https://github.com/jae-labs/concierge

A Slack ChatOps Bot written in GoLang which provisions resources, manages access, and automates workflows across various vendors via Terraform.
bot chatops golang iac slack terraform

Slack-native GitOps for infrastructure changes across GitHub, Cloudflare, and Doppler.

`conCIerge` is a Go Slack bot that turns structured Slack requests into reviewed Terraform pull requests. Users request changes in Slack; the bot fetches live Terraform locals from the external `jae-labs/terraform` repository, validates intent, edits the HCL, opens a PR, and posts the request summary back to `#concierge`.

It does not mutate production directly. The control point stays where it should: normal GitHub review, merge, and CI/CD in the Terraform repository.

## Why conCIerge?

- Replaces ad hoc infrastructure requests with structured Slack workflows.
- Keeps infrastructure changes in Git, reviewable, auditable, and reversible.
- Reads live Terraform locals (the HCL source in the `jae-labs/terraform` repository, not the state file) to populate modals and validate input.
- Supports GitHub repositories, org settings, team membership, Cloudflare DNS, and Doppler projects.
- Uses nonce-protected multi-step Slack flows to avoid stale or duplicated submissions.
- Keeps the apply boundary outside the bot; it prepares code changes, not direct infra mutations.

## Quick Start

### Prerequisites

- Go `1.25+`
- Slack app credentials
- GitHub App credentials with access to the Terraform repository
- Doppler CLI if you use Doppler for local secret injection

### Required configuration

Required baseline config:

- `SLACK_BOT_TOKEN`
- `SLACK_REQUESTS_CHANNEL_ID`
- `GITHUB_APP_ID`
- `GITHUB_APP_INSTALLATION_ID`
- `GITHUB_APP_PRIVATE_KEY`
- `GITHUB_OWNER` -- owner of the Terraform repository the bot mutates
- `GITHUB_REPO` -- repository name of the Terraform repository, not this bot repo
- `SLACK_APP_TOKEN` for Socket Mode or `SLACK_SIGNING_SECRET` for HTTP mode
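
The three `GITHUB_APP_*` values are never sent to GitHub as a credential themselves. The bot signs a short-lived JWT with the private key, and GitHub exchanges that JWT for an installation token scoped to the installation, which is why no long-lived personal token is needed. The Go program below is an added illustration of the JWT half of that exchange using only the standard library; it is not code from conCIerge. The app ID `123456`, the throwaway key generated in `main`, and the function names are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
	"time"
)

// GitHub rejects App JWTs whose exp is more than 10 minutes ahead.
const maxJWTLifetime = 10 * time.Minute

// appClaims are the only claims GitHub requires in an App JWT.
type appClaims struct {
	Iss string `json:"iss"` // GITHUB_APP_ID
	Iat int64  `json:"iat"` // backdated a minute to absorb clock drift
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ParseAppPrivateKey decodes the PEM in GITHUB_APP_PRIVATE_KEY (PKCS#1, as GitHub issues it).
func ParseAppPrivateKey(pemText []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemText)
	if block == nil {
		return nil, errors.New("GITHUB_APP_PRIVATE_KEY contains no PEM block")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// MintAppJWT builds the RS256 JWT presented to
// POST /app/installations/{GITHUB_APP_INSTALLATION_ID}/access_tokens.
func MintAppJWT(appID string, key *rsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > maxJWTLifetime {
		ttl = maxJWTLifetime
	}
	payload, err := json.Marshal(appClaims{Iss: appID, Iat: now.Add(-time.Minute).Unix(), Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAppJWT applies the checks GitHub's API will, so a wrong key or a stale
// token fails locally instead of as a 401 from the installation-token endpoint.
func VerifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (appClaims, error) {
	var c appClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("JWT expired")
	}
	if c.Exp-now.Unix() > int64(maxJWTLifetime.Seconds()) {
		return c, errors.New("JWT exp more than 10 minutes ahead")
	}
	return c, nil
}

func main() {
	// Demo only: a throwaway key stands in for the real GITHUB_APP_PRIVATE_KEY.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	pemText := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	parsed, err := ParseAppPrivateKey(pemText)
	if err != nil {
		panic(err)
	}
	token, _ := MintAppJWT("123456", parsed, time.Now(), 9*time.Minute) // 123456 is a placeholder app ID
	claims, err := VerifyAppJWT(token, &parsed.PublicKey, time.Now())
	fmt.Println(claims, err)
}
```

The minted JWT goes in an `Authorization: Bearer` header on the installation-token request; the token GitHub returns is valid for one hour and carries only the permissions granted to the installation on the Terraform repository, so a leaked token ages out on its own. Keep the JWT lifetime short as well; there is no reason for it to outlive the single API call that consumes it.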

### Run locally

Use Doppler if that is your secret source:

```sh
doppler login
doppler setup
doppler run -- go run ./cmd/concierge
```

Live reload:

```sh
air
```

Build manually:

```sh
go build ./cmd/concierge
./concierge
```

Local development defaults to Slack Socket Mode. Production runs the same binary with `SLACK_MODE=http` behind nginx and exposes `GET /health` for uptime checks. In HTTP mode the Slack endpoints are reachable from the internet, and the `SLACK_SIGNING_SECRET` request-signature check is the only thing authenticating inbound requests, so it has to run on the raw request body before any payload is parsed; `/health` is the one route intended for unsigned probes.
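
Added example, not the project's code, of the signature check that authenticates HTTP-mode requests, with `/health` left open for uptime probes. The route `/slack/events`, the sample body and the `constructed-signing-secret` are assumptions; the scheme itself (HMAC-SHA256 over `v0:<timestamp>:<raw body>`, compared against `X-Slack-Signature`, with a five-minute replay window on `X-Slack-Request-Timestamp`) is Slack's documented one.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// Slack's documented replay window for X-Slack-Request-Timestamp.
const maxClockSkew = 5 * time.Minute

// SignSlackRequest computes the v0 signature Slack sends in X-Slack-Signature:
// HMAC-SHA256 over "v0:<timestamp>:<raw body>" keyed with the signing secret.
func SignSlackRequest(signingSecret string, timestamp int64, body []byte) string {
	mac := hmac.New(sha256.New, []byte(signingSecret))
	fmt.Fprintf(mac, "v0:%d:", timestamp)
	mac.Write(body)
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySlackSignature authenticates one inbound request. body must be the raw
// bytes as received; re-serialising a parsed payload changes the digest.
func VerifySlackSignature(signingSecret, tsHeader, sigHeader string, body []byte, now time.Time) error {
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return errors.New("missing or malformed X-Slack-Request-Timestamp")
	}
	if d := now.Sub(time.Unix(ts, 0)); d > maxClockSkew || d < -maxClockSkew {
		return errors.New("timestamp outside replay window") // replayed or badly skewed request
	}
	expected := SignSlackRequest(signingSecret, ts, body)
	if !hmac.Equal([]byte(expected), []byte(sigHeader)) { // constant-time; never compare with ==
		return errors.New("signature mismatch")
	}
	return nil
}

// RequireSlackSignature wraps a handler so verification runs before any payload parsing.
func RequireSlackSignature(signingSecret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // bound what we are willing to HMAC
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		err = VerifySlackSignature(signingSecret, r.Header.Get("X-Slack-Request-Timestamp"),
			r.Header.Get("X-Slack-Signature"), body, time.Now())
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the already-read body onward
		next.ServeHTTP(w, r)
	})
}

// NewMux mirrors the production layout: /health stays unauthenticated for uptime
// probes, the Slack callback route (assumed path) sits behind the signature check.
func NewMux(signingSecret string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })
	mux.Handle("/slack/events", RequireSlackSignature(signingSecret, http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("accepted")) })))
	return mux
}

func main() {
	const secret = "constructed-signing-secret" // stands in for SLACK_SIGNING_SECRET
	body := []byte(`payload=%7B%22type%22%3A%22view_submission%22%7D`) // constructed sample body
	ts := time.Now().Unix()
	req := httptest.NewRequest(http.MethodPost, "/slack/events", bytes.NewReader(body))
	req.Header.Set("X-Slack-Request-Timestamp", strconv.FormatInt(ts, 10))
	req.Header.Set("X-Slack-Signature", SignSlackRequest(secret, ts, body))
	rec := httptest.NewRecorder()
	NewMux(secret).ServeHTTP(rec, req)
	fmt.Println(rec.Code) // 200; alter one byte of the body or either header and it becomes 401
}
```

When nginx sits in front, make sure it passes the body through unmodified and does not rewrite or drop the two `X-Slack-*` headers; the HMAC is over the exact bytes Slack sent, so any proxy-side normalisation shows up as a signature mismatch.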

## What it manages

| Domain | Resource | Actions |
|---|---|---|
| GitHub | Repository | Add, Remove, Update |
| GitHub | Org Settings | Update |
| GitHub | Team Membership | Add to Team, Remove from Team, Change Role |
| Cloudflare | DNS Records | Add, Remove, Update |
| Doppler | Projects | Add, Remove, Update |

## Why this design

| Capability | Benefit |
|---|---|
| Slack-first request intake | Lowers friction for operators and requesters |
| Terraform PR generation | Preserves review, audit trail, and rollback path |
| HCL parse + render validation | Reduces malformed output risk |
| Thread-keyed in-memory state | Keeps multi-step flows isolated per request |
| Nonce-based callback protection | Rejects stale modal submissions safely |
| GitHub App auth | Avoids long-lived personal credentials |
| OpenTelemetry + Prometheus + Sentry hooks | Improves observability and incident triage |
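
One way to implement the thread-keyed state and nonce-based callback protection described in the list above and in this table, as an added Go example that is not conCIerge's own implementation. The thread key format `<channel_id>:<thread_ts>`, the ten-minute TTL and the two-step flow are assumptions; the point is that each step's nonce is single-use, so a modal submission delivered twice, an old modal after the flow was re-opened, or a submission after the TTL is rejected instead of being applied.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownFlow = errors.New("no flow in progress for this thread")
	ErrStaleNonce  = errors.New("nonce does not match the thread's current step")
	ErrExpired     = errors.New("flow expired before submission")
)

type flow struct {
	step      int
	nonce     string
	expiresAt time.Time
}

// FlowStore holds in-flight multi-step requests keyed by Slack thread
// ("<channel_id>:<thread_ts>", an assumed format), so concurrent requests never share state.
type FlowStore struct {
	mu    sync.Mutex
	ttl   time.Duration
	flows map[string]*flow
}

func NewFlowStore(ttl time.Duration) *FlowStore {
	return &FlowStore{ttl: ttl, flows: make(map[string]*flow)}
}

// newNonce draws 128 bits from crypto/rand: a forged private_metadata cannot guess a live value.
func newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Open starts (or restarts) the flow for a thread and returns the nonce to embed
// in the first modal's private_metadata. Re-opening invalidates any earlier modal.
func (s *FlowStore) Open(threadKey string, now time.Time) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	f := &flow{step: 1, nonce: newNonce(), expiresAt: now.Add(s.ttl)}
	s.flows[threadKey] = f
	return f.nonce
}

// Submit validates a view_submission against the thread's current step. A valid
// nonce is consumed: the next step gets a fresh one and the last step clears the
// flow, so a duplicated or stale callback is rejected rather than applied twice.
func (s *FlowStore) Submit(threadKey, nonce string, totalSteps int, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	f, ok := s.flows[threadKey]
	if !ok {
		return "", ErrUnknownFlow
	}
	if now.After(f.expiresAt) {
		delete(s.flows, threadKey)
		return "", ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(f.nonce), []byte(nonce)) != 1 {
		return "", ErrStaleNonce
	}
	if f.step >= totalSteps {
		delete(s.flows, threadKey) // final step: nothing left to protect
		return "", nil
	}
	f.step++
	f.nonce = newNonce()
	f.expiresAt = now.Add(s.ttl)
	return f.nonce, nil
}

func main() {
	s := NewFlowStore(10 * time.Minute)
	now := time.Now()
	key := "C0123456789:1700000000.000100" // constructed channel:thread_ts key
	n1 := s.Open(key, now)
	n2, err := s.Submit(key, n1, 2, now) // step 1 accepted; n2 protects step 2
	_, dup := s.Submit(key, n1, 2, now)  // the same callback delivered twice
	_, err2 := s.Submit(key, n2, 2, now) // step 2 accepted; flow cleared
	fmt.Println(n2 != "", err, errors.Is(dup, ErrStaleNonce), err2)
}
```

Two caveats follow from keeping this in memory. Expired entries here are removed only when a submission touches them, so a production store needs a periodic sweep or abandoned modals accumulate; and because the state lives in one process, running more than one replica behind nginx would need a shared store or sticky routing, or a second replica would answer every submission with `ErrUnknownFlow`.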

## CI and releases

| Workflow | Trigger | Behavior |
|---|---|---|
| `ci.yml` | Pushes to `main` and pull requests | Runs formatting, lint, tests, coverage upload, build checks, and security-oriented validation |
| `release.yml` | Pushes to `main` | Builds release artifacts, creates GitHub releases, builds and pushes the container image, and deploys production via the external Ansible repository |

Published release assets:

| Platform | Asset |
|---|---|
| Linux amd64 | `concierge-linux-amd64` |
| Linux arm64 | `concierge-linux-arm64` |
| macOS amd64 | `concierge-darwin-amd64` |
| macOS arm64 | `concierge-darwin-arm64` |

## Related repositories

| Repository | Purpose |
|---|---|
| [`jae-labs/terraform`](https://github.com/jae-labs/terraform) | Terraform source of truth edited by the bot |
| [`jae-labs/ansible`](https://github.com/jae-labs/ansible) | OCI host configuration and production deployment automation |

## Documentation

| Document | Description |
|---|---|
| [Architecture](docs/architecture.md) | Runtime design, package map, request lifecycle, env vars, IaC coupling |
| [Adding a Resource Type](docs/adding-a-resource-type.md) | Checklist for adding new Terraform-backed resources |
| [Validation Patterns](docs/validation-patterns.md) | Input validation rules and error handling patterns |
| [Modals and Blocks](docs/modals-and-blocks.md) | Block Kit conventions, modal builders, and flow structure |

## Test

```sh
go test ./...
```

## Contributing

See `AGENTS.md` and the docs in `docs/` before changing flow behavior, Terraform file paths, or modal structures. This project is tightly coupled to the external `jae-labs/terraform` repository, so a simplified README does not remove the constraints that coupling places on the implementation.

## License

See [LICENSE](LICENSE).