Merge pull request #119 from awslabs/request_timeouts

fix: Refactor AWS timeouts and capacity-aware status handling

Author: kirillsc

config/README.md

@@ -14,15 +14,17 @@ This section configures AWS SDK behavior:
 "aws": {
   "region": "us-east-1",
   "profile": "default",
-  "max_retries": 3,
-  "timeout": 30
+  "aws_max_retries": 3,
+  "aws_connect_timeout": 10,
+  "aws_read_timeout": 30
 }
 ```
 
 - `region`: AWS region to use for API calls
 - `profile`: AWS profile to use for credentials
-- `max_retries`: Number of retries for AWS API calls
-- `timeout`: Timeout in seconds for AWS API calls
+- `aws_max_retries`: Number of retries for AWS API calls
+- `aws_connect_timeout`: Connection timeout in seconds for AWS API calls
+- `aws_read_timeout`: Timeout in seconds for AWS API calls
 
 ### Logging Configuration (`logging`)
 

dev-tools/admin/README.md

@@ -0,0 +1,5 @@
+# Admin Tools
+
+Utilities intended for administrative maintenance tasks.
+
+- `dev-tools/admin/terminate_req_instances.py`: terminates EC2 instances whose `Name` tag starts with a prefix (default `req-`) in a chosen region, with optional dry-run.

dev-tools/admin/terminate_req_instances.py

@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+
+import argparse
+import sys
+from typing import Iterable, List
+
+import boto3
+from botocore.exceptions import ClientError
+
+ACTIVE_STATES = [
+    "pending",
+    "running",
+    "stopping",
+    "stopped",
+    "shutting-down",
+]
+
+
+def _chunked(items: List[str], size: int) -> Iterable[List[str]]:
+    for start in range(0, len(items), size):
+        yield items[start : start + size]
+
+
+def _collect_instance_ids(ec2_client, name_prefix: str) -> List[str]:
+    paginator = ec2_client.get_paginator("describe_instances")
+    filters = [
+        {"Name": "tag:Name", "Values": [f"{name_prefix}*"]},
+        {"Name": "instance-state-name", "Values": ACTIVE_STATES},
+    ]
+
+    instance_ids: List[str] = []
+    for page in paginator.paginate(Filters=filters):
+        for reservation in page.get("Reservations", []):
+            for instance in reservation.get("Instances", []):
+                instance_id = instance.get("InstanceId")
+                if instance_id:
+                    instance_ids.append(instance_id)
+
+    return instance_ids
+
+
+def _terminate_instances(ec2_client, instance_ids: List[str], dry_run: bool) -> None:
+    if not instance_ids:
+        print("No instances found to terminate.")
+        return
+
+    print(f"Found {len(instance_ids)} instance(s) to terminate.")
+    for chunk in _chunked(instance_ids, 1000):
+        try:
+            ec2_client.terminate_instances(InstanceIds=chunk, DryRun=dry_run)
+            if dry_run:
+                print(f"Dry run succeeded for {len(chunk)} instance(s): {chunk}")
+            else:
+                print(f"Termination started for {len(chunk)} instance(s): {chunk}")
+        except ClientError as exc:
+            if dry_run and exc.response.get("Error", {}).get("Code") == "DryRunOperation":
+                print(f"Dry run succeeded for {len(chunk)} instance(s): {chunk}")
+                continue
+            raise
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(
+        description="Terminate EC2 instances in a region whose Name tag starts with a prefix."
+    )
+    parser.add_argument("--region", default="eu-west-1", help="AWS region (default: eu-west-1)")
+    parser.add_argument(
+        "--prefix",
+        default="req-",
+        help='Name tag prefix to match (default: "req-")',
+    )
+    parser.add_argument(
+        "--dry-run",
+        action="store_true",
+        help="Validate permissions without terminating instances.",
+    )
+    args = parser.parse_args()
+
+    session = boto3.session.Session()
+    ec2_client = session.client("ec2", region_name=args.region)
+
+    try:
+        instance_ids = _collect_instance_ids(ec2_client, args.prefix)
+        _terminate_instances(ec2_client, instance_ids, args.dry_run)
+    except ClientError as exc:
+        print(f"AWS error: {exc}", file=sys.stderr)
+        return 1
+
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

src/api/documentation/openapi_config.py

@@ -141,9 +141,9 @@ def _get_api_description() -> str:
 def _get_security_scheme_name(strategy: str) -> str:
     """Get security scheme name for the given auth strategy."""
