Cloud & Platform Engineering
3× faster onboarding · ~18 hrs saved per engagement
A unified GitOps platform that lets a single team manage infrastructure across three clouds through one consistent workflow — replacing fragmented tooling, manual setup, and drift-prone environments.
Challenge
A DevOps services firm managing client infrastructure across Azure, GCP, and AWS had no shared automation layer. Every new client required 18+ hours of manual credential collection, environment provisioning, and tool configuration — per cloud, per engagement.
Approach
Built a Kubernetes-native control plane on GKE Enterprise with a unified declarative schema covering all three clouds. GitOps reconciliation via ArgoCD ensures drift is caught automatically. A structured onboarding flow collects, validates, and provisions credentials across all providers in a single pass.
Outcome
New client environments now onboard in a fraction of the previous time. Manual setup per engagement dropped by ~68%. Infrastructure drift is eliminated by continuous reconciliation. The team operates all three clouds from a single workflow.
The client was a DevOps consultancy managing cloud infrastructure for a portfolio of enterprise customers. Their team was skilled — but their tooling hadn't kept pace with the growth of their multi-cloud footprint. Azure, GCP, and AWS each had their own playbook: different Terraform modules, different CI/CD configurations, different identity systems, and different onboarding checklists. When a new client came on, the setup process started from scratch on each cloud they used.
The operational cost was significant. Onboarding a single new client across three clouds took upward of 18 hours of engineering time — collecting credentials, configuring IAM roles, provisioning namespaces, and running environment-specific setup scripts. The team had started building internal scripts to automate pieces of this, but without a coherent platform behind them, the scripts themselves became a maintenance burden. What was needed was a platform that treated multi-cloud as a first-class concern.
The surface area of the problem was wide. Each cloud provider had its own identity model: Azure AD tenants, GCP project-scoped service accounts, AWS IAM roles with cross-account trust policies. There was no abstraction that spanned all three. Engineers managing an Azure environment had to think in Azure terms; GCP work required GCP context; AWS required switching mental models again. There was no lingua franca for infrastructure declarations, and no shared runtime that could translate intent into provider-specific operations.
The consequence was configuration drift. Without a continuous reconciliation mechanism, manual changes accumulated across environments. A security patch applied to one client's AWS setup might not make it to another. A network policy updated in GCP wouldn't have an equivalent in Azure. The team spent a growing share of their time auditing state rather than delivering new work — and they had no reliable way to know which environments matched their intended configuration at any given moment.
Adimen designed and delivered the full platform in a retainer engagement spanning three months:
One configuration format covers clusters, VMs, databases, and networks across all three clouds. Cloud-specific overrides are available where they matter, but the baseline stays consistent and portable. Engineers declare intent once — the platform handles provider-specific translation. This removed the need for parallel Terraform module trees and eliminated the class of bugs that came from maintaining near-identical configurations in three separate codebases.
All infrastructure state is declared in Git. Controllers continuously reconcile live environments to the declared state — meaning drift is caught and corrected automatically, not discovered during an incident. ArgoCD manages application state; Crossplane handles cloud resource provisioning. The result is an environment where the Git repository is the source of truth, and any manual change is either overwritten or flagged for review within minutes.
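The two ideas in the paragraphs above, a single baseline declaration with per-cloud overrides and a reconciler that compares the declared state with what is actually running, can be sketched in a few dozen lines. The following is an added illustration, not code from Adimen's platform; the field names, the `AUTO_CORRECT` set and the "live" snapshot are constructed, and the overwrite-or-flag policy is an assumption chosen to show how a reconciler can treat security-relevant fields differently from the rest.

```python
"""Added example (not the platform's own code): a unified baseline with
per-cloud overrides, rendered per provider, plus a reconciler that diffs the
rendered desired state against an observed live snapshot and decides whether
each drifted field is overwritten immediately or flagged for human review.
All field names and sample states below are constructed."""
import copy
from dataclasses import dataclass

# Hypothetical unified declaration: one baseline, overrides only where they matter.
DECLARED = {
    "baseline": {
        "cluster": {"node_count": 3, "version": "1.29", "private_nodes": True},
        "network": {"cidr": "10.20.0.0/16", "deny_all_ingress": True},
    },
    "overrides": {
        "aws": {"cluster": {"version": "1.28"}},      # constructed: AWS pinned one minor back
        "azure": {"network": {"cidr": "10.30.0.0/16"}},
        "gcp": {},
    },
}

def deep_merge(base: dict, override: dict) -> dict:
    """Return base with override applied recursively; neither input is mutated."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged

def render(declared: dict, provider: str) -> dict:
    """Resolve the desired state for one cloud: baseline plus that cloud's overrides."""
    return deep_merge(declared["baseline"], declared["overrides"].get(provider, {}))

# Assumed policy: a manual change to these fields is a security regression, so the
# reconciler overwrites it at once; everything else is flagged for review.
AUTO_CORRECT = {("cluster", "private_nodes"), ("network", "deny_all_ingress")}

@dataclass(frozen=True)
class DriftAction:
    provider: str
    path: tuple
    declared: object
    observed: object
    action: str  # "overwrite" or "flag"

def flatten(d: dict, prefix: tuple = ()) -> dict:
    """Turn nested dicts into {(path, ...): leaf_value} for field-by-field comparison."""
    out = {}
    for k, v in d.items():
        if isinstance(v, dict):
            out.update(flatten(v, prefix + (k,)))
        else:
            out[prefix + (k,)] = v
    return out

def reconcile(declared: dict, provider: str, observed: dict) -> list:
    """Diff desired vs observed state for one provider and decide an action per drifted field."""
    desired = flatten(render(declared, provider))
    live = flatten(observed)
    actions = []
    for path, want in sorted(desired.items()):
        have = live.get(path)
        if have != want:
            action = "overwrite" if path in AUTO_CORRECT else "flag"
            actions.append(DriftAction(provider, path, want, have, action))
    return actions

# Constructed live snapshot: ingress was opened by hand and the node count was bumped.
OBSERVED_AWS = {
    "cluster": {"node_count": 5, "version": "1.28", "private_nodes": True},
    "network": {"cidr": "10.20.0.0/16", "deny_all_ingress": False},
}

if __name__ == "__main__":
    for a in reconcile(DECLARED, "aws", OBSERVED_AWS):
        print(f"{a.provider} {'.'.join(a.path)}: declared={a.declared!r} "
              f"observed={a.observed!r} -> {a.action}")
```

Running it reports the node-count change as flagged and the disabled ingress deny rule as overwritten. A real controller loop would do this on every poll or watch event and emit the flagged items as alerts, which is the "flagged for review within minutes" behaviour described above.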
A single, structured onboarding flow collects Azure AD tenant IDs, GCP project IDs, and AWS IAM roles — validates them, applies least-privilege policies, and provisions environment-specific namespaces automatically. What previously took 18 hours of back-and-forth with client IT teams now completes in under an hour. Secrets are stored in a Kubernetes-native secrets backend and rotated automatically on a schedule configurable per client.
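The onboarding flow described above has two defensive steps worth showing concretely: rejecting malformed or inappropriate provider identifiers before anything is provisioned, and granting the client's deploy identity only namespace-scoped rights. The block below is an added example, not the platform's real onboarding code. The identifier rules are simplified approximations of the real formats (Azure tenant IDs are GUIDs, GCP project IDs are 6-30 lowercase characters starting with a letter, IAM role ARNs are `arn:aws:iam::<account>:role/<name>`), the RBAC verbs and resources are an assumed minimal set, and every sample value is constructed.

```python
"""Added example (not Adimen's onboarding code): validate the three provider
identifiers an onboarding request carries, then build namespace-scoped RBAC
manifests for a client's deploy identity. Regexes are simplified approximations
of the real formats; sample values are constructed."""
import re
import uuid

# GCP project ID: 6-30 chars, lowercase letters/digits/hyphens, starts with a letter,
# cannot end with a hyphen (simplified).
GCP_PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# IAM role ARN: arn:aws:iam::<12-digit account>:role/<optional path>/<name> (simplified).
AWS_ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]{1,128}$")
# Kubernetes namespace names are RFC 1123 DNS labels.
DNS_LABEL_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")

def validate_azure_tenant(tenant_id: str) -> bool:
    """Accept only a canonical hyphenated GUID (uuid.UUID is lenient, so compare round-trip)."""
    try:
        return str(uuid.UUID(tenant_id)) == tenant_id.lower()
    except ValueError:
        return False

def validate_gcp_project(project_id: str) -> bool:
    return GCP_PROJECT_RE.match(project_id) is not None

def validate_aws_role_arn(arn: str) -> bool:
    """Require a role ARN; service-linked roles (path /aws-service-role/) are reserved
    for AWS services and cannot be assumed by the platform, so reject them."""
    if AWS_ROLE_ARN_RE.match(arn) is None:
        return False
    return "/aws-service-role/" not in arn

def validate_onboarding(request: dict) -> dict:
    """Return {field: error} for every failed check; an empty dict means the request is valid."""
    checks = {
        "azure_tenant_id": validate_azure_tenant,
        "gcp_project_id": validate_gcp_project,
        "aws_role_arn": validate_aws_role_arn,
    }
    errors = {}
    for field, check in checks.items():
        value = request.get(field)
        if not isinstance(value, str) or not check(value):
            errors[field] = f"invalid or missing {field}"
    return errors

def namespaced_rbac(client_slug: str, deploy_sa: str) -> list:
    """Namespace + Role + RoleBinding confined to one client namespace.
    Assumed least-privilege set: no delete, no secrets, no cluster-wide binding."""
    ns = f"client-{client_slug}"
    if DNS_LABEL_RE.match(client_slug) is None or len(ns) > 63:
        raise ValueError("client slug must be a DNS label that keeps the namespace under 64 chars")
    rbac_api = "rbac.authorization.k8s.io/v1"
    return [
        {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": ns}},
        {"apiVersion": rbac_api, "kind": "Role",
         "metadata": {"name": "deployer", "namespace": ns},
         "rules": [{"apiGroups": ["", "apps"],
                    "resources": ["deployments", "services", "configmaps"],
                    "verbs": ["get", "list", "watch", "create", "update", "patch"]}]},
        {"apiVersion": rbac_api, "kind": "RoleBinding",
         "metadata": {"name": "deployer", "namespace": ns},
         "subjects": [{"kind": "ServiceAccount", "name": deploy_sa, "namespace": ns}],
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "deployer"}},
    ]

# Constructed onboarding request; none of these identifiers belong to a real tenant.
SAMPLE_REQUEST = {
    "azure_tenant_id": "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
    "gcp_project_id": "acme-prod-eu",
    "aws_role_arn": "arn:aws:iam::123456789012:role/platform-deployer",
}

if __name__ == "__main__":
    print("errors:", validate_onboarding(SAMPLE_REQUEST) or "none")
    for manifest in namespaced_rbac("acme", "argocd-deployer"):
        print(manifest["kind"], manifest["metadata"]["name"])
```

Format validation is only the first gate; a real flow would follow it with a live check (for example, attempting an assume-role or listing the GCP project) before provisioning anything. The RoleBinding targets a ServiceAccount inside the client namespace, so even a compromised deploy credential cannot reach other clients' namespaces or cluster-scoped resources.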
The platform is built on GKE Enterprise as the management cluster. Provider-specific Kubernetes controllers handle cross-cloud resource provisioning. The platform integrates with existing OIDC identity providers without requiring changes to how engineers authenticate. Istio provides service mesh capabilities for workload-to-workload security. All platform components are deployed via Helm charts managed in the same Git repository as client infrastructure declarations.
Architecture
From a single config file through Git and CI/CD validation, into the unified control plane, and out to all three clouds. Automation layers for provisioning, security, and monitoring run across all providers via the GKE Enterprise control plane — drift is caught and reconciled continuously, not discovered during incidents.