Build Internal Tools

How to turn those scripts and utilities you built for yourself into useful tools others want. Most IT folks already build internal tools, they just don’t think to share them. Here’s how to clean them up and put them out there.
Categories:
Tags:

  29 minute read  

Most of us have been building internal tools for years, we just didn’t think of them that way. We called them “scripts”, “automation”, “quick hacks”, or “stuff I threw together one night to make my job suck less.” But now? These can be the start of something bigger.

Let’s look at how to level-up those scratch-your-own-itch tools into publishable, polished, and potentially monetizable projects.

What Counts as an “Internal Tool”?

If it solves your pain point at work, it probably solves it for someone else too. Think:

  • Automation of repetitive tasks
  • Reporting or dashboards you wish existed
  • Local utilities that convert or validate something
  • Wrappers or helpers around terrible vendor tools
  • Workarounds for clunky GUIs or slow web apps
Reality Check

It is understood that not-everyone is a “software developer” in the traditional sense. So, if you are an engineer or analyst, you can still cobble together scripts or small applications that help you do your job better. The key is to start with something you need, and then build it out.

In present day, with the unlimited help from LLMs, it’s not a matter of “can I learn to code?” or “can I learn a new language?” - it’s really more about “do I want to? And do I have the time?”.

If you are a software developer, in addition to these things, you should really head over to the SaaS section, that’s where your bread and butter is. But, you can still build internal tools as a way to scratch your own itch, and then later turn them into SaaS products.

Tool Maturity Levels

So first, just a note on maturity levels of tools. That is, how complex, feature-rich, and polished they are. Many internal tools start small and grow over time. It’s common for a tool to evolve through several stages of maturity. Here’s a way to look at how your tool might progress, and what this page recommends for these types of infrastructure and security tools:

Maturity Levels

This isn’t about picking one “level” for a tool idea, but recognizing that any tool can progress as its needs and your skills develop.

  1. The Quick Script (Bash, PowerShell, etc.):

    • You have an immediate problem. You write a script to fix it.
    • It’s often specific to your machine or a small set of systems.
    • It’s got hard-coded values and magic numbers.
    • It might be a bit rough around the edges, but it gets the job done for you, on your current workstation.

  2. The Python Enhancement:

    • The script becomes popular, or its logic gets too complex for shell scripting.
    • You rewrite it in Python for better readability, error handling, and access to a vast ecosystem of libraries. For example, the rich library for Python makes it so you can create really beautiful, colorful Text User Interfaces (TUI) in the terminal.
    • It’s more maintainable and easier for others to contribute to.
    • You might add a simple CLI or even a basic web interface. Python has an amazing argument parsing library called argparse that makes it easy to create very rich command-line interfaces that include commands, sub-commands, options, and flags. And, your --help screen will be automatically generated for you.

  3. The Go Distribution (The “boss-level” Tool):

    • The tool is now critical, or you want to share it widely. It needs to be done properly with input validation, error handling, a --help system, and maybe even a configuration file.
    • Performance, cross-platform compatibility, and ease of distribution become key.
    • You rewrite it in Go to produce a single, fast, statically-linked binary. No dependencies for users to install!
    • This is when you might create “Releases” on a GitHub repo for different architectures (Windows, macOS, Linux, and ARM).

This progression isn’t rigid. Some tools might stay as Python scripts forever, and that’s fine! Others might jump straight to Go. The point is to understand the path and choose the right approach for the tool’s current needs and your goals. Another disclaimer: this is just ONE path. Maybe you like Rust, and you should, it’s the only thing faster than Go! Or if you’re developer, maybe you already have some Node.js experience, and you want to use that. That’s great! The key is to start with what you know, and then evolve it as needed. The progression above is just an option if you are looking for a path to follow.

Why the Go language?

Go is absolutely everywhere when it comes to infrastructure and security tools. It’s the language behind Kubernetes, Docker, Terraform, Prometheus, Helm, Istio, Traefik, Consul, Etcd, and many other critical projects. Pretty much everything that comes out of the Cloud Native Computing Foundation (CNCF) is written in Go. It’s also the language of choice for many internal tools at companies like Google, Uber, and Dropbox.

Go Logo

There’s a reason why Big Tech uses it for pretty much all tooling nowadays. It compiles to a single binary, runs extremely fast, and has excellent concurrency support. If you’re building tools that need to be distributed widely or run efficiently, Go is a fantastic choice. It’s the Boss Level of programming languages to use for writing internal tools.

Further Reading: Language of Choice for Infra Teams, Why Go for Modern Infrastructure, Why is Go widely used in DevOps and Cloud Native space, Go for DevOps automating infrastructure and Configuration Management.

Let’s take a look at some ideas for specific roles.

