terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

enable VPCSC dryrun mode #1209

Closed eeaton closed 2 months ago

eeaton commented 5 months ago

TL;DR

Enable VPCSC dryrun mode to mitigate issues with flaky failures in CI tests.

Expected behavior

Integration tests create a perimeter along with other resources, configure an access level exception to work with resources inside the perimeter, then eventually tear down the whole perimeter.

When done in the correct order and with the correct configurations, this should all work without errors.

Observed behavior

There is a high rate of flaky CI failures related to VPCSC errors.

VPCSC has a long propagation delay when modifying the perimeter. Even after a command to remove the perimeter, subsequent steps like destroy-networks have a high failure rate with the error SECURITY_POLICY_VIOLATED.

Terraform Configuration

n/a

Terraform Version

n/a

Additional information

Regardless of the immediate issue with CI pipelines, the change to VPCSC perimeter design was already planned for a more significant design overhaul in a later version. This change aligns with existing best practices and the future planned design work.

Enabling a VPCSC perimeter in a dryrun mode is the recommended best practice from product documentation and also matches the guidance in the Enterprise foundations blueprint concept guide for how to safely adopt VPCSC.
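For readers unfamiliar with what "dry-run mode" means in Terraform terms, the following is an added illustration, not code from the terraform-example-foundation repository or from PR 1210. It declares a VPC Service Controls perimeter using the google provider's `google_access_context_manager_service_perimeter` resource with `use_explicit_dry_run_spec = true` and only a `spec` block (no `status` block), so the perimeter is evaluated and logged but not enforced. The policy ID, project number, access level name and CIDR are placeholders.

```hcl
# Added example: a VPC Service Controls perimeter in dry-run mode.
# Not the project's own code; all identifiers below are placeholders.

variable "policy_id" {
  description = "Access Context Manager policy ID (placeholder value)"
  type        = string
  default     = "000000000000"
}

# Access level that exempts the CI runner so it can reach resources inside
# the perimeter. The CIDR is a constructed placeholder, not a real range.
resource "google_access_context_manager_access_level" "ci_runner" {
  parent = "accessPolicies/${var.policy_id}"
  name   = "accessPolicies/${var.policy_id}/accessLevels/ci_runner"
  title  = "ci_runner"

  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]
    }
  }
}

resource "google_access_context_manager_service_perimeter" "regular" {
  parent = "accessPolicies/${var.policy_id}"
  name   = "accessPolicies/${var.policy_id}/servicePerimeters/regular_perimeter"
  title  = "regular_perimeter"

  # Dry-run mode: with this flag set and no `status` block, the configuration
  # in `spec` is only evaluated. Requests that would violate it are recorded in
  # audit logs instead of being rejected with SECURITY_POLICY_VIOLATED, and
  # removing the perimeter cannot leave a lingering enforced policy behind.
  use_explicit_dry_run_spec = true

  spec {
    # Placeholder project number for the project being protected.
    resources = ["projects/111111111111"]

    restricted_services = [
      "storage.googleapis.com",
      "bigquery.googleapis.com",
    ]

    access_levels = [
      google_access_context_manager_access_level.ci_runner.name,
    ]
  }
}
```

Promoting the perimeter to enforced mode later means copying the reviewed `spec` contents into a `status` block once the dry-run audit logs show no unexpected violations; until then the perimeter's propagation delay only affects what is logged, not whether subsequent pipeline steps succeed.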

eeaton commented 2 months ago

Addressed by PR 1210