Projects

Seven things I built.

Each block is an interactive diagram — hover or focus a node for a one-liner, click to expand the detail. On phones, the same nodes render as a tap-to-expand list below the title.

01

Multi-Cluster Kubernetes Platform

Many EKS clusters across dev / test / prod, tenant-segmented and mesh-overlaid. App-of-apps GitOps for cluster furniture, OpenTofu for substrate, OIDC-backed kubectl login, and a tested break-glass path for when the orchestrator is down.

  • EKS
  • ArgoCD
  • Istio
  • OpenTofu
  • OIDC
Diagram: Multi-Cluster Kubernetes Platform
  • Control plane: Git repo, IaC orchestrator, ArgoCD (furniture), identity (OIDC), cluster login, B-G lifecycle.
  • Lifecycle lanes dev, test and prod, each an EKS clusterset holding ingress, platform, commerce, data and workload clustersets.
  • Service mesh overlay across the whole platform: Istio, mTLS, east-west observability.
GitOps for the furniture, IaC for the substrate, one mesh across everything.
02

Org-Wide IaC Orchestration Adoption

Multi-quarter roadmap that consolidated a patchwork of CI- and SaaS-driven Terraform onto one managed orchestrator. Stacks-as-code, label-driven OPA policy attachment, per-account assume-role, ASG-backed private worker pools. ~$900K annual savings.

  • Terraform
  • OpenTofu
  • OPA
  • Spacelift
  • AWS
Diagram: Org-Wide IaC Orchestration
  • PR → plan, executing under a per-account AssumeRole.
  • Admin repo: Terraform-managed orchestrator config.
  • Managed IaC orchestrator: stacks, OPA policies, module registry, ASG-backed private worker pools (tiers A, B, C).
  • Source repos 1..N feed stacks; AWS accounts 1..N are the targets.
  • Retired in phase 3: legacy CI orchestrator and legacy SaaS orchestrator.
One orchestrator, one admin repo, segmented workers, account-scoped credentials.
03

Global Edge Routing with Lambda@Edge

A single routing function dispatches thousands of path patterns to service-mesh ingress, a legacy monolith, partner API gateways, and S3 — without exploding CDN config. Maintenance-mode kill switch flippable in minutes. Non-prod gated by viewer-request OIDC.

  • CloudFront
  • Lambda@Edge
  • WAF
  • Route 53
  • Cognito
Diagram: Global Edge Routing
  • Internet → WAF + Shield → CDN edge routing.
  • Targets: service-mesh ingress (EKS / Istio), monolith ALB (legacy), partner API gateway, static origin (S3).
  • Viewer-request auth (OIDC), non-prod only. Maintenance-mode flag.
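The routing function above is described only in outline. The following is an added example, not the site's own Lambda@Edge code, of what a single origin-request router of that shape looks like: an ordered table of path patterns, first match rewrites the request's origin and Host header, unmatched paths return a 404 instead of leaking to a default origin, and one maintenance flag short-circuits everything to a 503. Every domain name, pattern and the `MAINTENANCE` constant are hypothetical placeholders; the viewer-request OIDC gate is a separate function and is not shown.

```python
"""Lambda@Edge origin-request router.

Added example, not the site's own routing function. One function, an ordered
table of path patterns, first match rewrites the request's origin. Unmatched
paths get a 404 rather than falling through to a default origin, and a
maintenance flag turns every request into a 503. Every domain name and
pattern here is a hypothetical placeholder.
"""
import copy
import re
from typing import List, Tuple


def custom_origin(domain: str) -> dict:
    """Custom (HTTPS) origin block in the shape CloudFront expects."""
    return {"custom": {
        "domainName": domain, "port": 443, "protocol": "https", "path": "",
        "sslProtocols": ["TLSv1.2"], "readTimeout": 30, "keepaliveTimeout": 5,
        "customHeaders": {},
    }}


# Constructed route table. Order matters: most specific first, first match wins.
ROUTES: List[Tuple[str, dict]] = [
    (r"^/api/partner/[^/]+/", custom_origin("partner-gw.example.net")),
    (r"^/(checkout|cart|account)(/|$)", custom_origin("ingress.mesh.example.net")),
    (r"^/legacy/", custom_origin("monolith-alb.example.net")),
    (r"^/(static|assets)/", {"s3": {
        "domainName": "example-static.s3.us-east-1.amazonaws.com",
        "region": "us-east-1", "authMethod": "none", "path": "", "customHeaders": {},
    }}),
]
COMPILED = [(re.compile(p), o) for p, o in ROUTES]  # compiled once per container

# Hypothetical kill switch. Lambda@Edge functions have no environment variables,
# so in practice the flag is baked into the published function version; the page
# does not say how the real site stores it, and this constant stands in for it.
MAINTENANCE = False


def _response(status: str, description: str, body: str, extra: dict) -> dict:
    headers = {
        "cache-control": [{"key": "Cache-Control", "value": "no-store"}],
        "content-type": [{"key": "Content-Type", "value": "text/plain; charset=utf-8"}],
    }
    headers.update(extra)
    return {"status": status, "statusDescription": description,
            "headers": headers, "body": body}


def route(request: dict, maintenance: bool = False) -> dict:
    """Return a rewritten request (CloudFront forwards it to the chosen origin)
    or a generated response (CloudFront returns it without contacting any origin)."""
    if maintenance:
        return _response("503", "Service Unavailable", "Down for maintenance.\n",
                         {"retry-after": [{"key": "Retry-After", "value": "300"}]})
    uri = request.get("uri", "/")
    for pattern, origin in COMPILED:
        if pattern.match(uri):
            new = copy.deepcopy(request)
            new["origin"] = copy.deepcopy(origin)
            # The Host header must name the new origin, or the ALB / S3 endpoint
            # behind it will not recognise the request.
            host = next(iter(origin.values()))["domainName"]
            new.setdefault("headers", {})["host"] = [{"key": "Host", "value": host}]
            return new
    return _response("404", "Not Found", "No route for this path.\n", {})


def handler(event: dict, context) -> dict:
    """Lambda@Edge entry point for the origin-request trigger."""
    return route(event["Records"][0]["cf"]["request"], MAINTENANCE)


def sample_event(uri: str) -> dict:
    """Constructed minimal origin-request event for local runs."""
    return {"Records": [{"cf": {"request": {
        "uri": uri, "method": "GET", "querystring": "",
        "headers": {"host": [{"key": "Host", "value": "www.example.com"}]},
        "origin": custom_origin("default.example.net"),
    }}}]}


if __name__ == "__main__":
    for path in ("/checkout/start", "/assets/app.js", "/nowhere"):
        out = handler(sample_event(path), None)
        print(path, "->", out.get("origin") or out["status"])
```

The route list is where the "thousands of path patterns" live; keeping it in code rather than in cache behaviours is the point of the design, and compiling it at module load keeps the per-request cost to a linear scan of anchored regexes. The explicit 404 for unmatched paths is the security-relevant choice: a default origin would turn every typo into a request against whatever sat in that slot.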
04

AWS Governance Redesign

Three interlocking workstreams — JIT access, SCP layering, OU restructure — baselined against a live snapshot of Organizations + Identity Center. Standing access reduced to ReadOnly + PowerUser-Minus, JIT for elevation, deny-first SCPs at intent-matched OU boundaries. Build-vs-buy decision documented and shared.

  • Organizations
  • Control Tower
  • IAM Identity Center
  • Terraform
Diagram: AWS Governance Redesign
  • Decision gate: build vs buy.
  • Access (JIT). Before: thousands of standing SSO assignments. After: ReadOnly + PowerUser-Minus standing, JIT for elevation, by-team / by-account split.
  • SCPs (guardrails). Before: FullAWSAccess at root only, plus Control Tower guardrails. After: deny-first SCPs layered at intent-matched OU boundaries.
  • OU structure. Before: organic growth, ~100 accounts. After: AWS SRA-aligned hierarchy recognizable to new hires.
  • Edge labels between the workstreams: enables; shrinks surface.
  • Live data snapshot: Organizations API + Identity Center API → state baseline.
Three interlocking workstreams. Measured baseline. Documented build-vs-buy decision.
05

Worker Pool Segmentation for IaC Orchestration

Migrated ~750 stacks off a shared public pool onto three private pools — default, source-control tenant, mono-repo tenant — in batches, with imported CloudWatch log history and per-pool session-tag trust scopes. Invisible to consumers.

  • Spacelift
  • ASG
  • CloudWatch
  • AWS IAM
Diagram: Worker Pool Segmentation
  • Managed IaC orchestrator with three private pools: Pool A (Default · 4), Pool B (Source-Control · 2), Pool C (Mono-Repo · 4); each pool is an ASG shipping logs to CloudWatch.
  • Stacks assigned by pool, ~750 migrated in batches; the legacy shared public pool drained in batches.
  • Each pool reaches its AWS accounts through its own session-tag trust scope.
  • Verification surface: a session-tag audit trail from CloudTrail (AssumeRole + sts:SourceIdentity + pool session tag); a scheduled query joins the event log with the expected pool→role matrix, and any mismatch is a finding.
Segmented compute. Per-tenant trust boundaries. Migration without disruption.
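The per-account AssumeRole in project 02 and the per-pool session-tag trust scopes here both rely on the same verification: every AssumeRole a worker performs must carry a pool tag and a source identity, and the (pool, role) pair must be one the matrix permits. The following is an added example of that scheduled audit, not the orchestrator's or the page's own query. It assumes session tags surface under `requestParameters.tags` in the CloudTrail event, that the tag key is `pool`, and that role ARNs, account IDs and the sample events are constructed placeholders.

```python
"""Session-tag audit over CloudTrail AssumeRole events.

Added example, not the orchestrator's or the page's own scheduled query. It
implements the check the diagram describes: join AssumeRole events against the
expected pool -> role matrix and treat any mismatch as a finding. Assumptions:
session tags appear under requestParameters.tags, the pool tag key is "pool",
role ARNs and account IDs are placeholders, and the events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed expectation matrix: which roles each private worker pool may assume.
EXPECTED: Dict[str, Set[str]] = {
    "pool-a-default": {
        "arn:aws:iam::111111111111:role/orchestrator-default",
        "arn:aws:iam::222222222222:role/orchestrator-default",
    },
    "pool-b-source-control": {"arn:aws:iam::333333333333:role/orchestrator-github-org"},
    "pool-c-mono-repo": {"arn:aws:iam::111111111111:role/orchestrator-platform"},
}


@dataclass(frozen=True)
class Finding:
    kind: str        # missing-pool-tag | missing-source-identity | pool-role-mismatch | denied-attempt
    pool: str
    role: str
    event_id: str
    detail: str = ""


def _session_tag(params: dict, key: str) -> str:
    for tag in params.get("tags") or []:
        if tag.get("key") == key:
            return str(tag.get("value", ""))
    return ""


def audit(events: Iterable[dict], expected: Dict[str, Set[str]] = EXPECTED,
          tag_key: str = "pool") -> List[Finding]:
    """Return one Finding per AssumeRole event that falls outside the matrix."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        params = ev.get("requestParameters") or {}
        role = params.get("roleArn", "")
        pool = _session_tag(params, tag_key)
        eid = ev.get("eventID", "")
        if ev.get("errorCode"):
            # The trust policy held, but something tried to cross a pool boundary.
            findings.append(Finding("denied-attempt", pool, role, eid, ev["errorCode"]))
        elif not pool:
            findings.append(Finding("missing-pool-tag", pool, role, eid))
        elif not params.get("sourceIdentity"):
            findings.append(Finding("missing-source-identity", pool, role, eid))
        elif role not in expected.get(pool, set()):
            findings.append(Finding("pool-role-mismatch", pool, role, eid,
                                    f"pool {pool!r} is not expected to assume this role"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def _event(eid, role, pool=None, source_identity="worker-42", error=None):
    """Build a constructed CloudTrail-shaped AssumeRole event."""
    params = {"roleArn": role, "roleSessionName": "orchestrator-run"}
    if pool is not None:
        params["tags"] = [{"key": "pool", "value": pool}]
    if source_identity:
        params["sourceIdentity"] = source_identity
    ev = {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
          "eventID": eid, "requestParameters": params}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample log: one clean run, one trust policy that was too loose,
# one worker missing its tag, one denied cross-pool attempt, one unrelated event.
SAMPLE_EVENTS = [
    _event("e1", "arn:aws:iam::111111111111:role/orchestrator-default", "pool-a-default"),
    _event("e2", "arn:aws:iam::111111111111:role/orchestrator-platform", "pool-b-source-control"),
    _event("e3", "arn:aws:iam::222222222222:role/orchestrator-default"),
    _event("e4", "arn:aws:iam::333333333333:role/orchestrator-github-org", "pool-c-mono-repo",
           error="AccessDenied"),
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "eventID": "e5"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f.kind, f.pool, f.role, f.event_id, f.detail)
    print(summarize(audit(SAMPLE_EVENTS)))
```

Two details matter in practice. A successful AssumeRole from the wrong pool (`e2`) means a trust policy's tag condition is looser than the matrix, so the finding points at the policy, not the worker. A denied attempt (`e4`) is the trust policy working, but it is still worth surfacing because a worker should never be asking for a role outside its pool.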
06

GitHub-as-Code Organization Management

The GitHub org itself — settings, teams, repos, branch protections — managed as Terraform with a PR-driven plan/apply flow. The people-and-permissions layer gets the same review discipline as the cloud infra below it.

  • Terraform
  • GitHub
  • Atlantis
Diagram: GitHub-as-Code · Org Management
  • GitHub organization: SSO, IP allow list, defaults, webhooks.
  • Teams: membership, hierarchy, grants. Repos + branch protections.
  • IaC repo (terraform · github org) drives PR → plan → apply, running on the sensitive tenant pool (Pool B · Source-Control, see the worker pool diagram).
Source-control-as-code: people-and-permissions get the same review discipline as cloud infra.
07

This site

The site you are reading. Astro static output, hand-built interactive diagrams, dual-account dev/prod with multi-region S3 + CRR failover, CloudFront with OAC (origin access control), CloudFront Functions (CFF) + Lambda@Edge, Cloudflare grey-cloud DNS, and GitHub Actions deploying via OIDC into per-account least-privilege roles, all managed as Terraform through Spacelift. The diagram below renders the pipes that served you this page.

  • astro
  • cloudfront
  • s3
  • lambda@edge
  • github-oidc
  • spacelift
  • terraform
Diagram: This Site · Live Architecture (prod account 231172330323)
  • Visitor → Cloudflare DNS → CloudFront (cca-prod) with CFF (headers, redirect) and Lambda@Edge (URL rewrite).
  • Origins: S3 cca-site-prod-use1 (primary, us-east-1), replicated by CRR to S3 cca-site-prod-usw2 (failover, us-west-2).
  • Deploy: github · site → GitHub Actions → OIDC deploy through role gh-actions-prod.
  • Infra: github · infra → Spacelift (3 stacks) → TF apply.
  • A dev environment mirrors this architecture in account 469614661531; omitted from the diagram for clarity.
GitHub → Actions (OIDC) → S3 (use1 ⟶ CRR ⟶ usw2) → CloudFront (CFF + L@E) → Cloudflare DNS (grey-cloud) → you. Infra itself: Terraform via Spacelift.
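"Per-account least-privilege roles" assumed over OIDC stand or fall on the trust policy's Condition block: the audience must be exactly `sts.amazonaws.com` and the subject must be pinned to a branch or environment, not a repo-wide wildcard. The following is an added example, not this site's real deploy role or trust policy, that evaluates a trust policy's conditions against the claims a GitHub Actions token carries and contrasts a loose policy with a strict one. The org, repo and account numbers are constructed; only `StringEquals` and `StringLike` are modelled, and the Principal is assumed to be the GitHub OIDC provider.

```python
"""GitHub Actions OIDC trust-policy checker.

Added example, not this site's deploy role or its real trust policy. It
evaluates the Condition block of an IAM role trust policy against the claims a
GitHub Actions OIDC token carries. The policies, org and repo names below are
constructed. Only StringEquals and StringLike are modelled, and the Principal
is assumed to be the GitHub OIDC provider.
"""
import fnmatch
from typing import Dict, List

ISSUER = "token.actions.githubusercontent.com"


def _values(v) -> List[str]:
    return v if isinstance(v, list) else [v]


def _match(operator: str, expected, actual: str) -> bool:
    # Within one operator, several values for a key are OR'd.
    if operator == "StringEquals":
        return actual in _values(expected)
    if operator == "StringLike":
        # IAM wildcards are * and ?; fnmatchcase also treats [...] specially,
        # which does not occur in GitHub subject claims.
        return any(fnmatch.fnmatchcase(actual, pat) for pat in _values(expected))
    raise ValueError(f"operator {operator} not modelled here")


def _statement_matches(stmt: dict, claims: Dict[str, str]) -> bool:
    if "sts:AssumeRoleWithWebIdentity" not in _values(stmt.get("Action", [])):
        return False
    prefix = ISSUER + ":"
    # Operators are AND'd, and every key under an operator must match.
    for operator, keys in (stmt.get("Condition") or {}).items():
        for key, expected in keys.items():
            if not key.startswith(prefix):
                return False  # a key we cannot derive from the token
            actual = claims.get(key[len(prefix):])
            if actual is None or not _match(operator, expected, actual):
                return False
    return True


def assume_allowed(policy: dict, claims: Dict[str, str]) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants the assume."""
    stmts = _values(policy["Statement"])
    if any(s.get("Effect") == "Deny" and _statement_matches(s, claims) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _statement_matches(s, claims) for s in stmts)


def _policy(condition: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# Loose: any workflow in the repo, a pull_request run included, can assume the role.
LOOSE = _policy({
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER}:sub": "repo:example-org/site:*"},
})
# Strict: only runs on main or in the prod environment.
STRICT = _policy({
    "StringEquals": {
        f"{ISSUER}:aud": "sts.amazonaws.com",
        f"{ISSUER}:sub": ["repo:example-org/site:ref:refs/heads/main",
                          "repo:example-org/site:environment:prod"],
    },
})

# Constructed claim sets in the shape GitHub issues them.
MAIN_PUSH = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/site:ref:refs/heads/main"}
PR_RUN = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/site:pull_request"}
OTHER_REPO = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/other:ref:refs/heads/main"}
WRONG_AUD = {"aud": "https://github.com/example-org", "sub": MAIN_PUSH["sub"]}

if __name__ == "__main__":
    for name, claims in [("main push", MAIN_PUSH), ("pull_request", PR_RUN),
                         ("other repo", OTHER_REPO), ("wrong aud", WRONG_AUD)]:
        print(f"{name:12} loose={assume_allowed(LOOSE, claims)} "
              f"strict={assume_allowed(STRICT, claims)}")
```

The difference between the two policies is the pull_request row: under the loose policy any workflow run in the repo can mint a token that assumes the deploy role, so a change to a workflow file on a branch is enough to reach the prod account. Pinning `sub` to `ref:refs/heads/main` or to a protected environment ties the role to the review path the rest of the page is built around.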

Side stuff

Personal projects.

Weekend things. Mostly home-network and self-hosted, kept around long enough that I learned something from each one.

P1

Apartment HQ

College apartment automation on a Raspberry Pi 3B. Pi-hole as the DNS sinkhole for the whole flat, Home Assistant on top for smart-plug and sensor wrangling, mDNS publishing every internal service under *.lan so I never had to remember an IP. Nightly cron-rsync to a USB drive for backup, WireGuard tunnel back from campus when I needed in. Learned the hard way that DNS-layer ad blocking breaks half the apps on a phone in interesting ways; kept a per-client allowlist and a small status page on the Pi to spot when blocking went too far.

  • raspberry-pi
  • pi-hole
  • home-assistant
  • wireguard
Diagram: Apartment HQ · Pi + Pi-hole + Home Assistant
  • Raspberry Pi 3B (docker · avahi) as the apartment's LAN services host, VPN router and home control plane: Pi-hole, Home Assistant, WireGuard, mDNS (*.lan).
  • Apartment devices: Hue, plugs, sensors. Off-site access comes in over the VPN.
One Raspberry Pi runs DNS, automation, and the VPN for the whole apartment.
P2

Personal mesh

A Tailscale tailnet across the laptop, NAS, the apartment Pi, and my phone, with ACLs scoped per device. Exit node on the home box for travel, subnet router so the older LAN gear (printer, a couple of switches) stays reachable. A private Minecraft server — Paper, in a Docker container on the home box — only reachable over the tailnet, with MagicDNS pointing at the worlds. Friends get in via shared nodes and --accept-routes, no port-forwarding ever. Tailscale SSH instead of managing authorized_keys by hand.

  • tailscale
  • wireguard
  • self-hosted
  • minecraft
Diagram: Personal Mesh · Tailscale Tailnet
  • Tailnet with MagicDNS: laptop (macOS), phone (iOS), NAS (backups, media), home Pi (exit node + subnet router), Minecraft (Docker), friend node-share.
  • The subnet router reaches the legacy LAN 10.0.0.0/24; clients use --accept-routes.
Identity-scoped overlay. MagicDNS names. Exit node from the road, subnet router into the LAN.
P3

HomeOpsPipeline

Git-driven home automation. Home Assistant config, Pi-hole blocklists, and Caddy routes all live in a private repo. Pushes trigger a self-hosted GitHub Actions runner on a local Pi via webhook, which renders the configs, validates them, restarts the right services, and posts the diff back to the PR. Failed applies auto-rollback to the last known-good commit. Same review discipline I want on cloud infra, pointed at my apartment.

  • gitops
  • self-hosted
  • home-assistant
Diagram: Home Ops · Git-driven Apartment
  • home-ops repo, push → main, webhook → self-hosted runner on the Pi.
  • 1Password CLI supplies secrets; the runner reloads Home Assistant, Pi-hole and Caddy.
Everything the Pi runs is in a repo. Push to main, runner renders, services reload.
P4

DotfilesSync

chezmoi-managed dotfiles across the mac, a linux workstation, and a remote dev box. Secrets are injected at apply time via the 1Password CLI — nothing plaintext in the repo, no committed tokens, no .env files trailing around. A small bootstrap script paves a new machine in one command: install chezmoi, point at the repo, sign into 1Password, apply. Templated by hostname so the laptop and the workstation only get what they need.

  • chezmoi
  • dotfiles
  • 1password
Diagram: Dotfiles · chezmoi Sync
  • Dotfiles repo (git, public-safe) → chezmoi template + apply → macOS laptop, Linux dev box, remote dev box.
  • 1Password CLI supplies secrets at apply time only.
One repo, three machines. chezmoi renders per-machine; 1Password supplies secrets at apply time.