Skip to content

fix: resolve Service Catalog portfolio sharing race condition #914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jtaylortech wants to merge 1 commit into
base: release/v1.13.1
Choose a base branch
from
Open

fix: resolve Service Catalog portfolio sharing race condition #914

jtaylortech wants to merge 1 commit into from

Conversation

@jtaylortech
Copy link

@jtaylortech jtaylortech commented Oct 14, 2025
edited
Loading

Issue, #601

This PR fixes the InvalidStateException errors that occur when sharing Service Catalog portfolios with multiple organizational units.

Problem:
The existing implementation uses a random delay to prevent concurrent portfolio share operations, which is unreliable and still results in failures when multiple OUs are targeted. When failures occur, the lambda returns SUCCESS to CloudFormation despite the error, causing silent failures.

Solution:
This PR implements two complementary approaches as suggested in the issue:

  1. Sequential Processing via CDK Dependencies:

    • Modified share-portfolio-with-org.ts to add CloudFormation dependencies between portfolio share resources
    • Ensures portfolio shares are created one at a time, preventing concurrent operations
    • This is the primary fix that prevents the race condition at the orchestration level

  2. Retry Logic for InvalidStateException:

    • Added exponential backoff retry mechanism (up to 5 attempts) in createPortfolioShare(), updatePortfolioShare(), and deletePortfolioShare() functions
    • Specifically catches InvalidStateException and retries with increasing delays (2s, 4s, 8s, 10s, 10s)
    • Provides resilience if race conditions still occur despite sequential processing
    • Maintains existing error handling for other exception types

Changes:

  • share-portfolio-with-org.ts: Added resource dependencies to enforce sequential creation
  • share-portfolio-with-org/index.ts:
    • Removed unreliable random delay
    • Added retry logic with exponential backoff for InvalidStateException
    • Improved error messages for debugging

Testing:

  • Code compiles without TypeScript errors
  • Maintains backward compatibility
  • Error handling paths are preserved

Benefits:

  • Eliminates race condition failures when sharing with multiple OUs
  • More reliable than random delays
  • Better observability with retry attempt logging
  • No need to manually deploy customizations stack multiple times

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@jtaylortech
fix: resolve Service Catalog portfolio sharing race condition
314d95f 
Fix InvalidStateException errors when sharing portfolios with multiple
organizational units by implementing two complementary solutions:

1. Sequential Processing: Add CDK resource dependencies to ensure
   portfolio shares are created one at a time, preventing concurrent
   operations that trigger InvalidStateException.

2. Retry Logic: Implement exponential backoff retry mechanism for
   InvalidStateException in create/update/delete operations, providing
   resilience if race conditions still occur.

These changes replace the unreliable random delay approach with proper
error handling and resource orchestration, ensuring portfolio shares
are created reliably even when targeting multiple OUs.

Fixes awslabs#601
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jtaylortech