enable VPCSC dryrun mode #1209

Open
eeaton opened this issue Apr 29, 2024 · 0 comments
eeaton commented Apr 29, 2024

TL;DR

Enable VPCSC dryrun mode to mitigate issues with flaky failures in CI tests.

Expected behavior

Integration tests create a perimeter along with other resources, configure an access level exception to work with resources inside the perimeter, then eventually tear down the whole perimeter.

When done in the correct order and with the correct configurations, this should all work without errors.

Observed behavior

There is a high rate of flaky CI failures related to VPCSC errors.

VPCSC has a long propagation delay when modifying the perimeter. Even after a command to remove the perimeter, subsequent steps like destroy-networks have a high failure rate with the error SECURITY_POLICY_VIOLATED.

Terraform Configuration

n/a

Terraform Version

n/a

Additional information

Regardless of the immediate issue with CI pipelines, the change to VPCSC perimeter design was already planned for a more significant design overhaul in a later version. This change aligns to existing best practices and the future planned design work.

Enabling a VPCSC perimeter in a dryrun mode is the recommended best practice from product documentation and also matches the guidance in the Enterprise foundations blueprint concept guide for how to safely adopt VPCSC.

@eeaton eeaton added the bug Something isn't working label Apr 29, 2024
@eeaton eeaton added enhancement New feature or request backlog and removed bug Something isn't working labels May 23, 2024
@eeaton eeaton self-assigned this May 23, 2024
@eeaton eeaton removed the enhancement New feature or request label May 23, 2024
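
A dry-run-only perimeter of the kind this issue asks for, as an added Terraform sketch that is not the project's own code. The variable names, resource label and restricted services are hypothetical; the resource type and its `spec` / `use_explicit_dry_run_spec` arguments are those of the Google provider.

```hcl
# Hypothetical inputs, not taken from the project's modules.
variable "access_policy_id" {
  type = string
}

variable "project_number" {
  type = string
}

# Full name of an existing access level:
# accessPolicies/<policy id>/accessLevels/<level name>
variable "access_level_name" {
  type = string
}

resource "google_access_context_manager_service_perimeter" "dry_run_example" {
  parent         = "accessPolicies/${var.access_policy_id}"
  name           = "accessPolicies/${var.access_policy_id}/servicePerimeters/dry_run_example"
  title          = "dry_run_example"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  # Treat `spec` as the dry-run configuration even though no enforced
  # `status` block is defined on this perimeter.
  use_explicit_dry_run_spec = true

  # Dry-run configuration: requests that would violate it are logged,
  # not denied, so a slow perimeter teardown cannot fail later steps.
  spec {
    resources           = ["projects/${var.project_number}"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    access_levels       = [var.access_level_name]
  }

  # No `status` block: nothing is enforced. Once the logged dry-run
  # violations have been reviewed, the same settings can be moved into
  # `status` to enforce the perimeter.
}
```

Because a dry-run perimeter blocks nothing, it provides no data-exfiltration control until the configuration is promoted to `status`.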