What we do
Reusable infrastructure library
Pinned, versioned Terraform modules and reusable GitHub Actions workflows that engineering teams consume via HTTPS tags. Hardened to AWS security best practices, signed with build provenance, scanned for vulnerabilities, attested with CycloneDX SBOMs. Pin a tag and inherit upgrades on your own cadence.
Hardened container images
Base images with locked-down ARM64 builds, runtime-version-pinned tags, structure tests, and lifecycle policies that make rollback trivial. Every image carries its own build metadata, prints provenance at startup, and ships with cosign signatures and SBOM attestations.
Reusable CI/CD pipelines
Terraform plan/apply workflows and container build / promote / deploy workflows — production-tested, audit-friendly, OIDC-authenticated, no long-lived credentials. Reusable across projects so security improvements roll out everywhere a workflow is consumed.
Fractional CTO and DevOps consulting
Strategic engineering leadership for teams adopting modern infrastructure. We pair short-term execution — standing up the library, migrating workloads, setting up CI/CD — with longer-term advisory on architecture, hiring, and engineering culture.
Methodology
- IaC-first — every resource defined in Terraform, every container built via reusable workflows. If it isn’t in a repo, it doesn’t exist.
- No long-lived credentials — OIDC short-lived tokens, GitHub App installations, SSM SecureString. No PATs, no access keys.
- Separate AWS accounts per environment — blast radius containment, billing isolation, separate IAM boundaries.
- Immutable releases — versioned and pinned. `latest` is a managed pointer updated by explicit promotion.
- Graviton by default — ARM64 compute. Roughly 20% cheaper, better performance for most workloads.
- Audit-ready by default — signed releases, generated SBOMs, control narratives.
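The "no long-lived credentials" and "immutable releases" principles above, as an added example of how a consumer wires them together in GitHub Actions. This is illustrative code, not the library's own workflow; the organisation, repository, tag and role ARN are placeholders.

```yaml
# Reusable workflow (lives in the shared library repo as .github/workflows/terraform-plan.yml).
# Placeholder names: example-org, infra-library, the tag and the role ARN are assumptions.
name: terraform-plan
on:
  workflow_call:
    inputs:
      working-directory:
        required: true
        type: string
      aws-role-arn:        # deploy role living in the per-environment AWS account
        required: true
        type: string

permissions:
  contents: read
  id-token: write   # job may mint a short-lived OIDC token; no access keys are stored anywhere

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Exchange the GitHub OIDC token for temporary STS credentials. The role's trust
      # policy must pin the token's "sub" claim to the calling repo (and branch or
      # environment); without that condition any repository could assume the role.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ inputs.aws-role-arn }}
          aws-region: eu-west-1
          role-session-name: gha-${{ github.run_id }}   # shows up in CloudTrail
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init -input=false && terraform plan -input=false -lock-timeout=60s
        working-directory: ${{ inputs.working-directory }}

---
# Consumer workflow in an application repo: pins one immutable release tag of the library.
# Bumping the tag is the only way this team picks up upgrades to the shared pipeline.
name: infra-plan
on:
  pull_request:
    paths: ["infra/**"]
permissions:
  contents: read
  id-token: write   # the caller must grant id-token too, or the reusable job cannot request one
jobs:
  plan:
    uses: example-org/infra-library/.github/workflows/terraform-plan.yml@v1.4.2
    with:
      working-directory: infra/prod
      aws-role-arn: arn:aws:iam::123456789012:role/gha-terraform-plan   # placeholder
```

For a stricter supply-chain posture, reference both the library workflow and the third-party actions by full commit SHA rather than by tag, since tags can be moved.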
The library targets SOC 2 Type II as a universal compliance baseline. HIPAA and PCI DSS overlays are available when client engagements require them.