Hey, I'm Andrew. I've spent 10+ years in software and worn a lot of hats along the way โ I started out as a frontend engineer, got deep into accessibility, and over time grew into platform and data work. I write SDKs, infrastructure, and the data pipelines that everything else runs on.
These days I mostly build cloud-native data platforms and developer tooling in AWS. The work I like best is owning a problem end to end. Scoping it, shaping the architecture, shipping it, and watching people actually use it. That frontend background still sneaks in whenever I'm thinking about how a platform feels to the people building on it.
Fun fact: my degree is a BFA in Computer Game Design, so I came into all this from a pretty unusual angle.
Leaning further into platform and data engineering and building developer tools, internal platforms, and the AI/LLM infrastructure space. I'm also tinkering with open source on the side (see below).
A serverless, multi-tenant data workspace on AWS. Codebase walkthrough available upon request.
A web portal where authenticated users bring their own data, manage it, and query it with SQL all in the browser, with no backend server. A React + TypeScript SPA talks directly to AWS using short-lived, scoped credentials. The entire stack auth, storage, static hosting, the analytics catalog, the async control planes, and every per-user IAM policy is provisioned with OpenTofu.
The mutation-heavy operations (creating shared spaces, building tables, sharing tables) run as fully declarative serverless pipelines โ FIFO SQS โ EventBridge Pipes โ Step Functions orchestrating single-task Lambdas โ all defined in OpenTofu alongside the rest of the stack.
Deployment is OIDC-based end to end. GitHub Actions assumes an AWS role via short-lived tokens, so there are no long-lived cloud keys stored anywhere. Three pipelines keep app, infra, and Lambda code independently deployable, and nothing reaches main without passing the gates.
On every pull request and push, the frontend CI must pass:
ESLint (lint) and Prettier (format:check) โ style and correctness are enforced, not suggested. TypeScript strict build (tsc -b && vite build) โ a type error is a failed build. Vitest integration-style tests with V8 coverage, mocking only the AWS service boundary so real hooks and components are exercised. Accessibility assertions via vitest-axe (axe-core) baked into the test suite.
The Python Lambdas have their own gates. Ruff lint plus pytest, with the real polars runtime installed in CI so schema-inference logic is tested for real rather than mocked away.
Infrastructure changes are gated too. OpenTofu fmt -check, validate, and plan run on every infra PR, and the plan is posted straight back to the PR as a comment for review before anything is applied. Merges to main trigger apply automatically for continuous deploymnent.
- Upload & manage files in their own private S3 space. Download, move, rename, copy, delete, and organize into folders, with a familiar filesystem-style UX.
- Define tables over their data. Register schemas in the Glue Data Catalog and create views directly from the app.
- Query with SQL through Amazon Athena. An in-app query workspace (Monaco editor, schema browser, multi-tab, multi-statement scripts) runs interactive, cross-database queries and saves results back to their own files.
- Share tables and workspaces. Push a table into another user's or a shared space's catalog, or collaborate in shared connections, all driven by serverless control planes rather than a server you have to run.
Every user is confined to their own data by AWS, not by application logic. A Cognito Identity Pool stamps a verified username principal tag server-side (ABAC), and a single shared IAM role scopes S3 prefixes, Glue databases/tables, and Athena results to ${aws:PrincipalTag/username} โ so tenancy can't be spoofed by the client. Lake Formation registers the user-space bucket in hybrid mode to extend the exact same isolation model to the analytics catalog. Because isolation lives in the trust policy and IAM conditions, there's no application code path that can accidentally leak one tenant's data to another.
- React 18 + Vite + TypeScript
- TanStack Query
- AWS SDK v3
- Cognito / Amplify
- Athena + Glue + Lake Formation
- SQS + EventBridge Pipes + Step Functions + Lambda
- S3 + CloudFront
- OpenTofu
Find me on LinkedIn! The link is on my GitHub profile.
- AWS & infrastructure-as-code โ๏ธ
- Developer tooling & observability ๐
- Video Games ๐ฎ
- Coffee โ



