fix(purchases): tighten AWS SDK retry budget + bump Lambda timeout to 300s (closes #683)

[cristim]

Summary

Third recurrence of #667 prompted this PR. Original scope was tighten the AWS SDK retry budget; user pushback on the "hanging goroutine" hypothesis correctly identified that SDK-side bounds alone don't cover hangs upstream of the SDK call (STS validation, credential resolution, fan-out scheduling). Scope expanded to a defense-in-depth approach: bound the per-rec budget AND make hangs observable.

Closes #683. Refs #667 #668 #632 #681 #600.

What changed (3 parts)

Part 1 — bound the AWS SDK retry storm

• providers/aws/internal/purchasecfg new package, NewConfig(base aws.Config) returns a copy with RetryMaxAttempts=2 + http.Client{Timeout: 15s}. Worst-case wall clock per SDK request: 2 × 15s = 30s.
• 7 purchase-path service constructors (EC2, RDS, ElastiCache, MemoryDB, OpenSearch, Redshift, SavingsPlans) wired through purchasecfg.NewConfig. OpenSearch + Redshift also tighten their STS client used for ARN/tagging.
• Recommendation-collection clients are NOT touched — recommendations.NewClient is independent and legitimately needs the SDK default 3-retry budget.

Part 2 — bound the per-rec execution itself

• context.WithTimeout(ctx, 30s) wrapping the entire purchase chain inside executeSinglePurchase (provider construction + STS validation + service-client lookup + details decode + the AWS SDK call). Caps the per-rec budget regardless of which step hangs. 30s matches the part-1 SDK ceiling.
• All 42 mock.On(...) call sites in the purchase tests updated from ctx literal to mock.MatchedBy(func(c context.Context) bool { _, ok := c.Deadline(); return ok }) — positively asserts the deadline propagates.

Part 3 — make hangs observable

Every step of the purchase chain now emits an Info log tagged with the execution ID so a single CloudWatch filter (filter @message like /purchase\[<exec-id>\]/) returns the full timing breakdown. Lines added (one per commit):

Stage	Sample log line
Approve handler entry/exit	purchase[<id>]: approve entry (auth=session) / ... exit success in 4.2s
resolveAccountProvider + AWS/Azure/GCP sub-resolvers	purchase[<id>]: resolved AWS provider for account <X> in 142ms
AWS STS GetCallerIdentity + Azure subscriptions ListPager validation	purchase[<id>]: STS GetCallerIdentity for account <X> starting / ... returned in 87ms
findOfferingID pagination in all 7 services	purchase[<id>]: EC2 offering page 1 (token=*) returned in 612ms with 14 offerings
FanOutWithConcurrency per-goroutine	fan-out goroutine entry (account=<X>) / ... exit success in 1.8s

Token / credential values are masked to the last 8 chars per the feedback_pii_in_logs.md memory entry.

Part 4 — Lambda budget headroom

• lambda_timeout bumped 60 -> 300s in github-{dev,staging,prod}.tfvars. With the per-rec 30s ceiling from Part 2, a single hung rec is now nowhere near the Lambda ceiling — the bigger budget exists to absorb large multi-rec executions, not to mask hangs.

Commit list (10)

1. df4755556 purchasecfg helper
2. fe72342f7 wire purchasecfg into 7 service constructors
3. 7a899ed0e lambda_timeout 60 -> 300
4. a8677e939 per-rec context.WithTimeout(30s)
5. 3d10f285c approve handler entry/exit logs
6. 6804727eb resolveAccountProvider timing logs
7. 8f49cf2b2 STS + Azure validation call timing logs
8. 2919058f5 per-page logs in 7 AWS findOfferingID loops
9. 09462dd9d FanOutWithConcurrency per-goroutine timing
10. e4ad3eacd test fixups (mock.MatchedBy for the 42 deadline-aware ctx call sites + 1 savingsplans test parameter)

