Fix: Race between layer and Lambda update (#5927)

[dsotirho-ucsc]

Linked issues: #5927

Checklist

Author

• PR is assigned to the author
• PR is a draft
• Target branch is develop
• Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
• PR is linked to all issues it (partially) resolves
• PR description links to connected issues
• PR title matches¹ that of a linked issue _{or comment in PR explains why they're different}
• PR title references all linked issues
• For each linked issue, there is at least one commit whose title references that issue

¹ when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (partiality)

• Added p tag to titles of partial commits
• This PR is labeled partial _{or completely resolves all linked issues}
• This PR partially resolves each of the linked issues _{or does not have the partial label}

Author (reindex)

• Added r tag to commit title _{or the changes introduced by this PR will not require reindexing of any deployment}
• This PR is labeled reindex:dev _{or the changes introduced by it will not require reindexing of dev}
• This PR is labeled reindex:anvildev _{or the changes introduced by it will not require reindexing of anvildev}
• This PR is labeled reindex:anvilprod _{or the changes introduced by it will not require reindexing of anvilprod}
• This PR is labeled reindex:prod _{or the changes introduced by it will not require reindexing of prod}
• This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod _{or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod}

Author (API changes)

• This PR and its linked issues are labeled API _{or this PR does not modify a REST API}
• Added a (A) tag to commit title for backwards (in)compatible changes _{or this PR does not modify a REST API}
• Updated REST API version number in app.py _{or this PR does not modify a REST API}

Author (upgrading deployments)

• Ran make docker_images.json and committed the resulting changes _{or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable}
• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading deployments}
• Added u tag to commit title _{or this PR does not require upgrading deployments}
• This PR is labeled upgrade _{or does not require upgrading deployments}
• This PR is labeled deploy:shared _{or does not modify docker_images.json, and does not require deploying the shared component for any other reason}
• This PR is labeled deploy:gitlab _{or does not require deploying the gitlab component}
• This PR is labeled deploy:runner _{or does not require deploying the runner image}

Author (hotfixes)

• Added F tag to main commit title _{or this PR does not include permanent fix for a temporary hotfix}
• Reverted the temporary hotfixes for any linked issues _{or the none of the stable branches (anvilprod and prod) have temporary hotfixes for any of the issues linked to this PR}

Author (before every review)

• Rebased PR branch on develop, squashed fixups from prior reviews
• Ran make requirements_update _{or this PR does not modify requirements*.txt, common.mk, Makefile, Dockerfile or environment.boot}
• Added R tag to commit title _{or this PR does not modify requirements*.txt}
• This PR is labeled reqs _{or does not modify requirements*.txt}
• make integration_test passes in personal deployment _{or this PR does not modify functionality that could affect the IT outcome}
• PR is awaiting requested review from a peer
• Status of PR is Review requested
• PR is assigned to only the peer

Peer reviewer (after approval)

Note that when requesting changes, the PR must be assigned back to the author.

• Actually approved the PR
• PR is not a draft
• PR is awaiting requested review from system administrator
• Status of PR is Review requested
• PR is assigned to only the system administrator

System administrator (after approval)

• Actually approved the PR
• Labeled linked issues as demo or no demo
• Commented on linked issues about demo expectations _{or all linked issues are labeled no demo}
• Decided if PR can be labeled no sandbox
• A comment to this PR details the completed security design review
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Status of PR is Approved
• PR is assigned to only the operator

Operator

• Checked reindex:… labels and r commit title tag
• Checked that demo expectations are clear _{or all linked issues are labeled no demo}
• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub

Operator (deploy .shared and .gitlab components)

• Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Checked the items in the next section _{or this PR is labeled deploy:gitlab}
• PR is assigned to only the system administrator _{or this PR is not labeled deploy:gitlab}

System administrator (post-deploy of .gitlab component)

• Background migrations for dev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• Background migrations for anvildev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• PR is assigned to only the operator

Operator (deploy runner image)

• Ran _select dev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Ran _select anvildev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}

Operator (sandbox build)

• Added sandbox label _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab dev _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes in sandbox deployment _{or PR is labeled no sandbox}
• Build passes in anvilbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in sandbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in anvilbox deployment _{or PR is labeled no sandbox}
• Deleted unreferenced indices in sandbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in dev}
• Deleted unreferenced indices in anvilbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in anvildev}
• Started reindex in sandbox _{or this PR is not labeled reindex:dev}
• Started reindex in anvilbox _{or this PR is not labeled reindex:anvildev}
• Checked for failures in sandbox _{or this PR is not labeled reindex:dev}
• Checked for failures in anvilbox _{or this PR is not labeled reindex:anvildev}

