Engineering Projects

A selection of cloud, DevSecOps, and infrastructure-as-code projects from our founder's open-source work, spanning policy-driven pipelines, Kubernetes platforms, and enterprise Azure landing zones.

πŸ›‘οΈ

Enterprise DevSecOps Pipeline

Policy-as-Code for Secure Infrastructure Delivery

A production-grade DevSecOps pipeline that embeds security scanning and policy enforcement directly into the Terraform deployment lifecycle. Every infrastructure change is linted, scanned for misconfigurations with Checkov, and validated against custom OPA/Rego policies β€” with a manual approval gate standing between any change and live Azure resources.

Terraform Checkov OPA / Rego GitHub Actions Azure Policy as Code
Developer Commit
β†’
GitHub Repo
β†’
GitHub Actions
β†’
Terraform Validate / Lint
β†’
Checkov Scan
β†’
OPA Policy Eval
β†’
Terraform Plan
β†’
Manual Approval Gate
β†’
Terraform Apply
β†’
Azure Cloud Resources
β€·
Slack / Teams Notification (on every stage)
πŸ’‘

Shift-left security: non-compliant infrastructure is blocked before it's ever provisioned, with Checkov and OPA running as hard gates rather than advisory checks.

☸️

Azure AKS DevSecOps Pipeline

Branch-Based CI/CD for Multi-Environment Kubernetes Delivery

A DevSecOps pipeline purpose-built for Azure Kubernetes Service, routing commits through dedicated dev, pre-prod, and prod branches into matching AKS namespaces. The project includes a documented real-world troubleshooting story β€” diagnosing and resolving a CrashLoopBackOff failure during rollout β€” along with a clear roadmap toward GitOps maturity.

AKS Kubernetes GitHub Actions Terraform Docker Branch-per-Environment
dev branch
β†’
dev namespace
preprod branch
β†’
preprod namespace
prod branch
β†’
Manual Approval
β†’
prod namespace
All namespaces run on a single shared AKS cluster, isolated via Kubernetes RBAC & resource quotas
πŸ”§

Includes a real troubleshooting writeup of a CrashLoopBackOff incident and its fix. Roadmap targets Helm, Ingress + TLS, Azure Monitor, Prometheus/Grafana, HPA, OPA/Gatekeeper, and ArgoCD-based GitOps.

🧱

AKS DevOps Platform

Modular Terraform Foundation for Production AKS

A reusable AKS platform built from dedicated Terraform modules for networking, monitoring, and the cluster itself β€” paired with Helm charts and a sample Node.js workload that exercises the platform end-to-end. The configuration was verified stable as of October 24, 2025.

Terraform Modules AKS Helm Docker Node.js
Terraform Module: network
Terraform Module: monitoring
Terraform Module: aks
β†’
AKS Cluster
β†’
Helm Charts
β†’
Sample Node.js App
βœ…

Clean separation between network, monitoring, and compute modules makes the platform easy to extend or fork for new clusters; a documented "stable configuration" milestone anchors the repo's reliability.

πŸ›οΈ

Azure Landing Zone β€” End-to-End IaC Deployment

CAF-Aligned Landing Zone Across the Full Subscription Hierarchy

An end-to-end Infrastructure-as-Code implementation of Microsoft's Cloud Adoption Framework, provisioning a full management-group hierarchy that spans platform, dev, pre-prod, and prod subscriptions with shared services, landing zones, and workload boundaries β€” built on hardened defaults from day one.

Terraform Cloud Adoption Framework Management Groups Azure Policy RBAC
Management Group
β†’
Platform Subscription
Dev Subscription
PreProd Subscription
Prod Subscription
β†’
Shared Services
Landing Zones
Workloads
πŸ”’

Security best practices enforced by default: TLS 1.2 minimum, no public blob access, and least-privilege RBAC across every subscription tier.

🌐

LandingZoneEmpire

Pre-Production Azure Landing Zone Automation

Automates a full pre-production landing zone footprint β€” resource groups, hub-spoke VNets, NSGs, Log Analytics, storage, Bastion, and Key Vault β€” with diagnostic settings and policy assignments wired in so pre-prod testing reflects the same governance constraints used in production.

Terraform Hub-Spoke VNets Azure Bastion Key Vault Log Analytics Policy Assignments
Resource Groups
β†’
Hub-Spoke VNets / NSGs
β†’
Bastion / Key Vault
β†’
Log Analytics & Diagnostics
β†’
Policy Assignments
πŸ§ͺ

Mirrors production-grade governance controls in a pre-prod environment, so issues surface in testing rather than after promotion to production.

βš™οΈ

Terraform + Ansible Production Setup

Hybrid IaC + Configuration Management for Windows Workloads

Combines Terraform for provisioning with Ansible for configuration management to stand up and configure Windows VMs in Azure. Secrets are handled entirely through GitHub Secrets β€” no hardcoded credentials anywhere in the codebase β€” with a remote Terraform state backend in Azure Storage and a full GitHub Actions pipeline running from push to a live IIS endpoint.

Terraform Ansible Azure VMs GitHub Actions GitHub Secrets IIS
GitHub Push
β†’
GitHub Actions
β†’
Terraform: Provision 2Γ— Windows VM
β†’
Ansible: Configure
β†’
Live IIS Endpoint
πŸ”‘

Secrets-free pipeline design β€” Azure credentials and the VM admin password are injected only via GitHub Secrets, never committed to the repo.