fix(cli-integ): add retry for iam eventual consistency issue and migration tests for java #788
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
abidhasan-aws
requested a deployment
to
integ-approval
GitHub Actions
Waiting
abidhasan-aws
changed the title
cdk migrate java & fetchDockerLoginCredential
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #788 +/- ##
==========================================
- Coverage 81.52% 80.83% -0.69%
==========================================
Files 63 63
Lines 8611 8611
Branches 1038 1032 -6
==========================================
- Hits 7020 6961 -59
- Misses 1561 1619 +58
- Partials 30 31 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
abidhasan-aws
changed the title
abidhasan-aws
changed the title
abidhasan-aws
changed the title
abidhasan-aws
changed the title
Abogical
approved these changes
Aug 13, 2025
| // Write the credentials back to stdout | ||
| fs.writeFileSync(1, JSON.stringify(credentials)); | ||
|
|
||
| const deadline = Date.now() + 60_000; // 60 seconds timeout |
There was a problem hiding this comment.
Didn't know you could have _ in numbers. nice!
kumvprat
reviewed
Aug 13, 2025
There was a problem hiding this comment.
Overall could we have a wrapper method : withBackoffRetry or something like that with a max retry /timeout parameter ?
This would allow us to wrap any such tests in that method and have a centralized place for all retry logic than per test
Could be in future that other tests might come up which need these retries
|
|
||
| // Retry on AccessDenied errors due to eventual consistency in AWS IAM. | ||
| // Newly created roles and policies may take time to propagate across regions. | ||
| if (e.name === 'AccessDenied') { |
There was a problem hiding this comment.
Would it be better to match with error type : Like class/interface type rather than the name ?
mrgrain
reviewed
Aug 13, 2025
There was a problem hiding this comment.
This seems like a very heave-handed approach to what appears to be mainly an issue with our internal integration tests (since I am not aware of customer reports).
In any case, this change needs to be a separate PR as it is Cx facing.
cc @rix0rrr
mrgrain
reviewed
Aug 13, 2025
| const deadline = Date.now() + 60_000; // 60 seconds timeout | ||
| let lastError: Error | undefined; | ||
|
|
||
| while (Date.now() < deadline) { |
There was a problem hiding this comment.
This probably can be implemented at the SDK level using retries:
https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-smithy-util-retry/
https://github.com/smithy-lang/smithy-typescript/blob/main/packages/types/src/retry.ts
abidhasan-aws
requested a deployment
to
integ-approval
GitHub Actions
Waiting
abidhasan-aws
force-pushed
the
fix-flaky-cli-integ-tests
branch
from
7b6b015 to
2b6c048
Compare
abidhasan-aws
requested a deployment
to
integ-approval
GitHub Actions
Waiting
abidhasan-aws
requested a deployment
to
integ-approval
GitHub Actions
Waiting
abidhasan-aws
requested a deployment
to
integ-approval
GitHub Actions
Waiting
Signed-off-by: github-actions <[email protected]>
aws-cdk-automation
requested a deployment
to
integ-approval
GitHub Actions
Waiting
abidhasan-aws
requested a deployment
to
integ-approval
GitHub Actions
Waiting
kumvprat
reviewed
Aug 14, 2025
| captureStderr: false, | ||
| let output: string = ''; | ||
|
|
||
| await retry(process.stdout, 'Getting docker credentials', retry.forSeconds(60), async () => { |
There was a problem hiding this comment.
Should this be retry or waitForAssumeRole or even retryOnMatchingErrors ?
There was a problem hiding this comment.
It should not be waitForAssumeRole.
We are retrying this because in this call, there is a credential fetching that needs a wait period for IAM eventual consistency. We could use retryOnMatchingErrors, but there is no clean way to catch error and retry based on that. The package just returns exited with code 1 in case of errors.
So we are retrying anyway and not based on errors, thus the generic retry.
There was a problem hiding this comment.
