The main objective of BTG Pactual is to consolidate itself as the region’s most influential investment and capital bank through digital products and services aimed at the segment of individuals and large companies.
To achieve this, BTG needed a transactional portal that offered a competitive portfolio compared to existing banks. This portal had to have a continuous delivery strategy, minimizing quality issues to comply with government regulations and meet customer expectations.
To implement the solution, a Continuous Integration and Continuous Deployment (CI/CD) process was established, orchestrated with Jenkins and templates written in Groovy, using only one template for each solution. However, these templates were personalized through secrets stored in Jenkins with environment-specific settings, such as the AWS account ID to which changes should be applied.
The pipelines designed for the relevant deployments, including the stages to perform the required tasks, can be grouped into 1) preparation tasks, 2) building tasks, and 3) deployment tasks.
Variables are applied using JSON documents, and CloudFormation was chosen to build the IaC since the customer’s team is familiar with this language.
These templates are deployed in Jenkins pipelines, divided by directories with the type of resource they deploy and version in a GIT repository.
Similarly, there are pipelines to provision managed service resources, for example, a group of users in AWS Cognito, due to the regulations that must be satisfied (a single active session, confidentiality of user information). Adding Lambda, which works as a user pool trigger, was necessary to meet the requirements.
Considering that these resources (Lambdas and Cognito User Pool) become a single component that must be replicated in multiple environments (dev, qa, prod), infrastructure stacks are established as code and executed from Jenkins using AWS CLI.
Regarding metrics and findings, the SonarQube tool evaluates the code quality the team’s developers create. It analyzes and identifies existing vulnerabilities, duplicate code, and its coverage through unit tests.
Within this validation process, we decided to restrict the updating of requests, incorporating quality gate validation rules in the pipelines to proactively control and block new changes in the environments.
Third-party applications or solutions:
How AWS is used as part of the solution:
As a good practice, this project sought to have the most significant number of components supported by AWS-managed services for the solution, such as S3, Cognito, CloudFront, and DynamoDB, to guarantee high availability and correct operation without an extra operational load for BTG Pactual. In the case of EC2 instances used in the EKS cluster, an update procedure for their Operating System was set. AWS Inspector was suggested to detect security issues. To improve the security and access control of AWS accounts, BTG Pactual uses AWS Organization, thus controlling who (people and machines) can use the resources deployed as part of the solution or available through the AWS console. Other services that are helping us with the solution security and are in place are CloudFront and WAF. The latter protects end users’ consumption of services deployed in the API Gateway.
CloudTrail was enabled on all accounts in the production environment to review any activity within the AWS cloud. Trusted Advisor was also implemented to protect the client-side infrastructure, allowing the detection of and action upon any security problem on the workload. To improve monitoring of the entire solution, X-Ray is enabled in the API Gateway service, and the logs are sent to CloudWatch. The EKS service is monitored with logs to CloudWatch, and error information is submitted to Elasticsearch. To automate the deployment of the solution infrastructure, we worked with CloudFormation through templates stored in Git repositories; these are used to deploy components such as Amazon Cognito, AWS Lambda, and API Gateway.
To meet the expectations of the challenge, we decided to leverage a large part of BTG’s technological stack with AWS technologies, tending to build cloud-native services and use the latest technology trends with a clear and robust DevOps strategy. We sought to create value for the bank’s internal and external customers by delivering new quality features promptly and covering key security aspects.
The proposed strategy made it possible to deliver products to the customer in a timely manner, positively impacting delivery times, which used to be monthly before implementing continuous integration and deployment mechanisms. Now, with DevOps capabilities, these times have been reduced to weekly and even daily deployments.
As an additional point of this strategy, verification mechanisms were implemented in the applications’ code and the infrastructure within the pipelines. They identified improvement points and existing vulnerabilities, thus generating findings and metrics in the development and pre-production environments that help implement product quality and safety improvements before applying changes in the production environment.
The second phase of this verification is planned to restrict the updating of applications by incorporating quality gate validation rules in the different pipelines to have proactive control and block new changes in the environments.