     scheme_mapping = {
-        "bearer_token": "BearerAuth",
-        "iam": "AWSAuth",
-        "cognito": "CognitoAuth",
+        "bearer_token": "BearerAuth",  # nosec B105
+        "iam": "AWSAuth",  # nosec B105
+        "cognito": "CognitoAuth",  # nosec B105
     }
     return scheme_mapping.get(strategy)
 

src/application/queries/handlers.py

@@ -931,6 +931,31 @@ def _determine_request_status_from_machines(
             request_type = request.request_type
             provider_metadata = provider_metadata or {}
 
+            # If provisioning already recorded a failure, keep the request terminal.
+            metadata = getattr(request, "metadata", {}) or {}
+            error_details = getattr(request, "error_details", {}) or {}
+
+            provisioning_error_type = metadata.get("error_type")
+            provisioning_error_message = metadata.get("error_message")
+            fleet_errors = metadata.get("fleet_errors")
+            ec2_fleet_errors = (error_details.get("ec2_fleet") or {}).get("errors")
+
+            if provisioning_error_type or fleet_errors or ec2_fleet_errors:
+                status_message = provisioning_error_message or "Provisioning failed"
+                if not status_message.lower().startswith("provisioning failed"):
+                    status_message = f"Provisioning failed: {status_message}"
+                if current_status != RequestStatus.FAILED:
+                    return (RequestStatus.FAILED.value, status_message)
+                return (None, None)
+
+            if current_status in [
+                RequestStatus.COMPLETED,
+                RequestStatus.FAILED,
+                RequestStatus.CANCELLED,
+                RequestStatus.TIMEOUT,
+            ]:
+                return (None, None)
+
             # Count machines by status from provider data (most up-to-date)
             provider_machine_count = len(machine_objects_from_provider)
             database_machine_count = len(machine_objects_from_database)

src/config/README.md

@@ -53,8 +53,9 @@ Comprehensive validation system for all configuration sections.
   "aws": {
     "region": "us-east-1",
     "profile": "default",
-    "max_retries": 3,
-    "timeout": 30,
+    "aws_max_retries": 3,
+    "aws_connect_timeout": 10,
+    "aws_read_timeout": 30,
     "access_key_id": null,
     "secret_access_key": null,
     "session_token": null
@@ -65,8 +66,9 @@ Comprehensive validation system for all configuration sections.
 **Fields:**
 - `region`: Cloud region for API calls
 - `profile`: Credential profile to use
-- `max_retries`: Number of API call retries
-- `timeout`: API call timeout in seconds
+- `aws_max_retries`: Number of API call retries
+- `aws_connect_timeout`: Connection timeout in seconds
+- `aws_read_timeout`: API call timeout in seconds
 - `access_key_id`: Direct access key (optional)
 - `secret_access_key`: Direct secret key (optional)
 - `session_token`: Session token for temporary credentials (optional)
@@ -236,8 +238,9 @@ log_level = config.get_logging_config().level
 # Configuration is type-safe with dataclasses
 aws_config = config.get_aws_config()
 assert isinstance(aws_config.region, str)
-assert isinstance(aws_config.max_retries, int)
-assert isinstance(aws_config.timeout, int)
+assert isinstance(aws_config.aws_max_retries, int)
+assert isinstance(aws_config.aws_connect_timeout, int)
+assert isinstance(aws_config.aws_read_timeout, int)
 
 # Optional fields are properly typed
 if aws_config.access_key_id is not None:
@@ -323,11 +326,15 @@ def validate_aws_config(aws_config: AWSConfig) -> None:
         raise ValueError("AWS region is required")
 
     # Retry validation
-    if aws_config.max_retries < 0:
+    if aws_config.aws_max_retries < 0:
         raise ValueError("Max retries cannot be negative")
 
+    # Connection timeout validation
