Cloud Architect

Role Overview

Cloud Architect (GCP) — fully remote long-term contract with Calance. You will provide as-needed GCP support and help build and enforce foundational cloud controls across the organization.

Responsibilities

• Provide GCP support, including monitoring-to-blocking/enforcement transitions.
• Build and maintain infrastructure-as-code using Terraform for:
  • project infrastructure changes
  • firewall changes
  • deployments
• Tune and enforce Google Cloud controls, including:
  • VPC Service Controls (VPC-SC)
  • organization policy management (~30–40 policies) and project-level excludes
• Design GCP networking/security patterns:
  • VPC and network design
  • firewall policy creation
  • tailor alerting
• Review existing Terraform repos and document “tribal knowledge” to standardize foundational controls.
• Manage GCP IAM via Terraform, including:
  • deploying Privileged Access Manager (PAM)
  • mapping users/groups/roles
  • enforcing identity controls, service-account governance, and key rotation
  • moving IAM custom RBAC roles, PAM assignments, and deny IAM policies from current IaC to dedicated IAM Terraform
• Configure alerts for IAM permission assignments.
• Assign least-privilege access for secrets using Google Secrets Manager.

Requirements

• Strong GCP architecture experience, specifically around VPC-SC, org policies, firewall/network controls, and alerting.
• Hands-on Terraform experience for both infrastructure and IAM.
• Expertise in GCP IAM governance, including PAM, service account governance, and key rotation.
• Ability to review existing Terraform repositories and operationalize documented standards.

Nice-to-haves

• Experience tuning/owning large sets of organization policies and implementing project-level excludes.
• Familiarity with IAM repo separation practices (infrastructure vs. IAM IaC).