
Helvetia’s journey building an enterprise serverless product with Terraform

What started as a basic compliance challenge for one team at Helvetia Insurance evolved into a comprehensive enterprise solution for running self-managed installations like a cloud service, using Terraform to manage a serverless architecture.

Helvetia Insurance, founded in 1858 and headquartered in Switzerland, is a major European insurance provider with operations across Switzerland, Germany, Austria, Italy, France, and Spain.

As a traditional financial services company embracing digital transformation, Helvetia faced the classic challenge of balancing innovation speed with operational excellence and compliance requirements. This is the story of how Helvetia's cloud enablement team turned a specific problem into a reusable, self-service platform that serves multiple business units across Europe. HashiCorp Terraform is the engine that provisions this platform.

This blog post is based on a HashiDays session from Matias Merans, who is part of the cloud enablement team at Helvetia.

»Challenge: Compliance requirements prevent SaaS selection

Caser, one of Helvetia's companies in Spain, asked Helvetia for help deploying an identity verification tool from VeriDas to support an online insurance application process. Helvetia takes a cloud-first approach to its tool selection:

“In Switzerland, we’ve migrated everything to AWS and Azure, and we’re closing our datacenters. … For new projects, it would not fit our strategy to use on-premises deployments.”
—Matias Merans, Cloud enablement, Helvetia.

But due to local compliance constraints, Caser couldn’t use the SaaS version of VeriDas and required a self-managed deployment.

VeriDas provided the application as a container image, with YAML files for Kubernetes deployment, persistent storage, and a PostgreSQL database. However, Caser had no Kubernetes expertise or infrastructure.

“Deploying YAML files from a vendor without understanding what you’re doing — especially when it involves databases and persistent storage — can become a disaster.”
—Matias Merans, Cloud enablement, Helvetia.

The operational constraints were equally important:

  • Limited resources for infrastructure management
  • Tight project timelines ("it would be good if it was finished yesterday")
  • Need for cost-effective solutions
  • Requirement for enterprise-grade security and compliance

»Solution: Serverless architecture with Terraform

Rather than building traditional infrastructure, Helvetia's team identified an opportunity to leverage AWS-native services to build a serverless architecture:

»Core infrastructure components

  • Amazon ECS Fargate: Container orchestration without server management
  • Amazon EFS (Elastic File System): Persistent storage
  • Amazon RDS: Managed relational databases
  • Application Load Balancer: Traffic distribution
  • Amazon Route 53: DNS management
  • AWS Certificate Manager: SSL/TLS certificates
  • Amazon ECR: Container image storage
  • Amazon SES: Email services
  • AWS Secrets Manager: Credential management
  • Amazon CloudWatch: Logging and monitoring

[Figure: Serverless architecture Helvetia]

“We tried to select only products that we don't need to manage. So, if possible, only serverless products. The RDS still has a server behind it, but as it's completely managed by Amazon, it was okay with our needs.”
—Matias Merans, Cloud enablement, Helvetia

The team at Caser liked this approach. Another subsidiary (Helvetia Seguros) also learned about it and said ‘We’d like that too.’ But there were still some remaining challenges:

  • The operators at Caser didn’t feel comfortable deploying this architecture using AWS-native workflows
  • If other Helvetia companies wanted to use this platform, it needed a reusable provisioning workflow
  • It needed to be easy to maintain

»Infrastructure as code with Terraform

Being a multi-cloud company on AWS and Azure, Helvetia was already using HashiCorp Terraform to deploy to multiple clouds with one platform.

“The team chose Terraform specifically because it's a well-known, community-based, enterprise-level product.”
—Matias Merans, Cloud enablement, Helvetia

Aside from the well-known benefits of infrastructure as code, Terraform brought guardrails into the provisioning process. Engineers weren’t allowed to make any change they wanted to the infrastructure, and every change was tracked with version control and notifications.

“As a financial company, we have a lot of audits, and when an auditor asks who did what and when … it's quite easy to show them the Git history … it's an out-of-the-box audit trail.”
—Matias Merans, Cloud enablement, Helvetia

Using Terraform, they built reusable modules to deploy the entire stack across environments (integration, production) and companies (Caser and Helvetia Seguros). Configuration differences are handled via variables.

»Serverless with AWS

A cloud-managed, serverless architecture brought many of the benefits you’d expect:

  • No patching or infrastructure maintenance (AWS-managed)
  • Don’t need to choose the number of Kubernetes nodes or their sizing
  • Don’t need to check for remaining disk storage
  • Logs are automatically saved and forwarded to CloudWatch

The only operational task the companies need to perform is updating VeriDas if a new version is released. With Terraform, the operators can make that update by changing a single line of code in the configuration variables and committing that change to Git — first to integration, then to production.

»Platform: Automated container deployments

Encouraged by the success, Helvetia decided to turn the new platform into an internal product that could deploy third-party containers safely and easily.

While also working on an Azure architecture for this platform, their new architecture for the AWS product looked like this:

[Figure: Final serverless architecture Helvetia]

With this product, internal teams can:

  1. Provide a container image
  2. Select optional components (database, storage, backups)
  3. Submit a request via ServiceNow

Behind the scenes, a Terraform-powered pipeline does three things:

  1. Create a new AWS account
  2. Deploy a standardized landing zone
  3. Provision the application stack

This architecture supports one AWS account per application for better cost tracking and permission segregation.

»Enterprise security and governance features

Using Terraform and ServiceNow, Helvetia was able to put a number of guardrails in place to make the product workflow cost-efficient and secure by design.

»Container security

Because they’re dealing with third-party containers, they need to make sure they’re secure. Using a Terraform provider to plug into the provisioning workflow, the product uses Amazon ECR to scan containers upon submission (either by upload or public registry URL) and automatically block any vulnerable images.
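
The decision step of such a scan gate, as an added example (not Helvetia's or HashiCorp's code): it reads a response shaped like ECR's DescribeImageScanFindings output and fails closed when the scan has not finished. The HIGH threshold, the function name, and the sample responses are assumptions, and it assumes basic scanning, where a finished scan reports status COMPLETE.

```python
# Added example: admit or block an image based on an ECR scan result.
# The sample responses are constructed; the HIGH threshold is an assumption.

SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def evaluate_scan(response, block_at="HIGH"):
    """Return (allowed, reason). Anything but a finished scan is refused."""
    status = response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        # Pending, failed or unsupported scans have not proven the image clean.
        return False, f"scan status is {status or 'missing'}, refusing to deploy"

    findings = response.get("imageScanFindings", {})
    counts = findings.get("findingSeverityCounts", {})
    threshold = SEVERITY_ORDER.index(block_at)
    blocking = {}
    for severity, count in counts.items():
        # UNDEFINED or unknown severities rank above CRITICAL, so they block.
        if severity in SEVERITY_ORDER:
            rank = SEVERITY_ORDER.index(severity)
        else:
            rank = len(SEVERITY_ORDER)
        if count > 0 and rank >= threshold:
            blocking[severity] = count

    if blocking:
        detail = ", ".join(f"{n} {sev}" for sev, n in sorted(blocking.items()))
        return False, f"blocked: {detail}"
    return True, f"no findings at or above {block_at}"


# Constructed sample responses (not real scan output).
CLEAN = {"imageScanStatus": {"status": "COMPLETE"},
         "imageScanFindings": {"findingSeverityCounts": {"LOW": 3, "MEDIUM": 1}}}
VULNERABLE = {"imageScanStatus": {"status": "COMPLETE"},
              "imageScanFindings": {"findingSeverityCounts":
                                    {"CRITICAL": 1, "HIGH": 2, "LOW": 5}}}
PENDING = {"imageScanStatus": {"status": "IN_PROGRESS"}}
UNRATED = {"imageScanStatus": {"status": "COMPLETE"},
           "imageScanFindings": {"findingSeverityCounts": {"UNDEFINED": 1}}}

if __name__ == "__main__":
    for name, resp in [("clean", CLEAN), ("vulnerable", VULNERABLE),
                       ("pending", PENDING), ("unrated", UNRATED)]:
        print(name, evaluate_scan(resp))
```

In a pipeline, a non-zero exit on `allowed == False` before the provisioning step keeps an unscanned or vulnerable image from reaching the task definition.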

»Secret input

The product prevents users from directly pasting plaintext secrets into the ServiceNow form. The only secrets users can add are:

  • Database configuration strings
  • Storage mount points

For anything else, they have to work with the enablement team.

»Resource optimization

“If they receive the specifications from the vendor [CPU, memory] ... what will they do? Take the requirements and double them. Why? Because ‘we want to be sure’ … if they’re not sure about size, they’ll just take the biggest one.”
—Matias Merans, Cloud enablement, Helvetia

To head off any potential resource over-provisioning by users, Helvetia only allows three “t-shirt size” resource sizing options (Small, Medium, Large). If a user needs a larger size than Large, then they can go to the enablement team for an assessment.

How do they prevent users from just selecting Large unnecessarily? Their FinOps team puts tools in place to monitor usage after provisioning. If that monitoring detects underutilization of the chosen size, the size is scaled down automatically.

»Future enhancements

The platform is now live and serving multiple teams, and Helvetia has even more enhancements on the product roadmap:

  • Automating backup restores
  • Streamlining database engine upgrades
  • Enhancing secret management workflows

»Takeaways

What began as a single compliance requirement became an enterprise platform serving multiple business units at Helvetia, proving how some challenges can become significant opportunities.

“We started with a very basic use case, a small problem that some team had. Taking a step back, looking at what we could do, getting experience from our errors, we were able to find a new product and a great opportunity to make things better just by starting from something small.”
—Matias Merans, Cloud enablement, Helvetia

By leveraging AWS-native services and Terraform, Helvetia built a scalable, secure, and efficient platform for deploying third-party containers — without burdening teams with infrastructure management.

The platform transformation delivered significant business value:

  • Rapid scaling, consistent deployments
  • Standardized security and compliance across all deployments
  • Cloud-managed benefits with almost no ongoing maintenance requirements
  • Cost optimization through right-sizing and serverless scaling
  • Multi-cloud capability supporting expanded adoption throughout the business
  • Fast, reliable auditing through infrastructure as code and other tools

Many of these benefits were made possible with Terraform. Provisioning through Terraform infrastructure as code makes it possible for the automated container deployment platform to be:

  • Multi-cloud
  • Productized and quickly built across multiple companies
  • Rapidly modified at scale
  • Governed with cost and compliance guardrails
  • Quickly auditable
  • Standardized with workflows that meet company guidelines and regulatory requirements

To learn more about how Terraform has helped other companies develop faster, save money, and reduce risks, visit our case studies page.

If, like Helvetia, you manage several heterogeneous IT environments, are you struggling to keep security, compliance, and operations aligned? We’ve helped hundreds of organizations through hybrid and multi-cloud journeys so that they can move fast and stay secure. Read this guide containing our key pieces of advice: Securing and governing hybrid and multi-cloud at scale.

This blog is based on this session from HashiDays London 2025:

And be sure to check out Helvetia’s session from 2024: Automatic multi-cloud landing zones via HCP Terraform at Helvetia Insurance.
