Infrastructure Control Slack Bot

Slack bot for controlling infrastructure operations via slash commands. Uses the Bolt framework with Socket Mode for secure, firewall-friendly communication.

Why This Exists

Infrastructure management shouldn't require:

SSH access to jump boxes
AWS Console navigation
Remembering CLI commands
Context switching from Slack

The Slack bot provides ChatOps - manage infrastructure where your team already communicates:

/infra status dev - Check what's running
/infra stop dev - Stop services for the night
/infra whitelist add 1.2.3.4 - Grant yourself access

Commands Reference

Main Command

/infra <command> [environment] [options]

Available Commands

Command	Description	Example
`status [env]`	Show infrastructure state	`/infra status dev`
`stop [env]`	Stop ECS/RDS (Tier 1)	`/infra stop staging`
`start [env]`	Start ECS/RDS (Tier 1)	`/infra start dev`
`teardown [env] --level=<level>`	Teardown infrastructure (Tier 2)	`/infra teardown dev --level=full`
`spinup [env]`	Restore from teardown (Tier 2)	`/infra spinup dev`
`whitelist add <ip> [options]`	Add IP to whitelist	`/infra whitelist add 1.2.3.4 --ttl=7d`
`whitelist remove <ip>`	Remove IP	`/infra whitelist remove 1.2.3.4`
`whitelist list [env]`	List whitelisted IPs	`/infra whitelist list dev`
`whitelist refresh [env]`	Sync to security groups	`/infra whitelist refresh dev`

Environments

Environment	Description	Restrictions
`dev`	Development (default)	None
`staging`	Staging	None
`prod`	Production	Stop/teardown blocked

Teardown Levels

Level	Description
`services`	Stop ECS/RDS only (default, fast)
`full`	Full infrastructure teardown (requires confirmation)

IP Whitelist Commands

Add IP

/infra whitelist add <ip> [--ttl=<duration>] [--description='<text>']

TTL Options:

Minutes: 1m to 1440m (e.g., 5m, 30m, 60m)
Days: 1d to 365d (e.g., 7d, 30d, 90d)
Default: 30d

Examples:

/infra whitelist add 1.2.3.4
/infra whitelist add 1.2.3.4 --ttl=5m --description='Quick test'
/infra whitelist add 1.2.3.4/32 --ttl=7d --description='Home office'

Automatic Features

Auto-sync: Security groups update immediately
Auto-expiration: IPs removed when TTL expires
Notifications: Channel notified when IPs expire
Ports managed: 80 (HTTP), 443 (HTTPS), 7233 (gRPC)

Message Formats

Status Response

Infrastructure Status: DEV
─────────────────────────
ECS Services:
  :white_check_mark: api - RUNNING (desired: 2)
  :white_check_mark: worker - RUNNING (desired: 1)

RDS Instances:
  :white_check_mark: docustack-dev-db - available

Action Response

:white_check_mark: STOP - DEV
─────────────────────────
Operation completed successfully.

Details:
- ECS services stopped: 2
- RDS instances stopped: 1

Confirm Teardown
─────────────────────────
:warning: You are about to perform a FULL teardown of the `dev` environment.

This will destroy:
- All ECS services and tasks
- RDS instances (data preserved in snapshots)
- NAT Gateways
- Load Balancers

Critical resources (VPC, S3, Secrets, IAM) will be preserved.

[Type 'dev' to confirm]
[Cancel] [Confirm Teardown]

Slack App Setup

1. Create Slack App

Go to api.slack.com/apps
Click Create New App > From scratch
Name: Infrastructure Control Bot
Select your workspace

2. Configure OAuth & Permissions

Add these Bot Token Scopes:

Scope	Purpose
`chat:write`	Send messages
`commands`	Handle slash commands
`app_mentions:read`	Respond to mentions
`users:read`	Get user info for whitelist

3. Enable Socket Mode

Navigate to Socket Mode
Enable Socket Mode
Create App-Level Token with connections:write scope
Save the token (starts with xapp-)

4. Create Slash Command

Navigate to Slash Commands
Click Create New Command
Configure:
- Command: /infra
- Description: Control infrastructure (status, stop, start, teardown, spinup)
- Usage Hint: <command> [environment] [options]

5. Enable Interactivity

Navigate to Interactivity & Shortcuts
Enable Interactivity
(No Request URL needed for Socket Mode)

6. Install App

Navigate to Install App
Click Install to Workspace
Save the Bot Token (starts with xoxb-)

