aws-samples / aws-best-practices-for-xroad-security-servers

Best Practices for Deploying X-Road Security Servers on AWS

Infrastructure as code examples? #7

Open plaes opened 3 years ago

plaes commented 3 years ago

Any plans for including some Infrastructure as Code (terraform/pulumi/?) howtos and best practices?

t6nn commented 3 years ago

Hi @plaes, thanks for the question!

Examples and more in-depth best practices for IaC are definitely under consideration - most likely in the form of CloudFormation or CDK snippets. Fully maintained CDK constructs or CloudFormation templates are however unlikely to end up here. That is, this repository is more about guidelines and guardrails, rather than end-to-end recipes for setting up security servers.

That said, could you give a few examples of questions that you would like to have answered in how-tos and best practices?

plaes commented 3 years ago

Firstly, I haven't fully dug through the contents of this repository yet. I spent some time last spring looking into a way to set up a dev environment server with packer-generated AMI + terraform for managing the state.

I eventually got stuck trying to figure out the IAM role setup - the X-Road application required local accounts with passwords (as per https://github.com/nordic-institute/X-Road/blob/master/doc/Manuals/ug-ss_x-road_6_security_server_user_guide.md#22-managing-the-users).

t6nn commented 3 years ago

I would recommend asking these specific questions on the X-Road community Slack, to get yourself unblocked faster. Nevertheless, I'm leaving this issue open for now, as it's a good place to discuss the overall best practices on IaC and which ones we should have in the guide.

When it comes to IAM roles and local accounts, I think these should be viewed as being separate concerns. As there's no support in the security server to assume a particular role per user, you would need to set up an IAM role for your security server instance to cover all possible permissions the security server might need - and then have local accounts with passwords separately (either created during initialization or authenticated using PAM).