DevOps & Cloud Orchestration8
- Terraform & TerragruntMy primary IaC stack. Terragrunt keeps configurations DRY at scale across multi-account AWS organizations using reusable module hierarchies.
- Kubernetes & ArgoCDEKS clusters managed solely via GitOps. Zero click-ops in staging or production — every environment change is a signed Git commit.
- KarpenterAWS node lifecycle manager. Handles bin-packing, spot interruption, and consolidation — cutting cluster scaling latency and costs by up to 60%.
- Helm & KustomizeFor packaging Kubernetes manifests and layering environment-specific overrides across multi-cluster deployments.
- CrossplaneKubernetes-native infrastructure provisioning. Manage AWS resources as CRDs for fully declarative, reconciliation-driven cloud operations.
- External Secrets OperatorSyncs secrets from AWS Secrets Manager and Parameter Store into Kubernetes — no manual secret rotation.
- VeleroCluster backup and disaster recovery. Used for scheduled snapshots of persistent volumes and namespace-level point-in-time restores.
- cert-managerAutomates TLS certificate issuance via Let's Encrypt and AWS ACM. Zero manual certificate rotation across any cluster.
CI/CD & Automation6
- GitHub ActionsPrimary CI/CD engine for application builds, Docker image publishing, Terraform plan/apply, and automated security scans.
- Argo WorkflowsKubernetes-native workflow engine for complex DAG-based pipelines — model-training jobs, data pipelines, and multi-step deployments.
- AtlantisTerraform automation server for pull-request-driven infrastructure changes. Runs plan on PR open, apply on merge. Enforces drift-free IaC.
- BuildkiteUsed on larger enterprise projects for parallelized, self-hosted CI agents running on EKS — fast and cost-efficient at scale.
- Renovate BotAutomated dependency updates across Helm charts, Terraform module versions, and Docker base images via scheduled PRs.
- Pre-commit HooksEnforces code quality at commit time: terraform fmt, tflint, trivy scans, shellcheck, and custom policy validators run before any push.
Local Development & Terminal9
- iTerm2 + ZshHighly customized shell with Oh My Zsh, Starship prompt, and custom AWS account context injectors for instant role switching.
- Cursor / VS CodeMy primary IDE. JetBrains Mono, Vim bindings, and extensive Terraform, Go, and Kubernetes extensions baked in.
- k9sTerminal UI for Kubernetes. Navigate clusters, tail pod logs, exec into containers, and manage resources — faster than any GUI.
- tmuxTerminal multiplexer for persistent sessions across SSH connections. Custom key bindings and status bar with AWS account and cluster context.
- lazygitBlazing fast terminal Git UI. Stage hunks, squash commits, manage stashes, and resolve conflicts without touching a mouse.
- fzf + ripgrepFuzzy finder wired into shell history, file search, and kubectl resource selection. Dramatically accelerates every terminal interaction.
- jq + yqEssential JSON/YAML processors for parsing AWS CLI outputs, Kubernetes manifests, and Terraform state files from the command line.
- Tilt & TelepresenceFor rapid Kubernetes development loops — Tilt for live reload, Telepresence for intercepting cluster traffic to local processes.
- ColimaLightweight container runtime for macOS. Replaced Docker Desktop entirely. Lower overhead, faster image builds, fully CLI-driven.
AWS Power Utilities8
- AWS Secrets ManagerSecurely stores AWS credentials in macOS Keychain. Wraps every CLI call with temporary STS tokens. Never store plain-text access keys.
- aws-cli v2 + saml2awsFor fast shell interactions and federated SSO authentication into enterprise AWS environments at scale using SAML identity providers.
- awssumeInstantly assume cross-account IAM roles from the terminal with a single command — essential for multi-account AWS Organizations setups.
- LocalStackOffline AWS service emulation for running integration tests against S3, SQS, Lambda, and DynamoDB locally without incurring real costs.
- SteampipeSQL-powered cloud asset inventory. Query AWS resource configurations, IAM relationships, and compliance status using standard SQL.
- Former2Reverse-engineers existing AWS infrastructure into Terraform/CDK code. Invaluable when adopting IaC on brownfield accounts.
- AWS CDKUsed alongside Terraform for L3 construct abstractions on application-layer resources where programmatic generation beats raw HCL.
- CloudMapperGenerates interactive network topology maps of AWS VPCs. Used during architecture reviews and security audits to visualize blast radius.
Observability & Security8
- Prometheus & GrafanaCore monitoring stack for EKS clusters. Custom dashboards track node saturation, request latencies, and deployment rollout health.
- Loki & PromtailLightweight log aggregation — far leaner than ELK. Structured log shipping from all pods with multi-tenant label isolation.
- Trivy & SnykContainer and IaC vulnerability scanning integrated into pre-commit hooks and CI pipelines. Blocks builds on critical CVEs.
- OpenTelemetryVendor-agnostic distributed tracing and metrics across microservices. Exports to Jaeger, Grafana Tempo, or AWS X-Ray.
- FalcoRuntime security monitoring for Kubernetes. Detects unexpected syscalls, privilege escalations, and container drift in real time.
- KyvernoKubernetes-native policy engine for enforcing image registries, label requirements, resource limits, and pod security standards as CRDs.
