Project Portfolio

Problem

Provide a hardened file transfer service with least-privilege access and predictable networking for partners and internal users.

Solution

• Terraform modules for VPC, subnets, security groups, and IAM permissions
• SFTP-only access with restricted users and locked-down inbound rules
• Logging/monitoring hooks for auditability and operational troubleshooting

Impact

• Repeatable, version-controlled infrastructure with consistent deployments
• Reduced manual configuration drift and improved security posture

Tech Stack

AWS (VPC, EC2, IAM, S3), Terraform, Bash

Production Thinking

• Least-privilege IAM and security groups for narrow ingress
• Structured logging and audit-friendly patterns for transfers
• IaC supports rollback and reduces configuration drift

Problem

Enable secure remote access without exposing internal networks, while keeping operations simple for support workflows.

Solution

• Infrastructure-as-code for compute, networking, and firewall rules
• Hardened inbound access patterns and least-privilege security groups
• Automated bootstrap to reduce manual setup steps and mistakes

Impact

• More reliable remote support flow with repeatable deployments
• Lower operational overhead through automation and standardization

Tech Stack

AWS (EC2, VPC, IAM), Terraform

Production Thinking

• Minimal exposure surface via security groups and explicit ports
• Automation reduces manual build steps and inconsistency
• Design supports teardown and rebuild for maintenance windows

Problem

Reduce manual admin work and errors when onboarding/offboarding users who need group-based access.

Solution

• Event-driven Lambda workflow to apply membership rules consistently
• API-based updates against Google Admin / Directory services
• Guardrails for validation and safe retries to avoid partial updates

Impact

• Faster provisioning with fewer helpdesk requests
• More consistent access control driven by automation

Tech Stack

AWS Lambda, Python, Google Admin SDK / Directory API, IAM

Production Thinking

• Validation and safe retries to avoid partial membership updates
• Operational logs for tracing API outcomes
• Scoped credentials and least-privilege service roles

Problem

Ensure users land in the correct Organizational Unit so the right policies, apps, and settings apply automatically.

Solution

• Serverless workflow to move users between OUs based on onboarding signals
• API-driven changes with validation for edge cases and mismatched inputs
• Operational visibility via structured logs for troubleshooting

Impact

• Consistent policy application and fewer manual corrections
• Improved onboarding speed and reduced admin burden

Tech Stack

AWS Lambda, Python, Google Workspace APIs, IAM

Production Thinking

• Input validation for mismatched or incomplete user records
• Structured logging for troubleshooting failed API calls
• Idempotent-style handling where possible to avoid duplicate moves

Problem

Remove Cisco components safely and consistently without leaving devices in a broken or partially removed state.

Solution

• Step Functions state machine orchestrating checks, removal, and verification
• Idempotent steps with retries and clear failure states for operations
• Separation of concerns: workflow orchestration vs per-step execution

Impact

• More predictable removals with fewer escalations and rework
• Clear audit trail of what ran and where failures occurred

Tech Stack

AWS Step Functions, Lambda, IAM, CloudWatch

Production Thinking

• Retries and idempotent steps to handle transient failures
• Clear state machine visibility for audits and incident review
• Separation between orchestration and per-step execution for maintainability

Problem

Deploy a private file collaboration platform with secure access patterns and reproducible infrastructure.

Solution

• Terraform for networking, compute, and baseline hardening
• Secure ingress/egress controls and environment separation practices
• Repeatable provisioning to support upgrades and recovery scenarios

Impact

• Consistent deployments and easier troubleshooting/rollbacks
• Improved resilience through standard infrastructure patterns

Tech Stack

AWS (VPC, EC2, S3, IAM), Terraform

Production Thinking

• Network segmentation and controlled ingress for collaboration workloads
• IaC supports cost-aware sizing and environment parity
• Operational focus on backup and recovery assumptions documented in code

Problem

Reduce onboarding lead time by converting structured Jira requests into consistent account provisioning actions.

