@mavogel/cdk-vscode-server 0.0.61 → 0.0.63

package/CLAUDE.md

@@ -4,18 +4,25 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## Repository Overview
 
-This is a JSII-enabled CDK construct library published to npm, PyPI, and Go that deploys VS Code Server on AWS. It's designed for workshop/development purposes and creates infrastructure for running a cloud-based VS Code instance accessible through CloudFront.
+A JSII-enabled CDK construct library that deploys VS Code Server on AWS. Published to npm and PyPI. Designed for workshop/development environments with intentionally permissive security for ease of use.
 
-**Key Characteristics**:
-- **Projen-managed**: All project configuration is in `.projenrc.ts` - run `npx projen` after modifying it
-- **Multi-language**: TypeScript source published to Python and Go via JSII
-- **Not production-ready**: Intentionally permissive for workshop scenarios
+**Key Characteristic**: This is **NOT production-ready** by design - it's optimized for quick workshop setup and learning environments.
+
+## Projen-Managed Project
+
+**Critical**: ALL project configuration is in `.projenrc.ts`. After modifying it, run `npx projen` to regenerate managed files.
+
+**Never manually edit**:
+- `package.json`
+- Task definitions
+- GitHub workflows
+- Any file with "~~ Generated by projen" header
 
 ## Development Commands
 
 ### Build and Test
 ```bash
-# Build project (compiles TS, bundles Lambdas, generates API docs)
+# Full build (compiles TS, bundles Lambdas, generates API docs)
 npx projen build
 
 # Run unit tests
@@ -24,10 +31,10 @@ npx projen test
 # Run single test file
 npx jest test/vscode-server.test.ts
 
-# Run tests in watch mode
+# Watch mode for tests
 npx projen test:watch
 
-# Integration tests (deploys to eu-west-1, eu-west-2, eu-north-1)
+# Integration tests (deploys to eu-west-1, eu-west-2, eu-north-1, eu-west-3)
 npm run integ-test
 ```
 
@@ -44,82 +51,232 @@ npm run awslint
 ```bash
 # Bundle specific Lambda
 npx projen bundle:installer/installer.lambda
+npx projen bundle:idle-monitor/idle-monitor.lambda
+npx projen bundle:idle-monitor-enabler/idle-monitor-enabler.lambda
 npx projen bundle:secret-retriever/secret-retriever.lambda
 
-# Watch mode for development
+# Watch mode for Lambda development
 npx projen bundle:installer/installer.lambda:watch
 ```
 
 ### Publishing
 ```bash
-# Package for all targets (JS, Python, Go)
+# Package for all targets (npm, Python)
 npx projen package-all
 
 # Package specific target
 npx projen package:js
 npx projen package:python
-npx projen package:go
 ```
 
-## Architecture
+## Architecture Overview
+
+### Main Construct: `VSCodeServer` (src/vscode-server.ts)
 
-### Main Construct (`VSCodeServer`)
-Located in `src/vscode-server.ts`, orchestrates:
+Orchestrates the entire infrastructure:
 - VPC with single public subnet
 - EC2 instance (default: m7g.xlarge Graviton3 ARM)
-- CloudFront distribution with custom cache policies for VS Code Server
+- CloudFront distribution with custom cache policies
 - Security groups (CloudFront prefix list restriction only)
-- IAM role with CDK permissions for workshop use
-- Optional Route53 + ACM certificate integration via `domainName` prop
+- IAM role with broad CDK permissions (workshop-friendly)
+- Optional: Route53 + ACM certificate integration
+- Optional: Auto-stop feature with idle monitoring
+
+### Custom Resource Pattern
 
-### Custom Resources Pattern
 Uses Lambda-backed custom resources via CDK Provider construct:
-- **Installer** (`src/installer/`): OS-specific VS Code Server installation via SSM documents
-- **SecretRetriever** (`src/secret-retriever/`): Extracts generated password from Secrets Manager
-- **PrefixListRetriever** (`src/prefixlist-retriever/`): Fetches AWS-managed CloudFront prefix lists
 
