+EOF
+
+/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -s

lib/bitcoin-core/lib/bitcoin.conf

@@ -0,0 +1,5 @@
+server=1
+rpcallowip=0.0.0.0/0
+txindex=1
+rpcbind=0.0.0.0:8332
+datadir=/home/bitcoin/.bitcoin

lib/bitcoin-core/lib/common-infra.js

@@ -0,0 +1,39 @@
+const cdk = require("aws-cdk-lib");
+const iam = require("aws-cdk-lib/aws-iam");
+const nag = require("cdk-nag");
+
+class BitcoinCommonStack extends cdk.Stack {
+    constructor(scope, id, props) {
+        super(scope, id, props);
+
+        this.instanceRole = new iam.Role(this, "BitcoinNodeRole", {
+            assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
+            managedPolicies: [
+                iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMManagedInstanceCore"),
+                iam.ManagedPolicy.fromAwsManagedPolicyName("CloudWatchAgentServerPolicy"),
+            ],
+        });
+
+        new cdk.CfnOutput(this, "InstanceRoleArn", {
+            value: this.instanceRole.roleArn,
+            exportName: "BitcoinNodeInstanceRoleArn",
+        });
+
+        // cdk-nag suppressions
+        nag.NagSuppressions.addResourceSuppressions(
+            this.instanceRole,
+            [
+                {
+                    id: "AwsSolutions-IAM4",
+                    reason: "AmazonSSMManagedInstanceCore and CloudWatchAgentServerPolicy are sufficient for this use case.",
+                },
+                {
+                    id: "AwsSolutions-IAM5",
+                    reason: "Managed policies and wildcard usage are acceptable for this limited-scope Bitcoin node role.",
+                },
+            ]
+        );
+    }
+}
+
+module.exports = { BitcoinCommonStack };

lib/bitcoin-core/lib/constructs/bitcoin-mainnet-security-group.js

@@ -0,0 +1,20 @@
+const { Construct } = require('constructs');
+const ec2 = require('aws-cdk-lib/aws-ec2');
+
+class BitcoinSecurityGroup extends Construct {
+    constructor(scope, id, vpc) {
+        super(scope, id);
+
+        const sg = new ec2.SecurityGroup(this, 'BitcoinSG', {
+            vpc,
+            allowAllOutbound: true,
+        });
+
+        sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(8333), 'Bitcoin P2P');
+        sg.addIngressRule(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(8332), 'Bitcoin RPC from VPC');
+
+        this.securityGroup = sg;
+    }
+}
+
+module.exports = { BitcoinSecurityGroup };