Secure and scalable cloud infrastructure for a banking application leveraging cutting edge deployment technique - SnapSoft

Region: CEE

Industry: Fintech

MBH Bank aims to be a market-leading company in the Hungarian banking sector. As the capabilities of public clouds have recently increased, the company decided to gradually move its infrastructure to AWS. They are not only moving to the cloud but also modernizing and reimplementing their software to conform to cloud best practices.

Our partner said

SnapSoft was able to provide proficiency in designing such systems, and also to implement and document the steps required for maintenance. It is crucial that the operations staff should be familiar with the infrastructure, and should have the courage to reconfigure them anytime.
Rubóczky György
Cloud Solutions and Platform Services leader

Challenges

Managing tens of AWS accounts and all of their resources from Terraform is a huge task. With the correct repository structures, automation pipelines, and tests, this can be implemented elegantly. Every configurable module has its own responsibility, can be tested on its own, and can be reused for several similar use cases.

The biggest challenge was to deliver a solution for managing tens of thousands of resources across tens of AWS accounts. Some of these accounts contain sensitive data and must be restricted; others are sandbox accounts that should be much less restrictive. All access must be centrally managed in an on-premises AD, which means that every application must be integrated with it. AWS Identity Center is a great service for this integration, but in this complex situation a more sophisticated integration was needed between AWS, the AD, and all other applications.

The core networking is built from scratch using three dedicated North-South firewall systems and one East-West firewall system. Security is a must-have in all cases, so multiple layers of managed, highly available firewall systems are used. To test this network, the same infrastructure code is used to deploy an identical system.

EKS clusters run the application workloads. Most of the services are AWS-managed, so the maintenance overhead of the infrastructure is minimized. Third-party integrations are implemented with PrivateLink, the native AWS solution for such cases.

SnapSoft’s contribution to the solution

As the IT ecosystem of the banking sector is highly regulated, the cloud infrastructure must strictly follow the requirements of the regulatory bodies. SnapSoft implemented the AWS infrastructure of a platform where all banking applications can be deployed. Several EKS clusters, VPN connections, Direct Connect connections, third-party integrations, network security components, logging, monitoring, and much more are managed from a wide range of interconnected Git repositories. Every change to any part of the infrastructure must go through a chain of tests, deployment plans, and approval workflows before being deployed. Every state of the infrastructure, and every change to it, is documented and archived.

Why AWS?

With its wide range of services, AWS was selected as the most suitable cloud provider. The infrastructure is implemented with Terragrunt over Terraform, and GitLab is used for version control and CI/CD. Deployments are automated in pipelines; nothing is modified manually. Some components use AWS Lambda functions, which are written in TypeScript on Node.js.

Technology stack

Terraform
Node.js
TypeScript
AWS Lambda
Terragrunt
GitLab
Cloud Migration
Landing Zone