Experience with developers is highly valued at DZ BANK. The development environment’s security profile shouldn’t be jeopardised, though, at the same time. Google Cloud started a mission to significantly improve both Cloud and DZ Bank security posture and the developer experience as part of DZ Bank cooperation with Google Cloud. Here’s how Google Cloud used Cloud Workstations to accomplish DZ Bank objectives.
Lack of emphasis on developer experience
In the past, there was no common method for automating project setup and developer environments. The onboarding process for new developers might take days or weeks, depending on the complexity of the project. They had to manually set up their projects, which required them to comb through numerous internal documentation sources, provision infrastructure, and speak with colleagues when they encountered problems. This was a considerable amount of labour that ought to be automated.
Moreover, the developers didn’t have a prescribed method for obtaining specific container tools, such as Docker runtime and the tooling around it. Consequently, a great deal of teams were operating independently and not exchanging best practices for production. Standardising development environments is essential to better understand security posture and to give transparency about the tools and frameworks that development teams are using. It desired the ability to regularly check tools for potential vulnerabilities and to have control over which tools developers use.
Workstations in the cloud to the rescue
Cloud Workstations offer a simple solution to standardize DZ Bank development environments because they are a fully managed service. Without putting in additional work, it can use predefined base images to handle infrastructure, OS patches, and security patches. Additionally, users can redirect traffic between ports on a local machine and ports workstation without exposing it to the internet by directly accessing Workstation tools via SSH (or any other TCP protocol). It is able to encrypt resources with a customer-managed encryption key thanks to CMEK support.
Furthermore, Cloud Workstations facilitates persistent discs, which let they store data in between sessions, and offers multiple base images with preset Integrated Development Environments (IDEs) that are frequently used by developers. These base images provide support for Docker-in-Docker and can be further customised. For workstation setups, Google Cloud might install JetBrains IDEs or other standardised IDE extensions and plugins.
It also have a lot of alternatives with Cloud Workstations to help DZ Bank expedite the developer experience. To provision resources and permissions for Cloud Workstations, for example, DZ Bank can use the infrastructure-as-code tool Terraform. This allows DZ Bank to automate the configuration of the entire development environment. In order to speed up startup times and enable engineers to get started more quickly, DZ Bank also set up a series of pre-warmed workstations. Additionally, inactivity time limitations can be set, which will cause workstations to automatically shut down after a predetermined amount of inactivity. DZ Bank have also managed it’s expenditures by using Cloud Workstations, where you just pay for workstation uptime.
DZ BANK architecture for deployment
Google Cloud operate DZ Bank’s workstations within DZ Bank’s secure Google Cloud landing zone, or deployed cloud environment, in a private workstation cluster with private IP addresses within a shared VPC network. There are two Private Service Connect (PSC) endpoints needed to access the workstation cluster and private network:
- Workstation clusters with a private gateway by default construct a PSC endpoint to connect the control plane to workstations in DZ Bank’s private network.
- An extra PSC endpoint that facilitates connections between developers and desktops within DZ Bank’s VPC. In DZ Bank’s private DNS zone, it additionally establish a DNS record for the workstation domain using the IP address of this PSC endpoint.
Ongoing input from developers
After gaining access to DZ Bank’s Cloud Workstations within the Google Cloud landing area, it proceeded to modify them to suit their needs. Using the preset basic images that the Cloud Workstation team provided, it produced DZ Bank’s own unique Docker images, which featured the following:
- A centrally located proxy configuration
- A package and tool download artefact server that is routinely inspected by the cyber security team
- Package manager configurations particular to a language (e.g., mvn, pip, npm, etc.)
- Additional standardised tools according to project requirements and programming language
- Pre-installation and IDE plugin and extension upgrades carried out automatically
- Repositories of the OS package manager that are accessible via the artefact server (i.e., without internet connectivity)
- An automated setup of the environment that includes the Java Keytool, Git certificates, IDE setups, and other standard environment variables
- X11 enablement utilising SSH, so that the developers can also access GUI apps, such as tools for UI testing
- Certain bash scripts
Additionally, it carried out several proofs of concept with different DZ BANK development teams, each of which represented a distinct set of issues and tooling environments. It further enhanced and tailored DZ Bank’s Cloud Workstations environment based on their input.
Project-specific customisations are one instance. Even while standardised images cover the majority of developer needs, some requirements like project-specific tools and environment variables cannot be included in the standardised images. It utilise bash scripts to customise images on startup in order to automate tasks.
It generate a unique workstation.yaml file for every project, with all the necessary automation commands, and we double-check it in DZ Bank’s Git repository. DZ Bank’s script is a bash script that searches for this file at startup of a Cloud Workstation and executes the commands found within. This enables them to fully automate the setup of DZ Bank’s projects, allowing a fresh developer to contribute from the outset.
A cloud workstation order CI pipeline was also developed by DZ Bank. It’s Git repository houses the custom image code, which, when committed, starts a continuous integration process. This pipeline produces all the necessary container images depending on the hierarchy of images provided in DZ Bank’s Dockerfiles.
Docker images are inspected for vulnerabilities according to Google cloud’s cyber security requirements and pushed into an Artifact Registry of DZ Bank’s Google Cloud project allocated for testing by DZ Bank’s testers and developers. Following a successful scan and testing process, photos are combined and put into production.
Developers can place internal orders for Cloud Workstations using an automated procedure that starts DZ Bank’s order CI pipeline and installs all the appropriate permissions and infrastructure. No more looking in documentation is necessary! In order to further empower and expedite DZ Bank’s devs, they are excited to investigate into AI-enabled code development now that Gemini Code Assist powers Cloud Workstations.
Learnings
It’s collaboration with Google Cloud and the use of Cloud Workstations has made it possible for it to greatly increase the development productivity of bank teams.
“Before Cloud Workstations, onboarding new devs took a week, but now it only takes one day. The cloud-native development environment is fully automated, safe, and standardised, allowing developers to begin working on the code base right away. The qualities of automation and standardisation make development easier. – Gregor Otto Milenkovic, DZ BANK AG Product Owner
Along the road, DZ Bank picked up a lot of knowledge that may be helpful for your own travels:
In order to arrive at a solution that pleases all parties involved, the ongoing developer feedback cycle is essential.
- It’s essential to strike the right balance between the freedom provided to developers and the environment’s security requirements.
- Bank Customer Engineers and the Product Engineering team are instrumental in seeing projects through to the end.
- This Bank had regular touch with them to answer it’s concerns, report bugs, and feature requests.
- Automate everything and eliminate toil!
