Infrastructure Modules
DocuStack uses a modular Terraform architecture with 16 production-ready modules organized into logical groups. All modules are versioned and maintained in the docustack-infrastructure-modules repository.
Module Categories
Core Infrastructure
Foundation modules that every environment requires:
| Module | Purpose | HIPAA |
|---|---|---|
| Bootstrap | Terraform state backend (S3 + DynamoDB) | Yes |
| VPC | Multi-AZ networking with VPC endpoints | Yes |
| ECS Cluster | Fargate cluster with Spot support | Yes |
| ECR | Container registry with lifecycle policies | Yes |
| RDS | PostgreSQL with encryption and backups | Yes |
Database & Workflows
Application-layer infrastructure:
| Module | Purpose | HIPAA |
|---|---|---|
| DB Init Lambda | Automated database initialization | Yes |
| Temporal | Workflow orchestration on ECS | Yes |
Secure Access
Zero-trust access to private resources:
| Module | Purpose | HIPAA |
|---|---|---|
| Bastion | On-demand SSM bastion hosts | Yes |
| Bastion Orchestrator | Lifecycle management for bastions | Yes |
Cost Management
Automated cost optimization:
| Module | Purpose | Savings |
|---|---|---|
| Nightly Scheduler | Stop/start resources on schedule | 60-70% |
| Infra Orchestrator | Tier 1/2 teardown routing | Variable |
ChatOps
Slack-based infrastructure management:
| Module | Purpose |
|---|---|
| Slack Bot | Socket Mode bot for infrastructure commands |
| IP Whitelist | DynamoDB-backed IP management with auto-sync |
Security & Compliance
Preventive and detective controls:
| Module | Purpose | HIPAA |
|---|---|---|
| Compliance | AWS Config with HIPAA conformance pack | Yes |
| SCP Policies | Organization-wide guardrails | Yes |
| GitHub Actions OIDC | Secure CI/CD authentication | Yes |
Module Versioning
All modules use semantic versioning via Git tags:
```hcl
# Pin each module to an immutable release tag rather than a branch.
# (This is the Terragrunt-style terraform block; in plain Terraform the same
# source string goes in a module "vpc" { ... } block.)
terraform {
  source = "git::git@github.com:docustackapp/docustack-infrastructure-modules.git//modules/vpc?ref=v1.2.0"
}
```
Version Strategy:
- Major (v2.0.0): Breaking changes requiring migration
- Minor (v1.1.0): New features, backward compatible
- Patch (v1.0.1): Bug fixes only
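As an added example (not code from the DocuStack repositories), a small policy check that scans module blocks for the git source form shown above and reports any module whose `ref` is missing or points at a moving reference such as a branch; the HCL input is constructed for the example, and the 40-character SHA in it is a made-up placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample: module blocks in the form the versioning section shows.
SAMPLE_TF = '''
module "vpc" {
  source = "git::git@github.com:docustackapp/docustack-infrastructure-modules.git//modules/vpc?ref=v1.2.0"
}
module "rds" {
  source = "git::git@github.com:docustackapp/docustack-infrastructure-modules.git//modules/rds?ref=main"
}
module "ecr" {
  source = "git::git@github.com:docustackapp/docustack-infrastructure-modules.git//modules/ecr"
}
module "temporal" {
  source = "git::git@github.com:docustackapp/docustack-infrastructure-modules.git//modules/temporal?ref=3f2a9c1e7b4d5f60a1b2c3d4e5f60718293a4b5c"
}
'''

# Matches module "<name>" { ... source = "<src>" ... } (first source inside the block).
SOURCE_RE = re.compile(
    r'module\s+"(?P<name>[^"]+)"\s*\{[^}]*?source\s*=\s*"(?P<src>[^"]+)"', re.S)
SEMVER_TAG_RE = re.compile(r'^v\d+\.\d+\.\d+$')   # v1.2.0 style tags
SHA_RE = re.compile(r'^[0-9a-f]{40}$')            # full commit hash


def check_module_pins(tf_text: str) -> List[Tuple[str, str, str]]:
    """Return (module_name, status, ref) for every git:: module source.
    status is 'pinned-tag', 'pinned-sha', 'unpinned' (no ref) or
    'mutable-ref' (branch or any other non-release ref)."""
    results = []
    for m in SOURCE_RE.finditer(tf_text):
        name, src = m.group("name"), m.group("src")
        if not src.startswith("git::"):
            continue  # registry or local sources are out of scope here
        ref = src.split("?ref=", 1)[1] if "?ref=" in src else ""
        if not ref:
            status = "unpinned"
        elif SEMVER_TAG_RE.match(ref):
            status = "pinned-tag"
        elif SHA_RE.match(ref):
            status = "pinned-sha"
        else:
            status = "mutable-ref"
        results.append((name, status, ref))
    return results


def unpinned_modules(tf_text: str) -> List[str]:
    """Module names that should fail a CI policy gate before apply."""
    return [n for n, s, _ in check_module_pins(tf_text) if s in ("unpinned", "mutable-ref")]


if __name__ == "__main__":
    for name, status, ref in check_module_pins(SAMPLE_TF):
        print(f"{name:<10} {status:<12} {ref}")
```

A tag can be moved after the fact, so a release process that also records the commit hash behind each tag gives a stronger guarantee than the tag alone.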
Lambda Code Location
Infrastructure Lambda functions (bastion-orchestrator, db-init, nightly-scheduler, etc.) have their code in the monorepo and their deployment configuration in infrastructure-modules:
```
docustack-mono/services/lambdas/
├── bastion-orchestrator/   # Lambda code
├── db-init/
├── infra-orchestrator/
├── ip-whitelist-manager/
└── nightly-scheduler/

docustack-infrastructure-modules/modules/
├── bastion-orchestrator/   # Terraform module
├── db-init-lambda/
├── infra-orchestrator/
├── ip-whitelist/
└── nightly-scheduler/
```
This separation ensures:
- Application code (monorepo) defines WHAT to deploy
- Infrastructure modules define HOW to deploy
Quick Reference
Deployment Order
For a new environment, deploy modules in this order:
1. bootstrap - State backend (run locally first)
2. vpc - Networking foundation
3. ecs-cluster - Container orchestration
4. ecr - Container registry
5. rds - Database
6. db-init-lambda - Initialize databases
7. temporal - Workflow engine
8. bastion-orchestrator - Secure access
9. nightly-scheduler - Cost optimization
10. slack-bot - ChatOps (optional)
Environment-Specific Configurations
| Setting | Dev | Staging | Prod |
|---|---|---|---|
| Multi-AZ | No | Yes | Yes |
| Fargate Spot | 100% | 80% | 50% |
| RDS Instance | db.t3.small | db.t3.medium | db.r5.large |
| Backup Retention | 7 days | 14 days | 35 days |
| Deletion Protection | No | Yes | Yes |
| Nightly Scheduler | Enabled | Enabled | Disabled |