-### AMI Selection
-`src/mappings.ts` contains SSM parameter paths for:
+1. **Installer** (`src/installer/`)
+   - Runs SSM documents to install VS Code Server
+   - OS-specific installation for Ubuntu 22/24 and Amazon Linux 2023
+   - Returns SUCCESS when installation completes
+   - Custom resource name: `SSMInstallerCustomResource`
+
+2. **SecretRetriever** (`src/secret-retriever/`)
+   - Extracts generated password from Secrets Manager
+   - Returns password as CloudFormation output
+
+3. **PrefixListRetriever** (`src/prefixlist-retriever/`)
+   - Fetches AWS-managed CloudFront prefix lists
+   - Used to restrict security group ingress
+
+4. **IdleMonitorEnabler** (`src/idle-monitor-enabler/`)
+   - Enables EventBridge rule ONLY after installation completes
+   - Prevents race condition where IdleMonitor stops instance mid-installation
+   - Critical dependency chain: `Installer → IdleMonitorEnabler → IdleMonitor active`
+
+### Auto-Stop Feature Architecture
+
+**Problem Solved**: Race condition where IdleMonitor could stop instance during installation.
+
+**Solution Flow**:
+1. EventBridge rule created in **DISABLED** state (`src/idle-monitor/idle-monitor.ts:118`)
+2. Installer runs and completes VS Code Server setup
+3. IdleMonitorEnabler custom resource **enables** the rule after installation succeeds
+4. IdleMonitor now safely monitors CloudFront metrics for idle detection
+
+**Key Files**:
+- `src/idle-monitor/idle-monitor.ts` - EventBridge rule + Lambda for monitoring
+- `src/idle-monitor/idle-monitor.lambda.ts` - Checks CloudWatch metrics, stops instance if idle
+- `src/idle-monitor-enabler/idle-monitor-enabler.ts` - Custom resource construct
+- `src/idle-monitor-enabler/idle-monitor-enabler.lambda.ts` - Enables EventBridge rule via AWS SDK
+
+**Dependency Wiring** (`src/vscode-server.ts:984`):
+```typescript
+const installerCustomResource = this.node.findChild('SSMInstallerCustomResource');
+enabler.node.addDependency(installerCustomResource);
+```
+
+### AMI Selection (`src/mappings.ts`)
+
+Contains SSM parameter paths for:
 - Ubuntu 22/24 (ARM + x86_64)
 - Amazon Linux 2023 (ARM + x86_64)
 
 Function `getAmiSSMParameterForLinuxArchitectureAndFlavor()` returns region-specific SSM parameter for latest AMI.
 
-### Key Props
-`VSCodeServerProps` in `src/vscode-server.ts:27-155`:
-- **Instance**: `instanceClass`, `instanceSize`, `instanceVolumeSize`
-- **OS**: `instanceOperatingSystem` (LinuxFlavorType enum), `instanceCpuArchitecture` (LinuxArchitectureType enum)
-- **VS Code**: `vscodeUser`, `vscodePassword`, `homeFolder`, `devServerPort`, `devServerBasePath`
-- **Domain**: `domainName`, `hostedZoneId`, `certificateArn`, `autoCreateCertificate`
-- **Extensions**: `additionalInstanceRolePolicies`, `additionalTags`
+### Key Props (`src/vscode-server.ts:27-200`)
 
-## Important Patterns
+**Instance Configuration**:
+- `instanceClass`, `instanceSize`, `instanceVolumeSize`
+- `instanceOperatingSystem` (LinuxFlavorType enum)
+- `instanceCpuArchitecture` (LinuxArchitectureType enum)
 
-### Projen Workflow
-1. Edit `.projenrc.ts` for project changes (dependencies, build config, etc.)
-2. Run `npx projen` to regenerate managed files
-3. Never manually edit `package.json`, task definitions, or GitHub workflows
+**VS Code Configuration**:
+- `vscodeUser`, `vscodePassword`, `homeFolder`
+- `devServerPort`, `devServerBasePath`
 
