fix(bedrock-alpha): apply permission dependency to existing and non-existing roles (#35123)

### Issue # (if applicable)

Closes #35120 

### Reason for this change

Dependency on permission was only applied to new roles, not to existing roles.

### Description of changes

The dependency on permission now applies to both new and existing roles.

### Describe any new or updated permissions being added

Not applicable.

### Description of how you validated changes

I've added an integration test for an agent with an existing/custom role attached to it.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: mellevanderlinde

packages/@aws-cdk/aws-bedrock-alpha/bedrock/agents/agent.ts

@@ -575,11 +575,8 @@ export class Agent extends AgentBase implements IAgent {
 
     // Add explicit dependency between the agent resource and the agent's role default policy
     // See https://github.com/awslabs/generative-ai-cdk-constructs/issues/899
-    if (!props.existingRole) {
-      // add the appropriate permissions to use the FM
-      const grant = this.foundationModel.grantInvoke(this.role);
-      grant.applyBefore(this.__resource);
-    }
+    const grant = this.foundationModel.grantInvoke(this.role);
+    grant.applyBefore(this.__resource);
 
     this.testAlias = AgentAlias.fromAttributes(this, 'DefaultAlias', {
       aliasId: 'TSTALIASID',

packages/@aws-cdk/aws-bedrock-alpha/test/bedrock/agents/agent.test.ts

@@ -769,6 +769,35 @@ describe('Agent', () => {
       });
     });
 
+    test('applies dependency for existing role', () => {
+      const existingRole = new iam.Role(stack, 'ExistingRole', {
+        assumedBy: new iam.ServicePrincipal('bedrock.amazonaws.com'),
+      });
+
+      new bedrock.Agent(stack, 'Agent', {
+        instruction: 'This is a test instruction that must be at least 40 characters long to be valid',
+        foundationModel: bedrock.BedrockFoundationModel.ANTHROPIC_CLAUDE_3_5_SONNET_V2_0,
+        existingRole,
+      });
+
+      // Verify CloudFormation template has DependsOn
+      Template.fromStack(stack).hasResource('AWS::Bedrock::Agent', {
+        DependsOn: [Match.stringLikeRegexp('ExistingRoleDefaultPolicy.*')],
+      });
+    });
+
+    test('applies dependency for role created by Agent', () => {
+      new bedrock.Agent(stack, 'Agent', {
+        instruction: 'This is a test instruction that must be at least 40 characters long to be valid',
+        foundationModel: bedrock.BedrockFoundationModel.ANTHROPIC_CLAUDE_3_5_SONNET_V2_0,
+      });
+
+      // Verify CloudFormation template has DependsOn
+      Template.fromStack(stack).hasResource('AWS::Bedrock::Agent', {
+        DependsOn: [Match.stringLikeRegexp('AgentRoleDefaultPolicy.*')],
+      });
+    });
+
     test('creates agent with guardrail', () => {
       const guardrail = new bedrock.Guardrail(stack, 'TestGuardrail', {
         guardrailName: 'TestGuardrail',

packages/@aws-cdk/aws-bedrock-alpha/test/bedrock/agents/integ.agent-existing-role.js.snapshot/BedrockAgentExistingRoleDefaultTestDeployAssertD5C55EAB.assets.json

@@ -0,0 +1,144 @@
+{
+ "Resources": {
+  "AgentRoleF4A42D6B": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "bedrock.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "AgentRoleDefaultPolicy1027F5D2": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "bedrock:GetFoundationModel",
+        "bedrock:InvokeModel*"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":bedrock:",
+          {
+           "Ref": "AWS::Region"
+          },
+          "::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0"
+         ]
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "AgentRoleDefaultPolicy1027F5D2",
+    "Roles": [
+     {
+      "Ref": "AgentRoleF4A42D6B"
+     }
+    ]
+   }
+  },
+  "Agent255F68E9": {
+   "Type": "AWS::Bedrock::Agent",
+   "Properties": {
+    "ActionGroups": [
+     {
+      "ActionGroupName": "UserInputAction",
+      "ActionGroupState": "DISABLED",
+      "ParentActionGroupSignature": "AMAZON.UserInput",
+      "SkipResourceInUseCheckOnDelete": false
+     },
+     {
+      "ActionGroupName": "CodeInterpreterAction",
+      "ActionGroupState": "DISABLED",
+      "ParentActionGroupSignature": "AMAZON.CodeInterpreter",
+      "SkipResourceInUseCheckOnDelete": false
+     }
+    ],
+    "AgentName": "agent-awscdkbedrockagentistingrole1-agent-70062d50-bedrockagent",
+    "AgentResourceRoleArn": {
+     "Fn::GetAtt": [
+      "AgentRoleF4A42D6B",
+      "Arn"
+     ]
+    },
+    "AutoPrepare": false,
+    "FoundationModel": {
+     "Fn::Join": [
+      "",
+      [
+       "arn:",
+       {
+        "Ref": "AWS::Partition"
+       },
+       ":bedrock:",
+       {
+        "Ref": "AWS::Region"
+       },
+       "::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0"
+      ]
+     ]
+    },
+    "IdleSessionTTLInSeconds": 600,
+    "Instruction": "This is a test agent that uses an existing IAM role.",
+    "OrchestrationType": "DEFAULT",
+    "SkipResourceInUseCheckOnDelete": true
+   },
+   "DependsOn": [
+    "AgentRoleDefaultPolicy1027F5D2"
+   ]
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}