Merge master into feature/cloudformation

Author: aws-toolkit-automation

packages/core/resources/hyperpod_connect

@@ -6,25 +6,15 @@
 # HyperPod is AWS's managed service for distributed machine learning training at scale.
 #
 # OVERVIEW:
-# The script acts as a wrapper around the AWS SSM CLI to create a secure session tunnel to a HyperPod 
-# compute instance. It validates required parameters, logs the connection attempt, and executes the 
-# SSM StartSession command with HyperPod-specific connection details.
-#
-# REQUIRED ENVIRONMENT VARIABLES:
-#   AWS_REGION          - AWS region where the HyperPod cluster is located (e.g., us-west-2)
-#   AWS_SSM_CLI         - Path to the AWS SSM CLI executable
-#   STREAM_URL          - WebSocket stream URL for the HyperPod session connection
-#   TOKEN               - Authentication token for the HyperPod session
-#   SESSION_ID          - Unique identifier for the HyperPod session
+# The script always gets fresh credentials from the reconnection manager and uses them to establish
+# a secure session tunnel to a HyperPod compute instance.
 #
 # OPTIONAL ENVIRONMENT VARIABLES:
 #   LOG_FILE_LOCATION   - Path to log file (default: /tmp/hyperpod_connect.log)
 #   DEBUG_LOG           - Enable debug logging (default: 0)
 #
 # USAGE:
-#   AWS_REGION=us-west-2 AWS_SSM_CLI=/usr/local/bin/session-manager-plugin \
-#   STREAM_URL=wss://... TOKEN=abc123... SESSION_ID=session-xyz \
-#   ./hyperpod_connect
+#   ./hyperpod_connect hp_demo1
 #
 # SECURITY NOTE:
 # This script handles sensitive authentication tokens. Ensure proper file permissions
@@ -57,6 +47,28 @@ _require() {
     _log "$1=$2"
 }
 
+_url_encode() {
+    python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))" "$1"
+}
+
+_resolve_connection_key() {
+    local DEVSPACE_NAME=$1
+    local PROFILES_FILE="$HOME/.aws/.hyperpod-space-profiles"
+    
+    [ ! -f "$PROFILES_FILE" ] && echo "$DEVSPACE_NAME" && return
+    
+    python3 -c "
+import json
+try:
+    with open('$PROFILES_FILE', 'r') as f:
+        profiles = json.load(f)
+    matches = sorted([k for k in profiles.keys() if k.endswith(':$DEVSPACE_NAME')])
+    print(matches[0] if matches else '$DEVSPACE_NAME')
+except:
+    print('$DEVSPACE_NAME')
+" 2>/dev/null
+}
+
 _hyperpod() {
     # Function inputs
     local AWS_SSM_CLI=$1
@@ -68,19 +80,129 @@ _hyperpod() {
     exec "$AWS_SSM_CLI" "{\"streamUrl\":\"$STREAM_URL\",\"tokenValue\":\"$TOKEN\",\"sessionId\":\"$SESSION_ID\"}" "$AWS_REGION" "StartSession"
 }
 
