I built Taskly about a year ago. Standard MERN stack, ran on a $10/month VPS with PM2 and nginx. It worked fine. Nobody was complaining.
I migrated it to AWS serverless anyway. Partly to learn, partly because I was mass applying to DevOps roles and needed something real to talk about in interviews. "I deployed a hello world Lambda" doesn't cut it.
The app
Task management for small teams. Tasks, projects, teams, calendar, notifications, avatar uploads, productivity stats. About 15 API routes, 6 Mongoose models. React frontend with Context API nothing fancy but enough moving parts that the migration wasn't trivial.
Original stack: Express, session auth, MongoDB, Cloudinary, Resend for emails.
Where I ended up
Request flow: users hit CloudFront for the React app, WAF-filtered API Gateway for the backend. Lambda runs Express via serverless-express, talks to DocumentDB in a private VPC, pushes events to EventBridge, and queues emails through SQS to SES.
Network layer: VPC with public and private subnets across two AZs. Security groups restrict DocumentDB to Lambda only (port 27017). VPC endpoints for Secrets Manager. NAT gateway for outbound.
Deployment: GitHub Actions authenticates via OIDC (no stored keys), packages Lambda, does canary traffic shifting, monitors error rate, auto-rolls back if anything breaks.
VPC with private subnets. Security groups. NAT gateway. Secrets Manager. 12 Terraform modules, about 2000 lines of HCL. GitHub Actions CI/CD with OIDC auth and canary deployments.
Took about 3 weeks of evenings.
Sessions broke immediately
First thing. My Express app used express-session with a MongoDB store. Lambda spins up new instances per request. Sessions were just gone.
I ended up with dual mode auth. Sessions for local dev (easy to debug, familiar), Cognito JWT for production (stateless, works with Lambda). The middleware checks which environment it's running in:
if (process.env.COGNITO_USER_POOL_ID && process.env.COGNITO_CLIENT_ID) {
return validateCognitoToken(req, res, next);
} else {
return req.isAuthenticated() ? next() : res.status(401).json({...});
}
Not elegant. Works.
DocumentDB is almost MongoDB
95% compatible. The other 5% shows up at the worst times.
Some aggregation stages behave differently. The connection needs a TLS certificate bundle you have to download from AWS and ship with your Lambda zip. I only caught these because I tested against the actual cluster, not just local Mongo.
If I'd only tested locally, these would have been production bugs discovered at 2 am.
Terraform got out of hand fast
Started with one main.tf. Lasted a day.
Split into modules: vpc, lambda, iam, s3, documentdb, waf, ses, api-gateway, cloudfront, secrets, monitoring, disaster-recovery. State in S3 with DynamoDB locking.
The thing about Terraform: plan says "2 to add, 0 to destroy" and you feel safe. Then apply takes 15 minutes because NAT gateways are slow. And if it fails halfway, you get to learn about terraform state rm.
Security groups
The mental model that clicked:
- Lambda SG: egress all (needs DocumentDB, NAT, VPC endpoints)
- DocumentDB SG: ingress port 27017 from Lambda SG only
- VPC Endpoints SG: ingress port 443 from Lambda SG only
Three groups. Database unreachable from internet. Lambda can reach database. Done.
Canary deploys
The CI/CD pipeline packages the code, uploads to S3, publishes a new Lambda version, shifts 10% of traffic to it, waits 5 minutes watching CloudWatch error metrics, and either promotes to 100% or rolls back.
Saved me twice. Once from a missing env var, once from a dependency that worked locally but not in the Lambda runtime.
What I'd change
Skip the VPC for Lambda if possible. The ENI attachment adds cold start latency, and NAT gateways cost $32/month each. DocumentDB forces you into a VPC though, so I was stuck.
Write smaller Terraform modules. My IAM module has 8 policies in one file. Should be separate.
Set up CI/CD first, not last. I did manual deploys for weeks. Dumb.
Cost
- Old VPS: $10/month
- AWS serverless: ~$45/month (mostly NAT gateway and DocumentDB)
More expensive. But I actually understand VPCs, IAM, security groups, and Terraform now. That's worth more than $35/month to me.
Code
Infrastructure in infrastructure/, Lambda handler in backend/lambda/handler.js, CI/CD in .github/workflows/.
If you're doing something similar, start with VPC and DocumentDB. They take the longest to provision and have the most surprises. Get those working, then add Lambda and API Gateway on top.