Test plan

• go test ./internal/purchase/... ./internal/execution/... ./internal/api/... ./providers/aws/services/... -count=1 -short — 1732 tests pass across 10 packages
• go build ./... — clean
• terraform validate in terraform/environments/aws/ — clean
• Recommendation-collection path NOT affected (purchasecfg only applied to purchase-path clients)
• Post-deploy: t4g.nano repro attempt either succeeds OR fails within ≤30s with the new log lines pinning which step hung. CloudWatch query: filter @message like /purchase\[<exec-id>\]/ | sort @timestamp asc

Cross-references

• fix(purchases): EC2 RI purchase times out under transient AWS SDK retries; Lambda 60s budget blown (P0) #667 (the proposed fix this PR implements + extends)
• fix(purchases): #667 recurrent -- recommend implementing the Lambda timeout bump + SDK retry tightening NOW (P0) #683 (the recurrence driver)
• fix(purchases): add execution-tagged logging to executeSinglePurchase (refs #667) #668 (the prior diagnostic logging — this PR extends it)
• bug(purchases): approve strands execution in 'approved' (purchase never runs, no error) on interrupted sync execution #632 (status stranding — bounded per-rec timeout reduces the strand window)
• fix(purchase): reap purchase_executions stuck in approved/running >10m (closes #678) #681 (the 10-min reaper — now a much-less-needed safety net)
• fix(frontend/api): preserve details + engine on purchase POST (closes #597) #600 (frontend strip — separate concern; rec details still needed for correct AWS API filter)

Summary by CodeRabbit

• Improvements
  • Expanded structured logging and timing across approval, execution, fan-out and provider flows (with actor masking) for better diagnostics and correlation.
  • Added per-recommendation execution timeouts and tightened SDK retry/HTTP timeouts for more predictable purchases.
  • Enhanced offering-lookup and per-account timing logs.
  • Increased Lambda timeout limits to 300s.
• Tests
  • Relaxed context matching in tests to tolerate per-recommendation deadline contexts.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3896640f-783a-4270-be2b-927a038ed776

📥 Commits

Reviewing files that changed from the base of the PR and between ee235cf and a477d7c.

📒 Files selected for processing (3)

• internal/purchase/coverage_extra_test.go
• internal/purchase/execution_test.go
• internal/purchase/manager_test.go

---

📝 Walkthrough

Walkthrough

Adds timing and structured logs to approval and provider flows, enforces 30s per-recommendation timeouts, introduces purchase-specific AWS SDK config (2 retries, 15s HTTP timeout) wired to purchase-path clients, relaxes tests to accept deadline-bearing contexts, and increases Lambda timeout to 300s.

Changes

Purchase Approval and Execution Hardening

Layer / File(s)	Summary
Approval handler and flow observability internal/api/handler_purchases.go, internal/purchase/approvals.go	Request entry, completion, and failure logging in approvePurchaseViaSession, ApproveExecution, and ApproveAndExecute with elapsed-time measurement and masked actor values.
AWS SDK purchase-path configuration package providers/aws/internal/purchasecfg/config.go, providers/aws/internal/purchasecfg/config_test.go	New purchasecfg package with MaxAttempts=2, HTTPTimeout=15s, and NewConfig(base aws.Config) aws.Config that returns a copied config with capped retries and a per-request HTTP timeout; unit tests verify behavior and immutability.
Wiring purchase config across AWS service clients providers/aws/services/{ec2,rds,elasticache,memorydb,opensearch,redshift,savingsplans}/client.go	All purchase-path AWS clients now use purchasecfg.NewConfig(cfg), pass opts.ExecutionID to offering lookups for log correlation, and add per-page timing/structured logs during pagination.
Provider credential resolution & provider ValidateCredentials timing internal/purchase/execution.go, providers/aws/provider.go, providers/azure/provider.go	Credential-resolution paths (resolveAccountProvider, provider-specific resolvers) instrumented with start/failure/success elapsed-time logs; AWS/Azure ValidateCredentials now time STS/subscriptions calls and log durations.
Per-recommendation 30-second execution timeout and diagnostics internal/purchase/execution.go	executeSinglePurchase creates a 30s recCtx per recommendation and uses it for provider creation, GetServiceClient, and PurchaseCommitment; adds logRecCtxErr to distinguish DeadlineExceeded vs Canceled with elapsed timing.
Fan-out execution per-account timing and observability internal/execution/fanout.go	Per-account goroutine invocations are wrapped with start/elapsed timing and Info/Error logs on start, completion, and failure.
Test mock expectations relaxed for deadline-bearing contexts internal/purchase/{coverage_extra_test.go,execution_test.go,manager_test.go}	Tests updated to match contexts via mock.Anything or mock.MatchedBy(deadline-check) rather than exact ctx, accommodating derived/deadlined contexts.
Lambda execution timeout increase 60s → 300s terraform/environments/aws/github-{dev,staging,prod}.tfvars	Lambda timeout extended from 60 to 300 seconds to accommodate AWS SDK retry/HTTP-timeout settings and purchase request handling.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• fix(purchases): EC2 RI purchase times out under transient AWS SDK retries; Lambda 60s budget blown (P0) #667: PR implements the Lambda timeout bump and SDK retry/HTTP-timeout tightening requested to prevent AWS SDK-induced Lambda budget overruns.

