Terraform SME/ Santa Clara, CA
Senior Terraform Lead
Location: Santa Clara, CA (remote is also OK)

Engagement Summary
We are looking for a strong Terraform engineer to build and operationalize a Terraform-first Azure infrastructure platform. The work includes (but is not limited to) automated provisioning and lifecycle management of Azure services such as AKS, Storage Accounts, identity/access controls, networking, observability, security services, and data/analytics services including Microsoft Fabric. A key deliverable is to convert and rationalize existing IaC (a significant Bicep footprint) into reusable, tested Terraform modules and pipelines.

Key Responsibilities

Infrastructure as Code (Terraform-first on Azure)
- Design and implement Terraform modules for consistent, reusable provisioning of Azure infrastructure across environments (dev/test/prod).
- Build patterns for subscription/resource-group organization, naming standards, tagging, and environment overlays.
- Implement end-to-end automation: plan/apply workflows, validation, drift detection, and safe promotion between environments.

Kubernetes / AKS automation
- Provision and manage AKS clusters via Terraform, including node pools, networking integration, add-ons, policies, and baseline security.
- Enable repeatable cluster bootstrapping (GitOps-ready patterns preferred).

Storage + Access Governance as Code
- Create and manage Storage Accounts and related services (containers, encryption, networking rules, private endpoints, diagnostics).
- Implement RBAC/access management as code: role assignments, managed identities, service principals, group-based access, least-privilege patterns.
- Expectation: permissions are defined and tracked in Terraform to reduce configuration drift.

Broad Azure services enablement (not limited to the examples above)
- Extend the module library to cover the diverse Azure services needed by platform/application/data teams (networking, security, compute, PaaS, monitoring, etc.).
- Collaborate with architects/engineering teams to turn platform requirements into scalable Terraform patterns.

Microsoft Fabric (and data platform) automation
- Automate provisioning and configuration of Microsoft Fabric workspaces and related constructs via Terraform where supported, including the required identity/permission setup.
- We already have evidence of Fabric workspace deployment via Terraform pipelines and of the need to configure permissions correctly for service principals.

Bicep → Terraform conversion
- Assess existing Bicep IaC and lead a conversion strategy:
  - Map Bicep modules to Terraform modules/providers
  - Establish equivalency patterns and migration sequencing
  - Handle importing existing resources into state where needed
  - Minimize disruption and downtime during migration
- Improve standardization by consolidating duplicated patterns and creating a shared module registry.

CI/CD & Operational Excellence
- Implement and maintain CI/CD pipelines for Terraform (linting, validation, unit tests, security scans, policy checks).
- Establish best practices for Terraform state management, locking, secrets handling, and safe refactors.
- Create developer enablement assets: examples, module docs, onboarding guidance.

Required Skills (Must-have)

Terraform Expertise
- 5+ years of hands-on Terraform (or equivalent depth), including:
  - Module design (composable, versioned modules)
  - Remote state design, state locking, workspaces/environments
  - Imports, refactors (state mv), drift management, dependency control
- Strong experience with the AzureRM provider (and related providers where needed).

Azure Platform Engineering
- Deep understanding of Azure fundamentals: subscriptions, management groups, resource groups, networking, identity, governance.
- Strong experience with Azure RBAC, managed identities, service principals, and group-based access models (Entra ID/AAD concepts).

AKS
- Proven experience deploying and operating AKS via automation: cluster lifecycle, networking, policies, add-ons, security baseline.

Security & Governance
- Implements least privilege; codifies access controls; understands auditability/compliance expectations.
- Experience with secret management patterns (avoid committing secrets; integrate with vault systems; secure tfvars/state).

DevOps / Automation
- CI/CD experience (Azure DevOps, GitHub Actions, or similar) for Terraform workflows.
- Familiarity with trunk-based development, PR validation, and infrastructure testing patterns.
- Comfort with scripting (PowerShell/Python/Bash) to glue workflows together and automate validations.

Preferred Skills (Nice-to-have)
- Microsoft Fabric provisioning and automation experience (workspace deployment, permissions, integrations).
- Experience converting IaC between frameworks (ARM/Bicep → Terraform).
- Experience with policy-as-code (Azure Policy), OPA/Conftest, or Sentinel.
- Experience designing multi-tenant landing zones / enterprise-scale Azure architectures.
- Knowledge of GitOps tooling (Flux/Argo) and Kubernetes add-on management.

Deliverables / Outcomes (What success looks like)
Within the engagement, the engineer will:
- Deliver a Terraform module library covering core platform patterns and commonly used Azure services.
- Stand up a production-grade Terraform CI/CD workflow (validate/plan/apply, approvals, drift checks).
- Implement standard access management as code (RBAC patterns, role assignment modules, least-privilege guardrails).
- Provide AKS and Storage automation reference implementations (as exemplars, not the only scope).
- Define and execute a Bicep → Terraform migration plan, including import/state strategy and phased rollout.
- Produce documentation: module usage guides, onboarding, and operational runbooks.

Screening / Vendor Evaluation Checklist (you can paste this into an RFP)
Ask vendors to provide:
- 2–3 examples of Terraform module repos they authored (sanitized is fine) demonstrating structure, testing, and versioning.
- A sample CI/CD pipeline for Terraform with policy checks and environment promotion.
- A short write-up on how they handle:
  - Remote state + locking
  - Secrets management
  - Importing existing Azure resources into Terraform state
  - RBAC/permissions-as-code patterns (group-based access, least privilege)
- Optional but strong: examples of AKS and/or Microsoft Fabric automation work.