Operator (merge the branch)

• All status checks passed and the PR is mergeable
• The title of the merge commit starts with the title of this PR
• Added PR # reference to merge commit title
• Collected commit title tags in merge commit title _{but only included p if the PR is also labeled partial}
• Pushed merge commit to GitHub
• Status of PR is Merged lower
• Status of blocked issues is Triage _{or no issues are blocked on the linked issues}

Operator (main build)

• Pushed merge commit to GitLab dev
• Pushed merge commit to GitLab anvildev
• Build passes on GitLab dev
• Reviewed build logs for anomalies on GitLab dev
• Build passes on GitLab anvildev
• Reviewed build logs for anomalies on GitLab anvildev
• Ran _select dev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Deleted PR branch from GitHub
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev
• Status of linked issues is Lower

Operator (reindex)

• Deindexed all unreferenced catalogs in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed all unreferenced catalogs in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Deindexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Indexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Indexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Started reindex in dev _{or this PR does not require reindexing dev}
• Started reindex in anvildev _{or this PR does not require reindexing anvildev}
• Checked for, triaged and possibly requeued messages in both fail queues in dev _{or this PR does not require reindexing dev}
• Checked for, triaged and possibly requeued messages in both fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Emptied fail queues in dev _{or this PR does not require reindexing dev}
• Emptied fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Restarted the Data Browser pipeline for the ucsc/hca/dev branch on GitLab in dev _{or this PR does not require reindexing dev}
• Restarted the Data Browser pipeline for the ucsc/lungmap/dev branch on GitLab in dev _{or this PR does not require reindexing dev}
• Restarted deploy_browser job in the GitLab pipeline for this PR in dev _{or this PR does not require reindexing dev}
• Restarted the Data Browser pipeline for the ucsc/anvil/anvildev branch on GitLab in anvildev _{or this PR does not require reindexing anvildev}
• Restarted deploy_browser job in the GitLab pipeline for this PR in anvildev _{or this PR does not require reindexing anvildev}

Operator (mirroring)

• Started mirroring in dev _{or this PR does not require mirroring dev}
• Started mirroring in anvildev _{or this PR does not require mirroring anvildev}
• Checked for, triaged and possibly requeued messages in mirror fail queue in dev _{or this PR does not require mirroring dev}
• Checked for, triaged and possibly requeued messages in mirror fail queue in anvildev _{or this PR does not require mirroring anvildev}
• Emptied mirror fail queue in dev _{or this PR does not require mirroring dev}
• Emptied mirror fail queue in anvildev _{or this PR does not require mirroring anvildev}

Operator

• Propagated the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels to the next promotion PRs _{or this PR carries none of these labels}
• Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels, from the description of this PR to that of the next promotion PRs _{or this PR carries none of these labels}
• PR is assigned to no one

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[codecov]

Codecov Report

❌ Patch coverage is 22.05882% with 53 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.26%. Comparing base (6c0ff8d) to head (134898b).

Files with missing lines	Patch %	Lines
src/azul/terraform.py	18.75%	26 Missing ⚠️
src/azul/chalice.py	26.08%	17 Missing ⚠️
src/azul/lambdas.py	12.50%	7 Missing ⚠️
src/azul/queues.py	25.00%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #7436      +/-   ##
===========================================
- Coverage    85.36%   85.26%   -0.10%     
===========================================
  Files          156      156              
  Lines        22484    22517      +33     
===========================================
+ Hits         19193    19200       +7     
- Misses        3291     3317      +26     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coveralls]

coverage: 85.485% (-0.09%) from 85.578%
when pulling 134898b on issues/dsotirho-ucsc/5927-layer-and-lambda-race-2
into 6c0ff8d on develop.

[dsotirho-ucsc]

Reran reproduction steps #5927 (comment)

• Deployed PR branch (TF plan lambda-alias-1-tf-plan.txt)
• Ran IT (7436_IT_2025-05-06.txt)
• Applied patch 1 (with ua_parser reqirement) (TF plan lambda-alias-2-patch1-plan.txt)
  • Deploy caused a window of 65 seconds when requests to /index/summary returned 403 responses {message: "Forbidden"}. All requests outside this window were successful.
• Removed patch 1 and applied patch 2 (without ua_parser requirement) (TF plan: lambda-alias-3-patch2-plan.txt)
  • Deploy caused a window of 4 seconds when requests to /index/test were slow (~3 seconds response time). All requests inside and outside this window were successful.
• Removed patch 2 (TF plan: lambda-alias-4-remove-patch-plan.txt)
  • Deploy caused a window of 50 seconds when requests to /index/summary returned 403 responses {message: "Forbidden"}. All requests outside this window were successful.

