fix(bedrock-alpha): apply permission dependency to existing and non-existing roles

[mellevanderlinde]

Issue # (if applicable)

Closes #35120

Reason for this change

Dependency on permission was only applied to new roles, not to existing roles.

Description of changes

The dependency on permission now applies to both new and existing roles.

Describe any new or updated permissions being added

Not applicable.

Description of how you validated changes

I've added an integration test for an agent with an existing/custom role attached to it.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[pahud]

Thank you for the PR!

Consider to add a unit test that explicitly verifies grant.applyBefore() is called for existing roles:

   test('applies dependency for existing role', () => {
     const existingRole = new iam.Role(stack, 'ExistingRole', {
       assumedBy: new iam.ServicePrincipal('bedrock.amazonaws.com'),
     });

     new Agent(stack, 'Agent', {
       instruction: 'test',
       foundationModel: BedrockFoundationModel.ANTHROPIC_CLAUDE_3_5_SONNET_V2_0,
       existingRole,
     });

     // Verify CloudFormation template has DependsOn
     const template = Template.fromStack(stack);
     template.hasResource('AWS::Bedrock::Agent', {
       DependsOn: [Match.stringLikeRegexp('.*DefaultPolicy.*')]
     });
   });

[mellevanderlinde]

@pahud That was indeed missing, I've added a test for existing roles and roles created by the Agent construct

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: de431d1
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[pahud]

LGTM! Thanks!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[vishaalmehrishi]

@mellevanderlinde Thank you for the contribution - this is an important one! The change looks good; however, it looks like some conflicts need to be resolved before this can be merged.

Pull request has been modified.

[pahud]

CI failed

@aws-cdk/aws-iotevents-actions-alpha: Killed
@aws-cdk/aws-iotevents-actions-alpha: Error: /codebuild/output/src3433504843/src/actions-runner/_work/aws-cdk/aws-cdk/node_modules/jsii/bin/jsii --silence-warnings=reserved-word --add-deprecation-warnings exited with error code 137
@aws-cdk/aws-iotevents-actions-alpha: Build failed.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
@aws-cdk/aws-iotevents-actions-alpha: 
@aws-cdk/aws-iotevents-actions-alpha: @aws-cdk/aws-iotevents-actions-alpha: error Command failed with exit code 1.

Looks like some test was being killed?

Pull request has been modified.

[mellevanderlinde]

@pahud I couldn't replicate this failure locally, so I retriggered the CI. For some reason it's passing now

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/codecov-collect.yml without workflows permission.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[ozelalisen]

@Mergifyio refresh

[mergify]

refresh

✅ Pull request refreshed

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/codebuild-pr-build.yml without workflows permission.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.