WIP

Author: Yuriy Bezsonov

infra/cdk/src/main/java/sample/com/constructs/Ide.java

@@ -8,6 +8,7 @@
 import software.amazon.awscdk.Duration;
 import software.amazon.awscdk.Fn;
 import software.amazon.awscdk.RemovalPolicy;
+import software.amazon.awscdk.SecretValue;
 import software.amazon.awscdk.services.cloudfront.AllowedMethods;
 import software.amazon.awscdk.services.cloudfront.BehaviorOptions;
 import software.amazon.awscdk.services.cloudfront.CachePolicy;
@@ -20,7 +21,9 @@
 import software.amazon.awscdk.services.cloudfront.origins.HttpOriginProps;
 import software.amazon.awscdk.services.ec2.*;
 import software.amazon.awscdk.services.iam.*;
-
+import software.amazon.awscdk.services.lambda.Code;
+import software.amazon.awscdk.services.lambda.Function;
+import software.amazon.awscdk.services.lambda.Runtime;
 import software.amazon.awscdk.services.secretsmanager.Secret;
 import software.amazon.awscdk.services.secretsmanager.SecretStringGenerator;
 import software.constructs.Construct;
@@ -41,6 +44,7 @@ public class Ide extends Construct {
     private final Secret ideSecretsManagerPassword;
     private final Role workshopRole;
     private final Role lambdaRole;
+    private CustomResource passwordResource;
 
     public static class IdeProps {
         private String instanceName = "ide";
@@ -442,15 +446,15 @@ public Ide(final Construct scope, final String id, final IdeProps props) {
         // CloudFront doesn't need to wait for bootstrap - it's just infrastructure
 
         // Outputs - these should only be created if bootstrap succeeds
-        var ideUrlOutput = CfnOutput.Builder.create(this, "IdeUrl")
+        var ideUrlOutput = CfnOutput.Builder.create(this, "Url")
             .value("https://" + distribution.getDistributionDomainName())
             .description("Workshop IDE Url")
             .exportName(instanceName + "-url")
             .build();
         ideUrlOutput.getNode().addDependency(waitCondition);
 
-        var idePasswordOutput = CfnOutput.Builder.create(this, "IdePassword")
-            .value(ideSecretsManagerPassword.secretValueFromJson("password").unsafeUnwrap())
+        var idePasswordOutput = CfnOutput.Builder.create(this, "Password")
+            .value(getIdePassword(instanceName))
             .description("Workshop IDE Password")
             .exportName(instanceName + "-password")
             .build();
@@ -475,4 +479,27 @@ private String loadFile(String filePath) {
             throw new RuntimeException("Failed to load file " + filePath, e);
         }
     }
+
+    private String getIdePassword(String instanceName) {
+        if (passwordResource == null) {
+            Function passwordFunction = Function.Builder.create(this, "PasswordExporterFunction")
+                .code(Code.fromInline(loadFile("/lambda/password-exporter.py")))
+                .handler("index.lambda_handler")
+                .runtime(Runtime.PYTHON_3_13)
+                .timeout(Duration.minutes(3))
+                .functionName(instanceName + "-password-exporter")
+                .build();
+
+            ideSecretsManagerPassword.grantRead(passwordFunction);
+
+            passwordResource = CustomResource.Builder.create(this, "PasswordExporter")
+                .serviceToken(passwordFunction.getFunctionArn())
+                .properties(Map.of(
+                    "PasswordName", this.ideSecretsManagerPassword.getSecretName()
+                ))
+                .build();
+        }
+
+        return passwordResource.getAttString("password");
+    }
 }

