Skip to main content

Debugging Distributed Systems Without Losing Your Mind

The logs say the request succeeded. The database says it never arrived. The queue says it was delivered. Welcome to distributed systems debugging - where “it works on my machine” becomes “it works in 3 of 7 services.” If you’ve ever spent hours tracking down a bug that only appears in production, disappears when you add logging, and reappears the moment you think you’ve fixed it, you know the unique pain of distributed systems debugging. The traditional debugging playbook - set a breakpoint, step through the code, inspect variables - falls apart when your “code” is actually seven services running across three availability zones, communicating through message queues, with network latency adding chaos at every hop. This article shares four war stories from building and operating a distributed platform in production. These aren’t theoretical problems from textbooks - they’re the kinds of issues that wake you up at 2 AM, cost real money, and teach hard lessons. More importantly, I’ll share the observability patterns and debugging techniques that transformed these nightmares into manageable problems.

War Story 1: The Case of the Flaky Integration Tests

The Problem

Our integration test suite was a mess. On any given run, 13 out of 15 tests would fail. The failures were random and inconsistent - sometimes test A would fail, sometimes test B, occasionally both would pass. The error messages were cryptic and varied: 
ResourceInUseException: Table 'workflows' already exists
QueueDoesNotExist: The specified queue does not exist
UUID mismatch: Expected workflow_123, found workflow_456
Running the tests locally? Perfect success rate. Running them in CI? Chaos. We had entered the twilight zone where success depended on timing, phase of the moon, and whether Mercury was in retrograde.

The Investigation

The breakthrough came when we ran the tests with detailed logging and noticed something peculiar: timestamps. Tests that should have been running in isolation were overlapping. Test A would create a workflow with ID workflow_123, and while that test was still executing, Test B would start and also try to create resources with the same ID. The root cause was embarrassingly simple: shared resources with hardcoded identifiers. Our tests were written like this: 
#[tokio::test]
async fn test_workflow_creation() {
    let tenant_id = "t1";
    let workflow_id = "workflow_123";
    
    // Create workflow
    create_workflow(tenant_id, workflow_id).await?;
    
    // Assert it exists
    let workflow = get_workflow(workflow_id).await?;
    assert_eq!(workflow.id, workflow_id);
}
When tests ran in parallel (which they did by default), multiple tests would try to create tenant_id = "t1" simultaneously. Some would succeed, some would fail with ResourceInUseException. The race conditions created a cascade of failures:
  1. Table creation races: Multiple tests trying to create the same DynamoDB table
  2. UUID collisions: Hardcoded IDs meant tests would read each other’s data
  3. Cleanup timing: Tests would delete resources while other tests were still using them

The Solution

The fix was straightforward but required disciplined refactoring: unique identifiers for every test resource. 
use uuid::Uuid;

#[tokio::test]
async fn test_workflow_creation() {
    // ✅ Generate unique IDs per test run
    let tenant_id = format!("test-tenant-{}", Uuid::new_v4());
    let workflow_id = format!("test-workflow-{}", Uuid::new_v4());
    
    // Create workflow with unique IDs
    create_workflow(&tenant_id, &workflow_id).await?;
    
    // Assert it exists
    let workflow = get_workflow(&workflow_id).await?;
    assert_eq!(workflow.id, workflow_id);
    
    // Cleanup is now safe - deletes only this test's resources
    cleanup_tenant(&tenant_id).await?;
}
We applied this pattern everywhere:
  • Table names: workflows-{uuid} instead of workflows
  • Queue names: test-queue-{uuid} instead of test-queue
  • Tenant IDs: test-tenant-{uuid} instead of t1
  • All resource identifiers got the UUID treatment

The Results

Test success rate went from 13% to 100%. We could now run the entire suite in parallel with confidence. More importantly, we learned a critical lesson that applied beyond testing: in distributed systems, assume everything runs concurrently. Key Takeaway: Shared mutable state is the enemy of reliable distributed systems. When you can’t avoid it, ensure every operation has a unique identifier that prevents collisions.