+_get_fresh_credentials() {
+    local CONNECTION_KEY=$1
+    
+    _log "Getting fresh credentials for connection key: $CONNECTION_KEY"
+    
+    # Read server info to get port
+    if [ -z "$SAGEMAKER_LOCAL_SERVER_FILE_PATH" ]; then
+        _log "Error: SAGEMAKER_LOCAL_SERVER_FILE_PATH environment variable is not set"
+        exit 1
+    fi
+    
+    if [ ! -f "$SAGEMAKER_LOCAL_SERVER_FILE_PATH" ]; then
+        _log "Error: Server info file not found: $SAGEMAKER_LOCAL_SERVER_FILE_PATH"
+        exit 1
+    fi
+    
+    local PORT=$(jq -r '.port' "$SAGEMAKER_LOCAL_SERVER_FILE_PATH")
+    if [ -z "$PORT" ] || [ "$PORT" == "null" ]; then
+        _log "Error: 'port' field is missing or invalid in $SAGEMAKER_LOCAL_SERVER_FILE_PATH"
+        exit 1
+    fi
+    
+    # Call API to get fresh credentials using the determined connection key
+    local API_URL
+    if [[ "$CONNECTION_KEY" =~ ^[^:]+:[^:]+:[^:]+$ ]]; then
+        # Use full connection key for precise lookup (preferred)
+        API_URL="http://localhost:$PORT/get_hyperpod_session?connection_key=$(_url_encode "$CONNECTION_KEY")"
+    elif [ -n "$CLUSTER_NAME" ] && [ -n "$NAMESPACE" ]; then
+        # Use individual parameters if available
+        API_URL="http://localhost:$PORT/get_hyperpod_session?devspace_name=$(_url_encode "$DEVSPACE_NAME")&namespace=$(_url_encode "$NAMESPACE")&cluster_name=$(_url_encode "$CLUSTER_NAME")"
+    else
+        # Fallback for legacy format
+        API_URL="http://localhost:$PORT/get_hyperpod_session?connection_key=$(_url_encode "$CONNECTION_KEY")"
+    fi
+    API_RESPONSE=$(curl -s "$API_URL")
+    
+    if [ $? -ne 0 ] || [ -z "$API_RESPONSE" ]; then
+        _log "Error: Failed to get credentials from API"
+        exit 1
+    fi
+    
+    # Parse JSON once and check for error response
+    read -r STATUS ERROR_MSG CONNECTION_URL < <(echo "$API_RESPONSE" | python3 -c "import sys, json; data=json.load(sys.stdin); print(data.get('status', 'success'), data.get('message', ''), data.get('connection', {}).get('url', ''))" 2>/dev/null) || {
+        _log "Error: Failed to parse API response JSON"
+        exit 1
+    }
+    if [ "$STATUS" = "error" ]; then
+        _log "Error from API: ${ERROR_MSG:-Unknown error}"
+        exit 1
+    fi
+    
+    _log "Fresh credentials obtained from API"
+}
+
 _main() {
     # Set defaults for missing environment variables
     DEBUG_LOG=${DEBUG_LOG:-0}
     LOG_FILE_LOCATION=${LOG_FILE_LOCATION:-/tmp/hyperpod_connect.log}
 
+    if [ $# -ne 1 ]; then
+        _log "Usage: $0 hp_<devspace_name>"
+        exit 1
+    fi
+
+    # Extract devspace name, cluster name, and namespace from hostname
+    # New format: hp_{cluster_name}_{namespace}_{space_name}_{region}_{account_id}
+    # Old format: hp_{devspace} (for backward compatibility)
+    if [[ "$1" =~ ^hp_([^_]+)_([^_]+)_([^_]+)_([^_]+)_([^_]+)$ ]]; then
+        # New format: cluster_namespace_space_region_account
+        CLUSTER_NAME="${BASH_REMATCH[1]}"
+        NAMESPACE="${BASH_REMATCH[2]}"
+        DEVSPACE_NAME="${BASH_REMATCH[3]}"
+        # Construct the expected connection key (cluster:namespace:devspace)
+        CONNECTION_KEY="${CLUSTER_NAME}:${NAMESPACE}:${DEVSPACE_NAME}"
