POC Check list
checklist
Infrastructure
Virtual Machinesβ
- Set up NGINX web server to allow hosting app outside of VM
- Allow Application to consistently run or restart in case of VM shutdown (persistence)
- Disaster Recovery
- Networking access to Server
- Authentication
- Infrastructure as Code
Containerisationβ
- Set up application to run via containers
- Locally
- Push to client docker artificatory
- CLIENT TODO: Hardened Images
SSL Certificates (Allow Access via HTTPS instead of IP)β
- CLIENT TODO: Generate SSL Certificate to allow HTTPS access
- Configure NGINX web server to do SSL handshakes
- CLIENT TODO: Configure DPN DNS to find web application given a domain name
Databaseβ
- Provision
- Install Database in VM
- Set up Connectivity between Application and Database
- Set up Service Accounts (for application and ops team)
- Set up Initial Tables (Schema)
- Hardening (Security)
- Check with client any hardening guidelines
- Handover (Client Ops Team need to manage this later)
- Database in Azure (?) -
Database Scalingβ
- Create Index/views that allow faster querying (assuming we are only needing one DB for now and will scale vertically for now)
GraphQL/ HASURAβ
- Set up GraphQL/Hasura in PRN. This is a big one. We aligned on the technology and got the green light from DSTG to try and install it
- Allow simulating client environment locally (Vagrant files) This is to develop infrastructure as code and enable
- Connectivity between DB -> Hasura -> Application
Continuous Integration/Deploymentβ
- Deploy webapp (manually first)
- Deploy Simulation Engine( or already there?)
- Repository to Repository Connectivity (similar to DT)
- Automate syncing of the repositories
- CLIENT TODO: coordinate how we can automate this process rather than asking in email given we have more repositories moving forward. (short term: consider mono-repo for all digital-twins? not scalable for production)
- Automated creating a build and running automated tests against the build (Continuous Integration)
- Automated Deployment on VM (Continuous Deployment)
- CLIENT TODO: possible to deploy in nested VM?
- Allow rollback on deployment issues
- Application Versioning
Application
- Configure Security Protocols
- GitLeaks
- SonarQube Code Scanning
- Git Dependencies Scanning
- Deploy web application (RAAF)Β This will be my happiest day on this project!
- Integrate (using API/Database, Production State)
- Simulation Engine to Web Application
- Web Application to Simulation Engine
- Web app -> Database -> Simulation Engine
Authentication/Authorization
- User Access Control of users
- Certificates?
- Integrate with Client Single Sign On?
- Password Authentications?
PerformanceΒ
- Caching (speed up the web application by caching certain responses that we donβt expect to easily change)
- Minify JS files for faster loading times
- Scale automatically (should we worry about this? expected number of concurrent users?)
Monitoring (For Production builds)
- Figure out how to alert/monitor application if it goes down or if there is any issues
- Persistent Storage of Application Logs for Tracing and Debugging any Issues in a production System.
- Performance Monitoring/Load Test Benchmark
Security Checklist
- Database Hardening (Patches, Authorization/Authentication, Service Accounts, Network Ports, Encryption)
- Application Security (OWASP Top 10, CWE Top 25, SANS TOP 25)
- Network Security (HTTP/s, Ports)
- Are non-public facing servers hidden from the public? (DB, Simulation Engines, Backend, etc)
- User Management (Database Users, Web application User)
- Data Storage Security (Encryption, Accessibility, Retention, Backup & Recovery)
- Necessary Data Compliance? (iso 27001, ISO 9001, IEC, Cyber Security Standards, SOC, etc)
- Storage of sensitive configurations/keys
- Rotations
- Zero Trust Policy
Documentation
- Overall Architecture
- Infrastructure
- Setting up Machines
- Decision Registry
- Security Registry