War Story 2: The $454 Compilation Incident

The Problem

It was a Tuesday morning. A developer pushed code to main. Within minutes, our CI pipeline exploded with errors. Not just a few errors - over 700 compilation errors across the workspace. The build was completely broken. No one could deploy. No one could merge their PRs. Development ground to a halt. The incident lasted 2 hours. The direct cost in terms of developer time blocked was $454. But the real cost was higher - 4.5 hours of productive work lost, context switching penalties, and the stress of scrambling to fix a broken main branch.

The Root Cause

How did 700+ errors make it to main? The answer was uncomfortable: trust-based verification without automated checks. Our workflow looked like this:
  1. Developer makes changes locally
  2. Developer claims “I tested it, it works”
  3. Code review focuses on logic, not compilation
  4. PR gets merged
  5. CI runs post-merge (but doesn’t block)
The specific incident was triggered by a dependency update that changed function signatures across multiple crates. The developer tested one crate, saw it compiled, and assumed everything was fine. They didn’t run cargo test --workspace, which would have caught the errors immediately.

The Solution

We implemented mandatory pre-merge CI checks: 
# .github/workflows/pr-check.yml
name: PR Validation
on: [pull_request]

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Install Rust
        uses: actions-rs/toolchain@v1
        
      - name: Check all crates compile
        run: cargo check --workspace
        
      - name: Run all tests
        run: cargo test --workspace
        
      - name: Lint
        run: cargo clippy --workspace -- -D warnings
The critical change: PRs cannot merge unless all checks pass. No exceptions. No “I’ll fix it later.” No “trust me, it works.”

The ROI

Running these checks costs approximately 23perPRinCIcomputetime.Theincidentwepreventedcost2-3 per PR** in CI compute time. The incident we prevented cost **454. That’s an ROI of 150-225x. Even if we only prevent one incident per year, the checks pay for themselves. But the real value isn’t just financial. It’s the confidence that main is always deployable, that Friday afternoon merges won’t ruin weekends, and that “works on my machine” is backed by “works in CI.”

Lessons Learned

  1. Automate what you can trust: Humans forget. Computers don’t.
  2. Fail fast, fail early: Catch errors before merge, not after.
  3. Make the right thing easy: CI should be so simple that not using it feels wrong.
  4. Trust, but verify: Trust that developers test their code, but verify with automation.
Key Takeaway: In distributed systems, the cost of prevention is always lower than the cost of incidents. A few dollars in CI costs can prevent hundreds in lost productivity.

War Story 3: The Secret Rotation Race Condition

The Problem

We had a routine operation: rotating AWS secrets across our distributed platform. The process seemed straightforward:
  1. Service A detects secret needs rotation
  2. Service A creates new secret in AWS Secrets Manager
  3. Service A updates references to new secret
  4. Old secret is marked for deletion
In testing, this worked perfectly. In production with multiple services running simultaneously, we started seeing errors: 
ResourceExistsException: A secret with this name already exists

The Investigation

The race condition was subtle. Here’s what was happening:
  1. Service A checks: “Does secret X exist?” → No
  2. Service B checks: “Does secret X exist?” → No (happened before A created it)
  3. Service A creates secret X → Success
  4. Service B tries to create secret X → ResourceExistsException
Both services were trying to do the right thing - ensure the secret exists. But without coordination, they collided.

The Solution

We implemented an idempotent check-then-create pattern: 
async fn ensure_secret_exists(secret_name: &str, secret_value: &str) -> Result<()> {
    // Try to create the secret
    match secrets_client
        .create_secret()
        .name(secret_name)
        .secret_string(secret_value)
        .send()
        .await
    {
        Ok(_) => {
            info!("Created secret: {}", secret_name);
            Ok(())
        }
        Err(e) if is_already_exists_error(&e) => {
            // Secret already exists - this is fine!
            info!("Secret already exists: {}", secret_name);
            
            // Optionally verify the value matches
            verify_secret_value(secret_name, secret_value).await?;
            Ok(())
        }
        Err(e) => Err(e.into()),
    }
}

fn is_already_exists_error(error: &SdkError) -> bool {
    matches!(
        error,
        SdkError::ServiceError { err, .. }
        if err.is_resource_exists_exception()
    )
}
The key insight: treat “already exists” as success, not failure. In distributed systems, you can’t reliably check-then-create atomically across network boundaries. Instead, try to create, and if it already exists, that’s fine.

