# Problem Statement This work makes up Phase 5 of https://gitlab.com/groups/gitlab-org/-/epics/14310+ please see that Epic for more details on the overall problem description. # Approach We suggest to take a two-pronged approach to removing the `AvailableServices` API that Duo and other Cloud Connector features use today. This would see us start with a breadth-first approach to code migration, followed by a depth-first approach to remaining code: 1. **Shrink `AvailableServices` API surface.** Iteratively remove all its methods except for `access_token` (see below). This will "clear the path" and make it easier to focus on the remaining larger chunks. Replacing these methods is fairly straight-forward and does not carry much risk. 2. **Migrate use of `access_token` use case by use case.** This method is used far too often and for too many reasons to remove it in one go. Instead, we will take a vertical approach to migration here, with moving individual features or use cases away from it one-by-one. This will reduce risk during migration. ## :white_check_mark: 5.0: Prepare migration Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/538101 - [x] Announce widely that we are starting to remove `AvailableServices` * [x] Decided against [this](https://gitlab.com/gitlab-org/gitlab/-/issues/538101#note_2504050090) - [x] Consider adding deprecation warnings in code when using this API ## :white_check_mark: 5.1: Migrate by method We will first remove the following methods from `AvailableServices` to shrink its API surface, and replace them with equivalent code from either ~"group::provision" or \~"group::cloud connector" APIs: <table> <tr> <th>Method</th> <th>Description</th> <th>Issue</th> <th>Size</th> <th>Status</th> </tr> <tr> <td> `free_access?` </td> <td> Determines whether a "service" can be used subscription-free before its cut-off date. - Used in `UserAuthorizable`, Amazon Q and SAST Scanner. - This needs to be replaced with equivalent calls into a `UnitPrimitive` matching the given service (there are often 1-1 mappings). - This has a dependency on Phase 4. </td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/542420 </td> <td>S</td> <td> :white_check_mark: </td> </tr> <tr> <td> `purchased?` </td> <td> Determines whether a "service" has been "purchased" (this translates to: are the UPs under this service bundled with an add-on that is active for the namespace/instance). - Used primarily in UI access control checks (Code Suggestions, Anthropic Proxy, X-Ray, settings API). - If we replace this with ~"group::provision" APIs, then it depends on Phase 4 since we'd have to replace the service name with a UP name. </td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/542422 </td> <td>M</td> <td> :white_check_mark: </td> </tr> <tr> <td></td> <td></td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/543079+ </td> <td>S</td> <td>Not started</td> </tr> <tr> <td> `allowed_for?(user)` </td> <td> This performs a seat assignments check and should be replaced with existing code outside of Cloud Connector that performs these checks. - This is only called [here](https://gitlab.com/gitlab-org/gitlab/-/blob/1b50980b818d52599de87dfe18a4fe638a4e1120/ee/app/policies/ee/global_policy.rb#L255) by SHM. I suggest we explode this method into the callsite so that we can remove it here. The caller will still use a `service` object, we can migrate this later as part of SHM. </td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/538104 </td> <td></td> <td> :white_check_mark: </td> </tr> </table> ## :white_check_mark: 5.2: Migrate `access_token` by feature or use case _Some of these steps require Phase 4 to be completed. Phase 3 is assumed to be completed._ _Details here:_ https://gitlab.com/groups/gitlab-org/-/epics/17999+ ## ## :white_check_mark: 5.3: Migrate `find_by_name` by feature or use case _Phase 5.2 is assumed to be completed._ _Details here:_ https://gitlab.com/groups/gitlab-org/-/epics/19060 ## :white_check_mark: 5.4: Finalize migration and remove AvailableServices _Phase 5.3 is assumed to be completed._ _Details here:_ https://gitlab.com/groups/gitlab-org/-/epics/19071 ## Next steps - Self Hosted Models: https://gitlab.com/groups/gitlab-org/-/epics/17836+. - Amazon Q: https://gitlab.com/groups/gitlab-org/-/epics/17837+ ## Updates ### Status 2025-09-28 * **Phase 5.4 completed:** https://gitlab.com/groups/gitlab-org/-/epics/19071 - Cleaning up the legacy code, removal of AvailableServices, and updating documentation. ### Status 2025-09-18 * **Phase 5.3 completed**: https://gitlab.com/groups/gitlab-org/-/epics/19060+ All code in repository is now using the new cloud connector UnitPrimitive API * **Phase 5.4 in progress:** https://gitlab.com/groups/gitlab-org/-/epics/19071 - Cleaning up the legacy code, removal of AvailableServices, and updating documentation. ### Status 2025-08-25 * **Phase 5.1 completed**: All three methods (`free_access?`, `purchased?`, `allowed_for?`) successfully removed from `AvailableServices` API surface. * **Phase 5.2 in progress**: https://gitlab.com/groups/gitlab-org/-/epics/17999+ continues with `access_token` migration and rollout by feature. All preparation work is done we are now in the process of rolling out new code path for `code suggestions`, `anthropic_proxy` and `vertex_ai_proxy`. After that, we will rollout new code path for all features. When this is done, we should be able to remove the `access_token` function. * **Phase 5.3 initiated**: https://gitlab.com/groups/gitlab-org/-/epics/19060+ created on Aug 22 to migrate `find_by_name` usage. `self_hosted_models` unit primitive is introduced. `UserAuthorizable` module migration (https://gitlab.com/gitlab-org/gitlab/-/issues/562379+) is in progress, with other `find_by_name` replacements (https://gitlab.com/gitlab-org/gitlab/-/issues/564979+) and parameter renaming work queued. ### Status 2025-06-24 * https://gitlab.com/gitlab-org/gitlab/-/issues/542422+ is close to completion. 