infra/cdk/src/main/resources/lambda/password-exporter.py

@@ -0,0 +1,44 @@
+import boto3
+import json
+import traceback
+import cfnresponse
+
+secretsmanager = boto3.client('secretsmanager')
+
+def lambda_handler(event, context):
+    print(f'Event: {event}')
+    responseData = {}
+    status = cfnresponse.SUCCESS
+    physical_id = event.get('PhysicalResourceId', 'PasswordExporter')
+
+    try:
+        if event['RequestType'] == 'Delete':
+            # Nothing to clean up for password export
+            responseData = {'Message': 'Password exporter deleted'}
+            cfnresponse.send(event, context, status, responseData, physical_id)
+            return
+
+        if event['RequestType'] in ['Create', 'Update']:
+            # Get password from Secrets Manager
+            props = event['ResourceProperties']
+            password_name = props['PasswordName']
+
+            print(f'Retrieving password from secret: {password_name}')
+
+            response = secretsmanager.get_secret_value(SecretId=password_name)
+            secret_data = json.loads(response['SecretString'])
+
+            # Return the password value for CloudFormation output
+            responseData = {
+                'password': secret_data['password']
+            }
+
+            print('Successfully retrieved password from Secrets Manager')
+
+    except Exception as e:
+        status = cfnresponse.FAILED
+        tb_err = traceback.format_exc()
+        print(tb_err)
+        responseData = {'Error': tb_err}
+
+    cfnresponse.send(event, context, status, responseData, physical_id)

infra/scripts/ide/base.sh

@@ -33,14 +33,18 @@ retry_critical() {
     if command -v retry_command >/dev/null 2>&1; then
         retry_command 5 5 "FAIL" "$@"
     else
-        eval "$*"
+        local tool_name="$1"
+        shift
+        eval "$*" || { echo "💥 FATAL: $tool_name failed"; exit 1; }
     fi
 }
 retry_optional() {
     if command -v retry_command >/dev/null 2>&1; then
         retry_command 5 5 "LOG" "$@"
     else
-        eval "$*" || echo "⚠️  Warning: $* failed (continuing)"
+        local tool_name="$1"
+        shift
+        eval "$*" || echo "⚠️  Warning: $tool_name failed (continuing)"
     fi
 }
 
@@ -62,7 +66,7 @@ download_and_verify() {
     local description="$3"
 
     log_info "Downloading $description..."
-    retry_critical "wget -q '$url' -O '$output'"
+    retry_critical "$description download" "wget -q '$url' -O '$output'"
 }
 
 cd /tmp
@@ -75,7 +79,7 @@ install_java() {
     log_info "Installing Java versions 8, 17, 21, 25 and setting ${JAVA_VERSION} as default..."
 
     # Install all Java versions
-    retry_critical "sudo dnf install -y -q java-1.8.0-amazon-corretto-devel java-17-amazon-corretto-devel java-21-amazon-corretto-devel java-25-amazon-corretto-devel >/dev/null"
+    retry_critical "Java versions (8,17,21,25)" "sudo dnf install -y -q java-1.8.0-amazon-corretto-devel java-17-amazon-corretto-devel java-21-amazon-corretto-devel java-25-amazon-corretto-devel >/dev/null"
 
     # Set default Java version
     sudo update-alternatives --set java /usr/lib/jvm/java-${JAVA_VERSION}-amazon-corretto.x86_64/bin/java
@@ -95,17 +99,17 @@ install_nodejs() {
     log_info "Installing Node.js ${NODE_VERSION} and tools..."
 
     # Install NVM
-    retry_critical "curl -sS -o- https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install.sh | bash"
+    retry_critical "NVM ${NVM_VERSION}" "curl -sS -o- https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install.sh | bash"
 
     # Setup NVM environment
     export NVM_DIR="$HOME/.nvm"
     [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
     [ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"
 
     # Install Node.js and tools
-    nvm install ${NODE_VERSION}
-    nvm install-latest-npm
-    npm install -g aws-cdk artillery
+    retry_critical "Node.js ${NODE_VERSION}" "nvm install ${NODE_VERSION}"
+    retry_critical "npm (latest)" "nvm install-latest-npm"
+    retry_critical "CDK and Artillery" "npm install -g aws-cdk artillery"
 
     # Verify installations
     log_info "Node.js version: $(node -v)"
@@ -124,7 +128,7 @@ install_maven() {
     local mvn_filename=apache-maven-${MAVEN_VERSION}-bin.tar.gz
     local mvn_url="https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/${mvn_filename}"
 