The Pattern

This pattern applies broadly:
  • Database records: INSERT ... ON CONFLICT DO NOTHING
  • File systems: Create with O_EXCL flag, handle EEXIST
  • Cloud resources: Create with idempotency tokens
  • Message queues: Use deduplication IDs
The mantra: Make operations idempotent by default. Key Takeaway: In distributed systems, “check then act” patterns are inherently racy. Design operations to be safely retried, and treat “already done” as success.

War Story 4: The Cross-Tenant Isolation Bug

The Problem

This was the kind of bug that makes you wake up in a cold sweat: a potential cross-tenant data leak. Our platform was designed to be multi-tenant, with strict isolation between customers. Each tenant’s resources should be completely invisible to other tenants. During a routine architectural audit, we discovered a critical flaw: our IAM policies weren’t properly scoped to tenant boundaries. A user from Tenant A could potentially access resources belonging to Tenant B if they knew (or guessed) the resource identifiers.

The Investigation

The vulnerable code looked like this: 
// ❌ Vulnerable: No tenant scoping
let policy = PolicyDocument {
    statement: vec![
        Statement {
            effect: "Allow",
            action: vec!["s3:GetObject", "s3:PutObject"],
            resource: vec!["arn:aws:s3:::bucket/*"],
        }
    ]
};
This policy allowed access to all objects in the bucket, regardless of which tenant owned them. If an attacker knew the bucket structure, they could access any tenant’s data.

The Solution

We implemented resource-level IAM policies with tenant-scoped conditions: 
// ✅ Secure: Tenant-scoped access
let policy = PolicyDocument {
    statement: vec![
        Statement {
            effect: "Allow",
            action: vec!["s3:GetObject", "s3:PutObject"],
            resource: vec![format!("arn:aws:s3:::bucket/{tenant_id}/*")],
            condition: Some(Condition {
                string_equals: hashmap! {
                    "s3:ExistingObjectTag/tenant_id" => tenant_id,
                }
            })
        }
    ]
};
Every resource was tagged with tenant_id, and IAM policies enforced that users could only access resources matching their tenant. We applied this pattern across:
  • S3 buckets: Object tags with tenant IDs
  • DynamoDB tables: Partition keys included tenant ID
  • SQS queues: Message attributes filtered by tenant
  • Lambda functions: Environment variables scoped per tenant

The Verification

We created a test suite that actively tried to violate tenant isolation: 
#[tokio::test]
async fn test_cross_tenant_isolation() {
    let tenant_a = "tenant-a";
    let tenant_b = "tenant-b";
    
    // Create resource as Tenant A
    let resource_id = create_resource(tenant_a, "secret-data").await?;
    
    // Try to access as Tenant B - should fail
    let result = get_resource(tenant_b, &resource_id).await;
    assert!(result.is_err(), "Cross-tenant access should be denied");
    
    // Verify error is permission denied, not "not found"
    assert!(matches!(result, Err(Error::AccessDenied)));
}
The distinction between “not found” and “access denied” matters - “not found” can leak information about resource existence. Key Takeaway: Security in distributed systems requires defense in depth. Don’t rely on application-level checks alone - enforce isolation at the infrastructure level with IAM, tagging, and resource boundaries.

Tools That Saved Us

Through these incidents and many others, we built a debugging toolkit that transformed how we handle distributed systems issues. Here are the tools and patterns that made the difference:

1. Correlation IDs

Every request gets a unique ID that flows through all services: 
use uuid::Uuid;

#[derive(Debug, Clone)]
pub struct RequestContext {
    pub correlation_id: String,
    pub tenant_id: String,
    pub user_id: Option<String>,
}

impl RequestContext {
    pub fn new(tenant_id: String) -> Self {
        Self {
            correlation_id: Uuid::new_v4().to_string(),
            tenant_id,
            user_id: None,
        }
    }
}

// In every service
info!(
    correlation_id = %ctx.correlation_id,
    tenant_id = %ctx.tenant_id,
    "Processing request"
);
With correlation IDs, debugging becomes: “Show me all logs for correlation_id=abc123” instead of trying to reconstruct a timeline across scattered logs.

