Research and Implement IaC PoC for OWASP Nest Infrastructure

[arkid15r]

Description:

As part of our cloud migration and modernization efforts, we want to implement Infrastructure as Code (IaC) for the OWASP Nest stack. The goal is to evaluate available IaC tools (Terraform or alternatives) and implement a Proof of Concept (PoC) covering all critical infrastructure components.

High-level objectives:

• Research IaC tools suitable for AWS (Terraform, AWS CDK, Pulumi, etc.) and compare them based on maintainability, community support, and AWS integration.

• Implement a PoC infrastructure that includes:

  1. Backend: AWS Lambda (via Zappa or direct deployment)
  2. Frontend: ECS/Fargate service for serving frontend assets
  3. Static/media storage: S3 buckets
  4. Database: RDS (PostgreSQL) with proper security groups and parameter configurations
  5. Cache: Redis (ElastiCache)
  6. Nightly sync tasks: EC2 instance for cron-style batch jobs

Acceptance criteria:

1. A documented comparison of IaC tools with pros/cons for our use case.
2. A working PoC that provisions all listed infrastructure components in a sandbox AWS account.
3. IaC code is modular, reusable, and version-controlled.
4. Instructions for deploying, updating, and tearing down the PoC infrastructure.

Optional enhancements:

• Automate environment-specific variables (dev/staging/prod).
• Integrate with CI/CD for automatic provisioning and updates.
• Include monitoring/alerting via CloudWatch or alternative tools.

[tusharrrr1]

“Yes, I’d like to work on implementing this.”

“I would implement this by evaluating IaC tools (Terraform, CDK, Pulumi), selecting the best fit, and then creating a PoC that provisions Lambda, ECS/Fargate, S3, RDS, and ElastiCache, with reusable modular code and clear deployment instructions.”

[arkid15r]

“Yes, I’d like to work on implementing this.”

“I would implement this by evaluating IaC tools (Terraform, CDK, Pulumi), selecting the best fit, and then creating a PoC that provisions Lambda, ECS/Fargate, S3, RDS, and ElastiCache, with reusable modular code and clear deployment instructions.”

Hi @tusharrrr1
Do you have hands-on experience with any of the mentioned tools/services?

[tusharrrr1]

Heyy @arkid15r I am familiar with AWS fundamentals (EC2, S3, RDS concepts) and app infra patterns from prior projects.

Moreover, I have hands-on experience with the tools/services you mentioned and I’m comfortable implementing the PoC.

[nishkersh]

Description:

As part of our cloud migration and modernization efforts, we want to implement Infrastructure as Code (IaC) for the OWASP Nest stack. The goal is to evaluate available IaC tools (Terraform or alternatives) and implement a Proof of Concept (PoC) covering all critical infrastructure components.

High-level objectives:

• Research IaC tools suitable for AWS (Terraform, AWS CDK, Pulumi, etc.) and compare them based on maintainability, community support, and AWS integration.

• Implement a PoC infrastructure that includes:

  1. Backend: AWS Lambda (via Zappa or direct deployment)
  2. Frontend: ECS/Fargate service for serving frontend assets
  3. Static/media storage: S3 buckets
  4. Database: RDS (PostgreSQL) with proper security groups and parameter configurations
  5. Cache: Redis (ElastiCache)
  6. Nightly sync tasks: EC2 instance for cron-style batch jobs

Acceptance criteria:

1. A documented comparison of IaC tools with pros/cons for our use case.
2. A working PoC that provisions all listed infrastructure components in a sandbox AWS account.
3. IaC code is modular, reusable, and version-controlled.
4. Instructions for deploying, updating, and tearing down the PoC infrastructure.

Optional enhancements:

• Automate environment-specific variables (dev/staging/prod).
• Integrate with CI/CD for automatic provisioning and updates.
• Include monitoring/alerting via CloudWatch or alternative tools.

Hi @arkid15r, I'd like to express my strong interest in leading or contributing to this IaC PoC.

This directly aligns with a production-grade infrastructure project I recently completed. You can review the complete code and architecture on my GitHub here: https://github.com/nishkersh/GCP_Proj.git

In this project I authored a suite of custom, reusable Terraform modules to deploy a secure, multi-environment foundation on GCP.
My experience maps directly to your requirements:

Modular IaC: Developed modules for VPC, GKE, Cloud SQL, and ALB, focusing on clean interfaces and reusability.
Secure Networking: Engineered a Hub and Spoke topology with VPC Peering and custom routing to integrate the Zscaler Zero Trust platform for all network traffic.
Security by Design: Implemented a zero-trust posture using private-only resources, GSM for all credentials, and IAP for bastion access.

While my recent focus was GCP, the architectural patterns and Terraform principles are directly transferable to AWS.

I see @tusharrrr1 is also interested. I'm happy to collaborate or, if the issue is still open for assignment, I'm ready to take the lead. Please let me know how I can best contribute.

[arkid15r]

Hi @tusharrrr1, @nishkersh and thanks for your interest 👍

At this point I'm trying to understand what fits our needs the best -- Terraform/Pulimi/somthing else. It seems that .tf is the industry standard and I don't have any objections. Maybe we should discuss it first (we normally use this approach to gather more info before making some big-ish decision).

[tusharrrr1]

Great mindset @arkid15r take your time and let us know what you decide and we can move forward with that.

[arkid15r]

@nishkersh @tusharrrr1

It seems Terraform is winning for now. We're having our weekly huddle tomorrow, I'm going to gather more opinions from other leaders and contributors. Feel free to join if interested -- https://owasp.slack.com/archives/C07JLLG2GFQ (via https://owasp.org/slack/invite).

Anyway, I'll post an update here soon.

[arkid15r]

Alright, as per our recent huddle discussion we're going to do this one in a collaborative fashion. @nishkersh will be leading the implementation with @tusharrrr1 helping as a code reviewer and PoC readiness verifier.

@nishkersh @tusharrrr1 please take care of the code quality checks (pre-commit, formatting and linting tools) for both local and CI/CD environments.

I hope this works for both of you.