feat(migration): Enable using AWS CodeArtifact as maven mirror in Migration agent (#58)

Author: lyzustc

examples/strands_migration_agent/.bedrock_agentcore/aws_maven_mirror/Dockerfile

@@ -0,0 +1,163 @@
+# Dockerfile for the Migration agent, configured to use an AWS CodeArtifact
+# mirror of Maven Central instead of hitting repo.maven.apache.org directly.
+# This eliminates the HTTP 429 rate-limit failures seen under high-concurrency
+# RL training.
+#
+# Prerequisites (run once outside this Dockerfile):
+#   aws codeartifact create-domain --domain migration-aws-maven-mirror --region us-west-2
+#   aws codeartifact create-repository --domain migration-aws-maven-mirror --repository maven-central-cache --region us-west-2
+#   aws codeartifact associate-external-connection \
+#       --domain migration-aws-maven-mirror --repository maven-central-cache \
+#       --external-connection public:maven-central --region us-west-2
+#   # Grant the AgentCoreRuntime IAM role codeartifact:GetAuthorizationToken
+#   # and codeartifact:ReadFromRepository:
+#   aws iam put-role-policy \
+#       --role-name AgentCoreRuntime \
+#       --policy-name CodeArtifactReadAccess \
+#       --policy-document '{
+#           "Version": "2012-10-17",
+#           "Statement": [
+#               {
+#                   "Sid": "CodeArtifactRead",
+#                   "Effect": "Allow",
+#                   "Action": [
+#                       "codeartifact:GetAuthorizationToken",
+#                       "codeartifact:ReadFromRepository",
+#                       "codeartifact:GetRepositoryEndpoint"
+#                   ],
+#                   "Resource": "*"
+#               },
+#               {
+#                   "Sid": "STSServiceBearerToken",
+#                   "Effect": "Allow",
+#                   "Action": "sts:GetServiceBearerToken",
+#                   "Resource": "*",
+#                   "Condition": {
+#                       "StringEquals": {
+#                           "sts:AWSServiceName": "codeartifact.amazonaws.com"
+#                       }
+#                   }
+#               }
+#           ]
+#       }'
+
+FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+WORKDIR /app
+
+# All environment variables in one layer
+ENV UV_SYSTEM_PYTHON=1 \
+    UV_COMPILE_BYTECODE=1 \
+    UV_NO_PROGRESS=1 \
+    PYTHONUNBUFFERED=1 \
+    DOCKER_CONTAINER=1 \
+    AWS_REGION=us-west-2 \
+    AWS_DEFAULT_REGION=us-west-2 \
+    CODEARTIFACT_DOMAIN=migration-aws-maven-mirror \
+    CODEARTIFACT_DOMAIN_OWNER={your-aws-account-number}
+
+# ---------- Java code migration specific requirements ----------
+# 1. Install Java 17 as root user
+RUN apt-get update && \
+    apt-get install -y openjdk-17-jdk && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Verify Java installation
+RUN echo "=== Java Installation Verification ===" && \
+    java --version && \
+    which java
+
+# 2. Install maven
+# install tools needed for Maven first
+RUN apt-get update && \
+    apt-get install -y curl unzip && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN curl -O https://archive.apache.org/dist/maven/maven-3/3.9.6/binaries/apache-maven-3.9.6-bin.zip && \
+    unzip apache-maven-3.9.6-bin.zip -d /opt/ && \
+    rm apache-maven-3.9.6-bin.zip && \
+    ln -s /opt/apache-maven-3.9.6 /opt/maven
+
+# Set Maven environment variables
+ENV MAVEN_HOME=/opt/maven
+ENV PATH=$MAVEN_HOME/bin:$PATH
+
+RUN echo "=== Maven Installation Verification ===" && mvn --version
+
+# 3. Install Node.js (prevents some frontend plugins from downloading it
+#    at runtime, which incurs latency & introduces spammy logs)
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends nodejs && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# 4. Install git
+RUN apt-get update && \
+    apt-get install -y git && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    git config --system --add safe.directory '*' && \
+    git config --system user.email "no-reply@amazon.com" && \
+    git config --system user.name "NoReply Amazon"
+
+# 5. Install AWS CLI v2 (needed at runtime to fetch CodeArtifact auth tokens).
+#    The uv base image doesn't include it.
+RUN ARCH=$(uname -m) && \
+    case "$ARCH" in \
+      x86_64)  AWS_URL="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" ;; \
+      aarch64) AWS_URL="https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" ;; \
+      *) echo "Unsupported architecture: $ARCH"; exit 1 ;; \
+    esac && \
+    curl -sSL "$AWS_URL" -o /tmp/awscliv2.zip && \
+    unzip -q /tmp/awscliv2.zip -d /tmp && \
+    /tmp/aws/install && \
+    rm -rf /tmp/awscliv2.zip /tmp/aws && \
+    aws --version
+
+# ----------
+
+COPY . .
+# Install local toolkit from build context, then install example deps
+RUN --mount=type=bind,from=toolkit,source=.,target=/toolkit \
+    uv pip install /toolkit && uv pip install .
+
+
+
+RUN uv pip install aws-opentelemetry-distro==0.12.2
+
+# 6. Install Maven settings.xml that mirrors all traffic through AWS CodeArtifact.
+#    Placed at two locations:
+#      - /opt/maven/conf/settings.xml (global, used by any user running mvn)
+#      - /home/bedrock_agentcore/.m2/settings.xml (per-user, explicit)
+#    Both point to the same file; Maven reads the user location if present,
+#    otherwise the global.
+COPY maven-settings.xml /opt/maven/conf/settings.xml
+
+# 7. Install entrypoint script that fetches a CodeArtifact auth token at
+#    container startup. No in-container refresh loop is needed because
+#    AgentCore spawns a fresh container per session (<= 30min lifetime),
+#    always within a single 12h token TTL. Future containers spawned hours
+#    or days later will fetch their own fresh tokens at their own startup.
+COPY entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/entrypoint.sh
+
+# 8. Create non-root user and set up their Maven config.
+#    The symlink points the user-level settings at the global one so there's
+#    only one file to maintain.
+RUN useradd -m -u 1000 bedrock_agentcore && \
+    mkdir -p /home/bedrock_agentcore/.m2 && \
+    ln -sf /opt/maven/conf/settings.xml /home/bedrock_agentcore/.m2/settings.xml && \
+    chown -R bedrock_agentcore:bedrock_agentcore /home/bedrock_agentcore
+
+USER bedrock_agentcore
+
+EXPOSE 9000
+EXPOSE 8000
+EXPOSE 8080
+
+
+# Use the full module path
+# Entrypoint obtains the CodeArtifact auth token, starts a background
+# token-refresh loop, then execs the original agent command.
+CMD ["/app/entrypoint.sh"]