2. Structured Logging

JSON logs with consistent schemas enable powerful querying: 
use tracing::{info, error};
use serde_json::json;

// Structured event logging
info!(
    event = "workflow_started",
    correlation_id = %ctx.correlation_id,
    workflow_id = %workflow.id,
    tenant_id = %ctx.tenant_id,
    duration_ms = 0,
);

// Later in the workflow
info!(
    event = "workflow_completed",
    correlation_id = %ctx.correlation_id,
    workflow_id = %workflow.id,
    duration_ms = duration.as_millis(),
    status = "success",
);
CloudWatch Insights query to find slow workflows: 
fields @timestamp, workflow_id, duration_ms
| filter event = "workflow_completed"
| filter duration_ms > 5000
| sort duration_ms desc
| limit 20

3. Distributed Tracing

We integrated OpenTelemetry to visualize request flows: 
use opentelemetry::trace::{Tracer, SpanKind};

async fn process_workflow(ctx: &RequestContext) -> Result<()> {
    let tracer = global::tracer("workflow-service");
    let span = tracer
        .span_builder("process_workflow")
        .with_kind(SpanKind::Server)
        .start(&tracer);
    
    let _guard = span.enter();
    
    // All operations within this scope are traced
    let result = execute_workflow_steps(ctx).await;
    
    result
}
Distributed tracing shows you exactly where time is spent and where failures occur in your service call graph.

4. Pre-built Debugging Queries

We maintain a library of 20+ CloudWatch Insights queries for common scenarios:
  • “Show all errors in the last hour”
  • “Find requests slower than 5 seconds”
  • “Trace a specific correlation ID”
  • “Show failed authentication attempts”
  • “List all database timeouts”
These queries are versioned in code and deployed with infrastructure: 
# terraform/monitoring.tf
resource "aws_cloudwatch_query_definition" "slow_requests" {
  name = "Slow Requests (>5s)"
  
  log_group_names = [
    "/aws/lambda/workflow-service",
    "/aws/lambda/execution-service",
  ]
  
  query_string = <<-EOF
    fields @timestamp, correlation_id, duration_ms, service
    | filter duration_ms > 5000
    | sort duration_ms desc
  EOF
}

5. Runbooks for Incident Response

Each alarm has a corresponding runbook: 
# Runbook: High Error Rate in Workflow Service

## Symptoms
- CloudWatch alarm: `WorkflowErrorRate > 5%`
- Users reporting failed workflow executions

## Immediate Actions
1. Check CloudWatch dashboard: [link]
2. Query recent errors:
fields @timestamp, correlation_id, error_message | filter level = “ERROR” | filter service = “workflow-service” | sort @timestamp desc | limit 50 

## Common Causes
- **Database timeout**: Check RDS performance metrics
- **Queue backlog**: Check SQS message count
- **Dependency failure**: Check X-Ray service map

## Resolution Steps
1. Identify error pattern from logs
2. Check dependent services status
3. If database timeout: Scale RDS or optimize queries
4. If queue backlog: Add workers or increase batch size

6. Circuit Breaker Pattern

We classify errors and handle them differently: 
#[derive(Debug)]
enum ErrorClassification {
    Transient,  // Retry
    Permanent,  // Don't retry, send to DLQ
}

fn classify_error(error: &Error) -> ErrorClassification {
    match error {
        Error::NetworkTimeout => ErrorClassification::Transient,
        Error::DatabaseUnavailable => ErrorClassification::Transient,
        Error::ValidationFailed => ErrorClassification::Permanent,
        Error::ResourceNotFound => ErrorClassification::Permanent,
        _ => ErrorClassification::Permanent,
    }
}

async fn with_retry<F, T>(
    operation: F,
    max_attempts: u32,
) -> Result<T>
where
    F: Fn() -> Future<Output = Result<T>>,
{
    let mut attempts = 0;
    
    loop {
        match operation().await {
            Ok(result) => return Ok(result),
            Err(e) => {
                attempts += 1;
                
                match classify_error(&e) {
                    ErrorClassification::Transient if attempts < max_attempts => {
                        let backoff = Duration::from_millis(100 * 2_u64.pow(attempts));
                        tokio::time::sleep(backoff).await;
                        continue;
                    }
                    _ => return Err(e),
                }
            }
        }
    }
}