Environment Variables

Variable	Description	Required
`SLACK_BOT_TOKEN`	Bot token (`xoxb-...`)	Yes
`SLACK_APP_TOKEN`	App token for Socket Mode (`xapp-...`)	Yes
`ORCHESTRATOR_LAMBDA_ARN`	ARN of orchestrator Lambda	Yes
`IP_WHITELIST_LAMBDA_ARN`	ARN of IP whitelist Lambda	Yes

Deployment

ECS Fargate (Production)

The Slack bot runs as a long-running service on ECS Fargate:

module "slack_bot" {
  source = "../../modules/slack-bot"

  name        = "docustack-infra-bot"
  environment = var.environment

  vpc_id          = module.vpc.vpc_id
  private_subnets = module.vpc.private_subnets

  slack_bot_token_secret_arn = aws_secretsmanager_secret.slack_bot_token.arn
  slack_app_token_secret_arn = aws_secretsmanager_secret.slack_app_token.arn
  orchestrator_lambda_arn    = module.infra_orchestrator.lambda_arn
}

Docker Image

Multistage build with UV for fast, reproducible dependencies:

# Build stage
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS builder
WORKDIR /app
COPY pyproject.toml .
RUN uv sync --no-dev --frozen

# Runtime stage
FROM python:3.12-slim
WORKDIR /app
COPY --from=builder /app/.venv /app/.venv
COPY app.py .
ENV PATH="/app/.venv/bin:$PATH"
CMD ["python", "app.py"]

Development Workflow

Prerequisites

Install UV for Python package management:

# macOS/Linux
curl -LsSf https://astral.sh/uv/install.sh | sh

# Or via Homebrew
brew install uv

Install Dependencies

cd docustack-mono/services/slack-bot
uv sync

Set Environment Variables

export SLACK_BOT_TOKEN="xoxb-your-bot-token"
export SLACK_APP_TOKEN="xapp-your-app-token"
export ORCHESTRATOR_LAMBDA_ARN="arn:aws:lambda:us-east-1:123456789:function:infra-orchestrator"
export IP_WHITELIST_LAMBDA_ARN="arn:aws:lambda:us-east-1:123456789:function:ip-whitelist-manager"

Run Locally

uv run python app.py

The bot connects via Socket Mode and starts listening for commands.

Testing Commands

Open Slack
Type /infra to see help
Try /infra status dev to check infrastructure

Security Considerations

Socket Mode Benefits

Feature	Benefit
No public endpoint	Works behind firewalls
Encrypted WebSocket	Secure communication
No SSL management	Slack handles certificates

Token Security

Store tokens in AWS Secrets Manager
Use IAM roles for Lambda/ECS access
Rotate tokens periodically

Production Protection

Production teardown/stop blocked at bot level
Additional protection in orchestrator Lambda
Audit logging for all actions

Troubleshooting

Bot Not Responding

Check Socket Mode is enabled in Slack App settings
Verify SLACK_APP_TOKEN is correct (starts with xapp-)
Check CloudWatch logs for connection errors
Verify ECS service is running

Permission Errors

Verify bot has required OAuth scopes
Re-install app to workspace after scope changes
Check IAM role has Lambda invoke permissions

Command Not Found

Verify slash command is configured in Slack App
Check command name matches exactly (/infra)
Ensure app is installed to the workspace

Files

File	Description
`app.py`	Main Slack bot application
`pyproject.toml`	Python dependencies (UV)
`Dockerfile`	Multistage build for ECR

Code Location

docustack-mono/services/slack-bot/
├── app.py              # Main application
├── pyproject.toml      # Dependencies
├── Dockerfile          # Container build
└── README.md

Why This Exists​

Commands Reference​

Main Command​

Available Commands​

Environments​

Teardown Levels​

IP Whitelist Commands​

Add IP​

Automatic Features​

Message Formats​

Status Response​

Action Response​

Confirmation Modal (Full Teardown)​

Slack App Setup​

1. Create Slack App​

2. Configure OAuth & Permissions​

3. Enable Socket Mode​

4. Create Slash Command​

5. Enable Interactivity​

6. Install App​

Environment Variables​

Deployment​

ECS Fargate (Production)​

Docker Image​

Development Workflow​

Prerequisites​

Install Dependencies​

Set Environment Variables​

Run Locally​

Testing Commands​

Security Considerations​

Socket Mode Benefits​

Token Security​

Production Protection​

Troubleshooting​

Bot Not Responding​

Permission Errors​

Command Not Found​

Files​

Code Location​