Tool Ideas By Role

Let’s break it down by common roles in tech. Each of the tool ideas below can start as a simple script and potentially evolve through the maturity levels described above.

For Sysadmins

Here are some tool ideas for system administrators.

1. Tool: backup-verifier

This tool goes beyond just running backups; it actively verifies their integrity.

  • You could have it restore a small, non-critical piece of data daily to a test location.
  • Or, it could perform checksum comparisons against source data or manifests.
  • This helps ensure your backups are sound and recoverable when you need them most.

For example:

# Verify backups using a config, restore a daily test, and check checksums
sudo ./backup-verifier.sh --config /etc/backup-verifier.conf \
    --mode daily-restore-checksum --target /mnt/restore-test

2. Tool: config-snapshotter

Think of this as a version control system for your critical configuration files.

  • It’s a cross-platform CLI that can snapshot current configurations from specified paths.
  • Later, you can easily list, diff, or restore configurations if needed.
  • This is great for tracking changes, rolling back after a bad change, or auditing.

For example:

# Snapshot Nginx and SSH configs with a specific name
./config-snapshotter.sh --action snapshot --paths "/etc/nginx,/etc/ssh/sshd_config" \
    --name "webserver-baseline-$(date +%F)"

3. Tool: etc-checker

You can use this for remote configuration compliance and drift detection.

  • It checks files in /etc (or Windows Registry/config file equivalents) against a defined baseline or template.
  • It can alert you to any deviations, helping ensure your systems stay configured correctly and securely.
  • Baselines could be stored in Git or a central configuration management database.

For example:

# Check /etc against a baseline from a git repo and log results
sudo ./etc-checker.sh --baseline-git https://git.example.com/infra/baselines.git \
    --target-dir /etc --report /var/log/etc-checker-report.txt

4. Tool: health-reporter-agent

This is a lightweight agent that reports system health via simple protocols like REST or MQTT.

  • It’s a simpler alternative to heavier, more complex monitoring tools for specific needs.
  • You can gather key metrics like CPU, memory, disk usage, and specific process status.
  • Data can be sent to a central dashboard or alerting system you build.
Note

This tool, especially with REST/MQTT capabilities, is likely better suited for Python to handle network communication and data formatting. So, you probably wouldn’t do this as a shell script.

For example:

# Run the agent using a Python script, sending data to an MQTT broker
python ./health-reporter-agent.py --config /etc/health-agent.ini \
    --protocol mqtt --broker mqtt.example.com

5. Tool: pass-rotator

This tool helps you manage and automate password rotation for service accounts, API keys, or devices.

  • It can connect to various systems (databases, cloud services, network devices) to update credentials.
  • Then, it securely exports them to a local, encrypted vault file (e.g., using GPG, age, or a dedicated secrets manager).
  • This boosts your security posture by ensuring credentials are changed regularly and reducing manual effort.
Note

Due to API interactions and the need for secure credential handling (like GPG/age integration), this tool is likely better suited for Python. So, you probably wouldn’t do this as a shell script.

For example:

# Rotate password for a specific service account and update the GPG encrypted vault
python ./pass-rotator.py --service-account db-prod-svc \
    --vault-path ~/.secrets/service-accounts.gpg --rotate-now

6. Tool: service-manager-gui

Imagine a simple local web GUI that helps you manage and restart common services on a server.

  • This is handy for quick troubleshooting, for team members less comfortable with CLI commands, or for a support area like the Help Desk.
  • It could display service status, provide start/stop/restart buttons, and show recent log entries.
  • You might build it with Python (Flask/Django) or Go for a self-contained binary.
Note

This tool involves a web GUI, so Python (using frameworks like Flask or Django) or Go would be more appropriate than a simple shell script.

For example:

# Start the web GUI on port 8080
python ./service_manager_gui.py --host 0.0.0.0 --port 8080

7. Tool: smart-monitor

This script or small application monitors disk Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.) data.

  • It alerts you when specific thresholds (e.g., reallocated sectors, temperature) are crossed.
  • This gives you early warnings of potential disk failures, allowing you to prevent data loss.
  • Alerts could be via email, Slack, or integrated into a central monitoring system.

For example:

# Monitor two disks, alert on high temp or reallocated sectors via email and Slack
sudo ./smart-monitor.sh --devices /dev/sda,/dev/sdb \
    --thresholds "temperature:60,reallocated_sectors:5" --alert email,slack

8. Tool: stale-homedir-cleaner

You can use this to clean up orphaned or inactive user home directories, especially across NFS mounts or large file servers.

  • It identifies home folders that haven’t been accessed for a defined period or belong to disabled/deleted accounts.
  • It can then archive these directories to cheaper storage or flag them for deletion.
  • This helps free up valuable storage space and maintain a cleaner file system.

