Architecture
Opinionated modules encode security defaults (private subnets, least-privilege IAM, encrypted state). Services consume modules via versioned tags — no floating main.
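A CI check that enforces the "versioned tags, no floating main" rule, as an added example rather than code from this project. It assumes Terraform modules fetched from git with a `?ref=` selector, `terraform fmt`-style layout, and semver tags; the module names and URLs are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: Terraform-style module blocks (names and URLs are hypothetical).
SAMPLE_TF = '''
module "network" {
  source = "git::https://git.example.com/platform/tf-network.git?ref=v1.4.2"
}
module "iam" {
  source = "git::https://git.example.com/platform/tf-iam.git?ref=main"
}
module "state" {
  source = "git::https://git.example.com/platform/tf-state.git"
}
module "local_helper" {
  source = "./modules/helper"
}
'''

# Assumes fmt-style files: a module block closes with "}" in column 0.
MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.M)
TAG_RE = re.compile(r'^v?\d+\.\d+\.\d+$')  # assumed tag convention: semver, optional "v"


def check_pins(tf_text):
    """Return (module_name, problem) for each remote module not pinned to a version tag."""
    findings = []
    for name, body in MODULE_RE.findall(tf_text):
        m = SOURCE_RE.search(body)
        if m is None:
            findings.append((name, "no source attribute"))
            continue
        source = m.group(1)
        if source.startswith(("./", "../")):
            continue  # local path: versioned together with the calling repo
        ref = parse_qs(urlsplit(source.removeprefix("git::")).query).get("ref", [None])[0]
        if ref is None:
            findings.append((name, "no ref: follows the default branch"))
        elif not TAG_RE.match(ref):
            findings.append((name, f"ref '{ref}' is not a version tag"))
    return findings


if __name__ == "__main__":
    for name, problem in check_pins(SAMPLE_TF):
        print(f"{name}: {problem}")
```

Failing the pipeline on any finding keeps an unreviewed change to a shared module from reaching a service without a deliberate tag bump.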
Engineering details
- Environment matrix — dev/staging/prod with identical topology, scaled down in non-prod.
- Runbooks as code — alert rules shipped with each module.
- Cost guards — budget alerts wired at account level.
Outcomes
- New service bootstrap from empty repo to staging in under 2 hours
- Incident MTTR down after standardized dashboards per service