DevOps & Cloud Automation

Establish the cloud account structure, network topology and IaC module boundaries before a single pipeline is wired. Decisions made here determine every blast radius and every rollback path downstream.

• Account / project layout: production, staging, and ephemeral preview accounts with separate state backends
• VPC and subnet design: CIDR allocation, NAT gateway placement, private subnet routing for workloads
• Terraform module boundaries: define the public contract (inputs, outputs) for the network, compute, and secrets modules before writing implementations
• Remote state configuration: S3 + DynamoDB lock or GCS backend with environment-specific workspaces
• Break-glass IAM role with MFA and session recording — the only path to direct console access

Build the build-and-test pipeline as a versioned, testable artefact. The pipeline is not exempt from code review; its configuration lives in source control and is treated like application code.

• Reusable GitHub Actions workflows per workload type: Node.js, Python, Docker-based service
• Build caching strategy: layer caches for Docker builds, dependency caches for package managers
• SBOM generation at build time (BuildKit --sbom flag) and container image signing with Cosign
• Static analysis, dependency vulnerability scanning (Trivy), and policy checks (Conftest) as blocking CI steps
• Artefact promotion policy: image tags are immutable SHA digests; mutable 'latest' is forbidden in production registries

Wire the deployment path from a merged pull request to a running production workload, with a progressive delivery gate that blocks promotion when the canary population is burning its error budget.

• GitOps configuration: Argo CD ApplicationSets or Flux Kustomizations per environment, with auto-sync to staging and manual approval gate to production
• Canary rollout configuration via Argo Rollouts: step percentages (10 % / 40 % / 100 %), analysis interval, and the Prometheus metric that determines pass or fail
• Blue-green swap for stateful services or schema migrations where a canary population would cause split-brain on the data layer
• Rollback automation: analysis failure triggers an automatic abort and revert to the prior stable revision within the sync interval
• Ephemeral preview environments per pull request: created on open, promoted to named URL, destroyed on merge

Provision and configure the compute substrate that workloads run on, with autoscaling policies that eliminate both idle over-spend and cold-start latency spikes under bursty traffic.

• Node pool design for managed Kubernetes (EKS / GKE / AKS): spot instance node group with on-demand fallback via Karpenter disruption budget
• Horizontal Pod Autoscaler (HPA) configuration: CPU/memory triggers for baseline services; KEDA ScaledObject for queue-depth-driven workloads
• Pod Disruption Budget and topology spread constraints to maintain availability during node drain or zone failure
• Resource request and limit calibration from VPA recommendation — not ad-hoc guesses — to prevent OOM evictions and over-provisioning waste
• Cost guardrails: Infracost comment on every IaC pull request; namespace resource quotas to prevent a single team from monopolising cluster capacity

Eliminate long-lived static credentials from the system before day-one hand-off. Every secret is dynamic, scoped, and rotated on a defined schedule.

• Vault dynamic database credentials for Postgres and MySQL: lease duration matched to workload restart interval
• IRSA (AWS) or Workload Identity (GCP) for pod-level cloud API access — no static access keys in environment variables
• External Secrets Operator syncing Vault paths into Kubernetes Secrets, with automatic version sync on lease renewal
• Network policy baseline: deny-all default, explicit allow rules per service pair, enforced by Calico or the cloud-native NetworkPolicy controller
• CIS Benchmark check as a Terraform plan gate via tfsec or Checkov — non-compliant plans are a CI failure, not a review comment