…mples/strands_migration_agent/Dockerfile …edrock_agentcore/public_maven/Dockerfileexamples/strands_migration_agent/Dockerfile renamed to examples/strands_migration_agent/.bedrock_agentcore/public_maven/Dockerfile examples/strands_migration_agent/Dockerfile renamed to examples/strands_migration_agent/.bedrock_agentcore/public_maven/Dockerfile

@@ -168,7 +168,7 @@ Build the docker image:
 docker buildx build \
   --build-context toolkit=$TOOLKIT_ROOT \
   -t migration:dev --load \
-  -f $MIGRATION_DIR/Dockerfile \
+  -f $MIGRATION_DIR/.bedrock_agentcore/public_maven/Dockerfile \
   $MIGRATION_DIR
 ```
 
@@ -207,12 +207,57 @@ cp .env.example .env
 # Make sure this is configured (e.g., run `aws configure`) before proceeding.
 
 ./scripts/build_docker_image_and_push_to_ecr.sh \
-  --dockerfile=$MIGRATION_DIR/Dockerfile \
+  --dockerfile=$MIGRATION_DIR/.bedrock_agentcore/public_maven/Dockerfile \
   --tag=dev \
   --context=$MIGRATION_DIR \
   --additional-context=toolkit=$TOOLKIT_ROOT
 ```
 
+### Maven Mirror
+
+The docker file `$MIGRATION_DIR/.bedrock_agentcore/public_maven/Dockerfile` in above commands uses public maven [source](https://repo.maven.apache.org/) to download Java dependencies. While it works reliably at most scenarios, we found sometimes in RL training, public maven source may restrict Internet acess as too many AgentCore Runtime sessions are downloading from maven at the same time, causing these sessions fail due to timeout. If you meet the same issue, please use the docker file `$MIGRATION_DIR/.bedrock_agentcore/aws_maven_mirror/Dockerfile` to build Migration agent instead. It creates a maven download mirror source at AWS CodeArtifact, which caches all downloaded Java dependencies so AgentCore Runtime sessions can directly fetch them instead of always downloading them from public maven.
+
+First run the following commands to setup your AWS CodeArtifact repo for maven mirror source:
+```bash
+aws codeartifact create-domain --domain migration-aws-maven-mirror --region us-west-2
+aws codeartifact create-repository --domain migration-aws-maven-mirror --repository maven-central-cache --region us-west-2
+aws codeartifact associate-external-connection \
+    --domain migration-aws-maven-mirror --repository maven-central-cache \
+    --external-connection public:maven-central --region us-west-2
+# Grant the AgentCoreRuntime IAM role codeartifact:GetAuthorizationToken
+# and codeartifact:ReadFromRepository:
+aws iam put-role-policy \
+    --role-name AgentCoreRuntime \
+    --policy-name CodeArtifactReadAccess \
+    --policy-document '{
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "CodeArtifactRead",
+                "Effect": "Allow",
+                "Action": [
+                    "codeartifact:GetAuthorizationToken",
+                    "codeartifact:ReadFromRepository",
+                    "codeartifact:GetRepositoryEndpoint"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Sid": "STSServiceBearerToken",
+                "Effect": "Allow",
+                "Action": "sts:GetServiceBearerToken",
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "sts:AWSServiceName": "codeartifact.amazonaws.com"
+                    }
+                }
+            }
+        ]
+    }'
+```
+Then replace all `{your-aws-account-number}` in maven-setting.xml, entrypoint.sh and .bedrock_agentcore/aws_maven_mirror/Dockerfile with your AWS account number, finally follow the same commands but changing the docker file path in above sections to build Migration agent.
+
 ## Deploy
 
