overmindtech · tphoney · Apr 16, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/assets/view_in_overmind-dark.png b/assets/view_in_overmind-dark.png
diff --git a/assets/view_in_overmind-light.png b/assets/view_in_overmind-light.png
diff --git a/aws-source/build/package/Dockerfile b/aws-source/build/package/Dockerfile
@@ -1,5 +1,5 @@
 # Build the source binary
-FROM golang:1.26-alpine AS builder
+FROM golang:1.26.2-alpine3.23 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ARG BUILD_VERSION

diff --git a/aws-source/module/provider/.github/workflows/release.yml b/aws-source/module/provider/.github/workflows/release.yml
@@ -18,10 +18,10 @@ jobs:
           fetch-depth: 0
 
       - name: Install 1Password CLI
-        uses: 1password/install-cli-action@v2
+        uses: 1password/install-cli-action@v3.0.0
 
       - name: Load GPG secrets from 1Password
-        uses: 1password/load-secrets-action@v3
+        uses: 1password/load-secrets-action@v4.0.0
         with:
           export-env: true
         env:

diff --git a/aws-source/proc/proc.go b/aws-source/proc/proc.go
@@ -46,6 +46,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/viper"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
 )
 
 // This package contains a few functions needed by the CLI to load this in-proc.
@@ -82,20 +84,23 @@ func ConfigFromViper() ([]aws.Config, error) {
 	return CreateAWSConfigs(authConfig)
 }
 
-// isOptInRegionError checks if an error indicates an opt-in region that is not enabled.
-// This typically occurs when trying to authenticate with IRSA in a region that hasn't
-// been enabled in the AWS account. These errors should not cause source initialization
-// to fail - the region should simply be skipped.
+// isTimeoutError checks if an error is a context deadline exceeded.
+// A single unresponsive region (e.g. me-south-1 being decommissioned) must
+// not take down the whole source — see ENG-3665.
+func isTimeoutError(err error) bool {
+	return err != nil && errors.Is(err, context.DeadlineExceeded)
+}
+
+// isOptInRegionError checks if an error indicates an opt-in region that is not
+// enabled in the AWS account (InvalidIdentityToken + OIDC).
 func isOptInRegionError(err error) bool {
 	if err == nil {
 		return false
 	}
 
-	// Check for the InvalidIdentityToken error code from STS AssumeRoleWithWebIdentity
 	var apiErr smithy.APIError
 	if errors.As(err, &apiErr) {
 		if apiErr.ErrorCode() == "InvalidIdentityToken" {
-			// Additional validation: check if it's specifically about OIDC provider
 			errMsg := err.Error()
 			if strings.Contains(errMsg, "No OpenIDConnect provider found") {
 				return true
@@ -106,13 +111,22 @@ func isOptInRegionError(err error) bool {
 	return false
 }
 
+// isSkippableRegionError checks if an error indicates a region that cannot be
+// reached and should be skipped rather than failing the entire source.
+func isSkippableRegionError(err error) bool {
+	return isTimeoutError(err) || isOptInRegionError(err)
+}
+
 // wrapRegionError wraps misleading AWS errors with more helpful context
 func wrapRegionError(err error, region string) error {
 	if err == nil {
 		return nil
 	}
 
-	// Check for opt-in region errors and provide helpful context
+	if isTimeoutError(err) {
+		return fmt.Errorf("%w. Region '%s' is unreachable (timeout); it may be decommissioned or experiencing an outage", err, region)
+	}
+
 	if isOptInRegionError(err) {
 		return fmt.Errorf("%w. This error often occurs when region '%s' is not enabled in the target AWS account", err, region)
 	}
@@ -322,18 +336,32 @@ func InitializeAwsSourceAdapters(ctx context.Context, e *discovery.Engine, confi
 					"region": cfg.Region,
 				}
 
-				// Check if this is an opt-in region error
-				if isOptInRegionError(err) {
-					// This region is not enabled in the account - skip it but don't fail
+				// Check if this is a skippable region error (timeout or opt-in)
+				if isSkippableRegionError(err) {
 					wrappedErr := wrapRegionError(err, cfg.Region)
 					skippedRegionsMu.Lock()
 					skippedRegions = append(skippedRegions, skippedRegion{
 						region: cfg.Region,
 						err:    wrappedErr,
 					})
 					skippedRegionsMu.Unlock()
-					log.WithError(wrappedErr).WithFields(lf).Warn("Skipping region - not enabled in account")
-					return nil // Don't fail the pool for opt-in regions
+
+					reason := "opt-in region not enabled"
+					if isTimeoutError(err) {
+						reason = "timeout"
+						log.WithError(wrappedErr).WithFields(lf).Warn("Skipping region - unreachable (timeout)")
+					} else {
+						log.WithError(wrappedErr).WithFields(lf).Warn("Skipping region - not enabled in account")
+					}
+
+					span := trace.SpanFromContext(ctx)
+					span.AddEvent("ovm.adapter.regionSkipped", trace.WithAttributes(
+						attribute.String("ovm.adapter.region", cfg.Region),
+						attribute.String("ovm.adapter.skipReason", reason),
+						attribute.String("ovm.adapter.error", wrappedErr.Error()),
+					))
+
+					return nil // Don't fail the pool for skippable regions
 				}
 