[achave11-ucsc]

Looks good in general.

Is there a reason behind the fixup! commit? I personally have mix feelings about comments, but if you must use them, you should be as direct and brief as possible to keep it lean. Try to reevaluate your comments and see if they truly add necessary meaning/context in their placement, and if so to ensure they are as informative as they are concise.

[achave11-ucsc]

Suggested change

	# Concurrency settings apply to the function as a whole,
	# including all published versions and the unpublished
	# version
	# Concurrency settings apply to the function as a whole,
	# including all published versions and unpublished

Or try to minimize the lines, make the comment as concise possible.

[dsotirho-ucsc]

I originally thought the comments would be useful to explain why we specify the Lambda alias in some boto3 calls (e.g. list_event_source_mappings) and not others (e.g. put_function_concurrency), but I agree it's a bit redundant since it's available from boto3's documentation. I will remove.

[achave11-ucsc]

Suggested change

	# You can’t modify the configuration of a published version,
	# only the unpublished version
	# Configuration modifications allowed only to unpublished version

[dsotirho-ucsc]

Is there a reason behind the fixup! commit?

The fixup commit was from development, and separated the original design which referenced function versions by the version number, with the fixup commit that implemented function aliases. Now that the alias approach appears viable I've merged the commits.

[dsotirho-ucsc]

7436_IT_2025-10-07.txt

[hannes-ucsc]

If the versions are ordered, I'd prefer to delete only versions prior to the specified version.

[hannes-ucsc]

This is needlessly touched by two commits.

[hannes-ucsc]

PL, please.

[dsotirho-ucsc]

Suggested change

	# Note that this method returns the unpublished version ("$LATEST") of
	# Note that this method returns the $LATEST version which is what Amazon calls the "unpublished version".

[dsotirho-ucsc]

Suggested change

	Delete all published versions of a Lambda function except for the
	Delete all versions of a Lambda function prior to the specified one.

[dsotirho-ucsc]

Suggested change

	if function['Version'] != '$LATEST' # unpublished version
	if function['Version'] != '$LATEST' # The so-called "unpublished" version

[dsotirho-ucsc]

Suggested change

# Script deletes any published version *except* the specified one

[dsotirho-ucsc]

Suggested change

	f'{config.project_root}/scripts/delete_other_function_versions.py',
	f'{config.project_root}/scripts/delete_older_function_versions.py',

[dsotirho-ucsc]

7436_IT_2025-10-24.txt

[hannes-ucsc]

You seem to have missed a bunch of earlier comments.

[hannes-ucsc]

Suggested change

	and int(function['Version']) <= int(keep_version)
	and int(function['Version']) = int(keep_version)

[hannes-ucsc]

Suggested change

	try:
	versions.remove(keep_version)
	except ValueError:
	assert False, R(
	'Function version not found',
	function_name, keep_version, versions)

I don't see the point of this.

[hannes-ucsc]

Suggested change

	keep_version: str) -> None:
	keep_version: int) -> None:

Always convert to the canonical representation as soon as possible, at the perimeter of the system/module/program.

[dsotirho-ucsc]

7436_IT_2025-10-27.txt

[hannes-ucsc]

Suggested change

	e.g. 'azul-service-dev'
	e.g. 'azul-service-dev'

[hannes-ucsc]

Suggested change

	self.metric_alarm(metric=metric,
	threshold=0,
	period=5 * 60)
	self.metric_alarm(metric=metric, threshold=0, period=5 * 60)

[hannes-ucsc]

Suggested change

	help='The Lambda function version to keep')
	help='The Lambda function version to keep. Must be an integer')

[hannes-ucsc]

New scripts and modules should be covered by mypy.

[hannes-ucsc]

Suggested change

	function_name: str,
	function: str,

[hannes-ucsc]

This looks like a refactoring, not needed by nor directly related to the other changes of the commit it is in.

[dsotirho-ucsc]

Reverted the refactoring, however note that I removed FunctionVersion='ALL' since keeping it would cause the list_functions operation to return multiple versions of each function (e.g. $LATEST and 23), which would then cause manage_lambda to attempt to enable or disable each function more than once.

[hannes-ucsc]

This …

[hannes-ucsc]

… and this are coupled in very brittle way.