feat(AIP-122): disallow embedding resources in resources (#1196)

noahdietz · web-flow · commit 8ab1fd02e343 · 2023-08-24T08:38:19.000-07:00
diff --git a/aip/general/0122.md b/aip/general/0122.md
@@ -282,6 +282,11 @@ When a field represents another resource, the field **should** be of type
 `string` and accept the resource name of the other resource. The field name
 **should** be equivalent to the corresponding message's name in snake case.
 
+The field **should not** be of type `message` using the `message` that 
+implements the resource, _unless_ the API is internal-only, has tight lifecycle
+relationships, and has a permission model that enables inherited access to
+embedded resources.
+
 - Field names **may** include a leading adjective if appropriate (such as
   `string dusty_book`).
 - Field names **should not** use the `_name` suffix unless the field would be
@@ -320,8 +325,31 @@ message Book {
   [AIP-180](./0180.md#changing-resource-names).
 - For resource types, see [AIP-123][].
 
+## Rationale
+
+### Disallow embedding of resources
+
+Using a resource message directly as the type of a field within another resource
+is problematic for a number of reasons, which are as follows:
+
+* Complicates the resource lifecycle: If the dependency resource is
+  deleted, what happens to the embedded reference in the dependent resource?
+  Data retention and clean up operations will be significantly complicated.
+* Bypasses permissions: If every resource has its own set of permissions, a user
+  with read permission on the dependent resource that doesn't have the same
+  permission on the dependency resource suddenly cannot see the full resource.
+* Tightly couples resources in all aspects: Changing the requirements in the
+  schema, permissions, or otherwise for either resource impacts the other,
+  significantly increasing complexity of roll outs.
+
+Referencing by name, as is recommended, eliminates all of this complexity by
+preventing resource data duplication, and forcing the owning service to be
+involved in the resolution of the reference (via Standard Methods), guaranteeing
+isolation of logical concerns per-resource.
+
 ## Changelog
 
+- **2023-08-10**: Explicitly disallow embedding resource messages in a resource.
 - **2023-03-24**: Correction: full resource name contains the service name rather
   than the service endpoint
 - **2023-03-17**: Add `OUTPUT_ONLY` guidance for resource ID fields.