 				// Wrap misleading OIDC errors with helpful region enablement context
@@ -645,7 +673,7 @@ func InitializeAwsSourceAdapters(ctx context.Context, e *discovery.Engine, confi
 		log.WithFields(log.Fields{
 			"skipped_regions": skippedRegionNames,
 			"count":           len(skippedRegions),
-		}).Warn("Some regions were skipped because they are not enabled in the AWS account. The source will operate normally with the remaining regions.")
+		}).Warn("Some regions were skipped because they are unreachable or not enabled in the AWS account. The source will operate normally with the remaining regions.")
 	}
 
 	log.Debug("Sources initialized")

diff --git a/aws-source/proc/proc_test.go b/aws-source/proc/proc_test.go
@@ -176,6 +176,16 @@ func TestIsOptInRegionError(t *testing.T) {
 			err:            errors.New("No OpenIDConnect provider found"),
 			expectedResult: false,
 		},
+		{
+			name:           "context.DeadlineExceeded returns false",
+			err:            context.DeadlineExceeded,
+			expectedResult: false,
+		},
+		{
+			name:           "context.Canceled returns false",
+			err:            context.Canceled,
+			expectedResult: false,
+		},
 	}
 
 	for _, tt := range tests {
@@ -188,6 +198,105 @@ func TestIsOptInRegionError(t *testing.T) {
 	}
 }
 
+func TestIsTimeoutError(t *testing.T) {
+	tests := []struct {
+		name           string
+		err            error
+		expectedResult bool
+	}{
+		{
+			name:           "nil error returns false",
+			err:            nil,
+			expectedResult: false,
+		},
+		{
+			name:           "context.DeadlineExceeded returns true",
+			err:            context.DeadlineExceeded,
+			expectedResult: true,
+		},
+		{
+			name:           "wrapped context.DeadlineExceeded returns true",
+			err:            fmt.Errorf("operation error STS: GetCallerIdentity: %w", context.DeadlineExceeded),
+			expectedResult: true,
+		},
+		{
+			name:           "context.Canceled returns false",
+			err:            context.Canceled,
+			expectedResult: false,
+		},
+		{
+			name:           "wrapped context.Canceled returns false",
+			err:            fmt.Errorf("operation error STS: GetCallerIdentity: %w", context.Canceled),
+			expectedResult: false,
+		},
+		{
+			name:           "non-timeout error returns false",
+			err:            errors.New("some random error"),
+			expectedResult: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := isTimeoutError(tt.err)
+			if result != tt.expectedResult {
+				t.Errorf("isTimeoutError() = %v, want %v for error: %v", result, tt.expectedResult, tt.err)
+			}
+		})
+	}
+}
+
+func TestIsSkippableRegionError(t *testing.T) {
+	tests := []struct {
+		name           string
+		err            error
+		expectedResult bool
+	}{
+		{
+			name:           "nil error returns false",
+			err:            nil,
+			expectedResult: false,
+		},
+		{
+			name:           "context.DeadlineExceeded returns true (ENG-3665)",
+			err:            context.DeadlineExceeded,
+			expectedResult: true,
+		},
+		{
+			name:           "wrapped context.DeadlineExceeded returns true (ENG-3665)",
+			err:            fmt.Errorf("operation error STS: GetCallerIdentity: %w", context.DeadlineExceeded),
+			expectedResult: true,
+		},
+		{
+			name:           "context.Canceled returns false (parent cancellation, not region timeout)",
+			err:            context.Canceled,
+			expectedResult: false,
+		},
+		{
+			name: "opt-in region error returns true",
+			err: &mockAPIError{
+				code:    "InvalidIdentityToken",
+				message: "No OpenIDConnect provider found in your account",
+			},
+			expectedResult: true,
+		},
+		{
+			name:           "non-skippable error returns false",
+			err:            errors.New("some random error"),
+			expectedResult: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := isSkippableRegionError(tt.err)
+			if result != tt.expectedResult {
+				t.Errorf("isSkippableRegionError() = %v, want %v for error: %v", result, tt.expectedResult, tt.err)
+			}
+		})
+	}
+}
+
 func TestWrapRegionError(t *testing.T) {
 	tests := []struct {
 		name         string
@@ -240,6 +349,27 @@ func TestWrapRegionError(t *testing.T) {
 			shouldWrap:   false,
 			expectedText: "",
 		},
+		{
+			name:         "timeout error gets timeout-specific message",
+			err:          context.DeadlineExceeded,
+			region:       "me-south-1",
+			shouldWrap:   true,
+			expectedText: "unreachable (timeout)",
+		},
+		{
+			name:         "wrapped timeout error gets timeout-specific message",
+			err:          fmt.Errorf("operation error STS: GetCallerIdentity: %w", context.DeadlineExceeded),
+			region:       "me-south-1",
+			shouldWrap:   true,
+			expectedText: "unreachable (timeout)",
+		},
+		{
+			name:         "canceled error is not wrapped (parent cancellation, not region timeout)",
+			err:          context.Canceled,
+			region:       "me-south-1",
+			shouldWrap:   false,
+			expectedText: "",
+		},
 	}
 
 	for _, tt := range tests {