Terraform Lead | Santa Clara, CA

Senior Terraform Lead Location- Santa Clara, CA / Remote is also ok Buy Rate- $70/hr Engagement Summary We are looking for a strong Terraform engineer to build and operationalize a Terraform-first Azure infrastructure platform. The work includes (but is not limited to) automated provisioning and lifecycle management of Azure services such as AKS, Storage Accounts, identity/access controls, networking, observability, security services, and data/analytics services including Microsoft Fabric. A key deliverable is to convert and rationalize existing IaC (significant Bicep footprint) into reusable, tested Terraform modules and pipelines. Key Responsibilities Infrastructure as Code (Terraform-first on Azure) • Design and implement Terraform modules for consistent, reusable provisioning of Azure infrastructure across environments (dev/test/prod). • Build patterns for subscription/resource-group organization, naming standards, tagging, and environment overlays. • Implement end-to-end automation: plan/apply workflows, validation, drift detection, and safe promotion between environments. Kubernetes / AKS automation • Provision and manage AKS clusters via Terraform, including node pools, networking integration, add-ons, policies, and baseline security. • Enable repeatable cluster bootstrapping (GitOps-ready patterns preferred). Storage + Access Governance as Code • Create and manage Storage Accounts and related services (containers, encryption, networking rules, private endpoints, diagnostics). • Implement RBAC/access management as code: role assignments, managed identities, service principals, group-based access, least-privilege patterns. • Expectation: permissions are defined and tracked in Terraform to reduce configuration drift. Broad Azure services enablement (not limited to examples) • Extend module library to cover diverse Azure services needed by platform/application/data teams (networking, security, compute, PaaS, monitoring, etc.). • Collaborate with architects/engineering teams to turn platform requirements into scalable Terraform patterns. Microsoft Fabric (and data platform) automation • Automate provisioning and configuration of Microsoft Fabric workspaces and related constructs via Terraform where supported, including required identity/permission setup. • We already have evidence of Fabric workspace deployment via Terraform pipelines and the need to configure permissions correctly for service principals. Bicep → Terraform conversion • Assess existing Bicep IaC and lead a conversion strategy: • Map Bicep modules to Terraform modules/providers • Establish equivalency patterns and migration sequencing • Handle importing existing resources into state where needed • Minimize disruption and downtime during migration • Improve standardization by consolidating duplicated patterns and creating a shared module registry. CI/CD & Operational Excellence • Implement and maintain CI/CD pipelines for Terraform (linting, validation, unit tests, security scans, policy checks). • Establish best practices for Terraform state management, locking, secrets handling, and safe refactors. • Create developer enablement assets: examples, module docs, onboarding guidance. Required Skills (Must-have) Terraform Expertise • 5+ years of hands-on Terraform (or equivalent depth), including: • Module design (composable, versioned modules) • Remote state design, state locking, workspaces/environments • Imports, refactors (state mv), drift management, dependency control • Strong experience with the AzureRM provider (and related providers where needed). Azure Platform Engineering • Deep understanding of Azure fundamentals: subscriptions, management groups, resource groups, networking, identity, governance. • Strong experience with Azure RBAC, managed identities, service principals, and group-based access models (Entra ID/AAD concepts). AKS • Proven experience deploying and operating AKS via automation: cluster lifecycle, networking, policies, add-ons, security baseline. Security & Governance • Implements least privilege; codifies access controls; understands auditability/compliance expectations. • Experience with secret management patterns (avoid committing secrets; integrate with vault systems; secure tfvars/state). DevOps / Automation • CI/CD experience (Azure DevOps, GitHub Actions, or similar) for Terraform workflows. • Familiarity with trunk-based development, PR validation, and infrastructure testing patterns. • Comfort with scripting (PowerShell/Python/Bash) to glue workflows and automate validations. Preferred Skills (Nice-to-have) • Microsoft Fabric provisioning and automation experience (workspace deployment, permissions, integrations). • Experience converting IaC between frameworks (ARM/Bicep → Terraform). • Experience with policy-as-code (Azure Policy), OPA/Conftest, or Sentinel. • Experience designing multi-tenant landing zones / enterprise-scale Azure architectures. • Knowledge of GitOps tooling (Flux/Argo) and Kubernetes add-on management. Deliverables / Outcomes (What Success Looks Like) Within the engagement, the engineer will: • Deliver a Terraform module library covering core platform patterns and commonly used Azure services. • Stand up a production-grade Terraform CI/CD workflow (validate/plan/apply, approvals, drift checks). • Implement standard access management as code (RBAC patterns, role assignment modules, least-privilege guardrails). • Provide AKS and Storage automation reference implementations (as exemplars, not the only scope). • Define and execute a Bicep→Terraform migration plan, including import/state strategy and phased rollout. • Produce documentation: module usage guides, onboarding, and operational runbooks. Screening / Vendor Evaluation Checklist (you can paste this into an RFP) Ask Vendors To Provide • 2-3 examples of Terraform module repos they authored (sanitized is fine) demonstrating structure, testing, and versioning. • A sample CI/CD pipeline for Terraform with policy checks and environment promotion. • A short write-up on how they handle: • Remote state + locking • Secrets management • Importing existing Azure resources into Terraform state • RBAC/permissions as code patterns (group-based access, least privilege) Optional but strong: examples of AKS and/or Microsoft Fabric automation work. Notes:- All qualified applicants will receive consideration for employment without regard to race, color, religion, religious creed, sex, national origin, ancestry, age, physical or mental disability, medical condition, genetic information, military and veteran status, marital status, pregnancy, gender, gender expression, gender identity, sexual orientation, or any other characteristic protected by local law, regulation, or ordinance. Benefits: Danta offers a compensation package to all W2 employees that are competitive in the industry. It consists of competitive pay, the option to elect healthcare insurance (Dental, Medical, Vision), Major holidays and Paid sick leave as per state law. The rate/ Salary range is dependent on numerous factors including Qualification, Experience and Location.