This guide provides step-by-step instructions on automating Corsa’s PII server deployments with Terraform on AWS.
Prerequisites
The information in this article should be used as a guide only. If you are deploying into a production environment, follow all security and configuration best practices.
This guide assumes:
- You have an AWS account with relevant access to create and delete resources.
- You have provisioned a VPC with a NAT gateway (the instance needs outbound access from a private subnet).
- You have an existing SSH keypair for EC2 instances.
Networking / Firewall
- Inbound TCP port 443 must be reachable by clients and terminated with a valid TLS certificate.
- The instance can sit on a private subnet and be reached through a VPN (e.g. Twingate).
- Egress/outbound access is required for downloading packages and for JWT verification (fetching the issuer's JWKS).
- The application listens on TCP port 3000 on all interfaces, so restrict that port to the ingress component or VPN range with a security group rather than exposing it directly.
Setup & Configuration
KMS Keys
| Name | Key usage | Description |
|---|---|---|
| JWT_SIGNING | SIGN_VERIFY | JWT signing key |
| INVITE_CHALLENGE | SIGN_VERIFY | Invitation challenge key |
| TOTP_SECRET_ENCRYPTION | ENCRYPT_DECRYPT | Two-factor authentication |
| ENCRYPTION | ENCRYPT_DECRYPT | PII encrypt / decrypt |
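The following Terraform is an added example, not code from the Corsa guide. It creates the four KMS keys listed in the table with the stated key usage, adds aliases, and attaches an EC2 instance role whose policy grants Sign/Verify only on the signing keys and Encrypt/Decrypt only on the encryption keys. The key spec `RSA_2048`, the alias and role names, and the inclusion of `kms:GenerateDataKey` (for envelope encryption) are assumptions; the guide itself only lists the usage types.

```hcl
# Added example (not the Corsa guide's own code).
# Assumptions: RSA_2048 for the SIGN_VERIFY keys, alias/role names, GenerateDataKey.

locals {
  sign_keys = {
    JWT_SIGNING      = "JWT signing key"
    INVITE_CHALLENGE = "Invitation challenge key"
  }
  encrypt_keys = {
    TOTP_SECRET_ENCRYPTION = "Two-factor authentication"
    ENCRYPTION             = "PII encrypt / decrypt"
  }
}

resource "aws_kms_key" "sign" {
  for_each                 = local.sign_keys
  description              = each.value
  key_usage                = "SIGN_VERIFY"
  customer_master_key_spec = "RSA_2048" # assumption: any SIGN_VERIFY spec the app supports
  deletion_window_in_days  = 30
}

resource "aws_kms_key" "encrypt" {
  for_each                 = local.encrypt_keys
  description              = each.value
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = true # automatic rotation is only available for symmetric keys
  deletion_window_in_days  = 30
}

resource "aws_kms_alias" "keys" {
  for_each      = merge(aws_kms_key.sign, aws_kms_key.encrypt)
  name          = "alias/corsa-pii/${lower(each.key)}"
  target_key_id = each.value.key_id
}

data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Least privilege: each key can only be used for the operation its usage type allows.
data "aws_iam_policy_document" "kms_use" {
  statement {
    sid       = "SignVerify"
    actions   = ["kms:Sign", "kms:Verify", "kms:GetPublicKey"]
    resources = [for k in aws_kms_key.sign : k.arn]
  }
  statement {
    sid       = "EncryptDecrypt"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"] # GenerateDataKey assumed
    resources = [for k in aws_kms_key.encrypt : k.arn]
  }
}

resource "aws_iam_role" "pii" {
  name               = "corsa-pii"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy" "kms_use" {
  name   = "kms-use"
  role   = aws_iam_role.pii.id
  policy = data.aws_iam_policy_document.kms_use.json
}

resource "aws_iam_instance_profile" "pii" {
  name = "corsa-pii"
  role = aws_iam_role.pii.name
}

output "kms_key_arns" {
  value = { for k, v in merge(aws_kms_key.sign, aws_kms_key.encrypt) : k => v.arn }
}
```

Attach `aws_iam_instance_profile.pii` to the EC2 instance so the application obtains KMS access from the instance role rather than from long-lived access keys on disk. The default key policy still grants the account root full administrative access to the keys; scope it further if the account is shared.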
JWT/Auth0
| Variable | US | EU |
|---|---|---|
| CORSA_JWKS_ISSUER | https://jwks.corsa.finance/ | https://jwks.eu.corsa.finance/ |
| AUTH0_AUDIENCE | EfoTQJf4D14Mkuqhmn46OtvtcC16otdA | WnbMDmVcPqiQzNf9iDKx8042z8JAsUcN |
Example
The example creates a t3.micro on-demand instance with a separate EBS volume mounted at /var/lib/corsa-pii.
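The Terraform below is an added example and not the guide's own code. It provisions the t3.micro on a private subnet with a separate, encrypted EBS volume mounted at /var/lib/corsa-pii, a security group that admits TCP 3000 only from the ingress component's or VPN's subnets, and open egress so packages and the JWKS can be fetched through the NAT gateway. All variable values are placeholders, `instance_profile_name` is assumed to be a role with access to the KMS keys, and the `/dev/nvme1n1` device name assumes this is the only extra volume on a Nitro instance.

```hcl
# Added example (not the Corsa guide's own code). Variable values are placeholders.

variable "vpc_id"                { type = string }
variable "private_subnet_id"     { type = string }
variable "ami_id"                { type = string }
variable "key_name"              { type = string }       # existing EC2 SSH keypair
variable "instance_profile_name" { type = string }       # role with access to the KMS keys (assumed)
variable "ingress_cidrs"         { type = list(string) } # ALB / VPN subnets, never 0.0.0.0/0

resource "aws_security_group" "pii" {
  name   = "corsa-pii"
  vpc_id = var.vpc_id
}

# Port 3000 is only reachable from the ingress component or VPN ranges.
resource "aws_vpc_security_group_ingress_rule" "app" {
  for_each          = toset(var.ingress_cidrs)
  security_group_id = aws_security_group.pii.id
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 3000
  to_port           = 3000
}

# Outbound access for package downloads and JWKS fetches (via the NAT gateway).
resource "aws_vpc_security_group_egress_rule" "all" {
  security_group_id = aws_security_group.pii.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

resource "aws_instance" "pii" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = var.private_subnet_id
  key_name               = var.key_name
  iam_instance_profile   = var.instance_profile_name
  vpc_security_group_ids = [aws_security_group.pii.id]

  metadata_options {
    http_tokens = "required" # IMDSv2 only: an SSRF in the app cannot read role credentials
  }

  root_block_device {
    encrypted = true
  }

  # Wait for the data volume to attach, format it on first boot only, then mount it.
  # /dev/nvme1n1 assumes this is the only additional volume on a Nitro instance.
  user_data = <<-EOT
    #!/bin/bash
    set -eu
    DEV=/dev/nvme1n1
    for _ in $(seq 1 60); do [ -b "$DEV" ] && break; sleep 5; done
    blkid "$DEV" >/dev/null 2>&1 || mkfs.ext4 -L corsa-pii "$DEV"
    mkdir -p /var/lib/corsa-pii
    grep -q corsa-pii /etc/fstab || echo 'LABEL=corsa-pii /var/lib/corsa-pii ext4 defaults,nofail 0 2' >> /etc/fstab
    mount -a
  EOT

  tags = { Name = "corsa-pii" }
}

resource "aws_ebs_volume" "data" {
  availability_zone = aws_instance.pii.availability_zone
  size              = 20
  type              = "gp3"
  encrypted         = true
  tags              = { Name = "corsa-pii-data" }
}

resource "aws_volume_attachment" "data" {
  device_name = "/dev/sdf"
  volume_id   = aws_ebs_volume.data.id
  instance_id = aws_instance.pii.id
}
```

Keeping the data volume as a separate `aws_ebs_volume` means the PII store survives instance replacement; the `nofail` mount option prevents a missing volume from blocking boot, and the label-based fstab entry avoids depending on the NVMe device name after the first boot.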
Ingress
The application binds to all interfaces on port 3000.
You can use any ingress component (e.g. AWS ALB, nginx, traefik) to terminate TLS on port 443 and forward to port 3000. The only requirement is that the browser can reach the instance over a TLS connection. The Corsa application handles CORS requests itself.