For example:

# Find home dirs under /mnt/nfs/homes inactive for 90 days and archive them, 
# running in dry-run mode first
sudo ./stale-homedir-cleaner.sh --path /mnt/nfs/homes --inactive-days 90 \
    --action archive --archive-path /mnt/archive/old_homes --dry-run

9. Tool: sys-auditor

This is a self-contained binary or script that enumerates and audits system users, groups, and permissions.

  • You can use it to find dormant accounts (e.g., not logged in for 90+ days).
  • It can also check for overly permissive access rights (e.g., excessive sudo privileges) or compliance with security policies.
  • Reports can be generated in formats like CSV or JSON for further analysis.

For example:

# Audit for dormant users (90+ days) and excessive sudo, outputting a CSV report
sudo ./sys-auditor.sh --check dormant-users:90 --check sudo-privileges \
    --output-format csv > /tmp/system_audit_report.csv

For Cloud / DevOps Engineers

Consider these tool ideas. They can mature from scripts to more robust applications. Maybe these can help you manage cloud resources better?

1. Tool: cloud-cost-viz

This tool provides a dashboard or CLI output to help you visualize cloud costs effectively.

  • You can break down expenses by tag, project, service, or account.
  • It supports major cloud providers like AWS, GCP, or Azure by querying their billing APIs.
  • This helps you track spending, identify cost anomalies, and optimize your cloud budget.
Note

Interacting with cloud billing APIs and generating visualizations makes Python a good choice for this tool, allowing you to leverage cloud SDKs and plotting libraries. So, you probably wouldn’t do this as a shell script.

For example:

# Generate a cost report for AWS, grouped by service, for the last month
python ./cloud-cost-viz.py --provider aws --group-by service \
    --period last-month --output report.html

2. Tool: cloud-tagger

You can use this to auto-tag cloud resources consistently across your environments.

  • It applies project, owner, environment, or cost-center tags based on defined rules or naming conventions.
  • This ensures consistent tagging, which is vital for cost management, resource organization, and automation.
  • Rules could be defined in a YAML file or a simple DSL.
Note

Automating cloud resource tagging via APIs is typically easier with Python, using the respective cloud provider SDKs.

For example:

# Apply tags to all untagged EC2 instances in us-east-1 based on rules in a YAML file
python ./cloud-tagger.py --provider aws --resource-type ec2 --region us-east-1 \
    --rules ./tagging-rules.yaml --apply-missing

3. Tool: iam-explorer

This is a cross-cloud (or single-cloud) permission explorer.

  • It helps you answer “who can do what on which resource?” by navigating complex IAM policies.
  • It can visualize relationships between users, groups, roles, and permissions.
  • This makes understanding access rights much easier and aids in security audits.
Note

Navigating and visualizing complex IAM policies often benefits from Python’s capabilities for API interaction and graph generation. So, you probably wouldn’t do this as a shell script.

For example:

# Explore what actions a specific AWS IAM user can perform on an S3 bucket
python ./iam-explorer.py --cloud aws --user-arn arn:aws:iam::123456789012:user/dev-user \
    --resource-arn arn:aws:s3:::my-app-bucket/* --output text

4. Tool: infra-deployer

This CLI deploys infrastructure templates (e.g., Terraform, CloudFormation, ARM, Pulumi) more intelligently.

  • It could automatically detect required variables or prompt for them interactively.
  • It might offer a simpler interface over complex deployment commands or integrate with a GitOps workflow.
  • This can simplify your deployment workflows and reduce manual errors.

For example:

# Deploy a Terraform configuration, prompting for any missing required variables
./infra-deployer.sh --tool terraform --path ./modules/vpc --action apply --interactive

5. Tool: policy-linter

This tool is a static linter for your cloud security policies (e.g., IAM policies, S3 bucket policies, Security Group rules).

  • It integrates with your CI/CD pipeline to check policies for errors, insecure configurations, or deviations from best practices.
  • This happens before they’re applied, preventing potential security vulnerabilities.
  • You can use existing libraries or define custom rules.
Note

Building a custom policy linter, especially with CI integration and complex rule logic, often suits Python. So, you probably wouldn’t do this as a shell script.

For example:

# Lint IAM policy files in a directory using a custom ruleset, for CI purposes
python ./policy-linter.py --policy-files ./aws/iam_policies/ \
    --rules ./custom_lint_rules.yaml --ci-mode

6. Tool: s3-snapshotter

This CLI snapshots and restores S3 buckets or other object storage services.

  • It can even work across different accounts or regions for data migration or backup purposes.
  • You might implement features like incremental snapshots or versioned restores.
  • This is useful for backups, disaster recovery, or migrating data between environments.
Note

Interacting with S3 APIs for snapshotting, restoration, and cross-account operations is well-suited for Python using the Boto3 library (for AWS). So, you probably wouldn’t do this as a shell script.