The Day 1 Observability Checklist

If you’re starting a new distributed system or improving an existing one, here’s your checklist:

Logging

  • Correlation IDs in all requests: Generate at API gateway, pass to all services
  • Structured JSON logging: Use consistent field names across services
  • Log levels properly used: DEBUG for verbose, INFO for key events, WARN for recoverable issues, ERROR for failures
  • Sensitive data redacted: No passwords, tokens, or PII in logs

Metrics

  • Request rate, latency, error rate per service: The RED method
  • Resource utilization: CPU, memory, disk, network
  • Business metrics: Workflows created, jobs completed, users active
  • Custom metrics for critical paths: Database query time, external API latency

Tracing

  • Distributed tracing setup: OpenTelemetry or similar
  • Trace sampling configured: 100% for errors, sample for success
  • Service map visualization: Understand dependencies
  • Critical path instrumentation: Know where time goes

Querying

  • Pre-built queries for common scenarios: Don’t reinvent during incidents
  • Query library versioned in code: Infrastructure as code
  • Team training on query tools: Everyone can debug

Alerting

  • Alerts on symptoms, not causes: Alert on “users can’t log in” not “CPU is high”
  • Runbooks for every alert: What to do when it fires
  • Alert fatigue prevention: Tune thresholds, group related alerts
  • Escalation paths defined: Who gets paged when

Testing

  • Integration tests with unique IDs: No shared mutable state
  • Chaos engineering experiments: Test failure modes
  • Load testing under realistic conditions: Know your limits
  • Security testing for isolation: Verify tenant boundaries

Patterns That Work

After years of debugging distributed systems, these patterns consistently make life easier:

Idempotency Everywhere

Operations should be safely retryable:
  • Check if resource exists before creating
  • Use unique tokens for deduplication
  • Treat “already done” as success

Error Classification

Not all errors are equal:
  • Transient: Network blips, temporary unavailability → Retry
  • Permanent: Validation failures, not found → Don’t retry, alert
  • Poison pills: Messages that always fail → Dead letter queue

Timeouts at Every Layer

Never wait forever:
  • HTTP clients: 30 second timeout
  • Database queries: 5 second timeout
  • Message processing: 5 minute visibility timeout
  • Always have a maximum wait time

Graceful Degradation

Fail partially, not completely:
  • Return cached data if fresh data unavailable
  • Disable non-critical features under load
  • Queue writes if database is slow
  • Always have a fallback path

Closing Thoughts

Debugging distributed systems is hard. It requires different mental models, different tools, and different instincts than debugging monolithic applications. The problems in this article - race conditions, compilation failures, secret rotation races, and cross-tenant isolation - are just a sample of the creative ways distributed systems can fail. But with the right observability foundation, these problems become manageable. Correlation IDs turn chaos into traceable request flows. Structured logging turns mountains of text into queryable data. Distributed tracing turns “where is this slow?” into a visual timeline. Pre-built queries turn incidents into pattern matching. The key is to build these capabilities before you need them. Set up correlation IDs on day one, not during your first production incident. Write runbooks before you’re paged at 3 AM. Build retry logic before you hit your first network timeout. Distributed systems will always have emergent behaviors that surprise you. But with proper observability, you can turn those surprises from existential crises into interesting debugging sessions. You might not love debugging distributed systems, but at least you won’t lose your mind doing it. The logs will still sometimes contradict each other. The race conditions will still occasionally appear. But you’ll have the tools to understand what’s happening, the patterns to fix it systematically, and the confidence that you can handle whatever distributed chaos comes next. Now go forth and debug. Your correlation IDs are waiting.