-    retry_critical "curl -sS -4 -L '$mvn_url' | tar -xz"
+    retry_critical "Maven ${MAVEN_VERSION}" "curl -sS -4 -L '$mvn_url' | tar -xz"
 
     sudo mv "$mvn_foldername" /usr/lib/maven
     echo "export M2_HOME=/usr/lib/maven" | sudo tee -a /etc/profile.d/workshop.sh >/dev/null
@@ -142,14 +146,14 @@ install_aws_tools() {
     download_and_verify "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip" "aws-sam-cli-linux-x86_64.zip" "AWS SAM CLI"
 
     unzip -q aws-sam-cli-linux-x86_64.zip -d sam-installation
-    sudo ./sam-installation/install --update
+    retry_critical "SAM CLI installation" "sudo ./sam-installation/install --update"
     rm -rf ./sam-installation/ aws-sam-cli-linux-x86_64.zip
 
     log_info "SAM CLI version: $(/usr/local/bin/sam --version)"
 
     log_info "Installing Session Manager Plugin..."
     download_and_verify "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" "session-manager-plugin.rpm" "Session Manager Plugin"
-    sudo dnf -q install -y session-manager-plugin.rpm
+    retry_critical "Session Manager Plugin" "sudo dnf -q install -y session-manager-plugin.rpm"
     rm session-manager-plugin.rpm
 }
 
@@ -175,7 +179,7 @@ install_kubernetes_tools() {
     # log_info "eksctl version: $(eksctl version)"
 
     log_info "Installing Helm ${HELM_VERSION}..."
-    retry_critical "curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3"
+    retry_critical "Helm ${HELM_VERSION}" "curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3"
     chmod 700 get_helm.sh
     ./get_helm.sh --version v${HELM_VERSION}
     helm completion bash >> ~/.bash_completion
@@ -187,10 +191,10 @@ install_kubernetes_tools() {
     sudo mv eks-node-viewer /usr/local/bin
 
     log_info "Installing k9s..."
-    retry_optional "curl -sS https://webinstall.dev/k9s | bash"
+    retry_optional "k9s" "curl -sS https://webinstall.dev/k9s | bash"
 
     log_info "Installing e1s..."
-    retry_optional "curl -sL https://raw.githubusercontent.com/keidarcy/e1s-install/master/cloudshell-install.sh | bash"
+    retry_optional "e1s" "curl -sL https://raw.githubusercontent.com/keidarcy/e1s-install/master/cloudshell-install.sh | bash"
 }
 
 install_kubernetes_tools

infra/scripts/ide/bootstrap.sh

@@ -13,22 +13,22 @@ echo "Full bootstrap started at $(date)"
 echo "Parameters: GIT_BRANCH=$GIT_BRANCH, TEMPLATE_TYPE=$TEMPLATE_TYPE"
 
 # Retry utility function
-# Usage: retry_command <attempts> <delay> <fail_mode> <command...>
+# Usage: retry_command <attempts> <delay> <fail_mode> <tool_name> <command...>
 # fail_mode: "FAIL" (exit on failure), "LOG" (log and continue)
 retry_command() {
     local max_attempts="$1"
     local delay="$2"
     local fail_mode="$3"
-    shift 3
+    local tool_name="$4"
+    shift 4
     local cmd="$*"
 
     for attempt in $(seq 1 $max_attempts); do
-        echo "Attempt $attempt/$max_attempts: $cmd"
         if eval "$cmd"; then
-            echo "✅ Success on attempt $attempt"
+            echo "✅ Success: $tool_name"
             return 0
         fi
-        echo "❌ Failed on attempt $attempt"
+        echo "❌ Failed attempt $attempt/$max_attempts: $tool_name"
 
         if [ $attempt -lt $max_attempts ]; then
             echo "Waiting ${delay}s before retry..."
@@ -37,10 +37,10 @@ retry_command() {
     done
 
     if [ "$fail_mode" = "FAIL" ]; then
-        echo "💥 FATAL: Command failed after $max_attempts attempts: $cmd"
+        echo "💥 FATAL: $tool_name failed after $max_attempts attempts"
         exit 1
     else
-        echo "⚠️  WARNING: Command failed after $max_attempts attempts (continuing): $cmd"
+        echo "⚠️  WARNING: $tool_name failed after $max_attempts attempts (continuing)"
         return 1
     fi
 }
@@ -56,10 +56,10 @@ echo "$(date '+%Y-%m-%d %H:%M:%S') - Installing jq (required for secret parsing)
 dnf install -y -q jq
 