-### JSII Constraints
+**Domain/Certificate**:
+- `domainName`, `hostedZoneId`, `certificateArn`, `autoCreateCertificate`
+
+**Auto-Stop**:
+- `enableAutoStop` - Enable automatic instance stop when idle
+- `idleTimeoutMinutes` - Minutes of inactivity before stopping (default: 30)
+- `idleCheckIntervalMinutes` - How often to check (default: 5)
+- `skipStatusChecks` - Skip EC2 status checks before stopping (for testing only)
+
+**Extensions**:
+- `additionalInstanceRolePolicies`, `additionalTags`
+
+## JSII Constraints
+
+**Critical for JSII compatibility**:
 - All public APIs must be JSII-compatible (no TS-specific types)
-- Bundled dependencies (like `node-html-parser`) in Lambda code must be listed in `.projenrc.ts` `bundledDeps`
-- Lambda functions use esbuild bundling configured via Projen
-
-### CDK-nag Integration
-- `src/suppress-nags.ts` contains suppression patterns
-- Suppressions are applied via `NagSuppressions.addResourceSuppressions()` throughout construct code
-- Necessary because workshop design intentionally violates production best practices (e.g., broad IAM permissions)
-
-### Integration Tests
-- Located in `integ-tests/`
-- Use `@aws-cdk/integ-tests-alpha` framework
-- Deploy actual stacks to 3 regions in parallel
-- Include assertion tests (e.g., login test via Lambda in `integ-tests/functions/`)
-- Run with `npm run integ-test` (requires AWS credentials)
-
-## Domain/Certificate Feature (feat/route53-domain branch)
-When `domainName` prop is provided:
-- Creates Route53 A record pointing to CloudFront distribution
-- Supports `autoCreateCertificate` flag to create ACM cert in us-east-1 with DNS validation
-- Alternatively accepts existing `certificateArn`
-- Auto-discovers hosted zone if `hostedZoneId` not provided
+- Bundled dependencies (like `node-html-parser`) must be in `.projenrc.ts` `bundledDeps`
+- Lambda functions use esbuild bundling configured via Projen (auto-discovered in `src/**/*.lambda.ts`)
+
+## CDK-nag Integration
+
+Suppressions defined in `src/suppress-nags.ts` and applied throughout construct code.
+
+**Why suppressions are needed**: Workshop design intentionally violates production best practices:
+- Broad IAM permissions for ease of use
+- Permissive security groups
+- Public subnet deployment
+- No VPC endpoints
+
+Apply suppressions via `NagSuppressions.addResourceSuppressions()`.
+
+## Integration Tests
+
+Located in `integ-tests/`, using `@aws-cdk/integ-tests-alpha` framework.
+
+**Test Files**:
+- `integ.ubuntu.ts` - Basic Ubuntu 22 deployment + login test
+- `integ.al2023.ts` - Amazon Linux 2023 deployment
+- `integ.custom-domain.ts` - Custom domain + ACM certificate
+- `integ.stop-on-idle.ts` - **4-phase auto-stop workflow test**
+
+**Stop-on-Idle Test Phases** (`integ-tests/integ.stop-on-idle.ts`):
+1. `verify-auto-stop` - Wait for instance to stop after idle timeout
+2. `disable-idle-monitor` - Disable EventBridge rule to prevent re-stopping
+3. `start-instance` - Start instance and wait for running state
+4. `verify-login` - Check VS Code Server accessibility via CloudFront
+
+**Run Integration Tests**:
+```bash
+npm run integ-test  # Deploys to 4 regions in parallel
+```
+
+**Important**: Integration tests deploy actual stacks and incur AWS costs.
+
+## Lambda Bundling
+
+Projen automatically discovers Lambda functions matching `src/**/*.lambda.ts` pattern.
+
+**Auto-generated tasks** for each Lambda:
+- `bundle:<path>/name.lambda` - Bundle Lambda code
+- `bundle:<path>/name.lambda:watch` - Watch mode for development
+
+**Bundled output**: `assets/<path>/name.lambda/index.js`
+
+## Common Workflows
+
+### Adding a New Lambda Function
+
+1. Create `src/my-feature/my-feature.lambda.ts`
+2. Create `src/my-feature/my-feature-function.ts` (CDK construct wrapper)
+3. Run `npx projen` - auto-discovers and creates bundle task
+4. Import in construct: `import { MyFeatureFunction } from './my-feature/my-feature-function'`
+
+### Modifying VSCodeServer Props
+
+1. Edit `src/vscode-server.ts` - update `VSCodeServerProps` interface
+2. Run `npx projen build` - regenerates JSII artifacts + API docs
+3. Update README.md with usage examples
+
+### Testing Changes
+
+1. Unit tests: `npx jest test/vscode-server.test.ts`
+2. Build validation: `npx projen build` (includes awslint checks)
+3. Integration test: `npm run integ-test` (full deployment test)
+
+## Race Condition Prevention (Auto-Stop)
+
+**Issue**: IdleMonitor EventBridge rule triggers immediately on stack creation, potentially stopping instance during installation (observed: instance stopped 72 seconds after installer started).
+
+**Fix**: Three-stage dependency chain ensures safe operation:
+
+```
+EC2 Instance
+    ↓
+Installer Custom Resource (waits for VS Code Server installation)
+    ↓
+IdleMonitorEnabler Custom Resource (enables EventBridge rule)
+    ↓
+IdleMonitor Active (now safe to monitor)
+```
+
+**Implementation Details**:
+- EventBridge rule created with `enabled: false` (`src/idle-monitor/idle-monitor.ts:118`)
+- IdleMonitorEnabler depends on `SSMInstallerCustomResource` via `node.addDependency()`
+- CloudFormation enforces ordering automatically
+
+This pattern can be applied to any future features requiring post-installation activation.
+
+## Multi-Language Publishing
+
+Project publishes to:
+- **npm**: `@mavogel/cdk-vscode-server`
+- **PyPI**: `cdk-vscode-server`
+
+JSII compiles TypeScript to:
+- JavaScript (npm)
+- Python (PyPI)
+
+**Publishing** (requires credentials):
+```bash
+npx projen release
+```
+
+## Workshop-Specific Considerations
+
+**Remember**: This construct is intentionally designed for workshops, NOT production:
+
+- IAM roles have broad permissions (all CDK operations)
+- Security groups allow CloudFront only (but permissive within that constraint)
+- No private subnets or VPC endpoints (cost optimization for workshops)
+- Single public subnet (simplicity over high availability)
+- Password-based authentication (ease of use over MFA/SSO)
+
+When reviewing changes, prioritize **ease of use** and **quick setup** over security hardening.

