02 · Cloud architecture & engineering
Platforms that work the day after the architect leaves.
Senior GCP architecture and engineering. Opinionated where opinion costs less than coordination — IaC-everywhere, conditional org policy, Workload Identity Federation over static keys.
02a · Capability map
- Foundation and landing zones
- Folders, projects, networks, org policies, audit log routing, and budget controls — built once, applied as code, evolved on PRs.
- Platform engineering
- Shared services that application teams self-serve against: clusters, pipelines, secrets, observability. Sensible defaults; clear escape hatches.
- Data platform
- BigQuery, Pub/Sub, Dataflow, and BQ-ML where it fits. Cost-aware partitioning, column-level controls, and audit-log discipline.
- Migrations
- From on-prem, from AWS, from one project sprawl into another. Cutover plans with empirical verification, not Gantt-chart optimism.
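As an added illustration of the "audit log routing, applied as code" item above (example Terraform, not code from this page or its author): an organization-level sink that captures Admin Activity, System Event and Policy Denied audit logs from every folder and project, including ones created later, into a locked log bucket in a dedicated logging project. `var.org_id`, `google_project.logging` and the bucket and sink names are assumptions.

```hcl
# Added example, not the page's own code.
# Assumptions: var.org_id is set and a dedicated logging project
# (google_project.logging) already exists; resource names are illustrative.

# Destination bucket. `locked` makes the retention period irreversible and
# prevents deletion, so nobody can shorten the audit trail later.
resource "google_logging_project_bucket_config" "audit" {
  project        = google_project.logging.project_id
  location       = "global"
  bucket_id      = "org-audit"
  retention_days = 400
  locked         = true
}

# Organization sink. include_children = true is what makes this "built once":
# new folders and projects are covered without touching the sink again.
resource "google_logging_organization_sink" "audit" {
  name             = "org-audit-sink"
  org_id           = var.org_id
  include_children = true
  destination      = "logging.googleapis.com/${google_logging_project_bucket_config.audit.id}"

  # Admin Activity, System Event and Policy Denied logs. Data Access logs are
  # deliberately left out here; route them separately with their own retention.
  filter = <<-EOT
    log_id("cloudaudit.googleapis.com/activity") OR
    log_id("cloudaudit.googleapis.com/system_event") OR
    log_id("cloudaudit.googleapis.com/policy")
  EOT
}

# The sink writes with its own generated identity; grant it write access on
# the destination project only, nowhere else.
resource "google_project_iam_member" "audit_sink_writer" {
  project = google_project.logging.project_id
  role    = "roles/logging.bucketWriter"
  member  = google_logging_organization_sink.audit.writer_identity
}
```

The separation matters: the logging project should have a different set of admins than the projects being audited, so that the people whose actions are recorded cannot also edit or delete the record.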
02b · How we operate
- Terraform-everywhere
- Console is read-only. Every change is a PR, with plan output reviewed by another senior engineer before any apply touches production state.
- Identity, not keys
- Workload Identity Federation for every workload. User-managed service account keys are driven to zero (inventory every key, migrate its consumer to federated identity, delete it), and key creation is then disabled organization-wide by org policy so the count stays at zero.
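As an added example of the "conditional org policy" and "keys disabled organization-wide" points above (example Terraform, not code from this page or its author): the two IAM constraints that stop new user-managed keys from being created or uploaded, with a tag-gated exception so the escape hatch is explicit and auditable rather than a one-off console edit. `var.org_id` and the `sa-keys` tag key with value `allowed` are assumptions; the tag is presumed to already exist under the organization.

```hcl
# Added example, not the page's own code.
# Assumptions: var.org_id is set; a tag key "sa-keys" with a value "allowed"
# exists under the organization (names illustrative).

# Block creation of new user-managed service account keys everywhere,
# except on resources explicitly tagged sa-keys=allowed.
resource "google_org_policy_policy" "no_sa_key_creation" {
  name   = "organizations/${var.org_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "organizations/${var.org_id}"

  spec {
    # Conditional exception: evaluated first. Tag binding is itself an
    # IAM-controlled, audit-logged action, so every exception leaves a trail.
    rules {
      enforce = "FALSE"
      condition {
        title      = "Tagged exception for legacy key consumers"
        expression = "resource.matchTag('${var.org_id}/sa-keys', 'allowed')"
      }
    }
    # Unconditional default. A conditional rule must be paired with one of these,
    # otherwise the policy does not apply anywhere.
    rules {
      enforce = "TRUE"
    }
  }
}

# Also block uploading externally generated key material; without this the
# creation ban is trivially bypassed with a locally generated keypair.
resource "google_org_policy_policy" "no_sa_key_upload" {
  name   = "organizations/${var.org_id}/policies/iam.disableServiceAccountKeyUpload"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```

Order of operations: apply these only after existing keys have been migrated and deleted. The constraints prevent new keys; they do nothing to keys that already exist, which is why the inventory-and-delete step comes first.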
99 · Begin