README
¶
Slack-native GitOps for infrastructure changes across GitHub, Cloudflare, and Doppler.
conCIerge is a Go Slack bot that turns structured Slack requests into reviewed Terraform pull requests. Users request changes in Slack, the bot fetches live Terraform locals from the external jae-labs/terraform repository, validates intent, edits HCL, opens a PR, and posts the request summary back to #concierge.
It does not mutate production directly. The control point stays where it should: normal GitHub review, merge, and CI/CD in the Terraform repository.
Why conCIerge?
- Replaces ad hoc infrastructure requests with structured Slack workflows.
- Keeps infrastructure changes in Git, reviewable, auditable, and reversible.
- Reads live Terraform state from the
jae-labs/terraformrepository to populate modals and validate input. - Supports GitHub repositories, org settings, team membership, Cloudflare DNS, and Doppler projects.
- Uses nonce-protected multi-step Slack flows to avoid stale or duplicated submissions.
- Keeps the apply boundary outside the bot; it prepares code changes, not direct infra mutations.
Quick Start
Prerequisites
- Go
1.25+ - Slack app credentials
- GitHub App credentials with access to the Terraform repository
- Doppler CLI if you use Doppler for local secret injection
Required configuration
Required baseline config:
SLACK_BOT_TOKENSLACK_REQUESTS_CHANNEL_IDGITHUB_APP_IDGITHUB_APP_INSTALLATION_IDGITHUB_APP_PRIVATE_KEYGITHUB_OWNER-- owner of the Terraform repository the bot mutatesGITHUB_REPO-- repository name of the Terraform repository, not this bot repoSLACK_APP_TOKENfor Socket Mode orSLACK_SIGNING_SECRETfor HTTP mode
Run locally
Use Doppler if that is your secret source:
doppler login
doppler setup
lefthook install
doppler run -- go run ./cmd/concierge
Live reload:
air
Build manually:
go build ./cmd/concierge
./concierge
Local development defaults to Slack Socket Mode. Production runs the same binary with SLACK_MODE=http behind nginx and exposes GET /health for uptime checks.
What it manages
| Domain | Resource | Actions |
|---|---|---|
| GitHub | Repository | Add, Remove, Update |
| GitHub | Org Settings | Update |
| GitHub | Team Membership | Add to Team, Remove from Team, Change Role |
| Cloudflare | DNS Records | Add, Remove, Update |
| Doppler | Projects | Add, Remove, Update |
Why this design
| Capability | Benefit |
|---|---|
| Slack-first request intake | Lowers friction for operators and requesters |
| Terraform PR generation | Preserves review, audit trail, and rollback path |
| HCL parse + render validation | Reduces malformed output risk |
| Thread-keyed in-memory state | Keeps multi-step flows isolated per request |
| Nonce-based callback protection | Rejects stale modal submissions safely |
| GitHub App auth | Avoids long-lived personal credentials |
slog + OpenTelemetry + Sentry + Alloy |
Duplicates logs/traces intentionally while keeping app instrumentation mostly vendor-neutral |
Observability
Application code emits structured logs through slog and traces/metrics through OpenTelemetry. In production, logs flow to Grafana Alloy through the container logging path and into Loki, while the same application logs are mirrored to Sentry. Traces are exported to Alloy for Tempo and directly to Sentry. Metrics stay Grafana-native through Prometheus scrape plus optional OTLP metrics export into Alloy.
Relevant environment variables:
- defaults:
OTEL_EXPORTER_OTLP_ENDPOINT=127.0.0.1:4317OTEL_EXPORTER_OTLP_PROTOCOL=grpcOTEL_EXPORTER_OTLP_METRICS_ENDPOINTfalls back toOTEL_EXPORTER_OTLP_ENDPOINTOTEL_EXPORTER_OTLP_METRICS_PROTOCOLfalls back toOTEL_EXPORTER_OTLP_PROTOCOL
SERVICE_VERSIONOTEL_SERVICE_NAMEOTEL_ENVIRONMENTOTEL_EXPORTER_OTLP_ENDPOINTOTEL_EXPORTER_OTLP_PROTOCOLOTEL_EXPORTER_OTLP_METRICS_ENDPOINTOTEL_EXPORTER_OTLP_METRICS_PROTOCOLSENTRY_DSNSENTRY_ENVIRONMENTSENTRY_RELEASESENTRY_TRACES_SAMPLE_RATE
CI and releases
| Workflow | Trigger | Behavior |
|---|---|---|
ci.yml |
Pushes to main and pull requests |
Runs formatting, lint, tests, coverage upload, build checks, and security-oriented validation |
release.yml |
Pushes to main |
Builds release artifacts, creates GitHub releases, builds and pushes the container image, and deploys production via the external Ansible repository |
Published release assets:
| Platform | Asset |
|---|---|
| Linux amd64 | concierge-linux-amd64 |
| Linux arm64 | concierge-linux-arm64 |
| macOS amd64 | concierge-darwin-amd64 |
| macOS arm64 | concierge-darwin-arm64 |
Related repositories
| Repository | Purpose |
|---|---|
jae-labs/terraform |
Terraform source of truth edited by the bot |
jae-labs/ansible |
OCI host configuration and production deployment automation |
Documentation
| Document | Description |
|---|---|
| Architecture | Runtime design, package map, request lifecycle, env vars, IaC coupling |
| Adding a Resource Type | Checklist for adding new Terraform-backed resources |
| Validation Patterns | Input validation rules and error handling patterns |
| Modals and Blocks | Block Kit conventions, modal builders, and flow structure |
Test
go test ./...
Contributing
See AGENTS.md and the docs in docs/ before changing flow behavior, Terraform file paths, or modal structures. This project has hard coupling to the external jae-labs/terraform repository, so README-level simplification does not remove implementation constraints.
License
See LICENSE.
Documentation
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
concierge
command
|
|
|
internal
|
|
|
observability
Package observability initialises the OpenTelemetry tracer and meter providers, wires Sentry, and exposes a Prometheus-compatible /metrics endpoint for local Alloy scraping.
|
Package observability initialises the OpenTelemetry tracer and meter providers, wires Sentry, and exposes a Prometheus-compatible /metrics endpoint for local Alloy scraping. |