package/README.md

@@ -21,7 +21,9 @@ we implement new features. Therefore make sure you use an exact version in your
 - [Features](#features)
 - [Usage](#usage)
   - [Standard](#Standard)
+  - [Pre-populate with Git Repository](#pre-populate-with-git-repository)
   - [Custom Domain Configuration](#custom-domain-configuration)
+  - [Auto-Stop Configuration](#auto-stop-configuration)
 - [Solution Design](#solution-design)
 - [Inspiration](#inspiration)
 
@@ -31,7 +33,7 @@ we implement new features. Therefore make sure you use an exact version in your
 - 📏 **Best Practice Setup**: Set up with [projen](https://projen.io/) and a [single configuration file](./.projenrc.ts) to keep your changes centralized.
 - 🤹‍♂️ **Pre-installed packages**: Besides the [vscode](https://code.visualstudio.com/) server, other tools and software packages such as `git`, `docker`, `awscli` `nodejs` and `python` are pre-installed on the EC2 instance.
 - 🌐 **Custom Domain Support**: Use your own domain name with automatic ACM certificate creation and Route53 DNS configuration, or bring your existing certificate.
-- 💰 **Auto-Stop**: Automatically stop EC2 instances after inactivity with Elastic IP retention - save up to 75% on costs for development environments
+- 💰 **Auto-Stop**: Automatically stop EC2 instances after inactivity with Elastic IP retention - save up to 75% on costs for development environments.
 - 🏗️ **Extensibility**: Pass in properties to the construct, which start with `additional*`. They allow you to extend the configuration to your needs. There are more to come...
 
 ## Usage
@@ -115,6 +117,41 @@ dev.vscodepassword64FBCA12 = foobarbaz
 
 See the [examples](./examples) folder for more inspiration.
 