- Checkov & tfsecStatic analysis for Terraform and Kubernetes manifests. Catches misconfigurations like open S3 buckets or unencrypted EBS volumes pre-apply.
- PagerDutyOn-call incident management integrated with Grafana alerts and Kubernetes events. Escalation policies ensure no critical alarm is missed.
Networking & DNS6
- AWS Transit GatewayCentralizes VPC interconnectivity across accounts and regions. Eliminates peering mesh complexity in large AWS Organizations.
- ExternalDNSAutomates Route 53 record management based on Kubernetes Service and Ingress annotations. DNS-as-code without manual console changes.
- CiliumeBPF-powered CNI for EKS. Provides L7 network policies, deep packet inspection, and Hubble for real-time flow observability.
- CloudflareDNS, WAF, and DDoS protection for public-facing endpoints. Zero-Trust tunnels for secure internal service exposure without VPN.
- TailscaleMesh VPN for secure developer access to private EKS clusters and AWS resources without bastion hosts or complex security group rules.
- AWS PrivateLinkExposes internal services across VPCs without traffic traversing the public internet. Critical for multi-tenant SaaS isolation patterns.
Kubernetes & Container Platform10
- Amazon EKSManaged Kubernetes on AWS. Primary platform for all production workloads — combined with Karpenter, IRSA, and EKS Blueprints for full automation.
- vClusterVirtual Kubernetes clusters inside a host EKS cluster. Used for tenant isolation, ephemeral dev environments, and CI preview namespaces.
- Istio / AWS App MeshService mesh for mTLS between microservices, traffic shifting, circuit breaking, and deep L7 observability across the cluster.
- KEDAKubernetes Event-Driven Autoscaler. Scales workloads based on SQS depth, Kafka lag, or custom CloudWatch metrics beyond basic HPA.
- Argo RolloutsProgressive delivery controller for canary and blue-green deployments with automatic metric-based promotion or rollback gates.
- Cluster API (CAPI)Declarative Kubernetes cluster lifecycle management. Provision, upgrade, and scale clusters using the same GitOps workflows as application code.
- OPA / GatekeeperPolicy-as-code enforcement at the admission controller level. Blocks non-compliant workloads before they ever reach the scheduler.
- Flux CDLightweight GitOps operator used alongside ArgoCD on multi-cluster setups where a pull-based agent with minimal footprint is preferred.
- KnativeServerless workloads on Kubernetes. Scale-to-zero event-driven functions without leaving the cluster — used for bursty batch processing.
- Vertical Pod AutoscalerAutomatically right-sizes container CPU and memory requests based on real usage history, reducing waste across long-running services.
ML Platform & AI Infrastructure12
- AWS SageMakerEnd-to-end ML platform for training, tuning, and deploying models at scale. Used for custom model hosting behind real-time inference endpoints.
- AWS BedrockManaged foundation model API. Deploy Claude, Llama, and Titan models with VPC isolation, guardrails, and fine-tuning without managing GPUs.
- MLflowExperiment tracking, model registry, and artifact storage for ML pipelines. Deployed on EKS with S3 backend for team-wide visibility.
- Kubeflow PipelinesOrchestrates multi-step ML workflows on Kubernetes — data ingestion, preprocessing, training, evaluation, and deployment as DAGs.
- Ray on EKSDistributed ML compute framework for hyperparameter sweeps and large-scale batch inference jobs across heterogeneous GPU node groups.
- Argo Workflows (ML)Used as a leaner alternative to Kubeflow for scheduled retraining pipelines and feature engineering DAGs with native S3 artifact passing.
- AWS Lambda PowertoolsStructured logging, tracing, and metrics for serverless ML inference wrappers — essential for observing model latency in production.
- pgvector on RDSVector similarity search directly inside PostgreSQL. Used for RAG pipelines and semantic search without operating a standalone vector database.
- NVIDIA GPU OperatorAutomates GPU driver and runtime installation on EKS GPU node groups. Enables cuda workloads without manual AMI configuration.
- Weights & BiasesExperiment tracking and model lineage for larger ML projects. Dashboard gives non-technical stakeholders visibility into training runs.
- Amazon Q / Bedrock AgentsAgentic AI workflows with tool use and knowledge bases backed by OpenSearch. Used for internal enterprise copilots and automated ops assistants.
- Feast (Feature Store)Open-source feature store deployed on EKS. Centralises feature computation and serving to prevent training-serving skew across teams.
AI & Productivity6
- Claude (Anthropic)Primary AI assistant for architecture design, IaC module generation, incident runbook drafting, and complex AWS cost analysis.
- GitHub CopilotIn-editor AI for accelerating Terraform module authoring, Python scripting, and boilerplate Kubernetes manifest generation.
- RaycastmacOS launcher and productivity hub. Custom scripts for AWS SSO switching, clipboard history, and instant documentation search.
- NotionArchitecture decision records (ADRs), runbooks, on-call playbooks, and client project documentation all live here.
- ExcalidrawFast, hand-drawn-style architecture diagrams for whiteboarding sessions and technical proposals before committing to formal diagrams.
- draw.ioFormal architecture diagrams with official AWS icon sets. Used for deliverables, compliance documentation, and client presentations.
This list is updated periodically. All tools reflect my current production stack — not aspirational software. Last updated · 2026