Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.corsa.finance/llms.txt

Use this file to discover all available pages before exploring further.

This guide provides step-by-step instructions on automating Corsa’s PII server deployments with Terraform on AWS.

Prerequisites

The information in this article should be used as a guide only. If you are deploying into a production environment, follow all security and configuration best practices.
This guide assumes:
  • You have an AWS account with relevant access to create and delete resources.
  • You have provisioned a VPC with NAT gateway.
  • You have an existing SSH keypair for EC2 instances.

Networking / Firewall

  • Inbound to TCP port 443 is required with a valid TLS certificate.
  • The instance can be on a private subnet and reached through a VPN (e.g. Twingate).
  • Egress/outbound is required for downloading packages and JWT verification.
  • Application listens on TCP port 3000 on all interfaces.

Setup & Configuration

KMS Keys

NameTypeDescription
JWT_SIGNINGSIGN_VERIFYJWT signing key
INVITE_CHALLENGESIGN_VERIFYInvitation challenge key
TOTP_SECRET_ENCRYPTIONENCRYPT_DECRYPTTwo-factor authentication
ENCRYPTIONENCRYPT_DECRYPTPII encrypt / decrypt

JWT/Auth0

VariableUSEU
CORSA_JWKS_ISSUERhttps://jwks.corsa.finance/https://jwks.eu.corsa.finance/
AUTH0_AUDIENCEEfoTQJf4D14Mkuqhmn46OtvtcC16otdAWnbMDmVcPqiQzNf9iDKx8042z8JAsUcN

Example

The example creates a t3.micro on-demand instance with an external volume mounted to /var/lib/corsa-pii.

Ingress

The application binds to all interfaces on port 3000. You can use any ingress component (e.g. AWS ALB, nginx, traefik). The only requirement is the browser can reach the instance over a TLS connection. The Corsa application handles CORS requests.