+### Pre-populate with Git Repository
+
+Clone a git repository into the VS Code Server's home folder during instance setup - perfect for workshops or development environments with starter code:
+
+```ts
+new VSCodeServer(this, 'vscode', {
+  // Clone a git repository into the home folder
+  repoUrl: 'https://github.com/aws-samples/my-workshop-repo.git',
+
+  // Optional: customize the home folder path (default: /Workshop)
+  homeFolder: '/MyWorkshop',
+
+  // Optional: specify VS Code user (default: vscode-user)
+  vscodeUser: 'workshop-user',
+});
+```
+
+**What happens:**
+1. During instance setup, the specified git repository is cloned into the user's home folder
+2. VS Code Server opens with the repository already loaded and ready to use
+3. Participants can start coding immediately without manual git clone steps
+
+**Use cases:**
+- Workshop environments with pre-configured starter code
+- Development environments with boilerplate projects
+- Training sessions with example applications
+- Code review sessions with pre-loaded repositories
+
+**Repository requirements:**
+- Must be publicly accessible (no authentication required)
+- HTTPS URLs only (SSH git URLs are not supported)
+- Repository will be cloned using `git clone` during instance initialization
+
+For complete examples, see [examples/](./examples).
+
 ### Custom Domain Configuration
 
 You can configure your VS Code Server with a custom domain name instead of using the default CloudFront domain. The construct supports three different configuration options:
@@ -200,6 +237,7 @@ new VSCodeServer(this, 'vscode', {
 - Elastic IP for consistent public addressing
 - EventBridge rule triggering idle monitoring at configured intervals
 - IdleMonitor Lambda function checking CloudWatch metrics for request activity
+- IdleMonitorEnabler custom resource ensuring monitoring only starts after installation completes
 - CloudWatch metrics from CloudFront distribution
 
 **Integration Testing:**

package/assets/idle-monitor-enabler/idle-monitor-enabler.lambda/index.js

@@ -0,0 +1,67 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/idle-monitor-enabler/idle-monitor-enabler.lambda.ts
+var idle_monitor_enabler_lambda_exports = {};
+__export(idle_monitor_enabler_lambda_exports, {
+  handler: () => handler
+});
+module.exports = __toCommonJS(idle_monitor_enabler_lambda_exports);
+var import_client_eventbridge = require("@aws-sdk/client-eventbridge");
+var eventBridge = new import_client_eventbridge.EventBridge();
+var handler = async (event) => {
+  console.log("Event: %j", { ...event, ResponseURL: "..." });
+  const ruleName = event.ResourceProperties.RuleName;
+  if (!ruleName) {
+    throw new Error("RuleName is required in ResourceProperties");
+  }
+  switch (event.RequestType) {
+    case "Create":
+    case "Update":
+      console.log(`Enabling EventBridge rule: ${ruleName}`);
+      await eventBridge.send(
+        new import_client_eventbridge.EnableRuleCommand({
+          Name: ruleName
+        })
+      );
+      console.log(`Successfully enabled rule: ${ruleName}`);
+      return {
+        PhysicalResourceId: `idle-monitor-enabler-${ruleName}`
+      };
+    case "Delete":
+      console.log(`Disabling EventBridge rule on deletion: ${ruleName}`);
+      try {
+        await eventBridge.send(
+          new import_client_eventbridge.DisableRuleCommand({
+            Name: ruleName
+          })
+        );
+        console.log(`Successfully disabled rule: ${ruleName}`);
+      } catch (error) {
+        console.log(`Error disabling rule (ignoring): ${error.message}`);
+      }
+      return {};
+    default:
+      throw new Error(`Unsupported RequestType: ${event.RequestType}`);
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  handler
+});