+    else
+        # Old format or fallback - extract devspace name only
+        DEVSPACE_NAME=$(echo "$1" | sed 's/hp_//')
+        CLUSTER_NAME=""
+        NAMESPACE=""
+        CONNECTION_KEY=""
+    fi
+    
+    # For new format, we already have the connection key constructed from hostname
+    # For old format, look up the connection key from the hyperpod profiles file
+    [ -z "$CONNECTION_KEY" ] && CONNECTION_KEY=$(_resolve_connection_key "$DEVSPACE_NAME")
+    
+    if [ -z "$CONNECTION_KEY" ]; then
+        _log "Error: Could not determine connection key for devspace: $DEVSPACE_NAME"
+        exit 1
+    fi
+    
     _log "=============================================================================="
-    _require AWS_REGION "${AWS_REGION:-}"
-    _require AWS_SSM_CLI "${AWS_SSM_CLI:-}"
-    _require SESSION_ID "${SESSION_ID:-}"
-    _require_nolog STREAM_URL "${STREAM_URL:-}"
-    _require_nolog TOKEN "${TOKEN:-}"
+    _log "Connecting to HyperPod devspace: $DEVSPACE_NAME (connection key: $CONNECTION_KEY)"
+    
+    # Always get fresh credentials (CONNECTION_URL is set by _get_fresh_credentials)
+    _get_fresh_credentials "$CONNECTION_KEY"
+    
+    if [[ "$CONNECTION_URL" =~ ^wss:// ]]; then
+        # Presigned URL format - extract session ID from path and token from cell-number param
+        SESSION_ID=$(echo "$CONNECTION_URL" | python3 -c "import sys, urllib.parse; url=sys.stdin.read().strip(); path=urllib.parse.urlparse(url).path; session_id=path.split('/')[-1] if path else ''; print(session_id)" 2>/dev/null)
+        TOKEN=$(echo "$CONNECTION_URL" | python3 -c "import sys, urllib.parse; url=sys.stdin.read().strip(); params=urllib.parse.parse_qs(urllib.parse.urlparse(url).query); print(params.get('cell-number', [''])[0])" 2>/dev/null)
+        STREAM_URL="$CONNECTION_URL"
+    else
+        # Kubectl format - extract from query params
+        SESSION_ID=$(echo "$CONNECTION_URL" | python3 -c "import sys, urllib.parse; url=sys.stdin.read().strip(); params=urllib.parse.parse_qs(urllib.parse.urlparse(url).query); print(params.get('sessionId', [''])[0])" 2>/dev/null)
+        TOKEN=$(echo "$CONNECTION_URL" | python3 -c "import sys, urllib.parse; url=sys.stdin.read().strip(); params=urllib.parse.parse_qs(urllib.parse.urlparse(url).query); print(params.get('sessionToken', [''])[0])" 2>/dev/null)
+        STREAM_URL=$(echo "$CONNECTION_URL" | python3 -c "import sys, urllib.parse; url=sys.stdin.read().strip(); params=urllib.parse.parse_qs(urllib.parse.urlparse(url).query); print(params.get('streamUrl', [''])[0])" 2>/dev/null)
+    fi
+    
+    # Extract region from stream URL
+    AWS_REGION=$(echo "$STREAM_URL" | grep -o '\.[a-z0-9-]*\.amazonaws\.com' | sed 's/^\.//;s/\.amazonaws\.com$//')
+    AWS_SSM_CLI="${AWS_SSM_CLI:-session-manager-plugin}"
+    
+    # Validate required parameters (SESSION_ID, STREAM_URL, TOKEN are fetched from API, not validated here)
+    _require AWS_REGION "${AWS_REGION}"
+    _require AWS_SSM_CLI "${AWS_SSM_CLI}"
+    
+    if [ -z "${SESSION_ID}" ] || [ -z "${STREAM_URL}" ] || [ -z "${TOKEN}" ]; then
+        _log "Error: Failed to retrieve valid session credentials from API"
+        exit 1
+    fi
 
