Engineering Projects
A selection of cloud, DevSecOps, and infrastructure-as-code projects from our founder's open-source work, spanning policy-driven pipelines, Kubernetes platforms, and enterprise Azure landing zones.
Enterprise DevSecOps Pipeline
Policy-as-Code for Secure Infrastructure Delivery
A production-grade DevSecOps pipeline that embeds security scanning and policy enforcement directly into the Terraform deployment lifecycle. Every infrastructure change is linted, scanned for misconfigurations with Checkov, and validated against custom OPA/Rego policies β with a manual approval gate standing between any change and live Azure resources.
Pipeline Flow
Shift-left security: non-compliant infrastructure is blocked before it's ever provisioned, with Checkov and OPA running as hard gates rather than advisory checks.
Azure AKS DevSecOps Pipeline
Branch-Based CI/CD for Multi-Environment Kubernetes Delivery
A DevSecOps pipeline purpose-built for Azure Kubernetes Service, routing commits through dedicated dev, pre-prod, and prod branches into matching AKS namespaces. The project includes a documented real-world troubleshooting story β diagnosing and resolving a CrashLoopBackOff failure during rollout β along with a clear roadmap toward GitOps maturity.
Pipeline Flow
Includes a real troubleshooting writeup of a CrashLoopBackOff incident and its fix. Roadmap targets Helm, Ingress + TLS, Azure Monitor, Prometheus/Grafana, HPA, OPA/Gatekeeper, and ArgoCD-based GitOps.
AKS DevOps Platform
Modular Terraform Foundation for Production AKS
A reusable AKS platform built from dedicated Terraform modules for networking, monitoring, and the cluster itself β paired with Helm charts and a sample Node.js workload that exercises the platform end-to-end. The configuration was verified stable as of October 24, 2025.
Architecture Flow
Clean separation between network, monitoring, and compute modules makes the platform easy to extend or fork for new clusters; a documented "stable configuration" milestone anchors the repo's reliability.
Azure Landing Zone β End-to-End IaC Deployment
CAF-Aligned Landing Zone Across the Full Subscription Hierarchy
An end-to-end Infrastructure-as-Code implementation of Microsoft's Cloud Adoption Framework, provisioning a full management-group hierarchy that spans platform, dev, pre-prod, and prod subscriptions with shared services, landing zones, and workload boundaries β built on hardened defaults from day one.
Architecture Flow
Security best practices enforced by default: TLS 1.2 minimum, no public blob access, and least-privilege RBAC across every subscription tier.
LandingZoneEmpire
Pre-Production Azure Landing Zone Automation
Automates a full pre-production landing zone footprint β resource groups, hub-spoke VNets, NSGs, Log Analytics, storage, Bastion, and Key Vault β with diagnostic settings and policy assignments wired in so pre-prod testing reflects the same governance constraints used in production.
Architecture Flow
Mirrors production-grade governance controls in a pre-prod environment, so issues surface in testing rather than after promotion to production.
Terraform + Ansible Production Setup
Hybrid IaC + Configuration Management for Windows Workloads
Combines Terraform for provisioning with Ansible for configuration management to stand up and configure Windows VMs in Azure. Secrets are handled entirely through GitHub Secrets β no hardcoded credentials anywhere in the codebase β with a remote Terraform state backend in Azure Storage and a full GitHub Actions pipeline running from push to a live IIS endpoint.
Pipeline Flow
Secrets-free pipeline design β Azure credentials and the VM admin password are injected only via GitHub Secrets, never committed to the repo.