Write-ups of infrastructure work I've done, including the parts that went sideways. Each one covers what the problem was and what actually changed.
Reusable Terraform modules cut manual provisioning effort by ~70% across concurrent client environments. Goes into module design, state management, and how promotion between environments actually works.
Tags: Terraform, AWS, IaC

Production deploys went from kubectl commands in CI to reviewed PR merges, and a rollback is now a git revert. CI lost its cluster credentials entirely, and node costs came down about 30% in the process.
Tags: Kubernetes, EKS, ArgoCD, GitOps

Every client repo now calls one versioned workflow library instead of maintaining its own copy of the pipeline. CI spend dropped around 60%, and long-lived AWS keys were replaced with OIDC.
Tags: GitHub Actions, CI/CD, OIDC

Secret scanning, IaC compliance gates, IAM least-privilege enforcement, and SOPS secret management embedded into GitHub Actions across 10+ client environments. After the first rollout attempt got bypassed, I introduced the gates one at a time.
Tags: DevSecOps, GitHub Actions, Security

A two-tier certificate authority built with OpenSSL: root and subordinate CAs, server and client certificates with correct SANs, CRL distribution, and Nginx enforcing mutual TLS. Any connection without a valid cert from this CA gets rejected.
Tags: PKI, mTLS, TLS, OpenSSL, Security

A repeatable review method I run on client AWS accounts: tag everything first, take the quick wins, then right-size and schedule what's left. The savings get locked in as Terraform defaults so the bill doesn't creep back up.
Tags: AWS, Cost Optimization, FinOps

Client emails were getting spoofed, and unhandled bounces were quietly eating sender reputation. The fix was SPF, DKIM, and DMARC across multiple domains on AWS SES, plus a practical guide to bounce types, SMTP status codes, and suppression-list operations.
Tags: AWS SES, DKIM, DMARC, Deliverability

The engineering that happens before a platform gets built: 330 features scoped bottom-up to ~230 engineer-days, a launch stack costed at AUD 45–55/month with managed Postgres failover, written upgrade triggers for every deferral, and failure-mode design for Stripe webhooks and stock oversell.
Tags: Architecture, Cost Engineering, Go, PostgreSQL, Stripe