Final thought should we add a sleep time to retry function ? Is that something that can be used like the wait and retry we do in retryOnMatchingErrors ? Would that add any value ?
There was a problem hiding this comment.
It already has a sleep time of 5 seconds.
abidhasan-aws
temporarily deployed
to
integ-approval
GitHub Actions
Inactive
mrgrain
changed the title
mrgrain
changed the title
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
abidhasan-aws
temporarily deployed
to
run-tests
GitHub Actions
Inactive
iankhou
pushed a commit
that referenced
this pull request
Aug 21, 2025
…ation tests for java (#788) ### Background The CDK pipelines have been experiencing intermittent failures due to flaky tests that typically pass on retry. This pull request addresses the investigation of the two most frequent failing tests. <img width="1307" height="530" alt="image (1)" src="https://github.com/user-attachments/assets/c03da25a-6921-4358-8a12-81db8722d437" /> ### AWS IAM Eventual Consistency Issue Test: `docker-credential-cdk-assets can assume role and fetch ECR credentials` Issue: Docker credential fetching fails with AccessDenied errors because newly created IAM roles and policies require time to propagate across AWS regions. Fix: Implemented a 60-second retry mechanism for `fetchDockerLoginCredentials()` when encountering AccessDenied errors. ### CDK Migration Test Instability Test: `cdk migrate java deploys successfully` Issue: Java CDK migration tests fail sporadically due to Maven Central repository rate limiting errors & dependency resolution failure Fix: Implemented full test retry logic as these transient network-related issues could not be reproduced in local environments. ### Impact These changes should improve pipeline stability and reduce the need for manual intervention. --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license --------- Signed-off-by: github-actions <[email protected]> Co-authored-by: github-actions <[email protected]>
vivian12300
pushed a commit
to vivian12300/aws-cdk-cli
that referenced
this pull request
Aug 26, 2025
…ation tests for java (aws#788) ### Background The CDK pipelines have been experiencing intermittent failures due to flaky tests that typically pass on retry. This pull request addresses the investigation of the two most frequent failing tests. <img width="1307" height="530" alt="image (1)" src="https://github.com/user-attachments/assets/c03da25a-6921-4358-8a12-81db8722d437" /> ### AWS IAM Eventual Consistency Issue Test: `docker-credential-cdk-assets can assume role and fetch ECR credentials` Issue: Docker credential fetching fails with AccessDenied errors because newly created IAM roles and policies require time to propagate across AWS regions. Fix: Implemented a 60-second retry mechanism for `fetchDockerLoginCredentials()` when encountering AccessDenied errors. ### CDK Migration Test Instability Test: `cdk migrate java deploys successfully` Issue: Java CDK migration tests fail sporadically due to Maven Central repository rate limiting errors & dependency resolution failure Fix: Implemented full test retry logic as these transient network-related issues could not be reproduced in local environments. ### Impact These changes should improve pipeline stability and reduce the need for manual intervention. --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license --------- Signed-off-by: github-actions <[email protected]> Co-authored-by: github-actions <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
The CDK pipelines have been experiencing intermittent failures due to flaky tests that typically pass on retry. This pull request addresses the investigation of the two most frequent failing tests.
AWS IAM Eventual Consistency Issue
Test:
docker-credential-cdk-assets can assume role and fetch ECR credentialsIssue: Docker credential fetching fails with AccessDenied errors because newly created IAM roles and policies require time to propagate across AWS regions.
Fix: Implemented a 60-second retry mechanism for
fetchDockerLoginCredentials()when encountering AccessDenied errors.CDK Migration Test Instability
Test:
cdk migrate java deploys successfullyIssue: Java CDK migration tests fail sporadically due to Maven Central repository rate limiting errors & dependency resolution failure
Fix: Implemented full test retry logic as these transient network-related issues could not be reproduced in local environments.
Impact
These changes should improve pipeline stability and reduce the need for manual intervention.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license