For example:

# Snapshot an S3 bucket to another bucket in a different region, with versioning
python ./s3-snapshotter.py --action snapshot --source-bucket my-prod-data \
    --dest-bucket my-dr-backup --dest-region us-west-1 --enable-versioning

7. Tool: secret-scanner

This tool scans your code repositories, configuration files, or even container images for hardcoded secrets.

  • It uses a combination of regex patterns, entropy checks, and keyword matching.
  • This helps prevent accidental exposure of sensitive credentials like API keys or passwords.
  • You can integrate it into your CI/CD pipeline to fail builds if secrets are detected.
Note

Implementing regex, entropy checks, and keyword matching for secret scanning is often done effectively in Python, which has strong text processing libraries. So, you probably wouldn’t do this as a shell script.

For example:

# Scan a local git repository for secrets and output findings to a JSON file
python ./secret-scanner.py --repo-path /path/to/my-project \
    --output-file secrets-found.json --entropy-threshold 4.0

8. Tool: temp-creds-rotator

You can use this to schedule and automate the rotation of temporary credentials.

  • It enhances security by limiting the lifetime of sensitive credentials.
  • It’s useful for systems like AWS STS, GCP short-lived OAuth tokens, or HashiCorp Vault dynamic secrets.
  • The tool could update application configurations or CI/CD variables with new credentials.
Note

Automating temporary credential rotation with cloud services (like AWS STS) or systems like HashiCorp Vault is typically handled well with Python and their respective SDKs/APIs. So, you probably wouldn’t do this as a shell script.

For example:

# Assume an AWS STS role, get temporary credentials, and update a specific 
# profile in ~/.aws/credentials
python ./temp-creds-rotator.py --service aws-sts  --duration 1h \
    --role-arn arn:aws:iam::123456789012:role/MyDeployRole --update-aws-profile deploy-profile

9. Tool: tf-drift-detector

This tool compares your Terraform (or other IaC tool) state to the actual deployed infrastructure.

  • It clearly shows any drift, highlighting resources created, modified, or deleted outside of IaC.
  • This helps you identify unmanaged changes and keep your infrastructure aligned with your code.
  • It can run on a schedule and send alerts if drift is detected.

For example:

# Check for drift in the production Terraform environment and send a Slack 
# alert if drift is found
./tf-drift-detector.sh --tf-dir /opt/terraform/live/production \
    --alert-to slack:ops-channel --output-detailed-drift drift-report.txt

For Security Engineers and Analysts

These tool ideas can start simple. They can grow in sophistication as you develop them. We believe these can significantly aid your security operations.

1. Tool: ad-stale-user-disabler

This tool automates the process of identifying and disabling stale Active Directory (or other directory service) user accounts.

  • It bases decisions on criteria like the last login time or account creation date.
  • This helps reduce the attack surface by removing unused accounts that could be compromised.
  • It can generate a report of actions taken or require manual approval before disabling.
Note

Interacting with Active Directory often involves PowerShell. However, Python with LDAP libraries can also be effective, especially for cross-platform needs or more complex logic.

For example:

# Report on AD users inactive for over 90 days, connecting to a specific domain controller
python ./ad-stale-user-disabler.py --ldap-server dc01.example.com \
    --base-dn "OU=Users,DC=example,DC=com" --inactive-days 90 --action report-only

2. Tool: alert-triage-cli

Imagine a real-time alert triage CLI designed for speed and efficiency.

  • It could feature keyboard shortcuts for common actions (e.g., acknowledge, escalate, close).
  • Powerful filtering and searching capabilities would help you quickly focus on critical alerts.
  • It might integrate with various SIEMs or alerting platforms via their APIs.
Note

Building a feature-rich CLI with API integrations for alert triage is a good fit for Python, using libraries like click or typer for the CLI and requests for APIs.

For example:

# Connect to SIEM-X, filter for new high-severity alerts, and sort by timestamp
python ./alert-triage-cli.py --source siem-x --filter "severity:high AND status:new" \
    --sort-by timestamp --interactive

3. Tool: code-risk-scanner

This CLI scans code repositories for potentially risky function calls or known vulnerable code patterns.

  • You can customize the patterns using YAML or a simple rule language.
  • It helps identify potential security flaws early in the development lifecycle.
  • This can be integrated into pre-commit hooks or CI/CD pipelines.
Note

Scanning code with custom rules (e.g., YAML-defined) and patterns is a task where Python excels due to its text processing and parsing capabilities.

For example:

# Scan a Python project directory using a specific set of security rules, outputting to JSON
python ./code-risk-scanner.py --path ./my-python-app/ --rules ./python-security-rules.yaml \
    --output-format json > code_risk_report.json

4. Tool: fwlog-parser

This tool parses firewall logs (e.g., from Cisco, Palo Alto Networks, iptables) to extract useful information.

