# Services Overview
DocuStack uses a collection of Lambda functions and services to automate infrastructure management, reduce costs, and provide ChatOps capabilities.
## Why These Services Exist
Traditional infrastructure management requires manual intervention, leads to forgotten resources running 24/7, and lacks audit trails. Our services solve these problems:
| Problem | Solution |
|---|---|
| Dev resources running overnight | Nightly Scheduler auto-stops at 2 AM CT |
| No secure database access | Bastion Orchestrator provides on-demand SSM bastions |
| Manual infrastructure control | Infra Orchestrator + Slack Bot enable ChatOps |
| IP whitelist management | IP Whitelist Manager with auto-expiration |
| Database initialization | DB Init Lambda for Temporal setup |
## Service Architecture

```text
┌─────────────────────────────────────────────────────────────────┐
│                            Slack Bot                            │
│                      (ECS Fargate Service)                      │
│                                                                 │
│  /infra status          /infra stop          /infra whitelist   │
└────────┬─────────────────────┬───────────────────────┬──────────┘
         │                     │                       │
         v                     v                       v
┌─────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐
│     Bastion     │ │ Infra Orchestrator  │ │    IP Whitelist     │
│  Orchestrator   │ │                     │ │      Manager        │
│                 │ │  Tier 1: Lambda     │ │                     │
│  On-demand EC2  │ │  Tier 2: Terrateam  │ │ DynamoDB + SG Sync  │
└─────────────────┘ └──────────┬──────────┘ └─────────────────────┘
                               │
                               v
                    ┌─────────────────────┐
                    │  Nightly Scheduler  │
                    │                     │
                    │   stop_resources    │
                    │   start_resources   │
                    └─────────────────────┘
```
## Services

### Nightly Scheduler
Purpose: Automatically stop and start infrastructure during off-hours to reduce costs.
- Stops ECS services, RDS instances, and EC2 instances at 2 AM CT
- Starts resources at 5 PM CT (before the next workday)
- Discovery mode finds resources automatically
- Tag resources with `NightlyTeardown=skip` to exclude them

Estimated savings: 60-70% on dev/staging compute costs
### Bastion Orchestrator
Purpose: Provide secure, on-demand database access without long-lived bastion hosts.
- Launch via Slack with `/infra bastion create`; the bastion auto-terminates after 3 hours
- SSM-only access (no SSH keys, no public IPs)
- Full audit logging for HIPAA compliance

Cost per session: ~$0.001 (3 hours on t4g.nano)
### Infra Orchestrator
Purpose: Central control plane for infrastructure operations with safety controls.
- Tier 1: Fast stop/start via Lambda (seconds)
- Tier 2: Full teardown/spinup via Terrateam (minutes)
- Production protection built in
- Audit logging for all actions
### IP Whitelist Manager
Purpose: Manage IP-based access to protected resources with automatic expiration.
- Add IPs via Slack with a TTL (e.g., `--ttl=7d`)
- Auto-syncs to security groups via DynamoDB Streams
- Manages ALB (80/443) and NLB (7233) ports
- Slack notifications on expiration
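The following is an added example, not the DocuStack project's own code, of how the Streams-to-security-group sync described above can be structured: a TTL string from Slack is parsed into seconds, and each DynamoDB Stream record is mapped to an authorize (INSERT) or revoke (REMOVE, which is also how a TTL expiry arrives) of a `/32` rule on the ALB and NLB ports. The security group ids, the `ip` item attribute and the sample records are constructed placeholders; the AWS calls are isolated in `apply_plan` so the planning logic runs offline.

```python
import ipaddress
import re

# Constructed placeholders: which security group gets which ports
# (ALB on 80/443 and NLB on 7233, as the page describes).
PORT_MAP = {"sg-alb-placeholder": (80, 443), "sg-nlb-placeholder": (7233,)}
TTL_UNITS = {"m": 60, "h": 3600, "d": 86400}

def parse_ttl(ttl: str) -> int:
    """Turn a Slack-style TTL such as '7d' or '12h' into seconds; reject anything else."""
    m = re.fullmatch(r"(\d+)([mhd])", ttl)
    if not m:
        raise ValueError(f"unsupported ttl: {ttl!r}")
    return int(m.group(1)) * TTL_UNITS[m.group(2)]

def plan_sg_changes(records):
    """Map stream records to (action, sg_id, port, cidr) tuples.
    INSERT -> authorize, REMOVE -> revoke; a TTL expiry arrives as REMOVE, so
    expired entries are revoked by the same path. MODIFY only changes the expiry."""
    plan = []
    for rec in records:
        event = rec["eventName"]
        if event not in ("INSERT", "REMOVE"):
            continue
        image = rec["dynamodb"]["NewImage" if event == "INSERT" else "OldImage"]
        try:
            ip = ipaddress.IPv4Address(image["ip"]["S"])
        except (KeyError, ValueError):
            continue  # never push a malformed value into a security group rule
        action = "authorize" if event == "INSERT" else "revoke"
        for sg_id, ports in PORT_MAP.items():
            for port in ports:
                plan.append((action, sg_id, port, f"{ip}/32"))
    return plan

def apply_plan(ec2, plan):
    """Apply the plan with a boto3 EC2 client (passed in, not imported here)."""
    for action, sg_id, port, cidr in plan:
        call = ec2.authorize_security_group_ingress if action == "authorize" \
            else ec2.revoke_security_group_ingress
        call(GroupId=sg_id, IpPermissions=[{"IpProtocol": "tcp", "FromPort": port,
             "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}])

# Constructed sample batch: one new entry, one TTL expiry, one malformed item.
SAMPLE_RECORDS = [
    {"eventName": "INSERT", "dynamodb": {"NewImage": {"ip": {"S": "203.0.113.7"}}}},
    {"eventName": "REMOVE", "dynamodb": {"OldImage": {"ip": {"S": "198.51.100.9"}}}},
    {"eventName": "INSERT", "dynamodb": {"NewImage": {"ip": {"S": "not-an-ip"}}}},
]
```

In a real handler, `plan_sg_changes(event["Records"])` feeds `apply_plan(boto3.client("ec2"), plan)`; keeping the plan separate makes the intended rule changes easy to log before they are applied.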
### DB Init Lambda
Purpose: Initialize the PostgreSQL databases required by Temporal.
- Creates the `temporal` and `temporal_visibility` databases
- Idempotent (safe to run multiple times)
- Invoked automatically during Temporal deployment
### Slack Bot
Purpose: ChatOps interface for infrastructure management.
- `/infra status dev` - Check infrastructure state
- `/infra stop dev` - Stop services (Tier 1)
- `/infra whitelist add 1.2.3.4` - Manage IP access
- Confirmation modals for destructive operations
## Code Location
All Lambda and service code lives in the application monorepo:

```text
docustack-mono/services/
├── lambdas/
│   ├── nightly-scheduler/
│   ├── bastion-orchestrator/
│   ├── infra-orchestrator/
│   ├── ip-whitelist-manager/
│   └── db-init/
└── slack-bot/
```

Infrastructure modules that deploy these services are in `docustack-infrastructure-modules/modules/`.
## Development Workflow
1. Make code changes in `docustack-mono/services/`
2. Test locally using the development instructions in each service doc
3. Push changes - CI builds and pushes Docker images to ECR
4. Deploy - Terraform picks up new image tags automatically

See the individual service documentation for specific development instructions.