     _hyperpod "$AWS_SSM_CLI" "$AWS_REGION" "$STREAM_URL" "$TOKEN" "$SESSION_ID"
 }
 
-_main
+_main "$@"

packages/core/resources/hyperpod_connect.ps1

@@ -0,0 +1,135 @@
+# HyperPod Connection Script (PowerShell)
+# 
+# This script establishes a connection to an AWS SageMaker HyperPod instance using AWS Systems Manager (SSM).
+
+param(
+    [Parameter(Mandatory=$true)]
+    [string]$HostName
+)
+
+$ErrorActionPreference = "Stop"
+
+$DebugLog = $env:DEBUG_LOG -eq "1"
+$LogFileLocation = if ($env:LOG_FILE_LOCATION) { $env:LOG_FILE_LOCATION } else { "$env:TEMP\hyperpod_connect.log" }
+
+function Write-Log {
+    param([string]$Message)
+    $timestamp = Get-Date -Format "yyyy/MM/dd HH:mm:ss"
+    "$timestamp $Message" | Out-File -FilePath $LogFileLocation -Append -Encoding utf8
+}
+
+function Get-FreshCredentials {
+    param([string]$ConnectionKey)
+    
+    Write-Log "Getting fresh credentials for connection key: $ConnectionKey"
+    
+    # Read server info to get port
+    $serverInfoFile = "$env:APPDATA\Code\User\globalStorage\amazonwebservices.aws-toolkit-vscode\sagemaker-local-server-info.json"
+    if (-not (Test-Path $serverInfoFile)) {
+        Write-Log "Error: Server info file not found: $serverInfoFile"
+        exit 1
+    }
+    
+    $serverInfo = Get-Content $serverInfoFile | ConvertFrom-Json
+    $port = $serverInfo.port
+    
+    if (-not $port) {
+        Write-Log "Error: Could not extract port from server info file"
+        exit 1
+    }
+    
+    # Call API to get fresh credentials
+    $apiUrl = "http://localhost:$port/get_hyperpod_session?connection_key=$ConnectionKey"
+    
+    try {
+        $response = Invoke-RestMethod -Uri $apiUrl -Method Get
+        Write-Log "Fresh credentials obtained from API"
+        return $response
+    } catch {
+        Write-Log "Error: Failed to get credentials from API: $_"
+        exit 1
+    }
+}
+
+function Main {
+    Write-Log "=============================================================================="
+    
+    # Parse hostname format: hp_{cluster_name}_{namespace}_{space_name}_{region}_{account_id}
+    if ($HostName -match '^hp_([^_]+)_([^_]+)_([^_]+)_([^_]+)_([^_]+)$') {
+        $clusterName = $Matches[1]
+        $namespace = $Matches[2]
+        $devspaceName = $Matches[3]
+        $connectionKey = "${clusterName}:${namespace}:${devspaceName}"
+    } else {
+        # Old format fallback
+        $devspaceName = $HostName -replace '^hp_', ''
+        $profilesFile = "$env:USERPROFILE\.aws\.hyperpod-space-profiles"
+        
+        if (Test-Path $profilesFile) {
+            $profiles = Get-Content $profilesFile | ConvertFrom-Json
+            $matches = $profiles.PSObject.Properties.Name | Where-Object { $_ -match ":$devspaceName$" } | Sort-Object
+            $connectionKey = if ($matches) { $matches[0] } else { $devspaceName }
+        } else {
+            $connectionKey = $devspaceName
+        }
+    }
+    
+    if (-not $connectionKey) {
+        Write-Log "Error: Could not determine connection key for devspace: $devspaceName"
+        exit 1
+    }
+    
+    Write-Log "Connecting to HyperPod devspace: $devspaceName (connection key: $connectionKey)"
+    
+    # Get fresh credentials
+    $apiResponse = Get-FreshCredentials -ConnectionKey $connectionKey
+    
+    # Parse connection URL
+    $connectionUrl = [System.Web.HttpUtility]::HtmlDecode($apiResponse.connection.url)
+    $uri = [System.Uri]$connectionUrl
+    $queryParams = [System.Web.HttpUtility]::ParseQueryString($uri.Query)
+    
+    $sessionId = $queryParams['sessionId']
+    $token = $queryParams['sessionToken'] -replace ' ', '+'
+    $streamUrl = [System.Web.HttpUtility]::UrlDecode($queryParams['streamUrl']) -replace ' ', '+'
+    
+    # Add cell-number if present (and fix spaces)
+    $cellNumber = $queryParams['cell-number']
+    if ($cellNumber) {
+        $cellNumberDecoded = [System.Web.HttpUtility]::UrlDecode($cellNumber) -replace ' ', '+'
+        $streamUrl += "&cell-number=$cellNumberDecoded"
+    }
+    
+    # Extract region from stream URL
+    if ($streamUrl -match '\.([a-z0-9-]+)\.amazonaws\.com') {
+        $awsRegion = $Matches[1]
+    } else {
+        Write-Log "Error: Could not extract region from stream URL"
+        exit 1
+    }
+    
+    # Find session-manager-plugin
+    $awsSsmCli = $env:AWS_SSM_CLI
+    if (-not $awsSsmCli) {
+        # Try bundled version first
+        $bundledPath = "$env:APPDATA\Code\User\globalStorage\amazonwebservices.aws-toolkit-vscode\tools\Amazon\sessionmanagerplugin\bin\session-manager-plugin.exe"
+        if (Test-Path $bundledPath) {
+            $awsSsmCli = $bundledPath
+        } else {
+            # Fallback to PATH
+            $awsSsmCli = "session-manager-plugin"
+        }
+    }
+    
+    Write-Log "AWS_REGION=$awsRegion"
+    Write-Log "AWS_SSM_CLI=$awsSsmCli"
+    Write-Log "SESSION_ID=$sessionId"
+    
+    # Execute session-manager-plugin with proper JSON escaping (same as Studio script)
+    & $awsSsmCli "{\`"streamUrl\`":\`"${streamUrl}\`",\`"tokenValue\`":\`"${token}\`",\`"sessionId\`":\`"${sessionId}\`"}" "$awsRegion" "StartSession"
+}
+
+# Load required assembly for URL decoding
+Add-Type -AssemblyName System.Web
+
+Main

packages/core/src/awsService/sagemaker/commands.ts

@@ -146,7 +146,10 @@ export async function deeplinkConnect(
             wsUrl,
             token,
             domain,
-            appType
+            appType,
+            workspaceName,
+            undefined,
+            namespace
         )
 
         try {