package/assets/installer/installer.lambda/index.js

@@ -59,47 +59,89 @@ var handler = async (event, context) => {
     parameters[key] = [value];
   }
   console.log("mapped parameters: %j", parameters);
-  let attemptNo = 0;
-  let timeRemaining = context.getRemainingTimeInMillis();
   console.log(
     `Running SSM Document '${documentName}' on EC2 instance '${instanceId}'. Logging to '${cloudWatchLogGroupName}' with parameters: '${JSON.stringify(parameters)}'`
   );
+  let commandId;
+  let attemptNo = 0;
   while (true) {
     attemptNo += 1;
+    const timeRemaining = context.getRemainingTimeInMillis();
     console.log(
-      `Attempt: ${attemptNo}. Time Remaining: ${timeRemaining / 1e3}s`
+      `Send attempt: ${attemptNo}. Time Remaining: ${timeRemaining / 1e3}s`
     );
     try {
-      const response = await ssm.sendCommand({
-        DocumentName: documentName,
-        InstanceIds: [instanceId],
-        CloudWatchOutputConfig: {
-          CloudWatchLogGroupName: cloudWatchLogGroupName,
-          CloudWatchOutputEnabled: true
-        },
-        Parameters: parameters
-      });
-      console.log(`response: ${JSON.stringify(response)}`);
+      const response = await ssm.send(
+        new import_client_ssm.SendCommandCommand({
+          DocumentName: documentName,
+          InstanceIds: [instanceId],
+          CloudWatchOutputConfig: {
+            CloudWatchLogGroupName: cloudWatchLogGroupName,
+            CloudWatchOutputEnabled: true
+          },
+          Parameters: parameters
+        })
+      );
+      console.log(`sendCommand response: ${JSON.stringify(response)}`);
       const command = response.Command;
-      const commandId = command.CommandId;
-      const responseData = { CommandId: commandId };
-      switch (command.Status) {
+      commandId = command.CommandId;
+      console.log(`Command sent successfully. CommandId: ${commandId}`);
+      break;
+    } catch (error) {
+      console.log("Error sending command:", error);
+      const isUnauthorized = error.name === "UnauthorizedException" || error.name === "AccessDeniedException" || error.message && error.message.includes("not authorized");
+      const isThrottled = error.name === "ThrottlingException" || error.name === "TooManyRequestsException";
+      const isRetryable = isUnauthorized || isThrottled;
+      const remainingTime = context.getRemainingTimeInMillis();
+      if (isRetryable && remainingTime > SLEEP_MS) {
+        console.log(
+          `Retryable error encountered (${error.name}). Attempt ${attemptNo}. Sleeping: ${SLEEP_MS / 1e3}s before retry`
+        );
+        await new Promise((resolve) => setTimeout(resolve, SLEEP_MS));
+      } else {
+        console.log("Non-retryable error or timeout. Failing...");
+        throw error;
+      }
+    }
+  }
+  let pollAttemptNo = 0;
+  const responseData = { CommandId: commandId };
+  while (true) {
+    pollAttemptNo += 1;
+    const timeRemaining = context.getRemainingTimeInMillis();
+    console.log(
+      `Poll attempt: ${pollAttemptNo}. Time Remaining: ${timeRemaining / 1e3}s`
+    );
+    try {
+      const invocationResponse = await ssm.send(
+        new import_client_ssm.GetCommandInvocationCommand({
+          CommandId: commandId,
+          InstanceId: instanceId
+        })
+      );
+      console.log(
+        `getCommandInvocation response: ${JSON.stringify(invocationResponse)}`
+      );
+      const status = invocationResponse.Status;
+      switch (status) {
         case "Pending":
         case "InProgress":
-          timeRemaining = context.getRemainingTimeInMillis();
+        case "Delayed":
           if (timeRemaining > SLEEP_MS) {
             console.log(
-              `Instance ${instanceId} not ready: 'InProgress'. Sleeping: ${SLEEP_MS / 1e3}s`
+              `Command ${commandId} status: '${status}'. Sleeping: ${SLEEP_MS / 1e3}s`
             );
             await new Promise((resolve) => setTimeout(resolve, SLEEP_MS));
             break;
           } else {
             throw new Error(
-              `SSM Document ${documentName} on EC2 instance ${instanceId} timed out while lambda in progress`
+              `SSM Document ${documentName} on EC2 instance ${instanceId} timed out while lambda waiting (status: ${status})`
             );
           }
         case "Success":
-          console.log(`Instance ${instanceId} successfully bootstrapped`);
+          console.log(
+            `Instance ${instanceId} successfully bootstrapped. Command ${commandId} completed.`
+          );
           return { Data: responseData };
         case "TimedOut":
           throw new Error(
@@ -115,23 +157,18 @@ var handler = async (event, context) => {
           );
         default:
           throw new Error(
-            `SSM Document ${documentName} on EC2 instance ${instanceId} status ${command.Status}`
+            `SSM Document ${documentName} on EC2 instance ${instanceId} unknown status: ${status}`
           );
       }
-      return { Data: responseData };
     } catch (error) {
-      console.log("Error occurred:", error);
-      const isUnauthorized = error.name === "UnauthorizedException" || error.name === "AccessDeniedException" || error.message && error.message.includes("not authorized");
-      const isThrottled = error.name === "ThrottlingException" || error.name === "TooManyRequestsException";
-      const isRetryable = isUnauthorized || isThrottled;
-      timeRemaining = context.getRemainingTimeInMillis();
-      if (isRetryable && timeRemaining > SLEEP_MS) {
+      const remainingTime = context.getRemainingTimeInMillis();
+      if (error.name === "InvocationDoesNotExist" && remainingTime > SLEEP_MS) {
         console.log(
-          `Retryable error encountered (${error.name}). Attempt ${attemptNo}. Sleeping: ${SLEEP_MS / 1e3}s before retry`
+          `Invocation not yet available. Sleeping: ${SLEEP_MS / 1e3}s`
         );
         await new Promise((resolve) => setTimeout(resolve, SLEEP_MS));
       } else {
-        console.log("Non-retryable error or timeout. Failing...");
+        console.log("Error checking command status:", error);
         throw error;
       }
     }

