Selected work

Projects

Cloud infrastructure projects built with Terraform, AWS, and GCP — emphasising security-first architecture, automation, and observability.

01 / 02
FastAPI Weather Dashboard
AWS · Terraform · Docker · ECS Fargate · CloudFront · ALB · Zero Trust · IaC
Overview

A production-grade serverless weather application built on a Zero Trust security model. The entire backend runs inside private subnets — no direct internet access, no public IPs on any task.

CloudFront acts as the single entry point. A custom HTTP header is injected into every CloudFront request; the ALB listener rule rejects anything missing that header. This means even if someone discovers the ALB DNS name, they can't reach the backend directly.

All infrastructure is declared in Terraform and deployed via a GitHub Actions CI/CD pipeline. No manual AWS console clicks required after the initial bootstrap.

Key technical decisions
  • ECS Fargate chosen over EC2 to eliminate OS patching and right-sizing overhead
  • Multi-AZ VPC with public/private subnet separation; NAT Gateway for outbound-only internet from private tasks
  • ALB security group only allows inbound from CloudFront managed prefix list
  • CloudFront origin custom header stored in SSM Parameter Store (SecureString) — never hardcoded
  • Docker images built and scanned in CI, pushed to Amazon ECR on clean build
  • Terraform state stored remotely in S3 with DynamoDB locking
  • API key for OpenWeatherMap stored in SSM, retrieved at Lambda cold-start and cached in memory
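The origin-verification design described in the overview and the decisions above (CloudFront injects a secret header, the ALB only forwards requests carrying it, the ALB security group only accepts CloudFront's managed prefix list, and the header value lives in SSM as a SecureString) expressed as Terraform. This is an added illustration, not the project's own code: resource names, the `/weather/cloudfront/origin-secret` parameter path, the `X-Origin-Verify` header name, and the `var.vpc_id`, `var.alb_certificate_arn`, `aws_lb.weather` and `aws_lb_target_group.ecs` references are assumptions.

```hcl
# Secret header value: generated once by Terraform, stored in SSM as a
# SecureString (assumed path) and never hardcoded in the repository.
resource "random_password" "origin_secret" {
  length  = 32
  special = false
}

resource "aws_ssm_parameter" "origin_secret" {
  name  = "/weather/cloudfront/origin-secret" # assumed parameter path
  type  = "SecureString"
  value = random_password.origin_secret.result
}

# AWS-managed prefix list of CloudFront's origin-facing IP ranges.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

# ALB security group: inbound HTTPS only from CloudFront, nothing else.
resource "aws_security_group" "alb" {
  name   = "weather-alb"
  vpc_id = var.vpc_id # assumed variable

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id]
  }
}

# Default listener action is a fixed 403: without a matching rule nothing is
# forwarded, so a request that reaches the ALB DNS name directly is rejected.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.weather.arn # assumed ALB resource
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.alb_certificate_arn # assumed variable

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "Forbidden"
      status_code  = "403"
    }
  }
}

# The only forwarding rule: the secret header must be present and match.
resource "aws_lb_listener_rule" "require_origin_header" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10

  condition {
    http_header {
      http_header_name = "X-Origin-Verify" # assumed header name
      values           = [aws_ssm_parameter.origin_secret.value]
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ecs.arn # assumed target group
  }
}

# Managed cache policy used by the distribution below.
data "aws_cloudfront_cache_policy" "disabled" {
  name = "Managed-CachingDisabled"
}

# CloudFront injects the same header on every request it sends to the ALB.
resource "aws_cloudfront_distribution" "weather" {
  enabled = true

  origin {
    domain_name = aws_lb.weather.dns_name
    origin_id   = "alb"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
    custom_header {
      name  = "X-Origin-Verify"
      value = aws_ssm_parameter.origin_secret.value
    }
  }

  default_cache_behavior {
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.disabled.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

Two caveats worth knowing when applying this pattern: the header value still ends up in Terraform state (both the SSM parameter and the listener rule carry it), so the S3 state bucket needs the same protection as any other secret store; and the CloudFront origin-facing prefix list counts as many entries against the security group's inbound-rule quota, so the ALB security group should hold little else.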
Architecture components
  • CloudFront CDN
  • Application Load Balancer
  • ECS Fargate (private subnet)
  • Amazon ECR
  • API Gateway + Lambda
  • SSM Parameter Store
  • Multi-AZ VPC
  • NAT Gateway
  • GitHub Actions CI/CD
  • Terraform (IaC)
  • S3 + DynamoDB (remote state)
  • OpenWeatherMap API
Live endpoint: POST /weather → 3-day forecast. Requires hosting on yashjagani.com (CORS).
02 / 02
DevSecOps Flask Project
GCP · Terraform · Docker · Kubernetes (GKE) · Trivy · Prometheus · Grafana · DevSecOps · CI/CD
Overview

A complete DevSecOps pipeline demonstrating how to embed security scanning into the deployment process for a containerised Python web application running on Google Kubernetes Engine.

The pipeline treats security as a hard gate: if Trivy finds HIGH or CRITICAL CVEs in the container image, the GitHub Actions workflow fails immediately and the image never reaches the registry. No exceptions.

Once deployed, Prometheus scrapes cluster metrics every 15 seconds. Grafana dashboards surface pod health, resource utilisation, and custom application metrics in real time.

Key technical decisions
  • Trivy runs against the local Docker image before any push — catches vulnerabilities before they touch the registry
  • Base image pinned to a specific SHA256 digest in the Dockerfile — prevents silent upstream changes
  • GKE Autopilot chosen to reduce node management overhead while keeping Kubernetes flexibility
  • Terraform manages GKE cluster, VPC, and IAM bindings — all infrastructure version-controlled
  • Kubernetes secrets stored in Google Secret Manager, injected at pod startup via Workload Identity
  • Prometheus alerts configured for pod crash-looping, high memory, and request error rate spikes
  • Grafana alert webhooks push to a Slack channel for immediate incident awareness
  • Trello board linked to GitHub branches — PR merge triggers deployment pipeline automatically
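The secrets decision in the list above (application secrets in Google Secret Manager, reached from pods through Workload Identity rather than a mounted key file) expressed as Terraform. This is an added illustration, not the project's own code: the `flask-app` service account and secret names, the `var.project_id` and `var.namespace` variables, and the use of the `kubernetes` provider for the service account are assumptions.

```hcl
# Google service account the Flask pods run as (assumed name).
resource "google_service_account" "flask" {
  account_id   = "flask-app"
  display_name = "Flask app runtime identity"
}

# The secret container; the secret value itself is added out of band so it
# never passes through Terraform code or state.
resource "google_secret_manager_secret" "flask_config" {
  secret_id = "flask-app-config" # assumed name
  replication {
    auto {}
  }
}

# Least privilege: the runtime identity may read this one secret and nothing
# else, rather than holding secretAccessor on the whole project.
resource "google_secret_manager_secret_iam_member" "flask_read" {
  secret_id = google_secret_manager_secret.flask_config.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.flask.email}"
}

# Workload Identity binding: only the named Kubernetes service account in the
# named namespace may act as the Google service account.
resource "google_service_account_iam_member" "flask_workload_identity" {
  service_account_id = google_service_account.flask.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/flask-app]"
}

# Kubernetes service account annotated with the Google identity; pods that
# reference this KSA obtain short-lived tokens from the GKE metadata server.
resource "kubernetes_service_account" "flask" {
  metadata {
    name      = "flask-app"
    namespace = var.namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.flask.email
    }
  }
}
```

With this in place the pod spec only needs `serviceAccountName: flask-app`; the application then reads the secret at startup through the Secret Manager client library using application default credentials. GKE Autopilot clusters have Workload Identity enabled already, so no extra cluster-level setting is required for the binding to work.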
Architecture components
  • GitHub Actions CI/CD
  • Trivy (CVE scanning)
  • Docker / GCR
  • Google Kubernetes Engine
  • Terraform (IaC)
  • Google Secret Manager
  • Workload Identity
  • Prometheus
  • Grafana
  • kube-state-metrics
  • Flask (Python)
  • Trello (project mgmt)
CI/CD pipeline flow
git push → GitHub Actions trigger → docker build → trivy scan → push to GCR → terraform apply → GKE deploy

Pipeline halts at trivy scan if HIGH/CRITICAL CVEs are found — image never reaches GCR.