{"id":2202,"date":"2025-07-02T21:14:08","date_gmt":"2025-07-02T21:14:08","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/07\/02\/helvetias-journey-building-an-enterprise-serverless-product-with-terraform\/"},"modified":"2025-07-02T21:14:08","modified_gmt":"2025-07-02T21:14:08","slug":"helvetias-journey-building-an-enterprise-serverless-product-with-terraform","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/07\/02\/helvetias-journey-building-an-enterprise-serverless-product-with-terraform\/","title":{"rendered":"Helvetia\u2019s journey building an enterprise serverless product with Terraform"},"content":{"rendered":"

Helvetia Insurance<\/a>, founded in 1858 and headquartered in Switzerland, is a major European insurance provider with operations across Switzerland, Germany, Austria, Italy, France, and Spain. <\/p>\n

As a traditional financial services company embracing digital transformation, Helvetia faced the classic challenge of balancing innovation speed with operational excellence and compliance requirements. This is the story of how Helvetia’s cloud enablement team turned a specific problem into a reusable, self-service platform that serves multiple business units across Europe. HashiCorp Terraform<\/a> is the engine that provisions this platform.<\/p>\n

This blog post is based on a HashiDays session from Matias Merans, who is part of the Cloud enablement at Helvetia.<\/em><\/p>\n

Challenge: Compliance requirements prevent SaaS selection<\/h2>\n

When Helvetia got a request from Caser<\/a>, one of their companies in Spain, they needed to help them deploy an identity verification tool from VeriDas to support an online insurance application process. Helvetia takes a cloud-first<\/strong> approach to its tool selection: <\/p>\n

\u201cIn Switzerland, we\u2019ve migrated everything to AWS and Azure, and we\u2019re closing our datacenters. \u2026 For new projects, it would not fit our strategy to use on-premises deployments.\u201d
\n\u2014Matias Merans, Cloud enablement, Helvetia.<\/p>\n

But due to local compliance constraints, Caser couldn\u2019t use the SaaS version of VeriDas and required a self-managed deployment.<\/p>\n

VeriDas provided the application as a container image, with YAML files for Kubernetes deployment, persistent storage, and a PostgreSQL database. However, Caser had no Kubernetes expertise or infrastructure.<\/p>\n

\u201cDeploying YAML files from a vendor without understanding what you\u2019re doing \u2014 especially when it involves databases and persistent storage \u2014 can become a disaster.\u201d
\n\u2014Matias Merans, Cloud enablement, Helvetia.<\/p>\n

The operational constraints were equally important:<\/p>\n

Limited resources for infrastructure management
\nTight project timelines (“it would be good if it was finished yesterday”)
\nNeed for cost-effective solutions
\nRequirement for enterprise-grade security and compliance<\/p>\n

Solution: Serverless architecture with Terraform<\/h2>\n

Rather than building traditional infrastructure, Helvetia’s team identified an opportunity to leverage AWS-native services to build a serverless architecture<\/a>:<\/p>\n

Core infrastructure components<\/h3>\n

Amazon ECS Fargate<\/strong>: Container orchestration without server management
\nAmazon EFS (Elastic File System)<\/strong>: Persistent storage
\nAmazon RDS<\/strong>: Managed relational databases
\nApplication Load Balancer<\/strong>: Traffic distribution
\nAmazon Route 53<\/strong>: DNS management
\nAWS Certificate Manager<\/strong>: SSL\/TLS certificates
\nAmazon ECR<\/strong>: Container image storage
\nAmazon SES<\/strong>: Email services
\nAWS Secrets Manager<\/strong>: Credential management
\nAmazon CloudWatch<\/strong>: Logging and monitoring<\/p>\n

\u201cWe tried to select only products that we don’t need to manage. So, if possible, only serverless products. The RDS still has a server behind it, but as it’s completely managed by Amazon, it was okay with our needs.\u201d
\n\u2014Matias Merans, Cloud enablement, Helvetia <\/p>\n

The team at Caser liked this approach. Another subsidiary (Helvetia Seguros) also learned about it and said \u2018We\u2019d like that too.\u2019 But there were still some remaining challenges: <\/p>\n

The operators at Caser didn\u2019t feel comfortable deploying this architecture using AWS-native workflows
\nIf other Helvetia companies wanted to use this platform, it needed a reusable provisioning workflow
\nIt needed to be easy to maintain<\/p>\n

Infrastructure as code with Terraform<\/h3>\n

Being a multi-cloud company on AWS and Azure, Helvetia was already using HashiCorp Terraform to deploy to multiple clouds with one platform.<\/p>\n

\u201cThe team chose Terraform specifically because it’s a well-known, community-based, enterprise-level product.\u201d
\n\u2014Matias Merans, Cloud enablement, Helvetia <\/p>\n

Aside from the well-known benefits of infrastructure as code<\/a>, Terraform brought guardrails into the provisioning process. Engineers weren\u2019t allowed to make any change they wanted to the infrastructure, and every change was tracked with version control and notifications. <\/p>\n

\u201cAs a financial company, we have a lot of audits, and when an auditor asks who did what and when \u2026 it’s quite easy to show them the Git history \u2026 it’s an out-of-the-box audit trail.\u201d
\n\u2014Matias Merans, Cloud enablement, Helvetia <\/p>\n

Using Terraform, they built reusable modules to deploy the entire stack across environments (integration, production) and companies (Caser and Helvetia Seguros). Configuration differences are handled via variables.<\/p>\n