+    if aws_config.aws_connect_timeout <= 0:
+        raise ValueError("Connect timeout must be positive")
+
     # Timeout validation
-    if aws_config.timeout <= 0:
+    if aws_config.aws_read_timeout <= 0:
         raise ValueError("Timeout must be positive")
 
     # Credential validation
@@ -392,8 +399,9 @@ def validate_repository_config(repo_config: RepositoryConfig) -> None:
 {
   "aws": {
     "region": "us-east-1",
-    "max_retries": 5,
-    "timeout": 60
+    "aws_max_retries": 5,
+    "aws_connect_timeout": 10,
+    "aws_read_timeout": 60
   },
   "logging": {
     "level": "INFO",

src/config/loader.py

@@ -67,6 +67,7 @@ class ConfigurationLoader:
         "AWS_KEY_FILE": ("aws", "key_file"),
         "AWS_PROXY_HOST": ("aws", "proxy_host"),
         "AWS_PROXY_PORT": ("aws", "proxy_port"),
+        "AWS_CONNECT_TIMEOUT": ("aws", "aws_connect_timeout"),
         "AWS_CONNECTION_TIMEOUT_MS": ("aws", "connection_timeout_ms"),
         "AWS_REQUEST_RETRY_ATTEMPTS": ("aws", "request_retry_attempts"),
         "AWS_INSTANCE_PENDING_TIMEOUT_SEC": ("aws", "instance_pending_timeout_sec"),

src/config/validators/config_validator.py

@@ -71,14 +71,17 @@ def _validate_business_rules(self, config: AppConfig, result: ValidationResult)
                     aws_config = provider.config
 
                     # Validate AWS-specific business rules
-                    if hasattr(aws_config, "max_retries") and aws_config.max_retries > 10:
+                    if hasattr(aws_config, "aws_max_retries") and aws_config.aws_max_retries > 10:
                         result.add_warning(
-                            f"AWS provider '{provider.name}' max_retries is very high, consider reducing for better performance"
+                            f"AWS provider '{provider.name}' aws_max_retries is very high, consider reducing for better performance"
                         )
 
-                    if hasattr(aws_config, "timeout") and aws_config.timeout > 300:
+                    if (
+                        hasattr(aws_config, "aws_read_timeout")
+                        and aws_config.aws_read_timeout > 300
+                    ):
                         result.add_warning(
-                            f"AWS provider '{provider.name}' timeout is very high, consider reducing to avoid long waits"
+                            f"AWS provider '{provider.name}' aws_read_timeout is very high, consider reducing to avoid long waits"
                         )
 
         # Validate template configuration

src/infrastructure/auth/strategy/no_auth_strategy.py

@@ -57,7 +57,7 @@ async def validate_token(self, token: str) -> AuthResult:
             user_id="anonymous",
             user_roles=["anonymous"],
             permissions=["*"],
-            metadata={"strategy": "no_auth", "token_validation": "skipped"},
+            metadata={"strategy": "no_auth", "token_validation": "skipped"},  # nosec B105
         )
 
     async def refresh_token(self, refresh_token: str) -> AuthResult:
@@ -73,7 +73,7 @@ async def refresh_token(self, refresh_token: str) -> AuthResult:
         return AuthResult(
             status=AuthStatus.SUCCESS,
             user_id="anonymous",
-            metadata={"strategy": "no_auth", "token_refresh": "not_applicable"},
+            metadata={"strategy": "no_auth", "token_refresh": "not_applicable"},  # nosec B105
         )
 
     async def revoke_token(self, token: str) -> bool:

src/interface/mcp_command_handlers.py

@@ -323,7 +323,7 @@ def _format_validation_table(result: dict[str, Any]) -> dict[str, Any]:
     rows = []
 
     for check in result["checks"]:
-        status_symbol = {"PASS": "PASS", "WARNING": "WARN", "FAIL": "FAIL"}.get(
+        status_symbol = {"PASS": "PASS", "WARNING": "WARN", "FAIL": "FAIL"}.get(  # nosec B105
             check["status"], "UNKNOWN"
         )