Solution

• Jira-driven workflow that validates ticket fields before executing changes
• API Gateway + Lambda to apply provisioning steps in an auditable way
• Clear error states and notifications when prerequisites are missing

Impact

• Faster onboarding and fewer manual steps for IT operations
• More consistent outcomes with reduced human error

Tech Stack

AWS API Gateway, AWS Lambda, Python, Microsoft Graph / M365, Jira REST API, IAM

Production Thinking

• Ticket validation gates before any tenant changes
• Explicit error paths and notifications when prerequisites fail
• IAM-scoped roles for API integrations; logging for traceability

Problem

Help users find answers quickly without repeatedly paging engineers for common support questions.

Solution

• Slack bot interface with structured prompts and response formatting
• Retrieval-augmented generation to ground answers in internal docs/sources
• Fallback messaging when confidence is low or sources are missing

Impact

• Reduced repeat questions and improved self-service support
• Faster time-to-answer with better user experience in Slack

Tech Stack

Python, Flask, Slack API, RAG / embeddings pipeline

Production Thinking

• Low-confidence responses avoid presenting guesses as facts
• Designed for maintainable prompt and retrieval updates
• Suitable for rate limiting and basic operational logging around requests

Problem

Website deployments depended on Jenkins, while validation and release visibility were moving to GitHub. This split ownership made troubleshooting, auditing, and maintenance slower.

Solution

• Implemented GitHub Actions validate and deploy workflows for this repository.
• Moved deploy operations to a self-hosted runner running in an LXC Debian container.
• Configured environment-scoped secrets for SSH key, host/path, and Discord webhook.
• Added deploy parity steps: validation checks, SSH sync, Nginx restart, and status notifications.

Impact

• CI/CD is fully running on GitHub Actions with successful production deployments.
• Jenkins is retained only as a commented fallback reference and is no longer the active path.
• Faster release feedback with clear run history and logs in one platform.

Tech Stack

GitHub Actions, self-hosted runner, PHP site deploy over SSH, environment-scoped secrets.

Production Thinking

• Secrets scoped to the deploy environment; no credentials in the workflow YAML.
• Deploy logs and run history centralized in GitHub for auditing and rollbacks.

Current workflow map

Validate: pull requests to main + manual runs.
Deploy: pushes to main + manual runs, with environment secrets.

Flow

Jira Automation → API Gateway (HTTP API) → VPC Link → internal ALB → EC2 Flask app

The EC2 app

• Receives a POST request
• Validates a shared secret
• Validates and normalizes the JSON payload
• Creates or disables a Pritunl user depending on the endpoint
• Sends credentials via SES for onboarding
• Writes a Jira internal comment
• Returns a JSON response

Onboarding path (manually validated)

Create the user, download the Pritunl profile ZIP, extract the limited .ovpn profile, email it through SES, delete the downloaded archive, and add a Jira internal comment — aligned with the repo’s expected behavior.

Fetches live user data by email from Snipe-IT and returns deployed assets (status label ID 5), accessories assigned to that user, and optionally posts a Jira internal comment when issue_key is provided.

Environment variables

• SNIPEIT_BASE_URL — e.g. https://snipeit.example.com
• SNIPEIT_API_TOKEN — Snipe-IT API token
• EXPECTED_SECRET — shared secret for API requests
• JIRA_URL — e.g. https://your-domain.atlassian.net
• JIRA_EMAIL — Jira API user email
• JIRA_API_TOKEN — Jira API token

Local usage

uv run hello.py "[email protected]"

AWS Lambda

• Handler: snipeit_api.lambda_handler
• Query (required): email
• Query (optional): issue_key
• Secret: query/body secret or header x-shared-secret
• SAM: template.yaml

Example event

{
  "queryStringParameters": {
    "email": "[email protected]",
    "issue_key": "IT-12345",
    "secret": "your-shared-secret"
  }
}

