Apptad - Terraform SME

Apptad Inc

Job Location:

Santa Clara County, CA - USA

Monthly Salary: Not Disclosed
Posted on: 9 hours ago
Vacancies: 1 Vacancy

Job Summary

Senior Terraform Lead

Location: Santa Clara, CA / Remote is also OK

Engagement Summary

We are looking for a strong Terraform engineer to build and operationalize a Terraform-first Azure infrastructure platform. The work includes (but is not limited to) automated provisioning and lifecycle management of Azure services such as AKS, Storage Accounts, identity/access controls, networking, observability, security services, and data/analytics services, including Microsoft Fabric. A key deliverable is to convert and rationalize existing IaC (significant Bicep footprint) into reusable, tested Terraform modules and pipelines.

Key Responsibilities

Infrastructure as Code (Terraform-first on Azure)

  • Design and implement Terraform modules for consistent, reusable provisioning of Azure infrastructure across environments (dev/test/prod).
  • Build patterns for subscription/resource-group organization, naming standards, tagging, and environment overlays.
  • Implement end-to-end automation: plan/apply workflows, validation, drift detection, and safe promotion between environments.

Kubernetes / AKS automation

  • Provision and manage AKS clusters via Terraform, including node pools, networking integration, add-ons, policies, and baseline security.
  • Enable repeatable cluster bootstrapping (GitOps-ready patterns preferred).

Storage Access Governance as Code

  • Create and manage Storage Accounts and related services (containers, encryption, networking rules, private endpoints, diagnostics).
  • Implement RBAC/access management as code: role assignments, managed identities, service principals, group-based access, least-privilege patterns.
    • Expectation: permissions are defined and tracked in Terraform to reduce configuration drift.

Broad Azure services enablement (not limited to examples)

  • Extend module library to cover diverse Azure services needed by platform/application/data teams (networking, security, compute, PaaS, monitoring, etc.).
  • Collaborate with architects/engineering teams to turn platform requirements into scalable Terraform patterns.

Microsoft Fabric (and data platform) automation

  • Automate provisioning and configuration of Microsoft Fabric workspaces and related constructs via Terraform where supported, including required identity/permission setup.
    • We already have evidence of Fabric workspace deployment via Terraform pipelines and the need to configure permissions correctly for service principals.

Bicep-to-Terraform conversion

  • Assess existing Bicep IaC and lead a conversion strategy:
    • Map Bicep modules to Terraform modules/providers
    • Establish equivalency patterns and migration sequencing
    • Handle importing existing resources into state where needed
    • Minimize disruption and downtime during migration
  • Improve standardization by consolidating duplicated patterns and creating a shared module registry.

CI/CD & Operational Excellence

  • Implement and maintain CI/CD pipelines for Terraform (linting, validation, unit tests, security scans, policy checks).
  • Establish best practices for Terraform state management, locking, secrets handling, and safe refactors.
  • Create developer enablement assets: examples, module docs, onboarding guidance.

Required Skills (Must-have)

Terraform Expertise

  • 5 years of hands-on Terraform (or equivalent depth) including:
    • Module design (composable, versioned modules)
    • Remote state design, state locking, workspaces/environments
    • Imports, refactors (state mv), drift management, dependency control
  • Strong experience with the AzureRM provider (and related providers where needed).

Azure Platform Engineering

  • Deep understanding of Azure fundamentals: subscriptions, management groups, resource groups, networking, identity, governance.
  • Strong experience with Azure RBAC, managed identities, service principals, and group-based access models (Entra ID/AAD concepts).

AKS

  • Proven experience deploying and operating AKS via automation: cluster lifecycle, networking, policies, add-ons, security baseline.

Security & Governance

  • Implements least privilege; codifies access controls; understands auditability/compliance expectations.
  • Experience with secret management patterns (avoid committing secrets; integrate with vault systems; secure tfvars/state).

DevOps / Automation

  • CI/CD experience (Azure DevOps, GitHub Actions, or similar) for Terraform workflows.
  • Familiarity with trunk-based development, PR validation, and infrastructure testing patterns.
  • Comfort with scripting (PowerShell/Python/Bash) to glue workflows and automate validations.

Preferred Skills (Nice-to-have)

  • Microsoft Fabric provisioning and automation experience (workspace deployment, permissions, integrations).
  • Experience converting IaC between frameworks (ARM/Bicep to Terraform).
  • Experience with policy-as-code (Azure Policy), OPA/Conftest, or Sentinel.
  • Experience designing multi-tenant landing zones / enterprise-scale Azure architectures.
  • Knowledge of GitOps tooling (Flux/Argo) and Kubernetes add-on management.

Deliverables / Outcomes (What success looks like)

Within the engagement, the engineer will:

  1. Deliver a Terraform module library covering core platform patterns and commonly used Azure services.
  2. Stand up a production-grade Terraform CI/CD workflow (validate/plan/apply, approvals, drift checks).
  3. Implement standard access management as code (RBAC patterns, role assignment modules, least-privilege guardrails).
  4. Provide AKS and Storage automation reference implementations (as exemplars, not the only scope).
  5. Define and execute a Bicep-to-Terraform migration plan, including import/state strategy and phased rollout.
  6. Produce documentation: module usage guides, onboarding, and operational runbooks.

Screening / Vendor Evaluation Checklist (you can paste this into an RFP)

Ask vendors to provide:

  • 2-3 examples of Terraform module repos they authored (sanitized is fine) demonstrating structure, testing, and versioning.
  • A sample CI/CD pipeline for Terraform with policy checks and environment promotion.
  • A short write-up on how they handle:
    • Remote state locking
    • Secrets management
    • Importing existing Azure resources into Terraform state
    • RBAC/permissions as code patterns (group-based access, least privilege)
  • Optional but strong: examples of AKS and/or Microsoft Fabric automation work