Change ServicePerimeterResource to use a policy level mutex lock #12725
Conversation
|
Feel free to review, but please hold off on merging. I'll have an ACM team member review as well. Thanks! |
|
Hello! I am a robot. Tests will require approval from a repository maintainer to run. @SirGitsalot, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look. You can help make sure that review is quick by doing a self-review and by running impacted tests locally. |
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are.
|
1 similar comment
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are.
|
Tests analyticsTotal tests: 3 Click here to see the affected service packages
🟢 All tests passed! View the build log |
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are.
|
Tests analyticsTotal tests: 3 Click here to see the affected service packages
🟢 All tests passed! View the build log |
Tests analyticsTotal tests: 3 Click here to see the affected service packages
🟢 All tests passed! View the build log |
This is a prerequisite for an upcoming PR for adding etags to ServicePerimeterResource.
Why change the mutex lock?
Multiple service perimeters can exist within the same policy and the policy is really the core entity. So, etags are logically at the policy level and this means all perimeters within the same policy will have the same etag. Without this change, if two update requests with etags were sent from Terraform to change different perimeters in the same policy around the same time (a few seconds) the second request would be rejected. While it's queueing, the valid etag for the policy would change so the etag in its request body would no longer work. This change makes it so the second request would only start processing (and fetch a valid etag) after no other update requests for the entire policy are in progress.
What's the impact of this change?
ServicePerimeterResourcepreviously and they were all in the same perimeter, they would have been processed sequentially anyway since they would have the share a mutex lock on the same perimeter.ServicePerimeterResourcepreviously and they were in different perimeters, then the API calls to update them would still be processed serially to ensure data integrity. Ie a second update request would queue until the first finished anyway. So, with this change we're just saying don't even try the requests yet since they'd be queued by the server anyway.Terraform API changes
access_policy_idproperty. It may be visible in plan output but I doubt it will cause confusion. If there's a way to have a completely internal property, please let me know.Testing
Warning
I'll also make similar changes to all other ACM resource types, but I thought it would be good to start with just this to ensure the pattern is fine. To reduce risk, I think we should change all of the mutex locks to policy in the same TF release so please hold off on merging this PR until the other PR is ready as well. Thanks!
Release Note Template for Downstream PRs (will be copied)
See Write release notes for guidance.