Example response

{
  "email": "[email protected]",
  "deployed_assets_count": 2,
  "deployed_assets": [
    {
      "status_label": { "id": 5, "name": "Deployed" },
      "name": "Mac mini (2018)",
      "serial": "C07XP1LHJYVW",
      "book_value": "0.00"
    },
    {
      "status_label": { "id": 5, "name": "Deployed" },
      "name": "MacBook Pro 14 - M4 Pro",
      "serial": "HK1FPW42GM",
      "book_value": "917.92"
    }
  ],
  "accessories_count": 2,
  "accessories": [
    { "name": "Magic Mouse A1657" },
    { "name": "Magic Keyboard MK2A3B/A" }
  ],
  "has_accessories": true,
  "jira_comment_added": true,
  "jira_issue_key": "IT-12345"
}

Deploy with SAM

sam build
sam deploy --guided

When prompted (or use --parameter-overrides), set: SnipeBaseUrl, SnipeApiToken, ExpectedSecret, JiraUrl, JiraEmail, JiraApiToken.

sam deploy --stack-name snipeit-user-search \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides \
  SnipeBaseUrl=https://snipeit.example.com \
  SnipeApiToken=YOUR_TOKEN \
  ExpectedSecret=YOUR_SHARED_SECRET \
  JiraUrl=https://your-domain.atlassian.net \
  [email protected] \
  JiraApiToken=YOUR_JIRA_TOKEN

Source and supporting files for a serverless app that connects Jira webhooks to Snipe-IT user creation. The Lambda handles POSTs from Jira, validates them, and creates users in Snipe-IT when they do not already exist, with internal comments back on the Jira issue.

Application overview

The Lambda (app.lambda_handler) processes POST requests from Jira webhooks:

• Validation — X-Webhook-Secret header must match the EXPECTED_SECRET environment variable.
• Data extraction — Parses the Jira payload for user details (issue key, display name, email).
• Snipe-IT integration — If the user does not exist in Snipe-IT, creates a new user with a generated password and assigns them to group 6.
• Jira feedback — Posts internal comments to the Jira issue with success or failure.

Environment variables

• EXPECTED_SECRET — Secret for webhook validation.
• SNIPEIT_API_KEY — Bearer token for the Snipe-IT API.
• SNIPEIT_BASE_URL — Snipe-IT base URL (e.g. https://snipeit.example.com/api/v1).
• JIRA_URL — Jira instance URL (e.g. https://your-company.atlassian.net).
• JIRA_EMAIL — Email for Jira authentication.
• JIRA_API_TOKEN — API token for Jira authentication.

Automates creating Microsoft 365 (Azure AD) user accounts from open Jira Service Desk onboarding tickets, and posts credentials as internal comments on the same issues.

Features

• Fetches open onboarding tickets from Jira Service Desk.
• Automatically creates Microsoft 365 user accounts for Clinical department tickets.
• Generates strong random passwords for new accounts.
• Posts account credentials as internal comments on the Jira ticket.

Requirements

• Python 3.7+
• Microsoft 365 tenant with API access
• Jira Service Desk with API access
• Python packages (from requirements.txt): requests, python-dotenv

Setup

Clone the repository and install dependencies:

pip install -r requirements.txt

Create a .env file in the project directory with:

TENANT_ID=your-azure-tenant-id
CLIENT_ID=your-azure-client-id
CLIENT_SECRET=your-azure-client-secret

JIRA_URL=https://your-domain.atlassian.net
[email protected]
JIRA_API_TOKEN=your-jira-api-token

Usage

python JiraMSAccountCreation.py

The script fetches open onboarding tickets from Jira, creates a Microsoft 365 user for each Clinical ticket, and posts the username and password as an internal comment on the ticket.

Security

• Passwords are generated securely and only posted as internal comments visible to the Service Desk team.
• Never commit your .env file or credentials to version control.

Files

• JiraMSAccountCreation.py — main automation script.
• requirements.txt — Python dependencies.