Possibly related PRs

• LeanerCloud/CUDly#613: Overlaps on orphan-check logging and approval-path changes.
• LeanerCloud/CUDly#668: Overlaps on purchase execution logging/timing and complements this PR’s per-rec timeouts and credential-resolution logs.
• LeanerCloud/CUDly#373: Prior edits to approval flows where similar logging/masking was touched.

Poem

🐰 I time each hop and guard the log,

Mask my name, avoid the fog.
Thirty seconds, retries few,
Lambdas wake, not stuck like glue.
Hooray — purchases sing anew.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.61% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main changes: AWS SDK retry tightening plus Lambda timeout increase to 300 seconds.
Linked Issues check	✅ Passed	The PR implements all coding requirements from issue #683: Lambda timeout bumped to 300s in all three tfvars, purchase-path clients (EC2, RDS, ElastiCache, MemoryDB, OpenSearch, Redshift, SavingsPlans) configured with RetryMaxAttempts=2 and HTTP timeout=15s, per-record 30s timeout applied, exec-tagged timing logs added, and recommendations path unchanged.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with issue #683 requirements: SDK configuration tightening, Lambda timeout bump, per-record deadline enforcement, and observability logging are all in-scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/issue-683-lambda-sdk-tightening

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

internal/purchase/execution_test.go (1)

70-73: ⚡ Quick win

Strengthen provider-factory context assertions to preserve the 30s budget contract.

Using mock.Anything for CreateAndValidateProvider no longer verifies deadline propagation on the provider-construction step. A deadline-aware matcher here would keep this contract covered end-to-end.

Suggested pattern

+deadlineCtx := mock.MatchedBy(func(c context.Context) bool {
+	d, ok := c.Deadline()
+	if !ok {
+		return false
+	}
+	remaining := time.Until(d)
+	return remaining > 0 && remaining <= 31*time.Second
+})
-
-mockFactory.On("CreateAndValidateProvider", mock.Anything, "aws", mock.Anything).Return(mockProviderInst, nil)
+mockFactory.On("CreateAndValidateProvider", deadlineCtx, "aws", mock.Anything).Return(mockProviderInst, nil)

Also applies to: 130-135, 186-191, 531-534, 759-762, 924-931, 1042-1054, 1171-1180, 1394-1397, 1468-1476, 1550-1557, 1688-1691

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/purchase/execution_test.go` around lines 70 - 73, The test currently
uses mockFactory.On("CreateAndValidateProvider", mock.Anything, "aws",
mock.Anything) which doesn't assert the 30s deadline on the
provider-construction context; update the matcher for the first argument to a
deadline-aware matcher (e.g., mock.MatchedBy that checks ctx.Deadline() is set)
so CreateAndValidateProvider receives a context with a deadline, similar to how
GetServiceClient and PurchaseCommitment are asserted; apply the same change to
other occurrences listed (lines around 130-135, 186-191, etc.) referencing the
same method name CreateAndValidateProvider to preserve the deadline propagation
contract end-to-end.

providers/aws/internal/purchasecfg/config.go (1)

41-45: ⚡ Quick win

Preserve caller-provided aws.Config.HTTPClient at Line 44 (composability).