 echo "$(date '+%Y-%m-%d %H:%M:%S') - Installing AWS CLI..."
-retry_critical "curl -LSsf -o /tmp/aws-cli.zip https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip && rm -rf /tmp/aws && unzip -q -d /tmp /tmp/aws-cli.zip && /tmp/aws/install --update && rm -rf /tmp/aws*"
+retry_critical "AWS CLI" "curl -LSsf -o /tmp/aws-cli.zip https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip && rm -rf /tmp/aws && unzip -q -d /tmp /tmp/aws-cli.zip && /tmp/aws/install --update && rm -rf /tmp/aws*"
 
 echo "$(date '+%Y-%m-%d %H:%M:%S') - Installing CloudFormation helper scripts..."
-retry_critical "dnf install -y aws-cfn-bootstrap"
+retry_critical "CloudFormation helper scripts" "dnf install -y aws-cfn-bootstrap"
 
 echo "$(date '+%Y-%m-%d %H:%M:%S') - Fetching IDE password from Secrets Manager..."
 IDE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id "ide-password" --query SecretString --output text | jq -r .password)

infra/scripts/ide/vscode.sh

@@ -18,14 +18,18 @@ retry_critical() {
     if command -v retry_command >/dev/null 2>&1; then
         retry_command 5 5 "FAIL" "$@"
     else
-        eval "$*"
+        local tool_name="$1"
+        shift
+        eval "$*" || { echo "💥 FATAL: $tool_name failed"; exit 1; }
     fi
 }
 retry_optional() {
     if command -v retry_command >/dev/null 2>&1; then
         retry_command 5 5 "LOG" "$@"
     else
-        eval "$*" || echo "⚠️  Warning: $* failed (continuing)"
+        local tool_name="$1"
+        shift
+        eval "$*" || echo "⚠️  Warning: $tool_name failed (continuing)"
     fi
 }
 
@@ -46,8 +50,8 @@ echo "$(date '+%Y-%m-%d %H:%M:%S') - Installing code-server..."
 codeServer=$(dnf list installed code-server 2>/dev/null | wc -l)
 if [ "$codeServer" -eq "0" ]; then
   # Install as ec2-user with retry logic - pass version as environment variable
-  retry_critical "sudo -u ec2-user bash -c 'curl -fsSL https://code-server.dev/install.sh | sh -s -- --version $VSCODE_VERSION'"
-  retry_critical "systemctl enable --now code-server@ec2-user"
+  retry_critical "VS Code Server" "sudo -u ec2-user bash -c 'curl -fsSL https://code-server.dev/install.sh | sh -s -- --version $VSCODE_VERSION'"
+  retry_critical "VS Code Server service" "systemctl enable --now code-server@ec2-user"
 fi
 
 # Configure code-server
@@ -94,7 +98,7 @@ if [ ! -z "$EXTENSIONS" ]; then
         extension=$(echo "$extension" | xargs)
         if [ ! -z "$extension" ]; then
             echo "Installing extension: $extension"
-            retry_optional "run_as_user 'code-server --install-extension $extension --force'"
+            retry_optional "VS Code extension $extension" "run_as_user 'code-server --install-extension $extension --force'"
         fi
     done
 else
@@ -105,9 +109,9 @@ echo "Restarting code-server..."
 systemctl restart code-server@ec2-user
 
 echo "$(date '+%Y-%m-%d %H:%M:%S') - Installing Caddy..."
-retry_critical "dnf copr enable -y -q @caddy/caddy epel-9-x86_64"
-retry_critical "dnf install -y -q caddy"
-retry_critical "systemctl enable --now caddy"
+retry_critical "Caddy repository" "dnf copr enable -y -q @caddy/caddy epel-9-x86_64"
+retry_critical "Caddy" "dnf install -y -q caddy"
+retry_critical "Caddy service" "systemctl enable --now caddy"
 
 tee /etc/caddy/Caddyfile <<EOF
 :80 {