Cloud & Production Systems

AWS, TERRAFORM, ECS, RDS.
SHIPPED AND HARDENED.

AWS via Terraform, ECS Fargate, RDS Aurora, CloudFront + WAF, CI/CD pipelines, Docker, VPS provisioning and hardening. I build it, deploy it, and keep it running.

What I Build

Terraform, ECS, RDS, CloudFront, CI/CD — You Own It

Terraform Platforms: Multi-module AWS (ECS, RDS, CloudFront, WAF, VPN, S3, Secrets)
ECS Fargate: Auto-scaling (CPU/memory targets), Spot capacity, task definition templating
RDS Aurora Serverless v2: IAM auth, 30-day backup retention, enhanced monitoring
CDN & Security: CloudFront + WAF, edge functions, security headers, basic-auth
CI/CD Pipelines: GitHub Actions, GitLab CI, OIDC role assumption, multi-environment
Docker: Multi-stage builds, Compose orchestration, health checks, layer caching
VPS Hardening: Key-only SSH, fail2ban, UFW, Cloudflare Tunnels, unattended upgrades
Secrets Management: AWS Secrets Manager, SSM Parameter Store, KMS encryption

Tech Stack

Tools I Ship With

Terraform, AWS, ECS Fargate, RDS Aurora, CloudFront, WAF, API Gateway, S3, ECR, Route53, Secrets Manager, KMS, GitHub Actions, GitLab CI, Docker, Docker Compose, Cloudflare Tunnels, Hetzner, Ubuntu, fail2ban, UFW, OpenVPN, Nginx, PostgreSQL

Case Evidence

Infrastructure in Production

Infrastructure / Terraform

EU Fintech AWS Platform

Built a complete multi-module Terraform platform for a stealth EU fintech: ECS Fargate with auto-scaling, RDS Aurora Serverless v2, CloudFront CDN with WAF, OpenVPN module, API Gateway, and multi-environment CI/CD with OIDC role assumption.

Terraform modules: 12+
Services: ECS, Aurora, CloudFront, WAF, VPN, API GW
Environments: Production + Staging
CI/CD: GitHub Actions OIDC

Infrastructure / DevOps

Agent Platform Deployment

Provisioned and hardened a VPS for a production AI platform: key-only SSH, root login disabled, fail2ban (3 attempts = 1h ban), UFW, Cloudflare Tunnels for all services. Docker Compose with health checks, volume isolation, and auto-restart.

Server: Hetzner CPX31 (4 vCPU, 8GB)
Access: Cloudflare Tunnels only
Orchestration: Docker Compose
Uptime: Production since Feb 2026

Infrastructure / CI/CD

CI/CD Pipeline Architecture

Designed reusable CI/CD pipeline architecture: _build.yaml + _deploy-ecs.yaml composed into deploy-prod/deploy-stg workflows. OIDC role assumption, multi-account support, Docker Buildx with layer caching, ECS service stability wait.

Pattern: Reusable workflows (_build + _deploy)
Registry: ECR with Buildx + git SHA tags
Deploy: ECS task definition templating

Frequently Asked Questions

What does a Terraform-based AWS platform include?

A typical platform includes: ECS Fargate for container orchestration with auto-scaling, RDS Aurora Serverless v2 for the database, CloudFront CDN with WAF and security headers, VPC with public/private subnet separation, NAT gateways, Secrets Manager with KMS encryption, ECR for container images, S3 for logging, and Route53 for DNS. Everything is modular — each component is a reusable Terraform module with its own state, so you can deploy pieces independently.

How do you handle multi-environment deployments?

Terraform workspaces for infrastructure isolation (prod + staging with separate state), combined with reusable CI/CD workflows that compose build and deploy steps. Each environment gets its own secrets, database, and scaling configuration. Deployments use OIDC role assumption — no long-lived AWS credentials in CI. The staging environment mirrors production but with smaller instance sizes and relaxed scaling targets.

What's your approach to VPS security hardening?

Layered security: (1) key-only SSH with root login disabled, (2) fail2ban with aggressive thresholds (3 failed attempts = 1 hour ban), (3) UFW firewall with only SSH exposed to the internet, (4) all application services behind Cloudflare Tunnels, with no direct internet exposure, (5) unattended security upgrades enabled, (6) Docker containers running as non-root users with read-only filesystems where possible. The goal: even if someone finds the server, there is nothing exposed to attack.
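One way to verify that a host actually matches items (1) and (2) of that baseline, written here as an added example rather than the page's or the consultant's own tooling; it assumes Ubuntu's sshd_config Include layout (absolute paths, one level deep) and fail2ban's stock jail.conf defaults for anything jail.local leaves unset.

```shell
# Added example, not the page's own tooling: audit sshd + fail2ban config against
# the baseline described above (key-only SSH, root login off, 3 tries = 1h ban).

# sshd keeps the FIRST value it sees, and Include'd drop-ins (e.g. Ubuntu's
# /etc/ssh/sshd_config.d/*.conf) come first, so expand them in document order.
expand_sshd_config() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            [Ii]nclude\ *) for f in ${line#* }; do if [ -f "$f" ]; then cat "$f"; fi; done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}
sshd_setting() {  # $1=sshd_config $2=key -> effective value, empty if unset
    expand_sshd_config "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == key { print $2; exit }'
}
audit_sshd() {  # 0 only if password and root logins are both disabled
    local rc=0 pa pr
    pa=$(sshd_setting "$1" PasswordAuthentication); pr=$(sshd_setting "$1" PermitRootLogin)
    [ "$pa" = "no" ] || { echo "FAIL PasswordAuthentication=${pa:-yes (default)}"; rc=1; }
    [ "$pr" = "no" ] || { echo "FAIL PermitRootLogin=${pr:-prohibit-password (default)}"; rc=1; }
    return $rc
}
jail_setting() {  # $1=jail file $2=key -> value from [sshd], else from [DEFAULT]
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { s = tolower($0); sub(/^[[:space:]]*\[/, "", s); sub(/\].*/, "", s); next }
        (s == "default" || s == "sshd") && index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]+/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); val[s] = v }
        }
        END { r = ("sshd" in val) ? val["sshd"] : val["default"]; print r }' "$1"
}
to_seconds() {  # fail2ban durations: 600, 30m, 1h, 1d -> seconds
    case "$1" in *d) echo $(( ${1%d} * 86400 ));; *h) echo $(( ${1%h} * 3600 ));;
                 *m) echo $(( ${1%m} * 60 ));;    *) echo "${1:-0}";; esac
}
audit_jail() {  # assumes jail.conf defaults (maxretry 5, bantime 10m) when unset
    local rc=0 retry raw ban
    retry=$(jail_setting "$1" maxretry); raw=$(jail_setting "$1" bantime); ban=$(to_seconds "${raw:-10m}")
    [ "$(jail_setting "$1" enabled)" = "true" ] || { echo "FAIL sshd jail not enabled"; rc=1; }
    [ "${retry:-5}" -le 3 ] || { echo "FAIL maxretry=${retry:-5}, want <=3"; rc=1; }
    [ "$ban" -ge 3600 ] || { echo "FAIL bantime=${ban}s, want >=3600"; rc=1; }
    return $rc
}
# Usage: audit_sshd /etc/ssh/sshd_config && audit_jail /etc/fail2ban/jail.local
```

The Include expansion is the part that matters in practice: a drop-in under sshd_config.d/ wins over a hardened main file, so cross-check with `sshd -T` on the live host when in doubt.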

Do you manage infrastructure after deployment?

Yes. I build monitoring (CloudWatch enhanced monitoring, custom dashboards), alerting, and auto-scaling policies, and operate infrastructure day-to-day after deployment. My own agent platform has been running on a hardened VPS since February 2026 — I designed it and I run it.

LET'S BUILD YOUR INFRASTRUCTURE

First call is free. Book a 30-minute call.