Indonesia's PDN (Pusat Data Nasional): What Developers Need to Know About Government Cloud Migration

Indonesia's Pusat Data Nasional (PDN) is the government's most ambitious digital infrastructure initiative, mandated by Government Regulation PP No. 71/2019 to consolidate over 2,700 agency data centers into four national facilities. For developers building systems for government agencies, understanding PDN's architecture, compliance requirements, and migration process is no longer optional — it is a legal obligation under SPBE (Sistem Pemerintahan Berbasis Elektronik) integration rules.
The PDN program designates four strategic locations across Indonesia, each hosting a Tier IV equivalent data center with redundant power, cooling, and network connectivity. These facilities are designed to serve different geographic demands while ensuring national data sovereignty under Indonesian jurisdiction.
The four PDN hubs are: PDN Cikarang (West Java) — the primary facility serving the Java corridor; PDN Batam (Riau Islands) — the secondary facility for Sumatra and connectivity to Singapore's submarine cable landing stations; PDN Ibu Kota Nusantara (East Kalimantan) — co-located with the new capital city development; and PDN Labuan Bajo (East Nusa Tenggara) — serving eastern Indonesia. Each facility operates under BSSN (Badan Siber dan Sandi Negara) security oversight.
PDN offers IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) tiers exclusively for government agencies. Services include virtual machine instances, managed Kubernetes clusters, managed databases (PostgreSQL, MySQL), object storage, and load balancers — all hosted within Indonesian jurisdiction. Commercial cloud providers (AWS, Azure, GCP) may be used for non-classified workloads, but data classified as RAHASIA or above must remain within PDN infrastructure.
Register your agency application on the SPBE portal (spbe.go.id) early — the integration assessment process typically takes 4–8 weeks and must be completed before you can request a PDN tenant provisioning order.
Government Regulation PP No. 71/2019 on the Implementation of Electronic Systems and Transactions is the cornerstone legal instrument governing PDN. It mandates that all government electronic systems handling state data must be hosted within Indonesian territory, and for classified data, within PDN facilities specifically. SPBE (Presidential Regulation No. 95/2018) further requires interoperability between all agency systems via standardized APIs and shared services.
PDN enforces four security classification tiers based on Indonesian government standards: TERBUKA (open — publicly accessible data), TERBATAS (limited — internal government use only), RAHASIA (confidential — restricted access, requires encryption at rest and in transit), and SANGAT RAHASIA (top secret — highest protection, only accessible within PDN Tier 1 secure zones). Misclassifying data at a lower tier than required constitutes a compliance violation subject to administrative sanctions.
```hcl
# terraform/pdn-government-workload/main.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Inputs referenced by the resources below
variable "pdn_region" {
  description = "Approved Indonesian region for this workload"
  type        = string
}

variable "agency_code" {
  description = "Agency identifier used in resource names and tags"
  type        = string
}

# PDN-compliant: all resources must be in approved Indonesian regions
provider "aws" {
  region = var.pdn_region # e.g. "ap-southeast-3" (Jakarta)
}

# Government data bucket, tagged with its classification and owner
resource "aws_s3_bucket" "gov_data" {
  bucket = "${var.agency_code}-pdn-data"

  tags = {
    Classification = "RAHASIA" # TERBUKA / TERBATAS / RAHASIA / SANGAT_RAHASIA
    DataOwner      = var.agency_code
    SPBECompliant  = "true"
    Regulation     = "PP-71-2019"
  }
}

# Enforce encryption at rest — mandatory for SPBE Tier 2+
resource "aws_s3_bucket_server_side_encryption_configuration" "gov_data_enc" {
  bucket = aws_s3_bucket.gov_data.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.pdn_key.arn
    }
  }
}

# Agency-managed key with automatic rotation
resource "aws_kms_key" "pdn_key" {
  description             = "PDN encryption key — ${var.agency_code}"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  tags = {
    Regulation = "PP-71-2019"
  }
}

# Block all public access — no public buckets allowed for government data
resource "aws_s3_bucket_public_access_block" "gov_data_block" {
  bucket                  = aws_s3_bucket.gov_data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Before migrating to PDN, developers must complete: (1) data inventory and classification audit for all datasets; (2) dependency mapping of external services and APIs; (3) network connectivity plan (IPSec VPN or dedicated MPLS to PDN); (4) disaster recovery strategy leveraging secondary PDN location; (5) BSSN security assessment for RAHASIA-tier workloads; and (6) SPBE integration test for API interoperability with national shared services (identity, payment, document management).
Terraform and cloud-init scripts should encode PDN compliance requirements as immutable infrastructure constraints — not as manual post-deployment steps. This ensures every deployment is auditable, reproducible, and compliant by default. The Terraform snippet above demonstrates S3-compatible object storage provisioning on PDN's cloud infrastructure with mandatory encryption, public access blocking, and compliance tags.
All workloads on PDN must encrypt data at rest using AES-256 with agency-managed keys stored in PDN's HSM (Hardware Security Module) service. TLS 1.2 or above is mandatory for all in-transit data. Unencrypted HTTP endpoints are not permitted for any TERBATAS or higher classification workloads — this must be enforced at the load balancer level, not left to application code.
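One way to enforce the TLS floor at the load balancer instead of in application code, as an added example that is not part of the original article. It uses the AWS provider from the article's snippet as a stand-in for PDN's load balancer service, and the three ARN variables are hypothetical inputs.

```hcl
# Added example. The ARNs are hypothetical inputs for an existing load
# balancer, its certificate and its backend target group.
variable "lb_arn" {
  type = string
}

variable "certificate_arn" {
  type = string
}

variable "target_group_arn" {
  type = string
}

# Allowlist of listener policies whose minimum protocol is TLS 1.2 or 1.3.
# Any other value fails at plan time, before anything is deployed.
variable "ssl_policy" {
  type    = string
  default = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  validation {
    condition = contains([
      "ELBSecurityPolicy-TLS13-1-2-2021-06", # TLS 1.2 and 1.3
      "ELBSecurityPolicy-TLS13-1-3-2021-06", # TLS 1.3 only
    ], var.ssl_policy)
    error_message = "ssl_policy must have a minimum protocol of TLS 1.2 or higher."
  }
}

# The only listener on the load balancer. No port 80 listener is defined,
# so plaintext HTTP connections are refused at the edge.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.lb_arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = var.ssl_policy
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn
  }
}
```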
Hosting RAHASIA-classified data (e.g. NIK, medical records, financial data) outside PDN or on a public cloud without prior BSSN authorization is a direct violation of PP No. 71/2019 and can result in criminal liability for the responsible officer under UU ITE. Always obtain a formal data classification certificate from your agency's security officer before selecting a hosting environment.
SPBE mandates that government applications connect to national shared service APIs rather than building redundant infrastructure. These include: DUKCAPIL API for NIK verification, SATU SEHAT API for health data exchange, BRImo/GovPay for government payment collection, and the National Single Sign-On (SSO) via SPBE Identity. Integration requires registering your application in the SPBE app catalogue and completing an interoperability assessment.
PDN tenants receive isolated virtual networks (equivalent to AWS VPCs) with no default internet egress. Internet connectivity is provided via a government-managed NAT Gateway with IP allowlisting. Design your VPC with at least three subnets: a public DMZ subnet for load balancers, a private application subnet for compute, and an isolated data subnet for databases — with all database traffic restricted to the application subnet via security group rules.
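The three-subnet layout described above, sketched with the AWS provider the article's snippet already uses. This is an added example, not code from the original article; the CIDR ranges, resource names and ports are constructed for illustration.

```hcl
# Added example. CIDR ranges, names and ports are constructed.
locals {
  tiers = {
    dmz  = "10.20.0.0/24"  # load balancers
    app  = "10.20.10.0/24" # compute
    data = "10.20.20.0/24" # databases
  }
}

# No internet gateway is attached, matching "no default internet egress".
resource "aws_vpc" "tenant" {
  cidr_block = "10.20.0.0/16"
}

resource "aws_subnet" "tier" {
  for_each                = local.tiers
  vpc_id                  = aws_vpc.tenant.id
  cidr_block              = each.value
  map_public_ip_on_launch = false
  tags                    = { Name = "tenant-${each.key}" }
}

# Terraform removes the default allow-all egress rule on creation, so each
# group starts empty and only the rule resources below open traffic.
resource "aws_security_group" "tier" {
  for_each    = toset(["app", "data"])
  name        = "${each.key}-tier"
  description = "Rules for the ${each.key} subnet"
  vpc_id      = aws_vpc.tenant.id
}

# Load balancers in the DMZ may reach the application port (8443 assumed).
resource "aws_vpc_security_group_ingress_rule" "app_from_dmz" {
  security_group_id = aws_security_group.tier["app"].id
  cidr_ipv4         = aws_subnet.tier["dmz"].cidr_block
  ip_protocol       = "tcp"
  from_port         = 8443
  to_port           = 8443
}

# Databases accept PostgreSQL from the application subnet and nothing else.
resource "aws_vpc_security_group_ingress_rule" "db_from_app" {
  security_group_id = aws_security_group.tier["data"].id
  cidr_ipv4         = aws_subnet.tier["app"].cidr_block
  ip_protocol       = "tcp"
  from_port         = 5432
  to_port           = 5432
}
```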
PP No. 71/2019 requires audit logs to be retained for a minimum of 5 years for RAHASIA-tier workloads. Integrate CloudTrail-equivalent logging (PDN provides an LKAP — Log Keamanan dan Audit Platform) from day one. All privileged administrative actions, data access events, and configuration changes must be immutably logged. Export logs daily to a write-once storage bucket to prevent tampering.
Use Terraform's `prevent_destroy = true` lifecycle rule on your PDN encryption keys and audit log buckets. Accidental deletion of these resources during a terraform destroy run would create both a compliance gap and an irreversible data loss scenario.
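The write-once audit log bucket and the `prevent_destroy` guard from the two paragraphs above, combined in one added example that is not part of the original article. It uses S3 Object Lock through the AWS provider as a stand-in for PDN's storage service, and the bucket name is a placeholder.

```hcl
# Added example. The bucket name is a placeholder.
resource "aws_s3_bucket" "audit_logs" {
  bucket              = "example-agency-pdn-audit-logs"
  object_lock_enabled = true # must be set when the bucket is created

  tags = {
    Classification = "RAHASIA"
    Regulation     = "PP-71-2019"
  }

  lifecycle {
    prevent_destroy = true # any plan that would delete the bucket fails
  }
}

# Object Lock only works on versioned buckets.
resource "aws_s3_bucket_versioning" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Every exported log object is locked for 5 years from the moment it is
# written. In COMPLIANCE mode no account, including administrators, can
# shorten the retention period or delete a locked object version.
resource "aws_s3_bucket_object_lock_configuration" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id

  rule {
    default_retention {
      mode  = "COMPLIANCE"
      years = 5
    }
  }

  depends_on = [aws_s3_bucket_versioning.audit_logs]
}

resource "aws_s3_bucket_public_access_block" "audit_logs" {
  bucket                  = aws_s3_bucket.audit_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

The same `lifecycle { prevent_destroy = true }` block can be added to the `aws_kms_key` resource that encrypts the workload's data.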
The first wave of agencies migrating to PDN in 2024–2025 revealed several common challenges: underestimating network latency to non-Jakarta PDN nodes, misconfiguring VPN tunnels causing intermittent connectivity, and failing to account for PDN's different storage performance tiers compared to commercial clouds. Early engagement with BSSN and the Ministry of Communication's PDN technical team is essential for a smooth migration.
Government workloads on PDN require security scanning at every CI/CD pipeline stage: SAST (Static Application Security Testing) to detect vulnerabilities before build, SCA (Software Composition Analysis) to identify vulnerable dependencies, container image scanning before pushing to PDN's private registry, and IaC security scanning (tfsec, checkov) to flag non-compliant Terraform configurations. BSSN may request pipeline audit logs during security assessments.
Key terms in this article include PDN, SPBE, PP 71/2019, and Government Cloud.