Mayank Dixit | DevOps & Cloud Engineer

Automating Cloud Infrastructure, CI/CD, and DevSecOps.

View the Project on GitHub mayank0131/infrawithmayank

Projects

10+ years in DevOps and Platform Engineering — AWS, Azure, Kubernetes, Terraform, CI/CD.
Below are selected projects spanning multi-account cloud infrastructure, containerised deployments, and automated pipelines.


Multi-layer AWS Infrastructure — Travel Realm

Private project  ·  Terraform · AWS Multi-Account · GitHub Actions CI/CD

Designed a three-layer AWS infrastructure system for Travel Realm that separates governance, environment provisioning, and application delivery across multiple AWS accounts. New environments that previously required days of manual setup now spin up in hours via a single Terraform run.

Outcome: Fully automated end-to-end provisioning. CI/CD pipelines secured by short-lived OIDC tokens — no stored credentials anywhere in the pipeline. Environment setup reduced from days to hours.

Architecture layers

Layer 1 - Governance (management account)
AWS Organizations and sub-account creation, IAM Identity Center (SSO) with permission sets, root DNS via Route 53, budget monitoring, and OIDC provider configuration for GitHub Actions.

Layer 2 - Environment provisioning (child accounts)
Complete infrastructure stack per environment: VPC with subnets, NAT, and IGW; ECS Fargate for application containers; RDS (PostgreSQL) and ElastiCache (Redis); CloudFront multi-origin distribution serving two separate static sites under distinct subdomains; ACM for TLS (provisioned in us-east-1 for CloudFront compatibility); ALB, WAF, and Secrets Manager. Keycloak deployed as the identity provider.

Layer 3 - CI/CD application delivery
GitHub Actions pipelines for three delivery tracks: frontend (Vite build → S3 upload → CloudFront cache invalidation), backend (Docker image → ECR → ECS service update), and database bootstrap (SQL via CodeBuild, optional). All pipelines authenticate via OIDC, with no stored AWS credentials.

Stack: AWS Organizations · Terraform · ECS Fargate · RDS PostgreSQL · ElastiCache · CloudFront · ACM · WAF · GitHub Actions · IAM Identity Center · Secrets Manager · Keycloak



Secure Containerised Deployment Platform — Azure

Private project  ·  Azure App Service · ACR · Entra ID · Azure DevOps

End-to-end Azure deployment platform combining identity configuration, container registry integration, and automated CI/CD — built with strict least-privilege access and passwordless authentication throughout. Designed so the client could hand it off to an internal team without needing to rotate or manage pipeline credentials.

Outcome: Eliminated stored credentials from all pipeline stages using federated identity and Managed Identity. Separated build and release identities across pipeline stages for a production-grade governance model.

Stack: Azure DevOps · Azure App Service · ACR · Entra ID · Managed Identity · Terraform · Docker · OIDC


On-demand GPU Infrastructure Pipeline — ComfyUI

Private project  ·  Azure DevOps · Terraform · VM Orchestration

An Azure DevOps pipeline that provisions and tears down GPU-backed VMs on demand — with persistent model storage, SSH access, and full application setup — so the client pays only for compute they actually use. The pipeline handles two independently triggerable execution modes: base infrastructure creation and VM attach/detach.

Outcome: Infrastructure and VM lifecycle fully automated via pipeline parameters. AI models persist across VM teardowns on dedicated Azure Disk. Client went from hours of manual VM setup to a single pipeline trigger taking minutes.

Stack: Azure DevOps · Terraform · Azure VM · Key Vault · Azure Disk · SSH


AWS Infrastructure Experiments

Open source  ·  mayank0131/AWSFiddling

A personal lab for implementing and documenting real-world AWS infrastructure scenarios using Terraform, EC2, Route 53, and GitHub Actions. Each scenario is self-contained and written to be reusable as a starting point.

Scenarios covered

EC2 web hosting (private subnet + ALB)
Application hosted in a private subnet via Apache, served through an Application Load Balancer. Domain integrated with Route 53; outbound internet access via NAT Gateway.

Disaster recovery
Apache web app hardened against server and AZ failures. Ensures data persistence and DNS continuity during failover events.

Node.js on EC2
Node.js app served via Nginx reverse proxy, SSL secured with Let’s Encrypt, process managed with PM2.

Reusable GitHub Actions CI/CD
OIDC-authenticated Terraform workflows with separate flows for PRs (plan) and pushes (apply), sharing a common boilerplate workflow for plan/apply logic.

Stack: AWS · Terraform · EC2 · Nginx · Apache · Route 53 · GitHub Actions · Let’s Encrypt · PM2