Line 44 unconditionally replaces base.HTTPClient with a new *http.Client{Timeout: HTTPTimeout}, which would drop any caller/custom transport/proxy/TLS/instrumentation settings if base.HTTPClient is non-default. In the main AWS provider path, aws.Config is loaded via config.LoadDefaultConfig with only region/profile/credentials options, so this likely doesn’t affect current production flows—but it reduces future safety and test composability.

Suggested fix

 func NewConfig(base aws.Config) aws.Config {
 	cfg := base.Copy()
 	cfg.RetryMaxAttempts = MaxAttempts
-	cfg.HTTPClient = &http.Client{Timeout: HTTPTimeout}
+	if hc, ok := base.HTTPClient.(*http.Client); ok && hc != nil {
+		clone := hc.Clone()
+		clone.Timeout = HTTPTimeout
+		cfg.HTTPClient = clone
+	} else {
+		cfg.HTTPClient = &http.Client{Timeout: HTTPTimeout}
+	}
 	return cfg
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@providers/aws/internal/purchasecfg/config.go` around lines 41 - 45, NewConfig
currently overwrites any caller-provided HTTP client, dropping custom
transports/proxies/TLS/instrumentation; change it to preserve base.HTTPClient:
after copying base into cfg, only set cfg.HTTPClient = &http.Client{Timeout:
HTTPTimeout} when base.HTTPClient is nil, otherwise leave cfg.HTTPClient
untouched (or if you want to ensure a timeout, detect if cfg.HTTPClient is an
*http.Client and only set its Timeout when it's zero). Keep the rest
(cfg.RetryMaxAttempts = MaxAttempts) unchanged; this uses the NewConfig function
and symbols RetryMaxAttempts/HTTPTimeout to locate the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/purchase/execution.go`:
- Around line 791-794: The current check treats any non-nil recCtx.Err() as the
30s per-rec timeout; update the branch that inspects recCtx.Err() to distinguish
context.DeadlineExceeded from context.Canceled (and other errors). Use
errors.Is(recCtx.Err(), context.DeadlineExceeded) to log the "per-rec deadline
30s exceeded" message, use errors.Is(recCtx.Err(), context.Canceled) to log a
"rec cancelled by parent/ctx canceled" message (including opts.ExecutionID,
recTuple, elapsed), and otherwise log the actual error from recCtx.Err(); ensure
to import the errors package if not present and keep logging via logging.Errorf
and the existing variables (recCtx, opts.ExecutionID, recTuple, elapsed).

---

Nitpick comments:
In `@internal/purchase/execution_test.go`:
- Around line 70-73: The test currently uses
mockFactory.On("CreateAndValidateProvider", mock.Anything, "aws", mock.Anything)
which doesn't assert the 30s deadline on the provider-construction context;
update the matcher for the first argument to a deadline-aware matcher (e.g.,
mock.MatchedBy that checks ctx.Deadline() is set) so CreateAndValidateProvider
receives a context with a deadline, similar to how GetServiceClient and
PurchaseCommitment are asserted; apply the same change to other occurrences
listed (lines around 130-135, 186-191, etc.) referencing the same method name
CreateAndValidateProvider to preserve the deadline propagation contract
end-to-end.

In `@providers/aws/internal/purchasecfg/config.go`:
- Around line 41-45: NewConfig currently overwrites any caller-provided HTTP
client, dropping custom transports/proxies/TLS/instrumentation; change it to
preserve base.HTTPClient: after copying base into cfg, only set cfg.HTTPClient =
&http.Client{Timeout: HTTPTimeout} when base.HTTPClient is nil, otherwise leave
cfg.HTTPClient untouched (or if you want to ensure a timeout, detect if
cfg.HTTPClient is an *http.Client and only set its Timeout when it's zero). Keep
the rest (cfg.RetryMaxAttempts = MaxAttempts) unchanged; this uses the NewConfig
function and symbols RetryMaxAttempts/HTTPTimeout to locate the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a97129d2-95a8-45dc-ab31-48891e82df8d

📥 Commits

Reviewing files that changed from the base of the PR and between b727ecb and e4ad3ea.