Serverless with AWS<\/h3>\n

A cloud-managed, serverless architecture brought many of the benefits you\u2019d expect: <\/p>\n

No patching or infrastructure maintenance (AWS-managed)
\nDon\u2019t need to choose the number of Kubernetes nodes or their sizing
\nDon\u2019t need to check for remaining disk storage
\nLogs are automatically saved and forwarded to CloudWatch<\/p>\n

The only operational task the companies need to perform is updating VeriDas if a new version is released. With Terraform, the operators can make that update by changing a single line of code in the configuration variables and committing that change to Git \u2014 first to integration, then to production.<\/p>\n

Platform: Automated container deployments<\/h2>\n

Encouraged by the success, Helvetia decided to turn the new platform into an internal product that could deploy third-party containers safely and easily. <\/p>\n

While also working on an Azure architecture for this platform, their new architecture for the AWS product looked like this:<\/p>\n

With this product, internal teams can:<\/p>\n

Provide a container image
\nSelect optional components (database, storage, backups)
\nSubmit a request via ServiceNow<\/p>\n

Behind the scenes, a Terraform-powered pipeline does three things:<\/p>\n

Create a new AWS account
\nDeploy a standardized landing zone<\/a>
\nProvision the application stack<\/p>\n

This architecture supports one AWS account per application for better cost tracking and permission segregation.<\/p>\n

Enterprise security and governance features<\/h2>\n

Using Terraform and ServiceNow, Helvetia was able to put a number of guardrails in place to make the product workflow cost-efficient and secured by design.<\/p>\n

Container security<\/h3>\n

Because they\u2019re dealing with third-party containers, they need to make sure they\u2019re secure. Using a Terraform provider to plug into the provisioning workflow, the product uses Amazon ECR to scan containers upon submission (either by upload or public registry URL) and automatically block any vulnerable images. <\/p>\n

Secret input<\/h3>\n

The product prevents users from directly pasting plaintext secrets into the ServiceNow form. The only secrets users can add are:<\/p>\n

Database configuration strings
\nStorage mount points<\/p>\n

For anything else, they have to work with the enablement team.<\/p>\n

Resource optimization<\/h3>\n

\u201cIf they receive the specifications from the vendor [CPU, memory] … what will they do? Take the requirements and double them. Why? Because \u2018we want to be sure\u2019 \u2026 if they\u2019re not sure about size, they\u2019ll just take the biggest one.\u201d
\n\u2014Matias Merans, Cloud enablement, Helvetia <\/p>\n

To head off any potential resource over-provisioning by users, Helvetia only allows three \u201ct-shirt size\u201d resource sizing options (Small, Medium, Large). If a user needs a larger size than Large, then they can go to the enablement team for an assessment. <\/p>\n

How do they prevent users from just selecting Large unnecessarily? Their FinOps team puts tools in place to monitor their usage after provisioning. If they detect underutilization of their sizing choice, the size is scaled down automatically.<\/p>\n

Future enhancements<\/h2>\n

The platform is now live and serving multiple teams and Helvetia has even more enhancements the product roadmap:<\/p>\n

Automating backup restores
\nStreamlining database engine upgrades
\nEnhancing secret management workflows<\/p>\n

Takeaways<\/h2>\n

What began as a single compliance requirement became an enterprise platform serving multiple business units at Helvetia, proving how some challenges can become significant opportunities.<\/p>\n

\u201cWe started with a very basic use case, a small problem that some team had. Taking a step back, looking at what we could do, getting experience from our errors, we were able to find a new product and a great opportunity to make things better just by starting from something small.\u201d
\n\u2014Matias Merans, Cloud enablement, Helvetia <\/p>\n

By leveraging AWS-native services and Terraform, Helvetia built a scalable, secure, and efficient platform for deploying third-party containers \u2014 without burdening teams with infrastructure management.<\/p>\n

The platform transformation delivered significant business value:<\/p>\n

Rapid scaling, consistent deployments
\nStandardized security and compliance across all deployments
\nCloud-managed benefits with almost no ongoing maintenance requirements
\nCost optimization through right-sizing and serverless scaling
\nMulti-cloud capability supporting expanded adoption throughout the business
\nFast, reliable auditing through infrastructure as code and other tools<\/p>\n

Many of these benefits were made possible with Terraform. Provisioning through Terraform infrastructure as code makes it possible for the automated container deployment platform to be:<\/p>\n

Multi-cloud
\nProductized and quickly built across multiple companies
\nRapidly modified at scale
\nGoverned with cost and compliance guardrails
\nQuickly auditable
\nStandardized with workflows that meet company guidelines and regulatory requirements<\/p>\n

To learn more about how Terraform has helped other companies develop faster, save money, and reduce risks, visit our case studies<\/a> page.<\/p>\n

If, like Helvetia, you manage several heterogeneous IT environments, are you struggling to keep security, compliance, and operations aligned? We\u2019ve helped hundreds of organizations through hybrid and multi-cloud journeys so that they can move fast and stay secure. Read this guide containing our key pieces of advice: Securing and governing hybrid and multi-cloud at scale<\/a>.<\/p>\n

This blog is based on this session from HashiDays London 2025:<\/p>\n

And be sure to check out Helvetia\u2019s session from 2024: Automatic multi-cloud landing zones via HCP Terraform at Helvetia Insurance<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

Helvetia Insurance, founded in 1858 and headquartered in Switzerland, is a major European insurance provider with operations across Switzerland, Germany, […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[],"class_list":["post-2202","post","type-post","status-publish","format-standard","hentry","category-terraform"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2202"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2202\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}