 Create your `config.toml` file and fill in the `[agentcore]` section:

examples/strands_migration_agent/README.md

@@ -0,0 +1,29 @@
+#!/bin/bash
+# Container entrypoint: obtain a CodeArtifact auth token, then exec the agent.
+
+set -e
+
+DOMAIN="${CODEARTIFACT_DOMAIN:-migration-aws-maven-mirror}"
+DOMAIN_OWNER="${CODEARTIFACT_DOMAIN_OWNER:-{your-aws-account-number}}"
+REGION="${AWS_REGION:-us-west-2}"
+
+echo "$(date -Iseconds) [entrypoint] fetching CodeArtifact auth token (domain=${DOMAIN}, region=${REGION})" >&2
+
+# Fetch token. If this fails, Maven will get 401/403 from CodeArtifact and
+# all builds in the session will fail. A hard exit here surfaces the problem
+# early rather than causing confusing Maven errors later.
+if ! CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
+        --domain "${DOMAIN}" \
+        --domain-owner "${DOMAIN_OWNER}" \
+        --region "${REGION}" \
+        --query authorizationToken \
+        --output text); then
+    echo "$(date -Iseconds) [entrypoint] ERROR: failed to obtain CodeArtifact token" >&2
+    echo "$(date -Iseconds) [entrypoint] Check that the runtime IAM role has codeartifact:GetAuthorizationToken permission" >&2
+    echo "$(date -Iseconds) [entrypoint] and that CodeArtifact domain '${DOMAIN}' exists in account ${DOMAIN_OWNER}" >&2
+    exit 1
+fi
+export CODEARTIFACT_AUTH_TOKEN
+
+echo "$(date -Iseconds) [entrypoint] token obtained, launching agent" >&2
+exec opentelemetry-instrument python -m rl_app

examples/strands_migration_agent/entrypoint.sh

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Maven settings pointing all Maven traffic at an AWS CodeArtifact mirror.
+  CodeArtifact caches Maven Central artifacts inside AWS, eliminating the
+  public Maven Central per-IP HTTP 429 rate limit.
+  Prerequisites and AWS CLI setup commands are in the aws_maven_mirror
+  Dockerfile header; see also entrypoint.sh which populates
+  CODEARTIFACT_AUTH_TOKEN at container startup.
+-->
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
+
+  <servers>
+    <server>
+      <id>aws-codeartifact</id>
+      <username>aws</username>
+      <password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
+    </server>
+  </servers>
+
+  <mirrors>
+    <mirror>
+      <id>aws-codeartifact</id>
+      <name>AWS CodeArtifact Maven Central cache</name>
+      <!-- Update domain/repo/account/region here if you use different names -->
+      <url>https://migration-aws-maven-mirror-{your-aws-account-number}.d.codeartifact.us-west-2.amazonaws.com/maven/maven-central-cache/</url>
+      <mirrorOf>*</mirrorOf>
+    </mirror>
+  </mirrors>
+
+  <profiles>
+    <profile>
+      <id>aws-codeartifact</id>
+      <repositories>
+        <repository>
+          <id>aws-codeartifact</id>
+          <url>https://migration-aws-maven-mirror-{your-aws-account-number}.d.codeartifact.us-west-2.amazonaws.com/maven/maven-central-cache/</url>
+          <releases><enabled>true</enabled></releases>
+          <snapshots><enabled>true</enabled></snapshots>
+        </repository>
+      </repositories>
+      <pluginRepositories>
+        <pluginRepository>
+          <id>aws-codeartifact</id>
+          <url>https://migration-aws-maven-mirror-{your-aws-account-number}.d.codeartifact.us-west-2.amazonaws.com/maven/maven-central-cache/</url>
+          <releases><enabled>true</enabled></releases>
+          <snapshots><enabled>true</enabled></snapshots>
+        </pluginRepository>
+      </pluginRepositories>
+    </profile>
+  </profiles>
+
+  <activeProfiles>
+    <activeProfile>aws-codeartifact</activeProfile>
+  </activeProfiles>
+
+</settings>