  • For example, it can find top source/destination IPs by traffic volume, top blocked IPs, or unusual port activity.
  • This aids in network traffic analysis, threat detection, and incident response.
  • Output could be in CSV, JSON, or a simple human-readable report.
Note

Python is excellent for parsing various log formats and extracting structured data, making it suitable for a flexible firewall log parser.

For example:

# Parse a Cisco ASA log file and report the top 10 blocked source IPs
python ./fwlog-parser.py --log-file /mnt/logs/asa-firewall.log --format cisco-asa \
    --report top-blocked-src-ips --limit 10

5. Tool: jwt-validator

You can use this CLI or web tool to decode JSON Web Tokens (JWTs).

  • It also validates their signature, structure, and standard claims (e.g., exp, iss, aud).
  • This is handy for testing and debugging OAuth 2.0 or OIDC authentication flows.
  • It helps ensure tokens are correctly formed and haven’t been tampered with.
Note

Decoding and validating JWTs is straightforward with Python’s JWT libraries (e.g., PyJWT), making it a good choice for this tool.

For example:

# Decode and validate a JWT using a provided public key file
python ./jwt-validator.py --token "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26M..." \
    --public-key ./my_public_key.pem

6. Tool: log-anomaly-alerter

This tool watches a folder for new log files or tails existing ones.

  • It automatically emails you or sends a notification if anomalies are detected based on predefined patterns or statistical deviations.
  • You can define what constitutes an anomaly (e.g., error rates, specific keywords, unusual event frequency).
  • This provides proactive threat detection or operational issue alerting.
Note

Watching log files in real-time and performing anomaly detection (pattern matching or statistical analysis) often benefits from Python’s capabilities.

For example:

# Watch the /var/log/app/ directory for logs, using error patterns, and email alerts
python ./log-anomaly-alerter.py --watch-dir /var/log/app/ --patterns ./critical-error-patterns.txt \
    --email-to [email protected] --check-interval 60s

7. Tool: memdump-analyzer

This is a cross-platform binary or script that helps analyze memory dumps for Indicators of Compromise (IOCs).

  • It might look for suspicious processes, network connections, loaded DLLs, or known malware signatures.
  • This is crucial for incident response and digital forensics to understand malware behavior.
  • It could integrate with volatility or other memory analysis frameworks.
Note

Memory dump analysis, especially when integrating with frameworks like Volatility, is typically done with Python.

For example:

# Analyze a memory dump using a specific Volatility profile and run pslist and netscan plugins
python ./memdump-analyzer.py --dumpfile /mnt/forensics/compromised_host.mem \
    --profile Win10x64_19041 --plugins pslist,netscan --output-dir /reports/mem_analysis

8. Tool: port-scanner-pro

This is a custom port scanner that offers more flexibility than generic tools like nmap for specific use cases.

  • It might use YAML-based scan profiles to define target ports, scan types (TCP, UDP), and banners to grab.
  • You could optimize it for speed or stealth depending on your needs.
  • Results can be output in various formats for easy integration with other tools.
Note

Building a custom port scanner with features like YAML-based profiles and various output formats is a good Python project, utilizing its socket programming capabilities.

For example:

# Scan a subnet using a web server profile defined in YAML, outputting results to JSON
python ./port-scanner-pro.py --targets 10.0.1.0/24 --profile ./scan_profiles/web_servers.yaml \
    --output scan_results_web.json --threads 10

9. Tool: sg-auditor

This tool pulls all EC2 security groups (or equivalent in other clouds like Azure NSGs or GCP Firewall Rules).

  • It helps you find overly permissive rules, such as those allowing 0.0.0.0/0 access to sensitive ports.
  • It can check against a baseline of allowed rules or highlight deviations from best practices.
  • This strengthens your cloud security posture by identifying and remediating risky configurations.
Note

Auditing cloud security groups via APIs (e.g., AWS EC2 API) is well-suited for Python, using libraries like Boto3.

For example:

# Audit all AWS security groups in us-east-1 against a baseline ruleset, reporting violations
python ./sg-auditor.py --provider aws --region us-east-1 \
    --baseline-rules ./security_group_baseline.yaml \
    --report-violations sg_violations.txt

For Desktop Support or IT Helpdesk

You can build these tools. Start with scripts and potentially develop them further. We think these will make your support tasks easier.

1. Tool: banned-app-detector

This tool detects running processes or installed applications on a workstation.

  • It matches them against a predefined list of banned or unauthorized software.
  • This helps enforce company policy regarding software usage.
  • It can alert admins, notify the user, or even attempt to terminate the application.

