Self-host Sombra to encrypt user data before it leaves your firewall.
Built by security engineers with a healthy sense of paranoia.
View on the Terraform Module Registry
Sombra provides the same security guarantees as going completely on-premise, but with a simple, lightweight gateway that performs cryptographic operations. By hosting Sombra on-prem, you don't have to trust Transcend. Sombra verifies that any incoming webhooks from Transcend were consented to by the user and verified by a trusted identity provider. It passes on the verified webhooks to any destination server or script inside the company firewall. When it's time to upload data to Transcend's cloud, Sombra encrypts the data before it leaves the firewall with a key that is only known to Sombra. Since Transcend doesn't have the decryption keys, Transcend employees have no means of seeing the data.
This is a logically separated application with an open port on the internet that is only accessible by Transcend. Performing any operation on the data subject's personal data requires authorization (or consent) from an authenticated data subject.
The external application is responsible for receiving all communications from Transcend. All webhooks come through here, as do operations related to the data subject's data download step.
This is a logically separated application with one open port on the company private network. Only internal clients can use this port (when var.use_private_load_balancer is set to true). There is also the option to add an internal password to prevent accidental or unauthorized access from clients in the private network.
You need to be able to communicate with Sombra's internal load balancer and port from your backend. There are two options:
- You can leave var.use_private_load_balancer set to false, which will allow you to talk to Sombra over TCP. If you go this route, make sure to set var.incoming_cidr_ranges to the public CIDR blocks for your backend.
- You can communicate through a VPC Peering Connection. This way, all of your communication with the internal ALB can happen over private DNS. To accomplish this, you'll need to:
  - Set up VPC peering. I'd recommend checking out https://registry.terraform.io/modules/cloudposse/vpc-peering/aws/0.3.0
  - Set var.use_private_load_balancer to true on this module
  - Make sure your backend's security group can communicate to private subnet CIDR blocks from the VPC containing this module
  - Set var.incoming_cidr_ranges to be the private CIDR blocks from your backend's VPC
  - Add your backend's VPC to the private hosted zone association, with something like:

    resource "aws_route53_zone_association" "private_sombra_zone" {
      zone_id = module.sombra.private_zone_id
      vpc_id  = module.your_peered_vpc.vpc_id
    }

After that, you can reference the internal_url output from your backend over HTTPS.
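To make the VPC peering option concrete, here is an added example (not code from this module or its ./examples folder) that wires the pieces together in Terraform. It assumes you supply the module source (MODULE_SOURCE is a placeholder), the backend VPC, route table and security group ids and both VPC CIDRs (the locals below are constructed placeholders), that the internal listener is on 443, and it omits the module's other required inputs.

```hcl
# Added example, not the module's own code. All ids and CIDRs below are
# constructed placeholders; replace them with values from your environment.
locals {
  backend_vpc_id         = "vpc-0123456789abcdef0"
  backend_vpc_cidr       = "10.20.0.0/16"
  backend_route_table_id = "rtb-0123456789abcdef0"
  backend_sg_id          = "sg-0123456789abcdef0"
  sombra_vpc_id          = "vpc-0fedcba9876543210"
  sombra_vpc_cidr        = "10.30.0.0/16"
}

module "sombra" {
  source = "MODULE_SOURCE" # placeholder for the registry address

  # Keep the internal port off the public internet.
  use_private_load_balancer = true
  # Only the peered backend VPC may reach the internal port; do not widen this.
  incoming_cidr_ranges = [local.backend_vpc_cidr]
  # ... the module's other required inputs go here (see ./examples) ...
}

# Peer the backend VPC with the VPC that hosts Sombra (same-account case).
resource "aws_vpc_peering_connection" "backend_to_sombra" {
  vpc_id      = local.backend_vpc_id
  peer_vpc_id = local.sombra_vpc_id
  auto_accept = true
}

# Route backend traffic for the Sombra VPC over the peering connection.
# A matching return route in the Sombra VPC's route tables is also required.
resource "aws_route" "backend_to_sombra" {
  route_table_id            = local.backend_route_table_id
  destination_cidr_block    = local.sombra_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.backend_to_sombra.id
}

# Let the backend's security group reach Sombra's private subnets on HTTPS.
resource "aws_security_group_rule" "backend_egress_to_sombra" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [local.sombra_vpc_cidr]
  security_group_id = local.backend_sg_id
}

# Make Sombra's private DNS name resolvable from the backend VPC.
resource "aws_route53_zone_association" "private_sombra_zone" {
  zone_id = module.sombra.private_zone_id
  vpc_id  = local.backend_vpc_id
}

output "sombra_internal_url" {
  value = module.sombra.internal_url
}
```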
Copyright © 2020 Transcend Inc.
We have two examples of deploying Sombra in the ./examples folder, one for using HTTP and one for HTTPS.
To release a new version of the module to the Terraform Module Registry, simply create a new GitHub release here. CI will automatically pick up this release and publish it to registry.terraform.io.