ENG-2740 Use elapsed time for SSH retry timeout

[fabgo]

Use elapsed time to determine the SSH retry timeout instead of the number of retries.

[nbrahms]

My biggest concern is why we changed from a 30 second to 10 minute (!) timeout for AWS access.

[nbrahms]

What's the motivation to change from 30 seconds to 10 minutes?

I'd be surprised if any end user is willing to wait 10 minutes.

Suggested change

	* It can take up to 1 minute for access to propagate on AWS, so set the time limit to 10 minutes.
	// It takes around 8 seconds for access to propagate on AWS, so allow 30 seconds as a safe ceiling.

Also, this should just be a normal comment as it's explaining why the value is chosen, rather than what it does.

[fabgo]

The timeout is based on existing comments in ssh/index.ts:

AWS takes about 8 minutes, GCP takes under 1 minute to fully resolve access after it is granted.
During this time, calls to aws ssm start-session / gcloud compute start-iap-tunnel
will fail randomly with an various error messages.

See also this PR, which also mentions 10 minutes: #19

[fabgo]

@gergas3 @nbrahms I can change the timeout if you want. Just let me know what to set it to.

[gergas3]

Was it a typo in #19 then? I didn't observe such a long propagation time for AWS. 30 seconds makes more sense.

GCP takes significantly longer, it's mostly under 1 minute. But my guess would be it's not >99th percentile. We can continue with the 2m in this PR imo.

[fabgo]

Changed it to 30 seconds.

[nbrahms]

The full info is that it takes AWS 30 minutes to get to 100% success rate. But we don't need to wait this long. We only need to wait until the chance that a single SSH attempt succeeds is high.

I'm not sure what we've changed in terms of delays, as those will affect this. But, when we were hammering it repeatedly in a loop, that took about 12 seconds.

[nbrahms]

Suggested change

	const TIME_LIMIT_MS = 10 * 60 * 1000;
	const TIME_LIMIT_MS = 60 * 1000;

Seems already long enough.

When I analyzed this previously, 99% + of provisioning finished within 8 seconds. Has that changed?

[nbrahms]

Would be good to understand the CDF of successful attempts by time.

[nbrahms]

Seems like we should display

Suggested change

	print2(`Waiting for access to propagate. ${gerund} SSH session...)`);
	const remainingS = ((endTime - Date.now()) / 1e3 ).toFixed(1)
	print2(`Waiting for access to propagate. ${gerund} SSH session... (will wait up to ${remainingS} seconds)`);

[fabgo]

Done

[nbrahms]

This should have some jsdoc describing what it does. I might also suggest giving it a more descriptive name:

Suggested change

	timeLimit: number;
	/** Amount of time, in ms, to wait between granting access and giving up on attempting an SSH connection */
	propagationTimeoutMs: number;

[fabgo]

Done

[gergas3]

With this change does this check in plugins/ssh/index.ts:

    if (
      match &&
      Date.now() <=
        beforeStart + (match.validationWindowMs || DEFAULT_VALIDATION_WINDOW_MS)
    ) {
      isEphemeralAccessDeniedException = true;
    }

still make sense? Do we want to have a timeout on individual subprocesses and consider the error non-ephemeral if we read it off the stderr too late.

I think it can be removed or set to a larger value because we have an overall cap on the time.

[gergas3]

To globally wait max propagationTimeoutMs, we would have to the endTime once before calling preTestAccessPropagationIfNeeded (above), and pass the same endTime to spawnSshNode (here).

Now for a GCP sudo access the total propagationTimeoutMs is 2m * 2.

[fabgo]

Done