For example:

# Check for banned applications based on a config file and notify the current user if any are found
./banned-app-detector.sh --app-list /etc/it_policy/banned_apps.cfg \
    --action notify_user --log /var/log/banned_app.log

2. Tool: pass-expiry-notifier

This tool proactively emails a user-friendly report or desktop notification to users.

  • It warns them before their domain or local account passwords expire (e.g., 14 days, 7 days, 1 day).
  • This helps reduce lockout incidents and improves the user experience.
  • It could integrate with Active Directory or other identity systems.
Note

While PowerShell is common for Active Directory tasks, Python can be used for broader identity system integration or custom notification logic, especially if you need cross-platform compatibility.

For example:

# Check AD for users whose passwords expire in 14, 7, or 1 day and send email notifications
python ./pass-expiry-notifier.py --source active-directory --days-warning 14,7,1 \
    --email-template ./templates/expiry_notification.html --smtp-server mail.example.com

3. Tool: resource-mapper

You can use this to automatically map network printers and shared drives for users.

  • It often works based on Active Directory group membership or user location/department.
  • This automates a common onboarding or login script task.
  • It ensures users get the right resources without manual configuration.

For example:

# Map resources for the current user based on their AD group "Sales"
./resource-mapper.sh --user-group "Sales" --action map \
    --config-file /etc/it_policy/resource_map_sales.json

4. Tool: setup-wizard-gui

This is an interactive GUI application that walks a new user through their first-day IT setup.

  • It can configure email clients (Outlook, Thunderbird), install standard software, set up printers, and map drives.
  • This streamlines the onboarding process and reduces helpdesk calls.
  • You might build this with Electron, Python (Tkinter/PyQt), or PowerShell GUI frameworks.
Note

This tool is GUI-based, making Python with GUI libraries like Tkinter or PyQt, or frameworks like Electron, suitable choices rather than a command-line script.

For example:

# Launch the setup wizard application (assuming it's a Python app)
python ./setup-wizard-app.py

5. Tool: slack-cmd-listener

This is a local tray application or background service that listens for commands from a company Slack bot.

  • Users can trigger common support scripts (e.g., “clear cache,” “restart print spooler,” “request software”) directly from Slack.
  • This provides a convenient self-service interface for users.
  • The tool would execute predefined scripts based on the received commands.
Note

Interacting with the Slack API and running local scripts makes Python a good choice for this tool, allowing you to use Slack SDKs and manage subprocesses.

For example:

# Start the Slack command listener with a specific Slack bot token and script directory
python ./slack-cmd-listener.py --slack-token "xoxb-your-slack-bot-token" \
    --allowed-scripts-dir /opt/it_support_scripts/ \
    --log-file /var/log/slack_listener.log

6. Tool: support-toolbox-gui

Imagine a graphical “support toolbox” application for helpdesk staff.

  • It has tabs or sections for common diagnostic scripts, remote assistance tools, and links to knowledge base articles.
  • This provides a central place for support staff to quickly access frequently used tools and information.
  • It can be customized with scripts relevant to your specific environment.
Note

A graphical toolbox is best built with GUI frameworks. Python’s Tkinter or PyQt, or technologies like Electron, would be more suitable than a simple script.

For example:

# Launch the support toolbox GUI application
python ./support-toolbox-app.py --user-role helpdesk-L1

7. Tool: sysinfo-reporter

This tool pulls comprehensive system information from a workstation.

  • It gathers details like OS version, CPU, RAM, storage, installed software, and network configuration.
  • Then, it emails this info to an asset tracker, posts it to a database, or saves it to a shared location.
  • This helps keep your IT asset inventory up-to-date.

For example:

# Gather system info, including installed software, and email it to the asset tracker
./sysinfo-reporter.sh --output-method email --email-to [email protected] \
    --include-software-list --format json

8. Tool: ticket-triage-bot

This is a chatbot-style Q&A tool that helps triage common IT support tickets.

  • It can guide users through basic troubleshooting steps for common issues (e.g., “printer not working,” “can’t access X”).
  • If self-service fails, it can gather necessary diagnostic information before escalating the ticket to a human agent.
  • This can be integrated with your existing ticketing system.
Note

Building a chatbot with Q&A logic and potential ticketing system integration is well-suited for Python, using NLP libraries and API clients.

For example:

# Start the ticket triage bot, connecting to a knowledge base and ticketing system API
python ./ticket-triage-bot.py --knowledge-base-url http://kb.example.com/api \
    --ticketing-system-api http://tickets.example.com/api --port 8888

9. Tool: workstation-validator

This is a self-contained binary or script that validates all workstation settings against a defined baseline or security policy.

  • It checks security configurations (firewall, antivirus), software versions, disk encryption status, and more.
  • This helps ensure workstations are compliant and reduces security risks.
  • It can generate a report for the user or IT staff highlighting any non-compliant settings.

