Senior Terraform Lead

Position  : Senior Terraform Lead

Location : Remote

Contract : 06+ months 

 

Engagement Summary

We are looking for a strong Terraform engineer to build and operationalize a Terraform-first Azure infrastructure platform. The work includes (but is not limited to) automated provisioning and lifecycle management of Azure services such as AKS, Storage Accounts, identity/access controls, networking, observability, security services, and data/analytics services including Microsoft Fabric. A key deliverable is to convert and rationalize existing IaC (significant Bicep footprint) into reusable, tested Terraform modules and pipelines.

 

Key Responsibilities

Infrastructure as Code (Terraform-first on Azure)

• Design and implement Terraform modules for consistent, reusable provisioning of Azure infrastructure across environments (dev/test/prod).
• Build patterns for subscription/resource-group organization, naming standards, tagging, and environment overlays.
• Implement end-to-end automation: plan/apply workflows, validation, drift detection, and safe promotion between environments.

Kubernetes / AKS automation

• Provision and manage AKS clusters via Terraform, including node pools, networking integration, add-ons, policies, and baseline security.
• Enable repeatable cluster bootstrapping (GitOps-ready patterns preferred).

Storage + Access Governance as Code

• Create and manage Storage Accounts and related services (containers, encryption, networking rules, private endpoints, diagnostics).
• Implement RBAC/access management as code: role assignments, managed identities, service principals, group-based access, least-privilege patterns.
• Expectation: permissions are defined and tracked in Terraform to reduce configuration drift.

Broad Azure services enablement (not limited to examples)

• Extend module library to cover diverse Azure services needed by platform/application/data teams (networking, security, compute, PaaS, monitoring, etc.).
• Collaborate with architects/engineering teams to turn platform requirements into scalable Terraform patterns.

Microsoft Fabric (and data platform) automation

• Automate provisioning and configuration of Microsoft Fabric workspaces and related constructs via Terraform where supported, including required identity/permission setup.
• We already have evidence of Fabric workspace deployment via Terraform pipelines and the need to configure permissions correctly for service principals.

Bicep → Terraform conversion

• Assess existing Bicep IaC and lead a conversion strategy:

1. Map Bicep modules to Terraform modules/providers
2. Establish equivalency patterns and migration sequencing
3. Handle importing existing resources into state where needed
4. Minimize disruption and downtime during migration

• Improve standardization by consolidating duplicated patterns and creating a shared module registry.

CI/CD & Operational Excellence

• Implement and maintain CI/CD pipelines for Terraform (linting, validation, unit tests, security scans, policy checks).
• Establish best practices for Terraform state management, locking, secrets handling, and safe refactors.
• Create developer enablement assets: examples, module docs, onboarding guidance.

 

Required Skills (Must-have)

Terraform Expertise

• 5+ years of hands-on Terraform (or equivalent depth), including:

1. Module design (composable, versioned modules)
2. Remote state design, state locking, workspaces/environments
3. Imports, refactors (state mv), drift management, dependency control

• Strong experience with the AzureRM provider (and related providers where needed).

Azure Platform Engineering

• Deep understanding of Azure fundamentals: subscriptions, management groups, resource groups, networking, identity, governance.
• Strong experience with Azure RBAC, managed identities, service principals, and group-based access models (Entra ID/AAD concepts).

AKS

• Proven experience deploying and operating AKS via automation: cluster lifecycle, networking, policies, add-ons, security baseline.

Security & Governance

• Implements least privilege; codifies access controls; understands auditability/compliance expectations.
• Experience with secret management patterns (avoid committing secrets; integrate with vault systems; secure tfvars/state).

DevOps / Automation

• CI/CD experience (Azure DevOps, GitHub Actions, or similar) for Terraform workflows.
• Familiarity with trunk-based development, PR validation, and infrastructure testing patterns.
• Comfort with scripting (PowerShell/Python/Bash) to glue workflows and automate validations.

 

Preferred Skills (Nice-to-have)

• Microsoft Fabric provisioning and automation experience (workspace deployment, permissions, integrations).
• Experience converting IaC between frameworks (ARM/Bicep → Terraform).
• Experience with policy-as-code (Azure Policy), OPA/Conftest, or Sentinel.
• Experience designing multi-tenant landing zones / enterprise-scale Azure architectures.
• Knowledge of GitOps tooling (Flux/Argo) and Kubernetes add-on management.

 

Deliverables / Outcomes (What success looks like)

Within the engagement, the engineer will:

• Deliver a Terraform module library covering core platform patterns and commonly used Azure services.
• Stand up a production-grade Terraform CI/CD workflow (validate/plan/apply, approvals, drift checks).
• Implement standard access management as code (RBAC patterns, role assignment modules, least-privilege guardrails).
• Provide AKS and Storage automation reference implementations (as exemplars, not the only scope).
• Define and execute a Bicep→Terraform migration plan, including import/state strategy and phased rollout.
• Produce documentation: module usage guides, onboarding, and operational runbooks.

 

Screening / Vendor Evaluation Checklist (you can paste this into an RFP)

Ask vendors to provide:

• 2–3 examples of Terraform module repos they authored (sanitized is fine) demonstrating structure, testing, and versioning.
• A sample CI/CD pipeline for Terraform with policy checks and environment promotion.
• A short write-up on how they handle:

1. Remote state + locking
2. Secrets management
3. Importing existing Azure resources into Terraform state
4. RBAC/permissions as code patterns (group-based access, least privilege)

• Optional but strong: examples of AKS and/or Microsoft Fabric automation work.