Project /20 · AWS · Platform

AWS Developer Platform

An internal developer platform on EKS that gives application teams a paved road: a one-line claim provisions hardened, policy-compliant AWS infrastructure with no static credentials anywhere.

Role: Platform Eng
Cloud: AWS
Control plane: EKS
IaC: Terraform

Developer (Backstage template) → Git (app-of-apps) → ArgoCD (reconcile) → Kyverno (admission policy) → Crossplane (IRSA provider) → S3 Bucket (AES256 · versioned · tagged)
Self-service paved road — claim to hardened AWS resource, no static credentials

/01Problem

Application teams should not have to hand-write S3 buckets, wire IAM, and remember every hardening checkbox to ship a service. Doing so spreads inconsistent, often insecure infrastructure across an org and makes every new service a bespoke review.

The goal was a paved road: a self-service interface where a developer declares what they need, and the platform returns a real, hardened, policy-compliant resource without ever touching cloud credentials.

/02Approach

  • ArgoCD app-of-apps GitOps reconciles every platform component from Git, so the cluster's desired state is version-controlled and auditable.
  • Crossplane with an IRSA-authenticated AWS provider exposes a self-service Bucket API: a developer's one-line claim provisions a real S3 bucket, no static credentials in the path.
  • Buckets are hardened by default: AES256 encryption, versioning, all four public-access-block settings, and a mandatory owning-team tag.
  • Kyverno enforces an owning-team label as an admission policy in flagged namespaces, so non-compliant workloads are rejected at the API server.
  • A Backstage golden-path template scaffolds a new service with a Dockerfile, a hardened Helm chart, and an ArgoCD Application, GitOps-deployable the moment it exists.
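The Bucket API described in the list above, written out as an added example (manifests I wrote for this page, not the project's own). It assumes the Upbound provider-aws S3 resource kinds, an illustrative API group `platform.example.org`, a region `eu-west-1`, and a ProviderConfig named `default`; all of those are assumptions. The point to notice is where the hardening lives: in the Composition, which the platform owns, not in the claim, which the developer owns.

```yaml
# Added example, not the project's manifests. Assumptions: group platform.example.org,
# Upbound provider-aws S3 kinds (s3.aws.upbound.io/v1beta1), region eu-west-1.
---
# 1. XRD: the developer-facing API. The only input is the owning team, and it is
#    required, so a claim without it is rejected at admission before anything reaches AWS.
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
  name: xbuckets.platform.example.org
spec:
  group: platform.example.org
  names: {kind: XBucket, plural: xbuckets}
  claimNames: {kind: Bucket, plural: buckets}
  defaultCompositionRef: {name: xbuckets.aws.platform.example.org}
  versions:
  - name: v1alpha1
    served: true
    referenceable: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            required: [parameters]
            properties:
              parameters:
                type: object
                required: [owningTeam]
                properties:
                  owningTeam: {type: string, minLength: 1}
---
# 2. Composition: the hardening lives here, so a team cannot opt out of it.
#    Each child selects the bucket via matchControllerRef; no names are guessed.
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: xbuckets.aws.platform.example.org
spec:
  compositeTypeRef: {apiVersion: platform.example.org/v1alpha1, kind: XBucket}
  resources:
  - name: bucket
    base:
      apiVersion: s3.aws.upbound.io/v1beta1
      kind: Bucket
      spec:
        forProvider:
          region: eu-west-1
    patches:
    - type: FromCompositeFieldPath            # the mandatory owning-team tag
      fromFieldPath: spec.parameters.owningTeam
      toFieldPath: spec.forProvider.tags["owning-team"]
  - name: encryption
    base:
      apiVersion: s3.aws.upbound.io/v1beta1
      kind: BucketServerSideEncryptionConfiguration
      spec:
        forProvider:
          region: eu-west-1
          bucketSelector: {matchControllerRef: true}
          rule:
          - applyServerSideEncryptionByDefault:
            - sseAlgorithm: AES256            # SSE-S3, as on the page; aws:kms if a CMK is needed
  - name: versioning
    base:
      apiVersion: s3.aws.upbound.io/v1beta1
      kind: BucketVersioning
      spec:
        forProvider:
          region: eu-west-1
          bucketSelector: {matchControllerRef: true}
          versioningConfiguration:
          - status: Enabled
  - name: public-access-block
    base:
      apiVersion: s3.aws.upbound.io/v1beta1
      kind: BucketPublicAccessBlock
      spec:
        forProvider:
          region: eu-west-1
          bucketSelector: {matchControllerRef: true}
          blockPublicAcls: true               # all four settings, not a subset
          blockPublicPolicy: true
          ignorePublicAcls: true
          restrictPublicBuckets: true
---
# 3. The claim a developer commits. Nothing here names an ARN, a key, or a policy.
apiVersion: platform.example.org/v1alpha1
kind: Bucket
metadata:
  name: orders-artifacts
  namespace: team-orders
spec:
  parameters:
    owningTeam: orders
```

Because the claim's schema exposes only `owningTeam`, a developer cannot pass `forProvider` fields through and, for example, turn versioning off; the only way to change the hardening is a change to the Composition, which goes through the platform repository and its review.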

/03Architecture

EKS, the VPC, the cluster's OIDC provider, and the scoped IRSA role are all provisioned in Terraform with an S3 remote state backend. Crossplane's AWS provider assumes the IRSA role to act on AWS: the provider pod holds only a short-lived projected service-account token, which STS exchanges for temporary credentials, so no long-lived access key exists in the cluster, in a Secret, or in Git.
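The cluster half of that IRSA wiring, as an added example (not the project's manifests). The role ARN, the provider package version and all names are assumptions. On the AWS side, which the page provisions in Terraform and which is not shown here, the role's trust policy must use a `StringEquals` condition on the OIDC issuer's `:sub` claim equal to `system:serviceaccount:<namespace>:<serviceaccount>` and on `:aud` equal to `sts.amazonaws.com`; a trust policy that only checks the issuer would let any pod in the cluster assume the role.

```yaml
# Added example, not the project's manifests. Role ARN, package version and names
# are assumptions.
---
# The ServiceAccount annotation is what the EKS pod identity webhook keys on: it
# mounts a projected OIDC token into the provider pod and sets AWS_ROLE_ARN /
# AWS_WEB_IDENTITY_TOKEN_FILE, and the AWS SDK exchanges the token with STS.
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: aws-irsa
spec:
  serviceAccountTemplate:
    metadata:
      name: provider-aws                 # fixed name so the IAM trust policy can pin it
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/crossplane-provider-aws
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-s3
spec:
  package: xpkg.upbound.io/upbound/provider-aws-s3:v1.1.0   # pinned; version is an assumption
  runtimeConfigRef:
    name: aws-irsa
---
# "source: IRSA" means "use the pod's own identity": there is no Secret to reference,
# so there is nothing for a compromised namespace to read or exfiltrate.
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: IRSA
```

The check worth running after applying this is `kubectl -n crossplane-system describe sa provider-aws` to confirm the annotation was templated onto the account Crossplane actually created; a typo in the DeploymentRuntimeConfig name silently leaves the provider with no identity and every managed resource stuck in a `ReconcileError`.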

The platform layer (ArgoCD, Crossplane, Kyverno, Backstage) is itself reconciled by GitOps, so the boundary between cluster bootstrap (Terraform) and platform configuration (Git) is explicit.
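Kyverno is one of those Git-reconciled platform components, and the owning-team admission policy from the Approach section would be one of its manifests. The following is an added example of that policy (not the project's own); the namespace label key under `platform.example.org/` and the namespace name are assumptions.

```yaml
# Added example, not the project's policy. The label key that flags a namespace
# and the namespace name are assumptions.
---
# Only namespaces carrying the flag are in scope, so kube-system and the platform
# namespaces are untouched simply by not carrying it.
apiVersion: v1
kind: Namespace
metadata:
  name: team-orders
  labels:
    platform.example.org/enforce-ownership: "true"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-owning-team
spec:
  validationFailureAction: Enforce    # reject at admission; Audit would only report
  background: true                    # also surfaces existing non-compliant workloads
  rules:
  - name: owning-team-label
    match:
      any:
      - resources:
          kinds: [Pod, Deployment, StatefulSet, DaemonSet, Job, CronJob]
          namespaceSelector:
            matchLabels:
              platform.example.org/enforce-ownership: "true"
    validate:
      message: "Workloads in this namespace must set metadata.labels.owning-team."
      pattern:
        metadata:
          labels:
            owning-team: "?*"         # present and non-empty
```

With `Enforce`, a `kubectl apply` of a Deployment in `team-orders` that lacks the label is refused by the API server with the message above, which is the behaviour the Approach section describes; the same policy with `validationFailureAction: Audit` would admit the workload and only record a PolicyReport, which is the right setting while rolling the rule out to namespaces that already have workloads.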

/04Outcome

A developer's one-line claim yields a production-grade, hardened S3 bucket with zero credential handling and guaranteed tagging for cost attribution and ownership.

Verified end to end against real AWS, then torn down clean, demonstrating the full provision-and-destroy lifecycle rather than a screenshot.

EKS · ArgoCD · Crossplane · Kyverno · Backstage · IRSA · Terraform · GitOps