For example:

# Validate workstation settings against a company policy YAML and report to a central server
./workstation-validator.sh --policy-file /etc/it_policy/workstation_baseline.yaml \
    --report-to-server http://compliance.example.com/api/checkin --user-id $(whoami)

For Infrastructure as Code (IaC) Engineers

These ideas can evolve from basic scripts to comprehensive Go tools. We believe these will streamline your IaC workflows.

1. Tool: hcl-json-converter

This tool converts HCL (HashiCorp Configuration Language - used by Terraform, Packer, Nomad, etc.) to JSON and vice versa.

  • It provides a slick CLI for easy conversions, useful for scripting or interoperability with tools that expect JSON.
  • It could also handle other HCL-like formats or offer formatting options.
  • This is particularly useful when you need to programmatically generate or parse HCL.
Note

While Go is excellent for HCL parsing (as used in Terraform itself), Python also has libraries that can handle HCL to JSON conversion for scripting purposes.

For example:

# Convert an HCL file to JSON and print to stdout
python ./hcl-json-converter.py --input ./my_terraform_module/main.tf --to json

2. Tool: iac-change-visualizer

This tool visualizes the changes proposed by an IaC plan (e.g., terraform plan).

  • It shows what resources will be created, updated, or destroyed in a more human-friendly or graphical way than raw plan output.
  • It might generate a dependency graph of changes or highlight potentially risky operations.
  • This helps you better understand the impact of IaC changes before applying them.
Note

Parsing IaC plan outputs (like Terraform’s binary plan file) and generating visualizations (e.g., graphs) often benefits from Python’s capabilities.

For example:

# Generate a Terraform plan, then visualize it as a dependency graph image
terraform plan -out=tfplan.bin && python ./iac-change-visualizer.py \
    --plan-file tfplan.bin --output-type png --output-file plan_graph.png

3. Tool: iac-health-dashboard

This provides a dashboard (web or CLI) of all your IaC repositories or projects.

  • It shows their deployment health, last successful/failed deployment, and status of CI/CD pipelines.
  • You can quickly see which pipelines are failing, track deployment frequency, or monitor for drift.
  • It might integrate with Git repository hosting services and CI/CD systems.
Note

This tool likely involves API integrations (Git, CI/CD systems) and potentially a web dashboard, making Python (with frameworks like Flask/Django) a strong candidate.

For example:

# Start the IaC health dashboard web application using a configuration file
python ./iac-health-dashboard-app.py --config ./dashboard_config.yaml --port 8000

4. Tool: iac-inventory-generator

This standalone binary or script creates a full inventory of your infrastructure directly from your IaC code (Terraform, CloudFormation, etc.).

  • It parses your code to list all managed resources, their types, and key attributes.
  • This helps you understand your managed resources without needing to query cloud provider APIs.
  • It’s useful for audits, documentation, or cost estimation based on code.
Note

Parsing various IaC file formats (Terraform HCL, CloudFormation JSON/YAML) to generate an inventory is a task well-suited for Python.

For example:

# Generate an inventory from a Terraform project directory and output as CSV
python ./iac-inventory-generator.py --iac-path ./production_terraform_project/ \
    --output-format csv > full_infra_inventory.csv

5. Tool: iac-limit-checker

This is a CI pre-check tool that ensures resource limits and requests are defined in your IaC (e.g., for Kubernetes manifests, cloud provider resource definitions).

  • For example, it checks for CPU or memory limits in Kubernetes deployments or that VM sizes are within allowed tiers.
  • This helps prevent resource overruns, ensure fair resource allocation, and control costs.
  • Rules can be defined in a configuration file.
Note

Checking IaC files (like Kubernetes YAML or Terraform HCL) against configurable resource limit rules is effectively done with Python, using its parsing and data handling strengths.

For example:

# Check Kubernetes manifest files in a directory against a set of limit rules, for CI
python ./iac-limit-checker.py --iac-files ./kubernetes_manifests/production/ \
    --rules ./k8s_limit_rules.yaml --ci-mode --fail-on-error

6. Tool: iac-module-extractor

This tool greps all Terraform, Pulumi, or CloudFormation files in a repository.

  • It extracts a list of all used modules, providers, or resource types and their versions.
  • This helps you track dependencies, identify outdated modules, or plan for upgrades.
  • The output could be a simple list, CSV, or JSON for further processing.
Note

Extracting module, provider, and resource type information from various IaC files can be efficiently handled by Python scripts that parse these formats.

For example:

# Extract all Terraform modules and their versions from a project, output as JSON
python ./iac-module-extractor.py --repo-path ./my_company_terraform_modules/ \
    --type terraform --output-format json > tf_modules_versions.json

7. Tool: iac-validator-action

This is a GitHub Action (or similar for other CI/CD systems) that lints, tests, and validates your IaC before merging.