package/awslint.json

@@ -0,0 +1,5 @@
+{
+  "exclude": [
+    "props-no-arn-refs:@mavogel/cdk-vscode-server.VSCodeServerProps.certificateArn"
+  ]
+}

package/examples/git-repo/main.ts

@@ -0,0 +1,30 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { VSCodeServer } from '../../src/index'
+
+export class MyStack extends Stack {
+    constructor(scope: Construct, id: string, props: StackProps = {}) {
+        super(scope, id, props);
+
+        new VSCodeServer(this, 'vscode', {
+            // Clone a git repository into the home folder during instance setup
+            // Perfect for workshops, training sessions, or development environments
+            repoUrl: 'https://github.com/aws-samples/aws-cdk-examples.git',
+
+            // Optional: customize the home folder path (default: /Workshop)
+            homeFolder: '/CdkWorkshop',
+
+            // Optional: specify VS Code user (default: vscode-user)
+            vscodeUser: 'workshop-user',
+        });
+    }
+}
+
+const env = {
+    account: '123456789912',
+    region: 'eu-central-1',
+};
+
+const app = new App();
+new MyStack(app, 'vscode-server-git-repo', { env });
+app.synth();

package/integ-tests/integ.al2023.ts.snapshot/IntegSetupVSCodeOnAl2023DefaultTestDeployAssert74D8F645.assets.json

@@ -14,7 +14,7 @@
         }
       }
     },
-    "e5a8816554ca9fe1e7bf41d7d9fcc2f77bb6af7b02cb83746f5f815104b12306": {
+    "73ca3102a170a72edfc485eaa1468c73bbccd6bf566fd94f904e35c82f0fb905": {
       "displayName": "IntegSetupVSCodeOnAl2023DefaultTestDeployAssert74D8F645 Template",
       "source": {
         "path": "IntegSetupVSCodeOnAl2023DefaultTestDeployAssert74D8F645.template.json",
@@ -23,7 +23,7 @@
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "e5a8816554ca9fe1e7bf41d7d9fcc2f77bb6af7b02cb83746f5f815104b12306.json",
+          "objectKey": "73ca3102a170a72edfc485eaa1468c73bbccd6bf566fd94f904e35c82f0fb905.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

package/integ-tests/integ.al2023.ts.snapshot/IntegSetupVSCodeOnAl2023DefaultTestDeployAssert74D8F645.template.json

@@ -45,7 +45,7 @@
      }
     },
     "flattenResponse": "false",
-    "salt": "1759320082329"
+    "salt": "1762251879959"
    },
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"