
How the World Bank Tames Hybrid Cloud Complexity Using Terraform

Feb 10, 2026 · 5 min read

"Developers always take easy path. So if you make the easiest way the right way, then you have the right outcome." — Suneer Pallitharammal Mukkolakal, Lead Platform Engineer, World Bank

This principle guided the World Bank's platform engineering overhaul. The organization compressed infrastructure provisioning from five days of manual, inconsistently configured work down to 30 minutes of self-service automation. Their platform now orchestrates 27,000 cloud resources supporting 1,700 applications across Azure, AWS, and GCP.

HCP Terraform became the foundation for building golden paths that embed security, compliance, and best practices by default.

Here's how they standardized their hybrid infrastructure from fragmented "snowflake" pipelines into cohesive platform products.

This analysis draws from a HashiConf session presented by Suneer Pallitharammal Mukkolakal, Lead Platform Engineer at the World Bank.

The hybrid cloud problem

World Bank faced complexity across five dimensions:

Manual operations

  • Point-and-click operations and ticket-based workflows dominated

  • Manual configuration across numerous cloud subscriptions

  • Each manual intervention created technical debt requiring ongoing maintenance

Configuration drift

  • Development environments bore little resemblance to production

  • No standardized workflows to prevent environmental divergence

Compliance pressure

  • Continuous emergence of cyber threats and regulatory requirements

  • Cloud providers constantly updating products, forcing teams to adapt

  • Maintaining compliance across fragmented infrastructure proved challenging

Custom applications

  • Every application treated as unique, requiring bespoke infrastructure

  • Data teams demanded custom-built data platforms

  • Application teams required tailored hosting environments

  • Each request followed the same cycle: requirements gathering → custom design → build → perpetual management

  • Hundreds of these one-off platforms accumulated across the infrastructure estate

Cognitive overload

  • Platform teams juggled countless unique configurations

  • Developers, data engineers, and data scientists navigated complex, inconsistent environments

The catalyst: The CIO launched a digital transformation initiative centered on platform engineering strategy.

Four pillars of platform engineering

World Bank's approach rests on these foundations:

Developer experience

  • Internal developer portal enabling self-service

  • Golden paths for applications, data, and AI workloads

  • Scorecards measuring platform quality and adoption

Security by design

  • Security policies codified rather than documented in static files

  • Version control, audit trails, and automated pre-deployment enforcement

  • Robust secrets management

  • Security scorecards for transparency

Unified standards

  • Reusable, composable Terraform modules as building blocks

  • Modules distributed through an internal private registry in HCP Terraform

  • Standardized governance through code-based changes and pull request workflows

  • Versioned standard updates

AI-embedded workflows

  • Coding assistance for development teams

  • AI-powered policy validation

  • Roadmap for AI-generated test cases, intelligent observability, and AI operations

  • Automated documentation serving both human readers and AI prompt libraries

Building the framework

World Bank implemented their strategy using a pyramid model, constructing from the foundation upward:

Figure: Platform engineering pyramid

  1. Create infrastructure components as Terraform modules with embedded security hardening and best practices.

  2. Assemble module bundles or "templates" delivering complete, production-ready deployments (HashiCorp note: Terraform Stacks supports this pattern).

  3. Provide workflows orchestrating Day 1 and Day 2 operations with Terraform and complementary tools.

  4. Identify recurring patterns from layers 1-3 and encode them as workflows with built-in best practices and controls. These become golden path options in the platform-as-a-product.

  5. Build the storefront: an internal developer portal.

Self-service Terraform workflow

The framework enables developers to access pre-built application stacks through a secure, streamlined process:

  1. Developer requests a golden path product via the IDP

  2. Platform management pipeline activates and:

     • Provisions HCP Terraform workspaces

     • Pre-populates variables

     • Connects execution agents

     • Configures the Git repository with golden path definitions

  3. HCP Terraform executes the plan and applies golden path patterns

Platform engineers manage operations at the Git repository level, simplifying maintenance across the board.

The workflow's other critical component is shift-left security integration.

Embedded security controls

Integrating security into design and delivery workflows—rather than appending it afterward—reduces rework costs and strengthens security outcomes.

World Bank's security integration works like this:

  • After the Terraform plan completes, the run task integration sends the plan to security scanning tools

  • Security scans execute at the provisioning gateway

  • Infrastructure deploys only when compliant with security standards

  • Policy-as-code checks run automatically at this stage

  • Passing all checks triggers deployment to World Bank's hybrid environment: Azure, AWS, on-premises, and GCP through a unified workflow
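The platform management pipeline steps above (workspace, variables, execution agent, Git repository) and the post-plan security gate can themselves be written in Terraform against the HCP Terraform API. The following is an added example, not the World Bank's pipeline or any HashiCorp reference code: it uses the `tfe` provider, and the organization `example-org`, the repository identifiers, the scanner URL, and the agent pool and policy set names are placeholders or assumptions. The VCS OAuth token id is taken as an input because it is created once per organization outside this pipeline.

```hcl
# Added example (hypothetical): one golden-path workspace provisioned per request.
terraform {
  required_providers {
    tfe = {
      source  = "hashicorp/tfe"
      version = "~> 0.50" # assumed provider version
    }
  }
}

variable "org"            { type = string } # HCP Terraform organization, e.g. "example-org" (placeholder)
variable "app_name"       { type = string } # name of the requesting application
variable "oauth_token_id" { type = string } # VCS OAuth token id from the organization's VCS connection
variable "scanner_url"    { type = string } # HTTPS endpoint of the security scanning run task (placeholder)
variable "scanner_hmac" {
  type      = string
  sensitive = true # shared secret the scanner uses to verify run task callbacks
}

# Execution agents that reach the on-premises and private cloud networks.
resource "tfe_agent_pool" "platform" {
  name         = "platform-agents"
  organization = var.org
}

# Step: provision the HCP Terraform workspace and connect it to the golden path repo.
resource "tfe_workspace" "golden_path" {
  name           = "${var.app_name}-app-platform"
  organization   = var.org
  execution_mode = "agent"
  agent_pool_id  = tfe_agent_pool.platform.id
  auto_apply     = false # apply only after the run task and policy gates pass

  working_directory = "templates/app-platform"

  vcs_repo {
    identifier     = "example-org/${var.app_name}-infra" # placeholder repository
    branch         = "main"
    oauth_token_id = var.oauth_token_id
  }
}

# Step: pre-populate variables; optional capabilities start disabled (the toggle approach).
resource "tfe_variable" "enable_cache" {
  key          = "enable_cache"
  value        = "false"
  category     = "terraform"
  hcl          = true
  workspace_id = tfe_workspace.golden_path.id
}

# Security gate: the plan is sent to the scanner after planning; a failing scan blocks apply.
resource "tfe_organization_run_task" "security_scan" {
  organization = var.org
  name         = "security-scan"
  url          = var.scanner_url
  hmac_key     = var.scanner_hmac
  enabled      = true
}

resource "tfe_workspace_run_task" "security_scan" {
  workspace_id      = tfe_workspace.golden_path.id
  task_id           = tfe_organization_run_task.security_scan.id
  enforcement_level = "mandatory"
  stage             = "post_plan"
}

# Policy-as-code checks, versioned in their own repository and attached to the workspace.
resource "tfe_policy_set" "platform_security" {
  name          = "platform-security"
  organization  = var.org
  kind          = "sentinel"
  policies_path = "policies/"
  workspace_ids = [tfe_workspace.golden_path.id]

  vcs_repo {
    identifier     = "example-org/platform-policies" # placeholder repository
    branch         = "main"
    oauth_token_id = var.oauth_token_id
  }
}
```

With `enforcement_level = "mandatory"` and `auto_apply = false`, a plan that fails the scanner or a policy never reaches apply, which is the shift-left behaviour the section describes; changing a check means committing to the policies repository rather than touching each workspace.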

The complete self-service workflow is shown in the figure below.

Figure: Platform self-service workflow

Architecture perspective

Each standard template balances flexibility with consolidation. World Bank's typical logical architecture for platform deployments includes:

Figure: Platform template components

Deployments comprise three planes: resource, platform, and developer.

Resource plane (foundation)

  • Services from Azure, AWS, GCP, and on-premises infrastructure

  • Engineers select from compute, network, services, and data options

Platform plane (middle)

  • Terraform, Ansible, and ArgoCD power platform delivery pipelines

  • Application and Data platform products delivered as services

Developer plane (top)

  • Maximum flexibility for developers, data engineers, and data scientists using IDEs, MCP servers, and AI tools like Copilot

  • Internal developer portal accessible through a web interface

Platform products: Application and data

Suneer outlined World Bank's two primary platform products, highlighting where flexibility matters and where capabilities are mandatory.

Application platform

Core stack:

  • VNet with network security controls

  • User interface, API, and database capabilities

  • Standardized on Node.js, Java, and .NET (based on existing usage patterns, not mandates)

  • Database options: PostgreSQL, MySQL, and Cosmos DB (NoSQL)

Optional capabilities (configurable):

  • Serverless functions (Azure Functions, Lambda-style)

  • Caching (Redis with embedded security controls)

  • Object storage for media and files

Security and authentication (mandatory):

  • Authentication required everywhere

  • Native authentication preferred

  • Managed identity for most scenarios

Standard components (always included):

  • Monitoring, logging, key management, DNS, managed identity

Developers welcomed these standard security and monitoring components—they no longer need to design these integrations themselves. Security and observability come built-in.

The toggle approach allows applications to start minimal, with optional capabilities disabled, then expand as requirements grow.
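As an added illustration of pyramid layers 1 and 2 (the hardened module and the template that composes it) together with the toggle approach just described, the following is example code, not the World Bank's or HashiCorp's own modules. It shows a hypothetical hardened object-storage module for Azure, and a template that consumes it from the private registry behind a boolean toggle. The organization `example-org`, the module and resource names, and the `~> 4.0` azurerm provider version are assumptions. The module rejects insecure TLS input with a `validation` block and exposes the account only through a private endpoint; the template pins a module version range, so a Day 2 security fix is shipped as a new module release and picked up on the consumer's next plan.

```hcl
# --- modules/object-storage/main.tf ---------------------------------------
# Hypothetical layer-1 module (added example, not World Bank code).
# Hardening is the default; callers cannot loosen it through inputs.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0" # assumed provider major version
    }
  }
}

variable "name"                { type = string }
variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "subnet_id"           { type = string } # subnet that hosts the private endpoint

variable "min_tls_version" {
  type    = string
  default = "TLS1_2"
  # Kept as a variable so a newer version can be allowed later without breaking callers,
  # but weaker values are refused at plan time.
  validation {
    condition     = var.min_tls_version == "TLS1_2"
    error_message = "Platform policy: only TLS1_2 is permitted."
  }
}

resource "azurerm_storage_account" "this" {
  name                            = var.name
  resource_group_name             = var.resource_group_name
  location                        = var.location
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  min_tls_version                 = var.min_tls_version
  https_traffic_only_enabled      = true
  public_network_access_enabled   = false # reachable only through the private endpoint below
  allow_nested_items_to_be_public = false # no anonymous blob or container access
  shared_access_key_enabled       = false # Entra ID / managed identity authentication only
}

resource "azurerm_private_endpoint" "blob" {
  name                = "${var.name}-blob-pe"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.subnet_id

  private_service_connection {
    name                           = "${var.name}-blob"
    private_connection_resource_id = azurerm_storage_account.this.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }
}

output "id"                { value = azurerm_storage_account.this.id }
output "primary_blob_host" { value = azurerm_storage_account.this.primary_blob_host }

# --- templates/app-platform/main.tf ---------------------------------------
# Layer-2 template: composes registry modules. Optional capabilities default to off,
# so an application starts minimal and is expanded by flipping a variable.
variable "location" {
  type    = string
  default = "eastus" # assumed region
}
variable "subnet_id"             { type = string } # private endpoint subnet from the network module
variable "enable_object_storage" {
  type    = bool
  default = false
}

resource "azurerm_resource_group" "app" {
  name     = "rg-app-platform" # placeholder name
  location = var.location
}

module "object_storage" {
  count   = var.enable_object_storage ? 1 : 0
  source  = "app.terraform.io/example-org/object-storage/azurerm" # private registry; org is a placeholder
  version = "~> 1.2" # Day 2: a hardening fix is released as 1.x and adopted on the next plan

  name                = "stappdata01" # placeholder; must be globally unique
  resource_group_name = azurerm_resource_group.app.name
  location            = azurerm_resource_group.app.location
  subnet_id           = var.subnet_id
}

output "object_storage_host" {
  value = var.enable_object_storage ? module.object_storage[0].primary_blob_host : null
}
```

Because the hardening lives in the module rather than in the template, every consumer gets the same network isolation and authentication settings, and a team that later needs storage only sets `enable_object_storage = true` instead of opening a platform ticket.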

Suneer also detailed the data platform supporting data products and AI initiatives.

Data platform components

Compute options:

  • Analytical platforms: large compute clusters like Databricks, AWS EMR

  • Data movement: Integration platforms such as Data Factory and AWS Glue handle data pipelines

  • Protected through private endpoints

Storage options:

  • Data lakes

  • Relational databases

  • NoSQL databases

AI capabilities:

  • Vector databases enable retrieval augmented generation (RAG)

  • LLM APIs from Azure, OpenAI, Claude, and other providers

Security:

  • Platform-wide integration with private endpoints and private links across cloud vendors

  • Robust key management system for database connections

The toggle approach delivers a crucial advantage: teams can add capabilities without requesting platform support. The flexibility built into these platform products enables true self-service operations.

Day 2 operations for platform engineers

Platform teams experienced dramatic productivity gains after developing these platform products. Rather than maintaining dozens of custom processes and responding to individual change requests, they could manage and maintain infrastructure in bulk at scale. Key improvements include:

  • Complete GitHub-based management with infrastructure codified in Terraform

  • Rapid version changes at scale—when security vulnerabilities emerge in cloud vendor products, teams update the Terraform module and release a new version

  • Security and compliance stakeholders can modify checks and policy code in a scalable, versioned manner

Key results: From days to minutes

The World Bank's platform strategy delivered measurable impact across three critical areas:

Greater delivery velocity

  • Infrastructure provisioning time dropped from 5 days to 30 minutes

  • The 30-minute figure represents pure execution time

Standardized infrastructure across the org

  • 70% of teams now use standardized platform offerings

  • Built-in optionality within golden paths ensures consistent service consumption

  • Organic growth in standardization across the organization

Scale and reach

  • Deployed 27,000 cloud resources in record time

  • Supporting 1,700 applications using these patterns alone

  • Maintained security, consistency, and compliance throughout

Lessons learned

The World Bank identified six critical lessons from this transformation:

Start small, standardize, and automate relentlessly

  • Begin with a single bottleneck

  • Automate end-to-end processes from the outset

Adopt modular, flexible architectures

  • Avoid overengineering Terraform modules

  • Resist excessive configurability

  • Build minimum viable modules for templates, then iterate based on real needs

Apply team topologies and agile ways of working

  • Essential when coordinating multiple teams: security, development, data science, and compliance

  • Cross-functional collaboration drives incremental progress

  • Team topologies provided structure and clarity across groups

Have clarity on the patterns that serve a majority of use cases

  • Attempting to standardize workflows for 100% of enterprise use cases guarantees failure

  • Bespoke "snowflakes" will always exist—handle them separately

Embed AI in platform engineering workflows effectively

  • Policy checks

  • Coding assistance

  • AI-powered automation throughout the platform

Make the easy path the right path

Developers want to build secure, compliant applications, but platform teams must make that path frictionless. When compliance becomes too difficult, developers route around it, creating shadow IT. Reducing operational overhead in development workflows frees developers to focus on creative work that delivers business value.

"Your developers' creative work truly begins where their wait time ends." — Suneer Pallitharammal Mukkolakal, Lead Platform Engineer, World Bank

To learn more about how we can help your company navigate the complexities of hybrid infrastructure for more secure, automated operations, read our guide to navigating cloud complexity and drop us a line to talk about your unique IT challenges.

Watch the full session from HashiConf below: