Add network validation script executed in the sagemaker_ui_post_startup script

**Description**

This change introduces the network validation script which tests if certain AWS services are reachable by making read only API calls with a set timeout. If the call exceeds the timeout, the script infers that it was caused by a bad network setup such as not having access to the internet/ VPC endpoint to make the call. API calls that resolve (succeed or fail) within the timeout are inferred as having the proper network setup.

AWS services for Compute Connections and Git are checked in this script. More specifically, the script lists the datazone connections to see which services need to be checked.

The unreachable services are aggregated and are displayed by writing to the post-startup-status.json, which displays the error notification in the IDE.

**Testing**

Tested in a SMUS portal containing internet, no internet, and no internet with VPC Endpoints to Datazone and s3.

Author: marfriaz-aws

template/v2/dirs/etc/sagemaker-ui/network_validation.sh

@@ -0,0 +1,170 @@
+#!/bin/bash
+set -eux 
+
+# Input parameters with defaults:
+# Default to 1 (Git storage) if no parameter is passed.
+is_s3_storage=${1:-"1"}
+# Output file path for unreachable services JSON 
+network_validation_file=${2:-"/tmp/.network_validation.json"}
+
+# Function to write unreachable services to a JSON file
+write_unreachable_services_to_file() {
+    local value="$1"
+    local file="$network_validation_file"
+
+    # Create the file if it doesn't exist
+    if [ ! -f "$file" ]; then
+        touch "$file" || {
+            echo "Failed to create $file" >&2
+            return 0
+        }
+    fi
+
+    # Check file is writable
+    if [ ! -w "$file" ]; then
+        echo "Error: $file is not writable" >&2
+        return 0
+    fi
+
+    # Write JSON object with UnreachableServices key and the comma-separated list value
+    jq -n --arg value "$value" '{"UnreachableServices": $value}' > "$file"
+}
+
+# Configure AWS CLI region using environment variable REGION_NAME
+aws configure set region "${REGION_NAME}"
+echo "Successfully configured region to ${REGION_NAME}"
+
+# Metadata file location containing DataZone info
+sourceMetaData=/opt/ml/metadata/resource-metadata.json
+
+# Extract necessary DataZone metadata fields via jq
+dataZoneDomainId=$(jq -r '.AdditionalMetadata.DataZoneDomainId' < "$sourceMetaData")
+dataZoneProjectId=$(jq -r '.AdditionalMetadata.DataZoneProjectId' < "$sourceMetaData")
+dataZoneEndPoint=$(jq -r '.AdditionalMetadata.DataZoneEndpoint' < "$sourceMetaData")
+dataZoneDomainRegion=$(jq -r '.AdditionalMetadata.DataZoneDomainRegion' < "$sourceMetaData")
+
+# Call AWS CLI list-connections, including endpoint if specified
+if [ -n "$dataZoneEndPoint" ]; then
+    response=$(aws datazone list-connections \
+        --endpoint-url "$dataZoneEndPoint" \
+        --domain-identifier "$dataZoneDomainId" \
+        --project-identifier "$dataZoneProjectId" \
+        --region "$dataZoneDomainRegion")
+else
+    response=$(aws datazone list-connections \
+        --domain-identifier "$dataZoneDomainId" \
+        --project-identifier "$dataZoneProjectId" \
+        --region "$dataZoneDomainRegion")
+fi
+
+# Extract each connection item as a compact JSON string
+connection_items=$(echo "$response" | jq -c '.items[]')
+
+# Required AWS Services for Compute connections and Git
+# Initialize SERVICE_COMMANDS with always-needed STS and S3 checks
+declare -A SERVICE_COMMANDS=(
+  ["STS"]="aws sts get-caller-identity"
+  ["S3"]="aws s3api list-buckets --max-items 1"
+)
+
+# Track connection types found for conditional checks
+declare -A seen_types=()
+
+# Iterate over each connection to populate service commands conditionally
+while IFS= read -r item; do
+  # Extract connection type
+  type=$(echo "$item" | jq -r '.type')
+  seen_types["$type"]=1
+
+  # For SPARK connections, check for Glue and EMR properties
+  if [[ "$type" == "SPARK" ]]; then
+    # If sparkGlueProperties present, add Glue check
+    if echo "$item" | jq -e '.props.sparkGlueProperties' > /dev/null; then
+      SERVICE_COMMANDS["Glue"]="aws glue get-crawlers --max-items 1"
+    fi
+
+    # Check for emr-serverless in sparkEmrProperties.computeArn for EMR Serverless check
+    emr_arn=$(echo "$item" | jq -r '.props.sparkEmrProperties.computeArn // empty')
+    if [[ "$emr_arn" == *"emr-serverless"* ]]; then
+      SERVICE_COMMANDS["EMR Serverless"]="aws emr-serverless list-applications --max-results 1"
+    fi
+  fi
+done <<< "$connection_items"
+
+# Add Athena if ATHENA connection found
+[[ -n "${seen_types["ATHENA"]}" ]] && SERVICE_COMMANDS["Athena"]="aws athena list-data-catalogs --max-results 1"
+
+# Add Redshift checks if REDSHIFT connection found
+if [[ -n "${seen_types["REDSHIFT"]}" ]]; then
+  SERVICE_COMMANDS["Redshift Cluster"]="aws redshift describe-clusters --max-records 1"
+  SERVICE_COMMANDS["Redshift Serverless"]="aws redshift-serverless list-namespaces --max-results 1"
+fi
+
+# Optionally add CodeConnections if S3 storage flag is true (Git storage)
+if [[ "$is_s3_storage" == "1" ]]; then
+  SERVICE_COMMANDS["CodeConnections"]="aws codeconnections list-hosts --max-results 1"
+fi
+
+# Timeout (seconds) for each API call
+api_time_out_limit=5
+# Array to accumulate unreachable services
+unreachable_services=()
+# Create a temporary directory to store individual service results
+temp_dir=$(mktemp -d)
+
+# Launch all service API checks in parallel background jobs
+for service in "${!SERVICE_COMMANDS[@]}"; do
+  {
+    # Run command with timeout, discard stdout/stderr
+    if timeout "${api_time_out_limit}s" bash -c "${SERVICE_COMMANDS[$service]}" > /dev/null 2>&1; then
+      # Success: write OK to temp file
+      echo "OK" > "$temp_dir/$service"
+    else
+      # Get exit code to differentiate timeout or other errors
+      exit_code=$?
+      if [ "$exit_code" -eq 124 ]; then
+        # Timeout exit code
+        echo "TIMEOUT" > "$temp_dir/$service"
+      else
+        # Other errors (e.g., permission denied)
+        echo "ERROR" > "$temp_dir/$service"
+      fi
+    fi
+  } &
+done
+
+# Wait for all background jobs to complete before continuing
+wait
+
+# Process each service's result file to identify unreachable ones
+for service in "${!SERVICE_COMMANDS[@]}"; do
+  result_file="$temp_dir/$service"
+  if [ -f "$result_file" ]; then
+    result=$(<"$result_file")
+    if [[ "$result" == "TIMEOUT" ]]; then
+      echo "$service API did NOT resolve within ${api_time_out_limit}s. Marking as unreachable."
+      unreachable_services+=("$service")
+    elif [[ "$result" == "OK" ]]; then
+      echo "$service API is reachable."
+    else
+      echo "$service API returned an error (but not a timeout). Ignored for network check."
+    fi
+  else
+    echo "$service check did not produce a result file. Skipping."
+  fi
+done
+
+# Cleanup temporary directory
+rm -rf "$temp_dir"
+
+# Write unreachable services to file if any, else write empty string
+if (( ${#unreachable_services[@]} > 0 )); then
+  joined_services=$(IFS=','; echo "${unreachable_services[*]}")
+  # Add spaces after commas for readability
+  joined_services_with_spaces=${joined_services//,/,\ }
+  write_unreachable_services_to_file "$joined_services_with_spaces"
+  echo "Unreachable AWS Services: ${joined_services_with_spaces}"
+else
+  write_unreachable_services_to_file ""
+  echo "All required AWS services reachable within ${api_time_out_limit}s"
+fi

template/v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh

@@ -204,4 +204,22 @@ if [ "${SAGEMAKER_APP_TYPE_LOWERCASE}" = "jupyterlab" ]; then
     bash /etc/sagemaker-ui/workflows/sm-spark-cli-install.sh
 fi
 
+# Execute network validation script, to check if any required AWS Services are unreachable
+echo "Starting network validation script..."
+
+network_validation_file="/tmp/.network_validation.json"
+
+# Run the validation script; only if it succeeds, check unreachable services
+if bash ./network_validation.sh "$is_s3_storage_flag" "$network_validation_file"; then
+    # Read unreachable services from JSON file
+    failed_services=$(jq -r '.UnreachableServices // empty' "$network_validation_file" || echo "")
+    if [[ -n "$failed_services" ]]; then
+        error_message="Network issue detected. The following AWS services are not reachable: $failed_services. Please contact your admin."
+        write_status_to_file "error" "$error_message"
+        echo "$error_message"
+    fi
+else
+    echo "Warning: network_validation.sh failed, skipping unreachable services check."
+fi
+
 write_status_to_file_on_script_complete

template/v3/dirs/etc/sagemaker-ui/network_validation.sh

@@ -0,0 +1,170 @@
+#!/bin/bash
+set -eux 
+
+# Input parameters with defaults:
+# Default to 1 (Git storage) if no parameter is passed.
+is_s3_storage=${1:-"1"}
+# Output file path for unreachable services JSON 
+network_validation_file=${2:-"/tmp/.network_validation.json"}
+
+# Function to write unreachable services to a JSON file
+write_unreachable_services_to_file() {
+    local value="$1"
+    local file="$network_validation_file"
+
+    # Create the file if it doesn't exist
+    if [ ! -f "$file" ]; then
+        touch "$file" || {
+            echo "Failed to create $file" >&2
+            return 0
+        }
+    fi
+
+    # Check file is writable
+    if [ ! -w "$file" ]; then
+        echo "Error: $file is not writable" >&2
+        return 0
+    fi
+
+    # Write JSON object with UnreachableServices key and the comma-separated list value
+    jq -n --arg value "$value" '{"UnreachableServices": $value}' > "$file"
+}
+
+# Configure AWS CLI region using environment variable REGION_NAME
+aws configure set region "${REGION_NAME}"
+echo "Successfully configured region to ${REGION_NAME}"
+
+# Metadata file location containing DataZone info
+sourceMetaData=/opt/ml/metadata/resource-metadata.json
+
+# Extract necessary DataZone metadata fields via jq
+dataZoneDomainId=$(jq -r '.AdditionalMetadata.DataZoneDomainId' < "$sourceMetaData")
+dataZoneProjectId=$(jq -r '.AdditionalMetadata.DataZoneProjectId' < "$sourceMetaData")
+dataZoneEndPoint=$(jq -r '.AdditionalMetadata.DataZoneEndpoint' < "$sourceMetaData")
+dataZoneDomainRegion=$(jq -r '.AdditionalMetadata.DataZoneDomainRegion' < "$sourceMetaData")
+
+# Call AWS CLI list-connections, including endpoint if specified
+if [ -n "$dataZoneEndPoint" ]; then
+    response=$(aws datazone list-connections \
+        --endpoint-url "$dataZoneEndPoint" \
+        --domain-identifier "$dataZoneDomainId" \
+        --project-identifier "$dataZoneProjectId" \
+        --region "$dataZoneDomainRegion")
+else
+    response=$(aws datazone list-connections \
+        --domain-identifier "$dataZoneDomainId" \
+        --project-identifier "$dataZoneProjectId" \
+        --region "$dataZoneDomainRegion")
+fi
+
+# Extract each connection item as a compact JSON string
+connection_items=$(echo "$response" | jq -c '.items[]')
+
+# Required AWS Services for Compute connections and Git
+# Initialize SERVICE_COMMANDS with always-needed STS and S3 checks
+declare -A SERVICE_COMMANDS=(
+  ["STS"]="aws sts get-caller-identity"
+  ["S3"]="aws s3api list-buckets --max-items 1"
+)
+
+# Track connection types found for conditional checks
+declare -A seen_types=()
+
+# Iterate over each connection to populate service commands conditionally
+while IFS= read -r item; do
+  # Extract connection type
+  type=$(echo "$item" | jq -r '.type')
+  seen_types["$type"]=1
+
+  # For SPARK connections, check for Glue and EMR properties
+  if [[ "$type" == "SPARK" ]]; then
+    # If sparkGlueProperties present, add Glue check
+    if echo "$item" | jq -e '.props.sparkGlueProperties' > /dev/null; then
+      SERVICE_COMMANDS["Glue"]="aws glue get-crawlers --max-items 1"
+    fi
+
+    # Check for emr-serverless in sparkEmrProperties.computeArn for EMR Serverless check
+    emr_arn=$(echo "$item" | jq -r '.props.sparkEmrProperties.computeArn // empty')
+    if [[ "$emr_arn" == *"emr-serverless"* ]]; then
+      SERVICE_COMMANDS["EMR Serverless"]="aws emr-serverless list-applications --max-results 1"
+    fi
+  fi
+done <<< "$connection_items"
+
+# Add Athena if ATHENA connection found
+[[ -n "${seen_types["ATHENA"]}" ]] && SERVICE_COMMANDS["Athena"]="aws athena list-data-catalogs --max-results 1"
+
+# Add Redshift checks if REDSHIFT connection found
+if [[ -n "${seen_types["REDSHIFT"]}" ]]; then
+  SERVICE_COMMANDS["Redshift Cluster"]="aws redshift describe-clusters --max-records 1"
+  SERVICE_COMMANDS["Redshift Serverless"]="aws redshift-serverless list-namespaces --max-results 1"
+fi
+
+# Optionally add CodeConnections if S3 storage flag is true (Git storage)
+if [[ "$is_s3_storage" == "1" ]]; then
+  SERVICE_COMMANDS["CodeConnections"]="aws codeconnections list-hosts --max-results 1"
+fi
+
+# Timeout (seconds) for each API call
+api_time_out_limit=5
+# Array to accumulate unreachable services
+unreachable_services=()
+# Create a temporary directory to store individual service results
+temp_dir=$(mktemp -d)
+
+# Launch all service API checks in parallel background jobs
+for service in "${!SERVICE_COMMANDS[@]}"; do
+  {
+    # Run command with timeout, discard stdout/stderr
+    if timeout "${api_time_out_limit}s" bash -c "${SERVICE_COMMANDS[$service]}" > /dev/null 2>&1; then
+      # Success: write OK to temp file
+      echo "OK" > "$temp_dir/$service"
+    else
+      # Get exit code to differentiate timeout or other errors
+      exit_code=$?
+      if [ "$exit_code" -eq 124 ]; then
+        # Timeout exit code
+        echo "TIMEOUT" > "$temp_dir/$service"
+      else
+        # Other errors (e.g., permission denied)
+        echo "ERROR" > "$temp_dir/$service"
+      fi
+    fi
+  } &
+done
+
+# Wait for all background jobs to complete before continuing
+wait
+
+# Process each service's result file to identify unreachable ones
+for service in "${!SERVICE_COMMANDS[@]}"; do
+  result_file="$temp_dir/$service"
+  if [ -f "$result_file" ]; then
+    result=$(<"$result_file")
+    if [[ "$result" == "TIMEOUT" ]]; then
+      echo "$service API did NOT resolve within ${api_time_out_limit}s. Marking as unreachable."
+      unreachable_services+=("$service")
+    elif [[ "$result" == "OK" ]]; then
+      echo "$service API is reachable."
+    else
+      echo "$service API returned an error (but not a timeout). Ignored for network check."
+    fi
+  else
+    echo "$service check did not produce a result file. Skipping."
+  fi
+done
+
+# Cleanup temporary directory
+rm -rf "$temp_dir"
+
+# Write unreachable services to file if any, else write empty string
+if (( ${#unreachable_services[@]} > 0 )); then
+  joined_services=$(IFS=','; echo "${unreachable_services[*]}")
+  # Add spaces after commas for readability
+  joined_services_with_spaces=${joined_services//,/,\ }
+  write_unreachable_services_to_file "$joined_services_with_spaces"
+  echo "Unreachable AWS Services: ${joined_services_with_spaces}"
+else
+  write_unreachable_services_to_file ""
+  echo "All required AWS services reachable within ${api_time_out_limit}s"
+fi

template/v3/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh

@@ -204,4 +204,22 @@ if [ "${SAGEMAKER_APP_TYPE_LOWERCASE}" = "jupyterlab" ]; then
     bash /etc/sagemaker-ui/workflows/sm-spark-cli-install.sh
 fi
 
+# Execute network validation script, to check if any required AWS Services are unreachable
+echo "Starting network validation script..."
+
+network_validation_file="/tmp/.network_validation.json"
+
+# Run the validation script; only if it succeeds, check unreachable services
+if bash ./network_validation.sh "$is_s3_storage_flag" "$network_validation_file"; then
+    # Read unreachable services from JSON file
+    failed_services=$(jq -r '.UnreachableServices // empty' "$network_validation_file" || echo "")
+    if [[ -n "$failed_services" ]]; then
+        error_message="Network issue detected. The following AWS services are not reachable: $failed_services. Please contact your admin."
+        write_status_to_file "error" "$error_message"
+        echo "$error_message"
+    fi
+else
+    echo "Warning: network_validation.sh failed, skipping unreachable services check."
+fi
+
 write_status_to_file_on_script_complete