IAM SPRAWL IS ACCESS DEBT
Three years into your cloud journey, you run an IAM inventory. The spreadsheet has hundreds of roles. Dozens have administrative permissions. A handful are attached to service accounts whose original purpose nobody can explain. A few belong to users who haven’t logged in for over a year. The rest belong to projects that may or may not still exist; the only way to know is to grep through Terraform you aren’t sure you own.
WHAT TECHNICAL LEADERS GET WRONG COMMUNICATING ARCHITECTURE UPWARD
The same architecture decision can be approved by one audience and rejected by another in the same quarter. Not because the decision changed. Because the document each audience was reading was different.
WHAT A CROSS-ACCOUNT MIGRATION FORCES YOU TO CONFRONT
A cross-account database move is the diagnostic, not the work. It surfaces architectural decisions a team has been making implicitly for years: who owns the encryption key, what each account is for, which services depend on the database that nobody documented.
IAC ARCHITECTURE AT 5, 50, AND 500 ENGINEERS
At several dozen engineers, a SaaS company I worked with, one that had been growing its platform team faster than its tooling, had a single Terraform state file that took nearly twenty minutes to plan. Engineers from three teams kept colliding on the apply lock. The platform team was visibly burning out from rebasing each other’s changes. The story everyone in the org told was “Terraform doesn’t scale.” What didn’t scale was their architecture.
THE FOUR KINDS OF CLOUD ARCHITECTURE DEBT
Cloud architecture debt doesn’t announce itself. It accumulates in the gaps between the decisions someone made and the documentation they didn’t leave behind: the IAM policy nobody can justify, the VPC peering connection from a project that shipped two years ago, the data classification spreadsheet that was current when someone made it. None of this comes from incompetence. Each decision made sense when somebody made it. Each role solved a problem somebody had on a Tuesday. Each peering connection unblocked a project that needed to ship.