📒 Files selected for processing (22)

• internal/api/handler_purchases.go
• internal/execution/fanout.go
• internal/purchase/approvals.go
• internal/purchase/coverage_extra_test.go
• internal/purchase/execution.go
• internal/purchase/execution_test.go
• internal/purchase/manager_test.go
• providers/aws/internal/purchasecfg/config.go
• providers/aws/internal/purchasecfg/config_test.go
• providers/aws/provider.go
• providers/aws/services/ec2/client.go
• providers/aws/services/elasticache/client.go
• providers/aws/services/memorydb/client.go
• providers/aws/services/opensearch/client.go
• providers/aws/services/rds/client.go
• providers/aws/services/redshift/client.go
• providers/aws/services/savingsplans/client.go
• providers/aws/services/savingsplans/client_test.go
• providers/azure/provider.go
• terraform/environments/aws/github-dev.tfvars
• terraform/environments/aws/github-prod.tfvars
• terraform/environments/aws/github-staging.tfvars

[cristim]

CodeRabbit pass-1 response

All three findings addressed in commit ee235cf.

#	File	Finding	Action	Rationale
1	internal/purchase/execution.go:791	Mislabels all context cancellations as 30s per-rec timeout	Fixed	Extracted logRecCtxErr helper that distinguishes context.DeadlineExceeded from context.Canceled; kept out of the main function body so gocyclo stays under 10.
2	internal/purchase/execution_test.go (12 occurrences)	CreateAndValidateProvider uses mock.Anything for ctx, not asserting 30s deadline propagation	Fixed	Replaced all 12 mock.Anything first-args with mock.MatchedBy(func(c context.Context) bool { _, ok := c.Deadline(); return ok }) to cover the full factory->client->SDK chain end-to-end.
3	providers/aws/internal/purchasecfg/config.go:44	NewConfig unconditionally replaces HTTPClient, dropping caller custom transports	Fixed	Shallow-copies the *http.Client when one is provided and only overrides Timeout; falls back to fresh client otherwise. Added TestNewConfig_PreservesCustomTransport to pin the contract.

@coderabbitai review

[coderabbitai]

@cristim Thanks for the detailed summary — all three fixes look well-targeted:

1. logRecCtxErr helper — cleanly separates DeadlineExceeded (per-rec 30 s budget hit) from Canceled (upstream cancellation), without inflating cyclomatic complexity. Good call keeping it out of the main function body.
2. mock.MatchedBy deadline assertions — covering all 12 call sites ensures the full factory → client → SDK chain actually receives a deadline-bound context, not just the outer one.
3. Shallow-copy *http.Client in NewConfig — preserving custom transports while only overriding Timeout is the correct contract; pinning it with TestNewConfig_PreservesCustomTransport makes the behaviour explicit.

Triggering a fresh review now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/purchase/execution_test.go`:
- Line 70: The current test uses a context-deadline matcher that only checks for
any deadline, which allows reusing a longer parent deadline; update the mock
expectations that call mockFactory.On("CreateAndValidateProvider", ...) (and the
other identical sites) to assert the remaining deadline is ~30s (with a small
tolerance) by reusing the existing timeout-deadline matcher helper used
elsewhere in tests (the helper that checks WithTimeout(..., 30*time.Second)
behavior) so executeSinglePurchase is verified to create a 30s per-request
deadline rather than inheriting a longer parent context.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 473da1cd-7126-4151-a248-dab9dda3b0b4

📥 Commits

Reviewing files that changed from the base of the PR and between e4ad3ea and ee235cf.

📒 Files selected for processing (4)

• internal/purchase/execution.go
• internal/purchase/execution_test.go
• providers/aws/internal/purchasecfg/config.go
• providers/aws/internal/purchasecfg/config_test.go

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.