Terraform
This guide provides step-by-step instructions for automating Corsa's PII server deployments on AWS with Terraform.
Prerequisites
The information in this article should be used as a guide only. If you are deploying this method into a production environment, we recommend that you also follow all security and configuration best practices.
This guide assumes the following:
- You have an AWS account set up, with credentials that can create and delete the resources used here
- You have provisioned a VPC with a NAT gateway (the instance sits in a private subnet and needs outbound access through it)
- You have an existing SSH key pair for EC2 instances
Networking / Firewall
Inbound access on TCP port 443 is required, with a valid TLS certificate that modern browsers recognize. The instance itself can sit on a private subnet and be reached through a VPN (e.g. Twingate).
Egress (outbound) access is required to download software packages and to fetch the JWKS used for JWT verification.
The application listens on TCP port 3000 on all interfaces. Only port 443 should be exposed to clients; restrict port 3000 to the ingress component in front of the application.
Setup & Configuration
KMS Keys
Four KMS keys are used: two SIGN_VERIFY keys and two ENCRYPT_DECRYPT keys, covering data encryption and two-factor authentication (2FA).
| name | key usage | description |
|---|---|---|
| JWT_SIGNING | SIGN_VERIFY | JWT signing and verification |
| INVITE_CHALLENGE | SIGN_VERIFY | invite challenge signing and verification |
| TOTP_SECRET_ENCRYPTION | ENCRYPT_DECRYPT | two-factor authentication (TOTP secrets) |
| ENCRYPTION | ENCRYPT_DECRYPT | PII encrypt / decrypt |
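The following Terraform is an added example, not the Corsa project's own code: it declares the four keys from the table with the matching key usage, an EC2 instance role, and a least-privilege policy that lets the role use each key only for its stated purpose. The key specs (RSA_2048 for the SIGN_VERIFY keys, SYMMETRIC_DEFAULT for the others), the alias names and the role name "corsa-pii" are assumptions, not values taken from the product.

```hcl
# Added example, not the Corsa project's Terraform. Key specs, alias names and
# the role name are assumptions.

locals {
  kms_keys = {
    JWT_SIGNING            = { usage = "SIGN_VERIFY", spec = "RSA_2048" }
    INVITE_CHALLENGE       = { usage = "SIGN_VERIFY", spec = "RSA_2048" }
    TOTP_SECRET_ENCRYPTION = { usage = "ENCRYPT_DECRYPT", spec = "SYMMETRIC_DEFAULT" }
    ENCRYPTION             = { usage = "ENCRYPT_DECRYPT", spec = "SYMMETRIC_DEFAULT" }
  }
  sign_keys    = [for k, v in local.kms_keys : k if v.usage == "SIGN_VERIFY"]
  encrypt_keys = [for k, v in local.kms_keys : k if v.usage == "ENCRYPT_DECRYPT"]
}

resource "aws_kms_key" "corsa" {
  for_each = local.kms_keys

  description              = "Corsa PII ${each.key}"
  key_usage                = each.value.usage
  customer_master_key_spec = each.value.spec
  # KMS only rotates symmetric keys automatically; asymmetric signing keys are
  # rotated by creating a new key and re-pointing the alias.
  enable_key_rotation     = each.value.spec == "SYMMETRIC_DEFAULT"
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "corsa" {
  for_each = local.kms_keys

  name          = "alias/corsa-pii-${lower(replace(each.key, "_", "-"))}"
  target_key_id = aws_kms_key.corsa[each.key].key_id
}

# Instance role: the server reaches KMS through it, so no static AWS keys live on the box.
resource "aws_iam_role" "corsa_pii" {
  name = "corsa-pii"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_instance_profile" "corsa_pii" {
  name = "corsa-pii"
  role = aws_iam_role.corsa_pii.name
}

# Sign/Verify only on the signing keys, Encrypt/Decrypt only on the data keys,
# and no key-management actions (ScheduleKeyDeletion, PutKeyPolicy, ...) at all.
data "aws_iam_policy_document" "kms_use" {
  statement {
    sid       = "SignVerify"
    actions   = ["kms:Sign", "kms:Verify", "kms:GetPublicKey"]
    resources = [for k in local.sign_keys : aws_kms_key.corsa[k].arn]
  }
  statement {
    sid       = "EncryptDecrypt"
    # Add kms:GenerateDataKey here only if the server does envelope encryption.
    actions   = ["kms:Encrypt", "kms:Decrypt"]
    resources = [for k in local.encrypt_keys : aws_kms_key.corsa[k].arn]
  }
}

resource "aws_iam_role_policy" "kms_use" {
  name   = "corsa-pii-kms-use"
  role   = aws_iam_role.corsa_pii.id
  policy = data.aws_iam_policy_document.kms_use.json
}
```

Keeping the two statements separate matters: a role that can call kms:Decrypt on the JWT_SIGNING key is harmless (KMS refuses it), but a single wildcard statement over all four keys would also grant kms:Sign on the PII key if its spec were ever changed, and invites copy-paste drift toward `kms:*`.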
JWT/Auth0
| variable | US region | EU region |
|---|---|---|
| CORSA_JWKS_ISSUER | https://jwks.corsa.finance/ | https://jwks.eu.corsa.finance/ |
| AUTH0_AUDIENCE | EfoTQJf4D14Mkuqhmn46OtvtcC16otdA | WnbMDmVcPqiQzNf9iDKx8042z8JAsUcN |
Example
See our example Infrastructure as Code (IaC) repo. It creates a t3.micro on-demand instance with an external EBS volume mounted at /var/lib/corsa-pii.
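As an added example (not the contents of the linked repo), the instance and volume described above in Terraform: a t3.micro in a private subnet, a separate KMS-encrypted EBS volume that is formatted once and mounted at /var/lib/corsa-pii, IMDSv2 enforced, and an encrypted root volume. The three variables, the security group `aws_security_group.corsa_pii` and instance profile `aws_iam_instance_profile.corsa_pii` (assumed to be declared alongside), and the Nitro device name /dev/nvme1n1 for the first attached data volume are assumptions.

```hcl
# Added example, not the linked IaC repo. Variables, the referenced security
# group and instance profile, and the /dev/nvme1n1 device name are assumptions.

variable "ami_id"            { type = string }
variable "private_subnet_id" { type = string }
variable "key_name"          { type = string } # existing EC2 SSH key pair

data "aws_subnet" "private" {
  id = var.private_subnet_id
}

# Dedicated volume key, kept separate from the application's ENCRYPTION key so
# that disk-level and field-level encryption can be rotated and audited apart.
resource "aws_kms_key" "ebs" {
  description         = "Corsa PII EBS volumes"
  enable_key_rotation = true
}

resource "aws_ebs_volume" "pii" {
  availability_zone = data.aws_subnet.private.availability_zone
  size              = 20
  type              = "gp3"
  encrypted         = true
  kms_key_id        = aws_kms_key.ebs.arn
  tags              = { Name = "corsa-pii-data" }
}

resource "aws_instance" "corsa_pii" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = var.private_subnet_id
  key_name               = var.key_name
  vpc_security_group_ids = [aws_security_group.corsa_pii.id]    # assumption: declared alongside
  iam_instance_profile   = aws_iam_instance_profile.corsa_pii.name # assumption: declared alongside

  # IMDSv2 only: an SSRF bug in the web app cannot fetch the instance role's
  # credentials with a plain GET to 169.254.169.254.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    encrypted = true
  }

  # First boot: wait for the data volume to attach, format it only if it has no
  # filesystem yet, then mount it persistently (nofail keeps the box bootable
  # if the volume is ever detached).
  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    DEV=/dev/nvme1n1
    until [ -b "$DEV" ]; do sleep 2; done
    blkid -o value -s TYPE "$DEV" >/dev/null || mkfs.ext4 -L corsa-pii "$DEV"
    mkdir -p /var/lib/corsa-pii
    grep -q corsa-pii /etc/fstab || echo "LABEL=corsa-pii /var/lib/corsa-pii ext4 defaults,nofail 0 2" >> /etc/fstab
    mount -a
  EOF

  tags = { Name = "corsa-pii" }
}

resource "aws_volume_attachment" "pii" {
  device_name = "/dev/sdf"
  volume_id   = aws_ebs_volume.pii.id
  instance_id = aws_instance.corsa_pii.id
}
```

The wait loop in user_data exists because Terraform creates the instance before `aws_volume_attachment` runs, so first-boot scripts can race the attachment; mounting by label rather than device path keeps the fstab entry valid across reboots where the NVMe numbering changes.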
Ingress
The application binds to all interfaces on port 3000.
You can use any ingress component, e.g. AWS ALB, nginx or Traefik. The only requirement is that the browser can reach the instance over a TLS connection; the Corsa application handles CORS itself. Whichever component you choose, expose only port 443 to clients and allow port 3000 only from the ingress component.
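The networking requirements above (443 in, HTTPS out, port 3000 reachable only by the ingress component) and this Ingress section, as one added Terraform example that is not the Corsa project's own code: an ALB terminates TLS on 443 with an ACM certificate and forwards to port 3000, and two security groups make 3000 reachable only from the ALB while limiting the instance's egress to HTTPS. The variables, the health-check path "/", the ALB and security group names, and the instance resource `aws_instance.corsa_pii` (assumed to be declared alongside) are assumptions.

```hcl
# Added example, not the Corsa project's Terraform. Variables, names, the
# health-check path and the referenced aws_instance.corsa_pii are assumptions.

variable "vpc_id"          { type = string }
variable "alb_subnet_ids"  { type = list(string) } # an ALB needs subnets in two or more AZs
variable "certificate_arn" { type = string }       # ACM certificate for the public hostname
variable "client_cidrs" {
  type    = list(string)
  default = ["0.0.0.0/0"] # VPN-only deployment: narrow this and set internal = true below
}

# Terraform removes AWS's default allow-all egress rule, so every rule is explicit.
resource "aws_security_group" "alb" {
  name   = "corsa-pii-alb"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "corsa_pii" {
  name   = "corsa-pii-app"
  vpc_id = var.vpc_id
}

# Clients -> ALB: 443 only.
resource "aws_security_group_rule" "alb_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = var.client_cidrs
}

# ALB -> app on 3000; standalone rules avoid a dependency cycle between the groups.
resource "aws_security_group_rule" "alb_out_app" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  from_port                = 3000
  to_port                  = 3000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.corsa_pii.id
}

# Nothing but the ALB's security group may reach 3000.
resource "aws_security_group_rule" "app_in_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.corsa_pii.id
  from_port                = 3000
  to_port                  = 3000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}

# App -> internet: HTTPS only (package downloads, JWKS fetch), via the NAT gateway.
resource "aws_security_group_rule" "app_out_https" {
  type              = "egress"
  security_group_id = aws_security_group.corsa_pii.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_lb" "corsa_pii" {
  name                       = "corsa-pii"
  load_balancer_type         = "application"
  internal                   = false
  security_groups            = [aws_security_group.alb.id]
  subnets                    = var.alb_subnet_ids
  drop_invalid_header_fields = true
}

resource "aws_lb_target_group" "corsa_pii" {
  name        = "corsa-pii"
  port        = 3000
  protocol    = "HTTP"
  target_type = "instance"
  vpc_id      = var.vpc_id

  health_check {
    path    = "/" # assumption: use the application's real health endpoint
    matcher = "200-399"
  }
}

resource "aws_lb_target_group_attachment" "corsa_pii" {
  target_group_arn = aws_lb_target_group.corsa_pii.arn
  target_id        = aws_instance.corsa_pii.id # assumption: declared alongside
  port             = 3000
}

# TLS terminates here with the browser-trusted ACM certificate; TLS 1.2+ only.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.corsa_pii.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.corsa_pii.arn
  }
}
```

With this layout the ALB to instance hop is plain HTTP inside the VPC, which is the trade-off the page accepts by having the application listen on 3000 without TLS; if that hop must also be encrypted, put nginx or Traefik on the instance as the TLS endpoint instead and point the target group at it with protocol "HTTPS".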