  • It can run a suite of tools like tfsec for security scanning, terratest for integration testing, or kubeval for Kubernetes manifest validation.
  • This improves code quality, catches errors early, and enforces best practices automatically.
  • It provides feedback directly in pull requests.

For example:

# In your .github/workflows/main.yml:
- name: Validate IaC
  uses: your-org/iac-validator-action@v1 # Replace with the actual action
  with:
    iac-path: './terraform' # Path to your IaC code
    tools: 'tfsec,tflint,checkov' # Comma-separated list of tools to run
    tfsec-args: '--exclude-rule aws-s3-enable-bucket-logging'

8. Tool: resource-name-validator

This tool validates naming conventions for cloud resources defined in your IaC before you commit or deploy.

  • It checks resource names against a configurable regex or pattern defined by your organization.
  • This ensures consistency across your infrastructure, which helps with organization, tagging, and policy enforcement.
  • It can be run as a pre-commit hook or in a CI pipeline.
Note

Validating resource names against configurable patterns (e.g., regex in a YAML file) within IaC files is a good use case for Python, especially for pre-commit hooks.

For example:

# Validate resource names in Terraform files using a specific naming 
# convention config, for a pre-commit hook
python ./resource-name-validator.py --iac-files ./terraform/*.tf \
    --naming-convention ./company_naming_standards.yaml --mode pre-commit

9. Tool: stale-stack-reporter

This tool reports which IaC stacks (e.g., Terraform workspaces, CloudFormation stacks) haven’t been deployed or updated in N days.

  • This helps identify unused, forgotten, or potentially obsolete infrastructure.
  • You can then investigate and decommission these resources to save costs and reduce clutter.
  • It might query CI/CD deployment logs or IaC state file metadata.
Note

Querying CI/CD deployment logs (via APIs) or IaC state file metadata (e.g., from Terraform Cloud/Enterprise or S3 backends) to find stale stacks is often best done with Python.

For example:

# Report Terraform Cloud workspaces not updated in 60 days, alerting 
# to a Slack channel
python ./stale-stack-reporter.py --provider terraform-cloud \
    --organization "my-awesome-company" --inactive-days 60 \
    --alert slack:infra-alerts

Why Not Just Stop at Python?

Python is fantastic! It’s readable, friendly, powerful. It’s often the perfect choice for many internal tools, especially when they are evolving from simpler scripts. However, it has it’s drawbacks too:

  • Performance: Python is an interpreted language, which means it is significantly slower than compiled languages like Go. For tools that need to run quickly or handle large datasets, this can be a bottleneck.
  • Virtual Environments: Python often requires a virtual environment ot be established (on each new machine where it runs), and then to install dependencies. That means that it needs access to the internet. In some corporate environments, this can be a challenge or even not possible due to security policies or proxy server restrictions.
Note

You can use tools like PyInstaller, cx_Freeze, or PyOxidizer to create standalone executables from Python scripts. But this adds complexity and can lead to larger binaries compared to Go.

If you are serious about building tools that others can download and run on any OS, without installing anything? That’s where Go shines, representing a more mature stage for a tool.

  • Cross-platform binaries for macOS, Windows, Linux, and ARM
  • Single binary with no dependencies
  • No runtime or dependencies
  • Ridiculously fast execution
  • Native support for modern concurrency, HTTP, and CLI UX

If you’re writing tools for ops, cloud, or security, learning Go is a really good investment.

Where to start with Go?

You don’t need to be an expert to write useful tools. Pick a real problem. Start small. Configure GitHub Copilot within Visual Studio Code and ask it to teach you - literally. Then, share what you learn.

What To Do With Your Tool

No matter your level, this is your roadmap:

  1. Write the script. Solve your problem.
  2. GitHub Get it into GitHub. Create a repo, add a README, and push your code.
    • If you want to share it with the world, make it public. See HOWTO: Open Source.
    • If you want to keep it private, you can still share it with your team or company.
    • Reference the GitHub Cheatsheet, if needed.
  3. Polish the repo. See How to Open Source.
  4. Write a blog post. Talk about why you made it and how it helps.
  5. Share it. On Mastodon, Reddit, LinkedIn or wherever your people are.
  6. Keep going. Add features, fix bugs, write docs.

You never know who’s going to discover it. You might help someone else. You might get a contributor. You might get a job. You might even turn it into a SaaS.

Summary

  • Internal tools are the easiest starting point. They’re useful by default.
  • You already know the pain points; turn those into projects.
  • Grow from bash or PowerShell to Python or Go at your own pace.
  • Publish early, polish later. Just ship it.