2 MRs are open and being reviewed. Then, a final removal MR is needed. We expect to wrap this up some time next week. * https://gitlab.com/gitlab-org/gitlab/-/issues/546563+ is in progress. * We found an issue with leaking data caches in tests, which caused a broken-master incident and slowed us down. We already shipped a short-term fix, and are looking to more holistically address this in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194884+. * https://gitlab.com/gitlab-org/gitlab/-/issues/546576+ is dev-done, but is still open because it also got delayed by the cache leak bug. It should help unlock the pending work to remove the legacy `.access_token` implementation. ### Status 2025-06-11 * The whole team continues to work on this Epic to remove usage of the old AvailableServices interface. * https://gitlab.com/gitlab-org/gitlab/-/issues/542422+. Feature flag [cleanup](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192366) from the first part of this issue is complete. We are now working on the refactor of where the `purchased` method is called, starting with https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193730+. * https://gitlab.com/gitlab-org/gitlab/-/issues/538100+ is completed, moving the SAST usage of Cloud Connector away from AvailableServices. * Continued work on https://gitlab.com/gitlab-org/gitlab/-/issues/546563+ This issue will remove a number of usages of the AvailableServices.access_token method that we have identified as not being required. There are 5 related MRs that are nearly ready for review. * Continued to work on https://gitlab.com/gitlab-org/gitlab/-/issues/546576+ in order to allow us to migrate safely away from an AvailableServices based way of minting a Cloud Connector token ### Status 2025-06-04 * The whole team are now working on this Epic to remove usage of the old AvailableServices interface. * https://gitlab.com/gitlab-org/gitlab/-/issues/542422+ - the first refactor for this was successfully rolled out behind a feature flag. We are now [cleaning up the feature flag and completing](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192366) the changes now that we are more confident that the refactor will not have any negative impact. * https://gitlab.com/gitlab-org/gitlab/-/issues/538100+ will migrate the SAST service away from using AvailableServices. We have identified the intended approach, and are working on finalising the [MR](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190818). * https://gitlab.com/gitlab-org/gitlab/-/issues/546576+ in order to migrate safely away from an AvailableServices based way of minting a Cloud Connector token, we are making changes that will allow us to selectively do so on an individual Unit Primitive (and hence AI feature) basis. We are also adding instrumentation to allow us to assess any performance impact. This will give us a safer way of removing this usage of AvailableServices, by moving a select number of AI features at a time. * Started work on https://gitlab.com/gitlab-org/gitlab/-/issues/546563+ this issue will remove a number of usages of the AvailableServices.access_token method that we have identified as not being required. ### Status 2025-05-28 * We continued working on https://gitlab.com/gitlab-org/gitlab/-/issues/542422+ to progress with reducing the API surface area of the AvailableServices interface, in this case removing need for the `purchased?` method. Progress has been slowed due to an [issue in CDot staging](https://gitlab.com/gitlab-org/customers-gitlab-com/-/issues/13056) blocking our testing. ### Status 2025-05-21 * We have started working on https://gitlab.com/gitlab-org/gitlab/-/issues/542422+ to progress with reducing the API surface area of the AvailableServices interface, in this case removing need for the `purchased?` method. ### Status 2025-05-14 * We have refined the scope of this Epic, and carried out a high level estimation exercise. Based on this we have updated the expected Due date of this Epic to be 2025-07-17 (18.2) * We have broken out some of the work into further Epics and are currently working refining those * https://gitlab.com/groups/gitlab-org/-/epics/17836+ * https://gitlab.com/groups/gitlab-org/-/epics/17837+ * Once the Self-Hosted Models Epic is refined, we will likely be working on it in parallel with this Epic. * No further progress on this Epic this week due to team PTO. We instead focussed on finishing Phase 4 and the Rate Limiting clean up work. ### Status 2025-05-07 * Whilst the work in this Epic is not fully refined, the team have started on issues that migrate away usage of the AvailableServices API that we want to deprecate, that are not blocked on Phase 4 being completed. * We [migrated](https://gitlab.com/gitlab-org/gitlab/-/issues/538098) the GitLab Observability Backend (GOB) integration away from `AvailableServices`. * We removed an AvailableServices API method after [refactoring](https://gitlab.com/gitlab-org/gitlab/-/issues/538104) the code that used it * We started on refactoring away the use of AvailableServices by SAST https://gitlab.com/gitlab-org/gitlab/-/issues/538100+ * We started on refactoring away the use of AvailableServices by XRay https://gitlab.com/gitlab-org/gitlab/-/issues/538332+ * Next week we will work on further refining the work required in this Epic to help us clarify the expected completion date. ### Status 2025-05-01 * Whilst the work in this Epic is not fully refined, the team have started on 2 issues that migrate away usage of the AvailableServices API that we want to deprecate, that are not blocked on Phase 4 being completed. * Next week, we will have more of the team available to help with creating issues and estimations for the remaining work currently outlined in the description of this Epic. * This will enable us to update the Due Date to be realistic