From 72db1a3eeb675e9e9c49367d42ca123984b7fd47 Mon Sep 17 00:00:00 2001 
From: go-to-k <24818752+go-to-k@users.noreply.github.com> Date: Sat, 25 Oct 2025 17:12:24 +0900 Subject: [PATCH 1/8] fix --- .../agentcore/runtime/runtime-base.ts | 8 +- .../agentcore/runtime/runtime.ts | 14 + ...efaultTestDeployAssert640CC592.assets.json | 20 + ...aultTestDeployAssert640CC592.template.json | 36 + .../Dockerfile | 1 + .../app.py | 84 ++ .../requirements.txt | 2 + ...ore-runtime-with-imported-role.assets.json | 34 + ...e-runtime-with-imported-role.template.json | 244 ++++++ .../cdk.out | 1 + .../integ.json | 13 + .../manifest.json | 796 ++++++++++++++++++ .../tree.json | 1 + .../integ.runtime-with-imported-role.ts | 42 + .../test/agentcore/runtime/runtime.test.ts | 88 ++ 15 files changed, 1383 insertions(+), 1 deletion(-) create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.assets.json create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.template.json create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/Dockerfile create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/app.py create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/requirements.txt create mode 100644 
packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/integ.json create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts index 210995d340912..40eb7b5668625 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts @@ -219,6 +219,12 @@ export abstract class RuntimeBase extends Resource implements IBedrockAgentRunti */ protected _connections: ec2.Connections | undefined; + /** + * Counter for policies attached to imported roles + * @internal + */ + private _policyCounter: number = 0; + constructor(scope: Construct, id: string) { super(scope, id); } 
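Review bot: The new field declaration `private _policyCounter: number = 0;` carries a redundant type annotation, since the initializer already infers `number`; `private _policyCounter = 0;` reads the same under strict mode. The `@internal` tag and `_` prefix are presumably kept to match the neighbouring `_connections` member, which is fine, but on a `private` member they have no effect on the emitted API, so this is a style point only. The counter is per construct instance, which is consistent with the `CustomPolicy${…}` ids being scoped to `this` in the following hunk.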
@@ -250,7 +256,7 @@ export abstract class RuntimeBase extends Resource implements IBedrockAgentRunti this.role.addToPolicy(statement); } else { // For imported roles (IRole), we need to attach via a new policy - const policy = new iam.Policy(this, `CustomPolicy${Date.now()}`, { + const policy = new iam.Policy(this, `CustomPolicy${this._policyCounter++}`, { statements: [statement], }); this.role.attachInlinePolicy(policy); diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts index 8cfe4fa4b4e1c..a2b6db37a0fda 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts @@ -404,6 +404,20 @@ export class Runtime extends RuntimeBase { if (containerUri) { this.validateContainerUri(containerUri); } + + // Add dependency on the policies for imported roles. + // This ensures the Runtime waits for the policies (including ECR permissions) to be created. + // When the role is created within the construct, it automatically depends on the policies, + // with `this.runtimeResource.node.addDependency(this.role)`. + // However, for imported roles, this dependency is not established, so we need to add it explicitly. + if (!(this.role instanceof iam.Role)) { + this.role.node.children.forEach(child => { + if (child instanceof iam.Policy && child.node.defaultChild) { + this.runtimeResource.addDependency(child.node.defaultChild as iam.CfnPolicy); + } + }); + } + return { containerConfiguration: { containerUri: containerUri, 
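Review bot: The dependency loop in the new `if (!(this.role instanceof iam.Role))` block only sees `iam.Policy` children that exist under the imported role at the moment this method runs, so statements attached to the role afterwards (a later `addToRolePolicy`, or a caller invoking `addToPrincipalPolicy` on the same imported role) are not ordered before the runtime; the snapshot template confirms the runtime's `DependsOn` lists only the role's `Policy…` resource and not the `CustomPolicy0`/`CustomPolicy1` policies created under the runtime itself. If that is intended for ECR permissions only, a comment saying so would help; otherwise the synth-time `node.addDependency(this.role)` pattern the comment mentions would presumably cover the whole subtree, though I cannot confirm from this hunk that it applies to the imported role construct. The `as iam.CfnPolicy` cast is an unchecked assertion on `defaultChild`, which is typed `IConstruct | undefined`; narrow it instead: `const cfn = child.node.defaultChild;` / `if (child instanceof iam.Policy && cfn instanceof iam.CfnPolicy) {` / `this.runtimeResource.addDependency(cfn);`. The enclosing method starts and ends outside the hunk.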
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.assets.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.assets.json new file mode 100644 index 0000000000000..f900ee7cb8d1f --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592 Template", + "source": { + "path": "BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-d8d86b35": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.template.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null 
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/Dockerfile b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/Dockerfile new file mode 100644 index 0000000000000..9305c261cd4b6 --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/Dockerfile @@ -0,0 +1 @@ +FROM public.ecr.aws/lambda/nodejs:22 
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/app.py b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/app.py new file mode 100644 index 0000000000000..f26e945883762 --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/app.py 
@@ -0,0 +1,84 @@ +#!/usr/bin/env python3 +""" +Minimal BedrockAgentCore Runtime Test Application +A simple HTTP server that responds to health checks and basic requests +""" + +import json +import logging +from http.server import HTTPServer, BaseHTTPRequestHandler + +# Configure logging +logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s') +logger = logging.getLogger(__name__) + +class AgentRuntimeHandler(BaseHTTPRequestHandler): + """Simple HTTP request handler for BedrockAgentCore Runtime testing""" + + def do_GET(self): + """Handle GET requests - health check""" + if self.path == '/health': + self.send_response(200) + self.send_header('Content-Type', 'application/json') + self.end_headers() + response = {'status': 'healthy', 'service': 'bedrock-agentcore-runtime'} + self.wfile.write(json.dumps(response).encode()) + logger.info("Health check successful") + else: + self.send_response(404) + self.end_headers() + + def do_POST(self): + """Handle POST requests - simulate agent invocation""" + if self.path == '/invoke': + content_length = int(self.headers.get('Content-Length', 0)) + post_data = self.rfile.read(content_length) + + try: + # Parse the request + request_data = json.loads(post_data) if post_data else {} + prompt = request_data.get('prompt', 'No prompt provided') + + # Simple echo response for testing + response = { + 'response': f'Echo: {prompt}', + 'status': 'success', + 'runtime': 'test-runtime' + } + + self.send_response(200) + self.send_header('Content-Type', 'application/json') + self.end_headers() + self.wfile.write(json.dumps(response).encode()) + logger.info(f"Processed request with prompt: {prompt}") + + except Exception as e: + logger.error(f"Error processing request: {e}") + self.send_response(500) + self.send_header('Content-Type', 'application/json') + self.end_headers() + error_response = {'error': str(e), 'status': 'error'} + self.wfile.write(json.dumps(error_response).encode()) + else: + 
self.send_response(404) + self.end_headers() + + def log_message(self, format, *args): + """Override to use logger instead of stderr""" + logger.info("%s - %s" % (self.address_string(), format % args)) + +def run_server(port=8080): + """Run the HTTP server""" + server_address = ('', port) + httpd = HTTPServer(server_address, AgentRuntimeHandler) + logger.info(f"Starting BedrockAgentCore Runtime test server on port {port}") + logger.info("Server is ready to handle requests...") + + try: + httpd.serve_forever() + except KeyboardInterrupt: + logger.info("Server shutting down...") + httpd.shutdown() + +if __name__ == '__main__': + run_server() diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/requirements.txt b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/requirements.txt new file mode 100644 index 0000000000000..f7a97c18d2b2c --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/requirements.txt @@ -0,0 +1,2 @@ +# No external dependencies required for the test runtime +# The test application uses only Python standard library modules diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json new file mode 100644 index 0000000000000..1e1418914ccbf --- /dev/null 
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json @@ -0,0 +1,34 @@ +{ + "version": "48.0.0", + "files": { + "251cc5b9daa8ad354027df76af7a8156ee1ceca21e01fef7170cd98490cbeb93": { + "displayName": "aws-cdk-bedrock-agentcore-runtime-with-imported-role Template", + "source": { + "path": "aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-90d5220b": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "251cc5b9daa8ad354027df76af7a8156ee1ceca21e01fef7170cd98490cbeb93.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": { + "f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240": { + "displayName": "TestRuntime/AgentRuntimeArtifactcd827e16ec3ca16deb7c41e16784a73e", + "source": { + "directory": "asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240" + }, + "destinations": { + "current_account-current_region-1d39c940": { + "repositoryName": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}", + "imageTag": "f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-image-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json new file mode 100644 index 0000000000000..58e7cf87d79b7 --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json 
@@ -0,0 +1,244 @@ +{ + "Resources": { + "ExecutionRole605A040B": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "bedrock-agentcore.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ecr:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":repository/", + { + "Fn::Sub": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + }, + { + "Action": "ecr:GetAuthorizationToken", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7", + "Roles": [ + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "ExecutionRole605A040B", + "Arn" + ] + } + ] + } + ] + } + ] + } + ] + } + ] + } + }, + "TestRuntime65042BB5": { + "Type": "AWS::BedrockAgentCore::Runtime", + "Properties": { + "AgentRuntimeArtifact": { + "ContainerConfiguration": { + "ContainerUri": { + "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240" + } + } + }, + "AgentRuntimeName": "integ_test_runtime", + "NetworkConfiguration": { + "NetworkMode": "PUBLIC" + }, + "ProtocolConfiguration": "HTTP", + "RoleArn": { + "Fn::GetAtt": [ + "ExecutionRole605A040B", + "Arn" + ] + } + }, + 
"DependsOn": [ + "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC" + ] + }, + "TestRuntimeCustomPolicy0BD35B9F3": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:GetObject", + "Effect": "Allow", + "Resource": "arn:aws:s3:::my-bucket/my-object" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "TestRuntimeCustomPolicy0BD35B9F3", + "Roles": [ + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "ExecutionRole605A040B", + "Arn" + ] + } + ] + } + ] + } + ] + } + ] + } + ] + } + }, + "TestRuntimeCustomPolicy16EAF0B5F": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "dynamodb:Query", + "Effect": "Allow", + "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "TestRuntimeCustomPolicy16EAF0B5F", + "Roles": [ + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "ExecutionRole605A040B", + "Arn" + ] + } + ] + } + ] + } + ] + } + ] + } + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/cdk.out b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/cdk.out new file mode 100644 index 0000000000000..523a9aac37cbf --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/integ.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/integ.json new file mode 100644 index 0000000000000..c5c65eba7bb39 --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "48.0.0", + "testCases": { + "BedrockAgentCoreRuntimeWithImportedRole/DefaultTest": { + "stacks": [ + "aws-cdk-bedrock-agentcore-runtime-with-imported-role" + ], + "assertionStack": "BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert", + "assertionStackName": "BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592" + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json new file mode 100644 index 0000000000000..521f7ff6ab709 --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json 
@@ -0,0 +1,796 @@ +{ + "version": "48.0.0", + "artifacts": { + "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-bedrock-agentcore-runtime-with-imported-role": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/251cc5b9daa8ad354027df76af7a8156ee1ceca21e01fef7170cd98490cbeb93.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets" + ], + "metadata": { + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + } + ], + 
"/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole/ImportExecutionRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExecutionRole605A040B" + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "policyName": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC" + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + 
}, + { + "type": "aws:cdk:info", + "data": "Container URI validation skipped as it contains unresolved CDK tokens. The URI will be validated at deployment time." + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TestRuntime65042BB5" + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "statements": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TestRuntimeCustomPolicy0BD35B9F3" + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "statements": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TestRuntimeCustomPolicy16EAF0B5F" + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-bedrock-agentcore-runtime-with-imported-role" 
+ }, + "BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.assets" + ], + "metadata": { + "/BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + 
"/BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + 
"@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." 
+ }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in." 
+ }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." 
+ }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + 
"recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." 
+ }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." 
+ }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." 
+ }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." 
+ }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." 
+ }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." 
+ }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json new file mode 100644 index 0000000000000..86f6088fce8ae --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json 
@@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"aws-cdk-bedrock-agentcore-runtime-with-imported-role":{"id":"aws-cdk-bedrock-agentcore-runtime-with-imported-role","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"ExecutionRole":{"id":"ExecutionRole","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}}]},"children":{"ImportExecutionRole":{"id":"ImportExecutionRole","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole/ImportExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"bedrock-agentcore.amazonaws.com"}}],"Version":"2012-10-17"}}}}}},"ImportedRole":{"id":"ImportedRole","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*","*","*","*","*","*","*","*","*"]},"children":{"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7":{"id":"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"policyName":"*"},{"attachToRole":["*"
]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":repository/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"}]]}},{"Action":"ecr:GetAuthorizationToken","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::GetAtt":["ExecutionRole605A040B","Arn"]}]}]}]}]}]}}}}}}},"TestRuntime":{"id":"TestRuntime","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_bedrockagentcore.CfnRuntime","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::BedrockAgentCore::Runtime","aws:cdk:cloudformation:props":{"agentRuntimeArtifact":{"containerConfiguration":{"containerUri":{"Fn::Sub":"${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240"}}},"agentRuntimeName":"integ_test_runtime","networkConfiguration":{"networkMode":"PUBLIC"},"protocolC
onfiguration":"HTTP","roleArn":{"Fn::GetAtt":["ExecutionRole605A040B","Arn"]}}}},"CustomPolicy0":{"id":"CustomPolicy0","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"statements":"*"},{"addStatements":[{}]},{"attachToRole":["*"]},{"attachToRole":["*"]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"s3:GetObject","Effect":"Allow","Resource":"arn:aws:s3:::my-bucket/my-object"}],"Version":"2012-10-17"},"policyName":"TestRuntimeCustomPolicy0BD35B9F3","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::GetAtt":["ExecutionRole605A040B","Arn"]}]}]}]}]}]}}}}},"CustomPolicy1":{"id":"CustomPolicy1","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"statements":"*"},{"addStatements":[{}]},{"attachToRole":["*"]},{"attachToRole":["*"]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"dynamodb:Query","Effect":"Allow","Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/my-table"}],"Version":"2012-10-17"},"policyName":"TestRuntimeCustomPolicy16EAF0B5F","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::GetAtt":["ExecutionRole605A040B","Arn"]}]}]}]}]}]}}}}},"AgentRuntimeArtifact
cd827e16ec3ca16deb7c41e16784a73e":{"id":"AgentRuntimeArtifactcd827e16ec3ca16deb7c41e16784a73e","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/AgentRuntimeArtifactcd827e16ec3ca16deb7c41e16784a73e","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr_assets.DockerImageAsset","version":"0.0.0"},"children":{"Staging":{"id":"Staging","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/AgentRuntimeArtifactcd827e16ec3ca16deb7c41e16784a73e/Staging","constructInfo":{"fqn":"aws-cdk-lib.AssetStaging","version":"0.0.0"}},"Repository":{"id":"Repository","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/AgentRuntimeArtifactcd827e16ec3ca16deb7c41e16784a73e/Repository","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.RepositoryBase","version":"0.0.0","metadata":[]}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"BedrockAgentCoreRuntimeWithImportedRole":{"id":"BedrockAgentCoreRuntimeWithImportedRole","path":"BedrockAgentCoreRuntimeWithImportedRole","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapV
ersion":{"id":"BootstrapVersion","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts new file mode 100644 index 0000000000000..9aa0b1b0e26b6 --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts 
@@ -0,0 +1,42 @@
+/**
+ * Integration test for Bedrock AgentCore Runtime constructs with imported role
+ */
+
+/// !cdk-integ aws-cdk-bedrock-agentcore-runtime
+
+import * as path from 'path';
+import * as cdk from 'aws-cdk-lib';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import * as agentcore from '../../../agentcore';
+
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'aws-cdk-bedrock-agentcore-runtime-with-imported-role');
+
+const runtimeArtifact = agentcore.AgentRuntimeArtifact.fromAsset(
+ path.join(__dirname, 'testArtifact'),
+);
+
+const role = new iam.Role(stack, 'ExecutionRole', {
+ assumedBy: new iam.ServicePrincipal('bedrock-agentcore.amazonaws.com'),
+});
+const imported = iam.Role.fromRoleArn(stack, 'ImportedRole', role.roleArn);
+
+const runtime = new agentcore.Runtime(stack, 'TestRuntime', {
+ runtimeName: 'integ_test_runtime',
+ agentRuntimeArtifact: runtimeArtifact,
+ executionRole: imported,
+});
+
+runtime.addToRolePolicy(new iam.PolicyStatement({
+ actions: ['s3:GetObject'],
+ resources: ['arn:aws:s3:::my-bucket/my-object'],
+}));
+runtime.addToRolePolicy(new iam.PolicyStatement({
+ actions: ['dynamodb:Query'],
+ resources: ['arn:aws:dynamodb:us-east-1:123456789012:table/my-table'],
+}));
+
+new integ.IntegTest(app, 'BedrockAgentCoreRuntimeWithImportedRole', {
+ testCases: [stack],
+});
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts
index ca1f551865090..cb694229a65a4 100644
--- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts
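Review bot: The `/// !cdk-integ aws-cdk-bedrock-agentcore-runtime` pragma names a stack id that this file never creates; the stack it builds is `aws-cdk-bedrock-agentcore-runtime-with-imported-role`, so the pragma looks copied from a sibling integ test. Whether the runner still honours the pragma when `integ.IntegTest` lists `testCases: [stack]` explicitly I cannot tell from here, but either way it should read `/// !cdk-integ aws-cdk-bedrock-agentcore-runtime-with-imported-role` or be dropped so it cannot silently select the wrong stack. A short comment on the import line would also help, since re-importing a role created two lines above looks accidental at first glance: `// Import the just-created role by ARN so the Runtime takes the imported-role code path.`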
@@ -1342,6 +1342,94 @@ describe('Runtime metrics and grant methods tests', () => {
 const result = imported.addToRolePolicy(statement);
 expect(result).toBe(imported);
 });
+
+ test('Should create sequentially named policies when addToRolePolicy is called multiple times on imported role', () => {
+ const importedRole = iam.Role.fromRoleArn(stack, 'ImportedRole', 'arn:aws:iam::123456789012:role/imported-role');
+
+ const artifact = AgentRuntimeArtifact.fromEcrRepository(repository, 'v1.0.0');
+ const runtimeWithImportedRole = new Runtime(stack, 'RuntimeWithImportedRole', {
+ runtimeName: 'imported_runtime',
+ agentRuntimeArtifact: artifact,
+ executionRole: importedRole,
+ });
+
+ runtimeWithImportedRole.addToRolePolicy(
+ new iam.PolicyStatement({
+ actions: ['s3:GetObject'],
+ resources: ['arn:aws:s3:::bucket/*'],
+ }),
+ );
+ runtimeWithImportedRole.addToRolePolicy(
+ new iam.PolicyStatement({
+ actions: ['s3:PutObject'],
+ resources: ['arn:aws:s3:::bucket/*'],
+ }),
+ );
+ runtimeWithImportedRole.addToRolePolicy(
+ new iam.PolicyStatement({
+ actions: ['s3:DeleteObject'],
+ resources: ['arn:aws:s3:::bucket/*'],
+ }),
+ );
+
+ const template = Template.fromStack(stack);
+
+ template.hasResourceProperties('AWS::IAM::Policy', {
+ PolicyName: Match.stringLikeRegexp('RuntimeWithImportedRoleCustomPolicy0*'),
+ PolicyDocument: Match.objectLike({
+ Statement: [
+ Match.objectLike({
+ Action: 's3:GetObject',
+ Resource: 'arn:aws:s3:::bucket/*',
+ }),
+ ],
+ }),
+ });
+ template.hasResourceProperties('AWS::IAM::Policy', {
+ PolicyName: Match.stringLikeRegexp('RuntimeWithImportedRoleCustomPolicy1*'),
+ PolicyDocument: Match.objectLike({
+ Statement: [
+ Match.objectLike({
+ Action: 's3:PutObject',
+ Resource: 'arn:aws:s3:::bucket/*',
+ }),
+ ],
+ }),
+ });
+ template.hasResourceProperties('AWS::IAM::Policy', {
+ PolicyName: Match.stringLikeRegexp('RuntimeWithImportedRoleCustomPolicy2*'),
+ PolicyDocument: Match.objectLike({
+ Statement: [
+ Match.objectLike({
+ Action: 
's3:DeleteObject', + Resource: 'arn:aws:s3:::bucket/*', + }), + ], + }), + }); + }); + + test('Should add dependency to new policy including ECR permissions on imported role', () => { + const importedRole = iam.Role.fromRoleArn(stack, 'ImportedRole', 'arn:aws:iam::123456789012:role/imported-role'); + + const artifact = AgentRuntimeArtifact.fromEcrRepository(repository, 'v1.0.0'); + new Runtime(stack, 'RuntimeWithImportedRole', { + runtimeName: 'imported_runtime', + agentRuntimeArtifact: artifact, + executionRole: importedRole, + }); + + const template = Template.fromStack(stack); + + template.hasResource('AWS::BedrockAgentCore::Runtime', { + Properties: Match.objectLike({ + AgentRuntimeName: 'imported_runtime', + }), + DependsOn: [ + 'ImportedRolePolicyB363E365', + ], + }); + }); }); describe('Runtime with VPC network configuration tests', () => { From 275aa34f6425f29ed82cb8854287f92df2c01970 Mon Sep 17 00:00:00 2001 From: go-to-k <24818752+go-to-k@users.noreply.github.com> Date: Sat, 25 Oct 2025 17:56:23 +0900 Subject: [PATCH 2/8] comment --- .../aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts index a2b6db37a0fda..8bf4463ac034a 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts 
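Review bot: The three `Match.stringLikeRegexp('RuntimeWithImportedRoleCustomPolicy0*')` / `...Policy1*` / `...Policy2*` patterns do not pin the policy index the test title promises: in a regular expression `0*` means zero or more `0`s, so each pattern reduces to `RuntimeWithImportedRoleCustomPolicy` and would match any of the three policies. The assertions still pass because the `Action` differs per policy, but the sequential-naming claim is never actually verified. Anchor the index instead, e.g. `Match.stringLikeRegexp('^RuntimeWithImportedRoleCustomPolicy0')` and likewise `'^RuntimeWithImportedRoleCustomPolicy1'` / `'^RuntimeWithImportedRoleCustomPolicy2'`. Since the point of the series (see the `_addMissingPolicyDependencies` hunk) is that these policies become `DependsOn` entries of the runtime, the first test would be stronger if it also asserted the `AWS::BedrockAgentCore::Runtime` `DependsOn` list the way the second test does.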
@@ -407,8 +407,8 @@ export class Runtime extends RuntimeBase {
 // Add dependency on the policies for imported roles.
 // This ensures the Runtime waits for the policies (including ECR permissions) to be created.
- // When the role is created within the construct, it automatically depends on the policies,
- // with `this.runtimeResource.node.addDependency(this.role)`.
+ // In the case where the role is created within the construct, it automatically depends on
+ // the policies with `this.runtimeResource.node.addDependency(this.role)` in the constructor.
 // However, for imported roles, this dependency is not established, so we need to add it explicitly.
 if (!(this.role instanceof iam.Role)) {
 this.role.node.children.forEach(child => {
From a2fc26073e92d0c8a566da16ffc314da3adb49ab Mon Sep 17 00:00:00 2001
From: go-to-k <24818752+go-to-k@users.noreply.github.com>
Date: Sat, 25 Oct 2025 20:02:04 +0900
Subject: [PATCH 3/8] _addMissingPolicyDependencies
---
 .../agentcore/runtime/runtime-artifact.ts | 30 +++++++++++++++++++
 .../agentcore/runtime/runtime.ts | 14 --------
 2 files changed, 30 insertions(+), 14 deletions(-)
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
index 646136e9f8c6e..0a40c267d2609 100644
--- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
@@ -18,6 +18,7 @@ import { md5hash } from 'aws-cdk-lib/core/lib/helpers-internal';
 import { Construct } from 'constructs';
 import { Runtime } from './runtime';
 import { ValidationError } from './validation-helpers';
+import { CfnPolicy, Policy } from 'aws-cdk-lib/aws-iam';
 /**
 * Abstract base class for agent runtime artifacts.
@@ -50,6 +51,33 @@ export abstract class AgentRuntimeArtifact {
 * @internal
 */
 public abstract _render(): CfnRuntime.AgentRuntimeArtifactProperty;
+
+ /**
+ * Add any missing policy dependencies to the runtime resource
+ *
+ * TODO: add docs
+ * @internal
+ */
+ protected _addMissingPolicyDependencies(runtime: Runtime) {
+ const runtimeResource = runtime.node.defaultChild as CfnRuntime;
+ for (const child of runtime.role.node.children) {
+ if (!(child instanceof Policy)) {
+ continue;
+ }
+ if (!runtimeResource.node.dependencies.includes(child)) {
+ // This `_addMissingPolicyDependencies` method is executed in the `bind` method, which is called by a `Lazy`
+ // method in the Runtime constructor. The `Lazy` method executes during the Synthesize phase at the end of
+ // the CDK application lifecycle.
+ // On the other hand, `runtimeResource.node.addDependency(child)` is executed during the Prepare phase, which is
+ // before the Synthesize phase. This means that calling `node.addDependency` here would not actually add
+ // the dependency.
+ // Therefore, we use the `addDependency` method of the L1 Construct, which is executed during the Synthesize phase,
+ // instead of calling `node.addDependency`.
+ const cfnPolicy = child.node.defaultChild as CfnPolicy;
+ runtimeResource.addDependency(cfnPolicy);
+ }
+ }
+ }
 }
 class EcrImage extends AgentRuntimeArtifact {
@@ -63,6 +91,7 @@ class EcrImage extends AgentRuntimeArtifact {
 // Handle permissions (only once)
 if (!this.bound && runtime.role) {
 this.repository.grantPull(runtime.role);
+ this._addMissingPolicyDependencies(runtime);
 this.bound = true;
 }
 }
@@ -97,6 +126,7 @@ class AssetImage extends AgentRuntimeArtifact {
 // Grant permissions (only once)
 if (!this.bound) {
 this.asset.repository.grantPull(runtime.role);
+ this._addMissingPolicyDependencies(runtime);
 this.bound = true;
 }
 }
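Review bot: In `_addMissingPolicyDependencies` both `runtime.node.defaultChild as CfnRuntime` and `child.node.defaultChild as CfnPolicy` are unchecked casts; `defaultChild` is typed as possibly undefined, and the runtime.ts code this method replaces guarded `child.node.defaultChild` before casting, so the new version is less defensive and would hand `undefined` to `runtimeResource.addDependency` for a `Policy` without an L1 child. An `instanceof` guard keeps the normal path unchanged: `const cfnPolicy = child.node.defaultChild;` / `if (cfnPolicy instanceof CfnPolicy) { runtimeResource.addDependency(cfnPolicy); }`, and the same shape fits the `CfnRuntime` cast at the top of the method. The `runtimeResource.node.dependencies.includes(child)` pre-check compares the L2 `Policy` against construct-level dependencies while, per the comment, the constructor registers a dependency on the role rather than on its policies, so for the imported-role case it targets this check looks like it is always false; if it is meant as a guard against a future constructor change, a one-line comment saying so would help. This method is removed again in PATCH 6/8, so the point applies wherever it lands; `EcrImage.bind` and `AssetImage.bind`, which call it, start and end outside the hunk.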
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts
index 8bf4463ac034a..8cfe4fa4b4e1c 100644
--- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts
@@ -404,20 +404,6 @@ export class Runtime extends RuntimeBase {
 if (containerUri) {
 this.validateContainerUri(containerUri);
 }
-
- // Add dependency on the policies for imported roles.
- // This ensures the Runtime waits for the policies (including ECR permissions) to be created.
- // In the case where the role is created within the construct, it automatically depends on
- // the policies with `this.runtimeResource.node.addDependency(this.role)` in the constructor.
- // However, for imported roles, this dependency is not established, so we need to add it explicitly.
- if (!(this.role instanceof iam.Role)) {
- this.role.node.children.forEach(child => {
- if (child instanceof iam.Policy && child.node.defaultChild) {
- this.runtimeResource.addDependency(child.node.defaultChild as iam.CfnPolicy);
- }
- });
- }
-
 return {
 containerConfiguration: {
 containerUri: containerUri,
From 3455d591e29e3d5ebf6ea0bd26de772a1bde41f6 Mon Sep 17 00:00:00 2001
From: go-to-k <24818752+go-to-k@users.noreply.github.com>
Date: Sat, 25 Oct 2025 20:19:29 +0900
Subject: [PATCH 4/8] doc
---
 .../agentcore/runtime/runtime-artifact.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
index 0a40c267d2609..8b4dbacc9a533 100644
--- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
@@ -53,9 +53,13 @@ export abstract class AgentRuntimeArtifact {
 public abstract _render(): CfnRuntime.AgentRuntimeArtifactProperty;
 /**
- * Add any missing policy dependencies to the runtime resource
+ * Add any missing policy dependencies to the runtime resource.
+ *
+ * This ensures the Runtime waits for the policies (including ECR permissions) to be created.
+ * While the Runtime constructor already adds dependencies to the policies and their role, in the case
+ * where the role is imported, the policies are not yet generated in the role at that point, so the policy
+ * dependencies are not added. Therefore, this method explicitly adds the policy dependencies for the imported role.
- * TODO: add docs
 * @internal
 */
 protected _addMissingPolicyDependencies(runtime: Runtime) {
From f47281bf4f9bb5dc772149fa92d814af42026b3b Mon Sep 17 00:00:00 2001
From: go-to-k <24818752+go-to-k@users.noreply.github.com>
Date: Sat, 25 Oct 2025 20:29:55 +0900
Subject: [PATCH 5/8] doc
---
 .../agentcore/runtime/runtime-artifact.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
index 8b4dbacc9a533..52943dcbecf07 100644
--- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
@@ -58,7 +58,7 @@ export abstract class AgentRuntimeArtifact {
 * This ensures the Runtime waits for the policies (including ECR permissions) to be created.
 * While the Runtime constructor already adds dependencies to the policies and their role, in the case
 * where the role is imported, the policies are not yet generated in the role at that point, so the policy
- * dependencies are not added. Therefore, this method explicitly adds the policy dependencies for the imported role.
+ * dependencies are not added. Therefore, this method explicitly adds the policy dependencies.
 *
 * @internal
 */
From 5b518be6935d6b75c47339977a188ed89fc3b425 Mon Sep 17 00:00:00 2001
From: go-to-k <24818752+go-to-k@users.noreply.github.com>
Date: Sat, 25 Oct 2025 23:49:10 +0900
Subject: [PATCH 6/8] separate PR
---
 .../agentcore/runtime/runtime-artifact.ts | 34 ----
 ...ore-runtime-with-imported-role.assets.json | 22 +--
 ...e-runtime-with-imported-role.template.json | 64 +++-----
 .../manifest.json | 151 ++++++++++++++++--
 .../pre-stack.assets.json | 34 ++++
 .../pre-stack.template.json | 120 ++++++++++++++
 .../tree.json | 2 +-
 .../integ.runtime-with-imported-role.ts | 73 ++++++---
 .../test/agentcore/runtime/runtime.test.ts | 22 ---
 9 files changed, 377 insertions(+), 145 deletions(-)
 create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/pre-stack.assets.json
 create mode 100644 packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/pre-stack.template.json
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
index 52943dcbecf07..646136e9f8c6e 100644
--- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts
@@ -18,7 +18,6 @@ import { md5hash } from 'aws-cdk-lib/core/lib/helpers-internal';
 import { Construct } from 'constructs';
 import { Runtime } from './runtime';
 import { ValidationError } from './validation-helpers';
-import { CfnPolicy, Policy } from 'aws-cdk-lib/aws-iam';
 /**
 * Abstract base class for agent runtime artifacts.
@@ -51,37 +50,6 @@ export abstract class AgentRuntimeArtifact {
 * @internal
 */
 public abstract _render(): CfnRuntime.AgentRuntimeArtifactProperty;
-
- /**
- * Add any missing policy dependencies to the runtime resource.
- *
- * This ensures the Runtime waits for the policies (including ECR permissions) to be created.
- * While the Runtime constructor already adds dependencies to the policies and their role, in the case
- * where the role is imported, the policies are not yet generated in the role at that point, so the policy
- * dependencies are not added. Therefore, this method explicitly adds the policy dependencies.
- *
- * @internal
- */
- protected _addMissingPolicyDependencies(runtime: Runtime) {
- const runtimeResource = runtime.node.defaultChild as CfnRuntime;
- for (const child of runtime.role.node.children) {
- if (!(child instanceof Policy)) {
- continue;
- }
- if (!runtimeResource.node.dependencies.includes(child)) {
- // This `_addMissingPolicyDependencies` method is executed in the `bind` method, which is called by a `Lazy`
- // method in the Runtime constructor. The `Lazy` method executes during the Synthesize phase at the end of
- // the CDK application lifecycle.
- // On the other hand, `runtimeResource.node.addDependency(child)` is executed during the Prepare phase, which is
- // before the Synthesize phase. This means that calling `node.addDependency` here would not actually add
- // the dependency.
- // Therefore, we use the `addDependency` method of the L1 Construct, which is executed during the Synthesize phase,
- // instead of calling `node.addDependency`.
- const cfnPolicy = child.node.defaultChild as CfnPolicy;
- runtimeResource.addDependency(cfnPolicy);
- }
- }
- }
 }
 class EcrImage extends AgentRuntimeArtifact {
@@ -95,7 +63,6 @@ class EcrImage extends AgentRuntimeArtifact {
 // Handle permissions (only once)
 if (!this.bound && runtime.role) {
 this.repository.grantPull(runtime.role);
- this._addMissingPolicyDependencies(runtime);
 this.bound = true;
 }
 }
@@ -130,7 +97,6 @@ class AssetImage extends AgentRuntimeArtifact {
 // Grant permissions (only once)
 if (!this.bound) {
 this.asset.repository.grantPull(runtime.role);
- this._addMissingPolicyDependencies(runtime);
 this.bound = true;
 }
 }
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json
index 1e1418914ccbf..d02555292ba6f 100644
--- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json
@@ -1,34 +1,20 @@ { "version": "48.0.0", "files": { - "251cc5b9daa8ad354027df76af7a8156ee1ceca21e01fef7170cd98490cbeb93": { + "058a76af06f7c115ff37ab1cee995f292f76dfd264bf3dd1e19d19588850a24a": { "displayName": "aws-cdk-bedrock-agentcore-runtime-with-imported-role Template", "source": { "path": "aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region-90d5220b": { + "current_account-current_region-227f2f2a": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "251cc5b9daa8ad354027df76af7a8156ee1ceca21e01fef7170cd98490cbeb93.json", + "objectKey": "058a76af06f7c115ff37ab1cee995f292f76dfd264bf3dd1e19d19588850a24a.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } } }, - "dockerImages": { - "f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240": { - "displayName": "TestRuntime/AgentRuntimeArtifactcd827e16ec3ca16deb7c41e16784a73e", - "source": { - "directory": "asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240" - }, - "destinations": { - "current_account-current_region-1d39c940": { - "repositoryName": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}", - "imageTag": "f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-image-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - } + "dockerImages": {} } \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json index 58e7cf87d79b7..829dbed8d588c 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json @@ -1,22 +1,5 @@ { "Resources": { - "ExecutionRole605A040B": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "bedrock-agentcore.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC": { "Type": "AWS::IAM::Policy", "Properties": { @@ -76,10 +59,7 @@ "Fn::Split": [ ":", { - "Fn::GetAtt": [ - "ExecutionRole605A040B", - "Arn" - ] + "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE" } ] } 
@@ -98,7 +78,27 @@ "AgentRuntimeArtifact": { "ContainerConfiguration": { "ContainerUri": { - "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240" + "Fn::Join": [ + "", + [ + { + "Ref": "AWS::AccountId" + }, + ".dkr.ecr.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Fn::Sub": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}" + }, + ":f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240" + ] + ] } } }, @@ -108,15 +108,9 @@ }, "ProtocolConfiguration": "HTTP", "RoleArn": { - "Fn::GetAtt": [ - "ExecutionRole605A040B", - "Arn" - ] + "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE" } - }, - "DependsOn": [ - "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC" - ] + } }, "TestRuntimeCustomPolicy0BD35B9F3": { "Type": "AWS::IAM::Policy", @@ -146,10 +140,7 @@ "Fn::Split": [ ":", { - "Fn::GetAtt": [ - "ExecutionRole605A040B", - "Arn" - ] + "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE" } ] } @@ -190,10 +181,7 @@ "Fn::Split": [ ":", { - "Fn::GetAtt": [ - "ExecutionRole605A040B", - "Arn" - ] + "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE" } ] } diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json index 521f7ff6ab709..29c99c4c5a3c1 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json 
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json @@ -1,28 +1,28 @@ { "version": "48.0.0", "artifacts": { - "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets": { + "pre-stack.assets": { "type": "cdk:asset-manifest", "properties": { - "file": "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json", + "file": "pre-stack.assets.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" } }, - "aws-cdk-bedrock-agentcore-runtime-with-imported-role": { + "pre-stack": { "type": "aws:cloudformation:stack", "environment": "aws://unknown-account/unknown-region", "properties": { - "templateFile": "aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json", + "templateFile": "pre-stack.template.json", "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/251cc5b9daa8ad354027df76af7a8156ee1ceca21e01fef7170cd98490cbeb93.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/84963acbb8dcd54d3d751c43e3c9a8fae7312f7babb4e5a55f5cc29a36cd930a.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ - "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets" + "pre-stack.assets" ], "lookupRole": { "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", 
@@ -31,10 +31,10 @@ } }, "dependencies": [ - "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets" + "pre-stack.assets" ], "metadata": { - "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole": [ + "/pre-stack/ExecutionRole": [ { "type": "aws:cdk:analytics:construct", "data": { 
@@ -43,20 +43,151 @@ "assumeRoleAction": "*" } } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } } ], - "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole/ImportExecutionRole": [ + "/pre-stack/ExecutionRole/ImportExecutionRole": [ { "type": "aws:cdk:analytics:construct", "data": "*" } ], - "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole/Resource": [ + "/pre-stack/ExecutionRole/Resource": [ { "type": "aws:cdk:logicalId", "data": "ExecutionRole605A040B" } ], + "/pre-stack/ExecutionRole/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/pre-stack/ExecutionRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExecutionRoleDefaultPolicyA5B92313" + } + ], + "/pre-stack/Exports/Output{\"Fn::GetAtt\":[\"ExecutionRole605A040B\",\"Arn\"]}": [ + { + "type": "aws:cdk:logicalId", + "data": "ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE" + } + ], + "/pre-stack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/pre-stack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "pre-stack" + }, + 
"aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-bedrock-agentcore-runtime-with-imported-role": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/058a76af06f7c115ff37ab1cee995f292f76dfd264bf3dd1e19d19588850a24a.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "pre-stack", + "aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets" + ], + "metadata": { "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole": [ { "type": "aws:cdk:analytics:construct", 
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/pre-stack.assets.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/pre-stack.assets.json new file mode 100644 index 0000000000000..7e0a2ca9a48b2 --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/pre-stack.assets.json @@ -0,0 +1,34 @@ +{ + "version": "48.0.0", + "files": { + "84963acbb8dcd54d3d751c43e3c9a8fae7312f7babb4e5a55f5cc29a36cd930a": { + "displayName": "pre-stack Template", + "source": { + "path": "pre-stack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-da58c66b": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "84963acbb8dcd54d3d751c43e3c9a8fae7312f7babb4e5a55f5cc29a36cd930a.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": { + "f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240": { + "displayName": "TestAsset", + "source": { + "directory": "asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240" + }, + "destinations": { + "current_account-current_region-1d39c940": { + "repositoryName": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}", + "imageTag": "f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-image-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/pre-stack.template.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/pre-stack.template.json new file mode 100644 index 0000000000000..f3373262b20ec --- /dev/null +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/pre-stack.template.json 
@@ -0,0 +1,120 @@ +{ + "Resources": { + "ExecutionRole605A040B": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "bedrock-agentcore.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "ExecutionRoleDefaultPolicyA5B92313": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ecr:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":repository/", + { + "Fn::Sub": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + }, + { + "Action": "ecr:GetAuthorizationToken", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "ExecutionRoleDefaultPolicyA5B92313", + "Roles": [ + { + "Ref": "ExecutionRole605A040B" + } + ] + } + } + }, + "Outputs": { + "ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE": { + "Value": { + "Fn::GetAtt": [ + "ExecutionRole605A040B", + "Arn" + ] + }, + "Export": { + "Name": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. 
Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json index 86f6088fce8ae..8a9db68f030e3 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json 
@@ -1 +1 @@ -{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"aws-cdk-bedrock-agentcore-runtime-with-imported-role":{"id":"aws-cdk-bedrock-agentcore-runtime-with-imported-role","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"ExecutionRole":{"id":"ExecutionRole","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}}]},"children":{"ImportExecutionRole":{"id":"ImportExecutionRole","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole/ImportExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ExecutionRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"bedrock-agentcore.amazonaws.com"}}],"Version":"2012-10-17"}}}}}},"ImportedRole":{"id":"ImportedRole","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*","*","*","*","*","*","*","*","*"]},"children":{"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7":{"id":"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"policyName":"*"},{"attachToRole":["*"]}
,{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":repository/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"}]]}},{"Action":"ecr:GetAuthorizationToken","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::GetAtt":["ExecutionRole605A040B","Arn"]}]}]}]}]}]}}}}}}},"TestRuntime":{"id":"TestRuntime","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_bedrockagentcore.CfnRuntime","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::BedrockAgentCore::Runtime","aws:cdk:cloudformation:props":{"agentRuntimeArtifact":{"containerConfiguration":{"containerUri":{"Fn::Sub":"${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240"}}},"agentRuntimeName":"integ_test_runtime","networkConfiguration":{"networkMode":"PUBLIC"},"protocolCon
figuration":"HTTP","roleArn":{"Fn::GetAtt":["ExecutionRole605A040B","Arn"]}}}},"CustomPolicy0":{"id":"CustomPolicy0","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"statements":"*"},{"addStatements":[{}]},{"attachToRole":["*"]},{"attachToRole":["*"]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"s3:GetObject","Effect":"Allow","Resource":"arn:aws:s3:::my-bucket/my-object"}],"Version":"2012-10-17"},"policyName":"TestRuntimeCustomPolicy0BD35B9F3","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::GetAtt":["ExecutionRole605A040B","Arn"]}]}]}]}]}]}}}}},"CustomPolicy1":{"id":"CustomPolicy1","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"statements":"*"},{"addStatements":[{}]},{"attachToRole":["*"]},{"attachToRole":["*"]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"dynamodb:Query","Effect":"Allow","Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/my-table"}],"Version":"2012-10-17"},"policyName":"TestRuntimeCustomPolicy16EAF0B5F","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::GetAtt":["ExecutionRole605A040B","Arn"]}]}]}]}]}]}}}}},"AgentRuntimeArtifactcd
827e16ec3ca16deb7c41e16784a73e":{"id":"AgentRuntimeArtifactcd827e16ec3ca16deb7c41e16784a73e","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/AgentRuntimeArtifactcd827e16ec3ca16deb7c41e16784a73e","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr_assets.DockerImageAsset","version":"0.0.0"},"children":{"Staging":{"id":"Staging","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/AgentRuntimeArtifactcd827e16ec3ca16deb7c41e16784a73e/Staging","constructInfo":{"fqn":"aws-cdk-lib.AssetStaging","version":"0.0.0"}},"Repository":{"id":"Repository","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/AgentRuntimeArtifactcd827e16ec3ca16deb7c41e16784a73e/Repository","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.RepositoryBase","version":"0.0.0","metadata":[]}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"BedrockAgentCoreRuntimeWithImportedRole":{"id":"BedrockAgentCoreRuntimeWithImportedRole","path":"BedrockAgentCoreRuntimeWithImportedRole","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVer
sion":{"id":"BootstrapVersion","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"pre-stack":{"id":"pre-stack","path":"pre-stack","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"ExecutionRole":{"id":"ExecutionRole","path":"pre-stack/ExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]},{"addToPrincipalPolicy":[{}]}]},"children":{"ImportExecutionRole":{"id":"ImportExecutionRole","path":"pre-stack/ExecutionRole/ImportExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"pre-stack/ExecutionRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"bedrock-agentcore.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"pre-stack/ExecutionRole/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]}]},"chil
dren":{"Resource":{"id":"Resource","path":"pre-stack/ExecutionRole/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":repository/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"}]]}},{"Action":"ecr:GetAuthorizationToken","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"ExecutionRoleDefaultPolicyA5B92313","roles":[{"Ref":"ExecutionRole605A040B"}]}}}}}}},"TestAsset":{"id":"TestAsset","path":"pre-stack/TestAsset","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr_assets.DockerImageAsset","version":"0.0.0"},"children":{"Staging":{"id":"Staging","path":"pre-stack/TestAsset/Staging","constructInfo":{"fqn":"aws-cdk-lib.AssetStaging","version":"0.0.0"}},"Repository":{"id":"Repository","path":"pre-stack/TestAsset/Repository","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.RepositoryBase","version":"0.0.0","metadata":[]}}}},"Exports":{"id":"Exports","path":"pre-stack/Exports","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"children":{"Output{\"Fn::GetAtt\":[\"ExecutionRole605A040B\",\"Arn\"]}":{"id":"Output{\"Fn::GetAtt\":[\"ExecutionRole605A040B\",\"Arn\"]}","path":"pre-stack/Exports/Output{\"Fn::GetAtt\":[\"ExecutionRole605A040B\",\"Arn\"]}","constructInfo":{"fqn":"aws-cdk-lib.CfnOutput","version":"0.0.0"}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"pre-stack/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"pre-stack/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},
"aws-cdk-bedrock-agentcore-runtime-with-imported-role":{"id":"aws-cdk-bedrock-agentcore-runtime-with-imported-role","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"ImportedRole":{"id":"ImportedRole","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*","*","*","*","*","*","*","*","*"]},"children":{"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7":{"id":"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"policyName":"*"},{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":repository/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"}]]}},{"Action":"ecr:GetAuthorizationToken","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::ImportValue":"pre-stack
:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"}]}]}]}]}]}}}}}}},"TestRuntime":{"id":"TestRuntime","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_bedrockagentcore.CfnRuntime","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::BedrockAgentCore::Runtime","aws:cdk:cloudformation:props":{"agentRuntimeArtifact":{"containerConfiguration":{"containerUri":{"Fn::Join":["",[{"Ref":"AWS::AccountId"},".dkr.ecr.",{"Ref":"AWS::Region"},".",{"Ref":"AWS::URLSuffix"},"/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"},":f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240"]]}}},"agentRuntimeName":"integ_test_runtime","networkConfiguration":{"networkMode":"PUBLIC"},"protocolConfiguration":"HTTP","roleArn":{"Fn::ImportValue":"pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"}}}},"CustomPolicy0":{"id":"CustomPolicy0","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"statements":"*"},{"addStatements":[{}]},{"attachToRole":["*"]},{"attachToRole":["*"]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"s3:GetObject","Effect":"Allow","Resource":"arn:aws:s3:::my-bucket/my-object"}],"Version":"2012-10-17"},"policyName":"TestRuntimeCustomPolicy0BD35B9F3","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":
",{"Fn::ImportValue":"pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"}]}]}]}]}]}}}}},"CustomPolicy1":{"id":"CustomPolicy1","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"statements":"*"},{"addStatements":[{}]},{"attachToRole":["*"]},{"attachToRole":["*"]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"dynamodb:Query","Effect":"Allow","Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/my-table"}],"Version":"2012-10-17"},"policyName":"TestRuntimeCustomPolicy16EAF0B5F","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::ImportValue":"pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"}]}]}]}]}]}}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"BedrockAgentCoreRuntimeWithImportedRole":{"id":"BedrockAgentCoreRuntimeWithImportedRole","path":"BedrockAgentCoreRuntimeWithImportedRole","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"BedrockAgentCoreRuntimeWithImportedRole/
DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts index 9aa0b1b0e26b6..d1007b62cf393 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts 
@@ -9,34 +9,63 @@ import * as cdk from 'aws-cdk-lib'; import * as iam from 'aws-cdk-lib/aws-iam'; import * as integ from '@aws-cdk/integ-tests-alpha'; import * as agentcore from '../../../agentcore'; +import { DockerImageAsset } from 'aws-cdk-lib/aws-ecr-assets'; const app = new cdk.App(); -const stack = new cdk.Stack(app, 'aws-cdk-bedrock-agentcore-runtime-with-imported-role'); -const runtimeArtifact = agentcore.AgentRuntimeArtifact.fromAsset( - path.join(__dirname, 'testArtifact'), -); +// Pre stack for imported resources +class PreStack extends cdk.Stack { + public readonly role: iam.Role; + public readonly asset: DockerImageAsset; -const role = new iam.Role(stack, 'ExecutionRole', { - assumedBy: new iam.ServicePrincipal('bedrock-agentcore.amazonaws.com'), -}); -const imported = iam.Role.fromRoleArn(stack, 'ImportedRole', role.roleArn); + constructor(scope: cdk.App, id: string) { + super(scope, id); -const runtime = new agentcore.Runtime(stack, 'TestRuntime', { - runtimeName: 'integ_test_runtime', - agentRuntimeArtifact: runtimeArtifact, - executionRole: imported, -}); + this.role = new iam.Role(this, 'ExecutionRole', { + assumedBy: new iam.ServicePrincipal('bedrock-agentcore.amazonaws.com'), + }); + this.asset = new DockerImageAsset(this, 'TestAsset', { + directory: path.join(__dirname, 'testArtifact'), + }); + this.asset.repository.grantPull(this.role); + } +} + +interface TestStackProps extends cdk.StackProps { + readonly role: iam.IRole; + readonly asset: DockerImageAsset; +} + +class TestStack extends cdk.Stack { + constructor(scope: cdk.App, id: string, props: TestStackProps) { + super(scope, id); -runtime.addToRolePolicy(new iam.PolicyStatement({ - actions: ['s3:GetObject'], - resources: ['arn:aws:s3:::my-bucket/my-object'], -})); -runtime.addToRolePolicy(new iam.PolicyStatement({ - actions: ['dynamodb:Query'], - resources: ['arn:aws:dynamodb:us-east-1:123456789012:table/my-table'], -})); + const runtimeArtifact = 
agentcore.AgentRuntimeArtifact.fromEcrRepository(props.asset.repository, props.asset.imageTag); + const imported = iam.Role.fromRoleArn(this, 'ImportedRole', props.role.roleArn); + const runtime = new agentcore.Runtime(this, 'TestRuntime', { + runtimeName: 'integ_test_runtime', + agentRuntimeArtifact: runtimeArtifact, + executionRole: imported, + }); + + runtime.addToRolePolicy(new iam.PolicyStatement({ + actions: ['s3:GetObject'], + resources: ['arn:aws:s3:::my-bucket/my-object'], + })); + runtime.addToRolePolicy(new iam.PolicyStatement({ + actions: ['dynamodb:Query'], + resources: ['arn:aws:dynamodb:us-east-1:123456789012:table/my-table'], + })); + } +} + +const preStack = new PreStack(app, 'pre-stack'); + +const stack = new TestStack(app, 'aws-cdk-bedrock-agentcore-runtime-with-imported-role', { + role: preStack.role, + asset: preStack.asset, +}); new integ.IntegTest(app, 'BedrockAgentCoreRuntimeWithImportedRole', { - testCases: [stack], + testCases: [stack], // don't need to check preStack }); diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts index cb694229a65a4..06d55606f99b7 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts 
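Review bot: `TestStackProps extends cdk.StackProps`, yet `TestStack`'s constructor calls `super(scope, id)` and discards every stack prop a caller might pass (env, tags, description); either forward them with `super(scope, id, props);` or drop the `extends`. Separately, `iam.Role.fromRoleArn(this, 'ImportedRole', props.role.roleArn)` uses the default mutable import, so this integ test only exercises the path where a policy can be attached to the imported role in the consumer stack; an import with `mutable: false`, where the `addToRolePolicy` statements would not be attached, has no coverage here and seems worth either a second test case or a comment on the `ImportedRole` line such as `// mutable import (default): statements added via addToRolePolicy land in a Policy in this stack`. The trailing `// don't need to check preStack` would read more clearly as `// preStack is deployed as a dependency of stack; no assertions are made on it`.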
@@ -1408,28 +1408,6 @@ describe('Runtime metrics and grant methods tests', () => { }), }); }); - - test('Should add dependency to new policy including ECR permissions on imported role', () => { - const importedRole = iam.Role.fromRoleArn(stack, 'ImportedRole', 'arn:aws:iam::123456789012:role/imported-role'); - - const artifact = AgentRuntimeArtifact.fromEcrRepository(repository, 'v1.0.0'); - new Runtime(stack, 'RuntimeWithImportedRole', { - runtimeName: 'imported_runtime', - agentRuntimeArtifact: artifact, - executionRole: importedRole, - }); - - const template = Template.fromStack(stack); - - template.hasResource('AWS::BedrockAgentCore::Runtime', { - Properties: Match.objectLike({ - AgentRuntimeName: 'imported_runtime', - }), - DependsOn: [ - 'ImportedRolePolicyB363E365', - ], - }); - }); }); describe('Runtime with VPC network configuration tests', () => { From 3e7497c8a7818beeea8c736c7a172e1e5f481859 Mon Sep 17 00:00:00 2001 From: go-to-k <24818752+go-to-k@users.noreply.github.com> Date: Mon, 27 Oct 2025 00:44:15 +0900 Subject: [PATCH 7/8] tweak --- .../test/agentcore/runtime/integ.runtime-with-imported-role.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts index d1007b62cf393..ed5234e8feac7 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.ts @@ -2,7 +2,7 @@ * Integration test for Bedrock AgentCore Runtime constructs with imported role */ -/// !cdk-integ aws-cdk-bedrock-agentcore-runtime +/// !cdk-integ aws-cdk-bedrock-agentcore-runtime-with-imported-role import * as path from 'path'; import * as cdk from 'aws-cdk-lib'; 
From 63fe336df4eca3369467527f004544c5f1aaace8 Mon Sep 17 00:00:00 2001 From: go-to-k <24818752+go-to-k@users.noreply.github.com> Date: Tue, 28 Oct 2025 17:39:13 +0900 Subject: [PATCH 8/8] use addToPrincipalPolicy tweak --- .../agentcore/runtime/runtime-base.ts | 17 +--- ...ore-runtime-with-imported-role.assets.json | 6 +- ...e-runtime-with-imported-role.template.json | 97 +++---------------- .../manifest.json | 90 +++-------------- .../tree.json | 2 +- .../test/agentcore/runtime/runtime.test.ts | 90 ++++------------- 6 files changed, 47 insertions(+), 255 deletions(-) diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts index 40eb7b5668625..255df5002bd49 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts @@ -219,12 +219,6 @@ export abstract class RuntimeBase extends Resource implements IBedrockAgentRunti */ protected _connections: ec2.Connections | undefined; - /** - * Counter for policies attached to imported roles - * @internal - */ - private _policyCounter: number = 0; - constructor(scope: Construct, id: string) { super(scope, id); } @@ -251,16 +245,7 @@ export abstract class RuntimeBase extends Resource implements IBedrockAgentRunti * @returns The runtime instance for chaining */ public addToRolePolicy(statement: iam.PolicyStatement): IBedrockAgentRuntime { - // Check if role is a concrete Role instance - if (this.role instanceof iam.Role) { - this.role.addToPolicy(statement); - } else { - // For imported roles (IRole), we need to attach via a new policy - const policy = new iam.Policy(this, `CustomPolicy${this._policyCounter++}`, { - statements: [statement], - }); - this.role.attachInlinePolicy(policy); - } + this.role.addToPrincipalPolicy(statement); return this; } 
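Review bot: The return value of `addToPrincipalPolicy` is discarded in the new body of `addToRolePolicy`, so when `this.role` is an imported role created with `mutable: false` the statement is dropped (`statementAdded` is false) and the caller still gets the runtime back as if the permission had been granted. The removed `instanceof iam.Role` branch had the same gap, but the new call makes the signal available for free: `const result = this.role.addToPrincipalPolicy(statement);` followed by a warning annotation on the construct when `!result.statementAdded`; `result.policyDependable` is also the handle to use if the runtime resource should explicitly depend on the generated policy, which is what the test deleted in patch 1/8 ("Should add dependency to new policy ...") used to assert. At minimum the method's docstring, which starts outside the hunk, should state that the statement goes into the role's principal policy for both concrete and imported roles and is a no-op for immutable imports.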
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json index d02555292ba6f..ef3e5406e3521 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json @@ -1,16 +1,16 @@ { "version": "48.0.0", "files": { - "058a76af06f7c115ff37ab1cee995f292f76dfd264bf3dd1e19d19588850a24a": { + "0e5ec3659f778e905074a9b120f22641730a5b31520f0c1a4ba357150d1e1096": { "displayName": "aws-cdk-bedrock-agentcore-runtime-with-imported-role Template", "source": { "path": "aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region-227f2f2a": { + "current_account-current_region-6a03810c": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "058a76af06f7c115ff37ab1cee995f292f76dfd264bf3dd1e19d19588850a24a.json", + "objectKey": "0e5ec3659f778e905074a9b120f22641730a5b31520f0c1a4ba357150d1e1096.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json index 829dbed8d588c..b480cd0a03da9 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.template.json @@ -5,6 +5,16 @@ "Properties": { "PolicyDocument": { "Statement": [ + { + "Action": "s3:GetObject", + "Effect": "Allow", + "Resource": "arn:aws:s3:::my-bucket/my-object" + }, + { + "Action": "dynamodb:Query", + "Effect": "Allow", + "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table" + }, { "Action": [ "ecr:BatchCheckLayerAvailability", 
@@ -110,89 +120,10 @@ "RoleArn": { "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE" } - } - }, - "TestRuntimeCustomPolicy0BD35B9F3": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:GetObject", - "Effect": "Allow", - "Resource": "arn:aws:s3:::my-bucket/my-object" - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestRuntimeCustomPolicy0BD35B9F3", - "Roles": [ - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE" - } - ] - } - ] - } - ] - } - ] - } - ] - } - }, - "TestRuntimeCustomPolicy16EAF0B5F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "dynamodb:Query", - "Effect": "Allow", - "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table" - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestRuntimeCustomPolicy16EAF0B5F", - "Roles": [ - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE" - } - ] - } - ] - } - ] - } - ] - } - ] - } + }, + "DependsOn": [ + "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC" + ] } }, "Parameters": { diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json index 29c99c4c5a3c1..cb8ad81181850 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json 
+++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/manifest.json @@ -171,7 +171,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/058a76af06f7c115ff37ab1cee995f292f76dfd264bf3dd1e19d19588850a24a.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0e5ec3659f778e905074a9b120f22641730a5b31520f0c1a4ba357150d1e1096.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -213,14 +213,6 @@ "type": "aws:cdk:analytics:method", "data": "*" }, - { - "type": "aws:cdk:analytics:method", - "data": "*" - }, - { - "type": "aws:cdk:analytics:method", - "data": "*" - }, { "type": "aws:cdk:analytics:method", "data": "*" 
@@ -264,36 +256,6 @@ {} ] } - } - ], - "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC" - } - ], - "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime": [ - { - "type": "aws:cdk:analytics:construct", - "data": "*" - }, - { - "type": "aws:cdk:info", - "data": "Container URI validation skipped as it contains unresolved CDK tokens. The URI will be validated at deployment time." - } - ], - "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TestRuntime65042BB5" - } - ], - "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0": [ - { - "type": "aws:cdk:analytics:construct", - "data": { - "statements": "*" - } }, { "type": "aws:cdk:analytics:method", 
@@ -306,62 +268,32 @@ { "type": "aws:cdk:analytics:method", "data": { - "attachToRole": [ - "*" - ] - } - }, - { - "type": "aws:cdk:analytics:method", - "data": { - "attachToRole": [ - "*" + "addStatements": [ + {} ] } } ], - "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0/Resource": [ + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7/Resource": [ { "type": "aws:cdk:logicalId", - "data": "TestRuntimeCustomPolicy0BD35B9F3" + "data": "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC" } ], - "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1": [ + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime": [ { "type": "aws:cdk:analytics:construct", - "data": { - "statements": "*" - } - }, - { - "type": "aws:cdk:analytics:method", - "data": { - "addStatements": [ - {} - ] - } - }, - { - "type": "aws:cdk:analytics:method", - "data": { - "attachToRole": [ - "*" - ] - } + "data": "*" }, { - "type": "aws:cdk:analytics:method", - "data": { - "attachToRole": [ - "*" - ] - } + "type": "aws:cdk:info", + "data": "Container URI validation skipped as it contains unresolved CDK tokens. The URI will be validated at deployment time." } ], - "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1/Resource": [ + "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/Resource": [ { "type": "aws:cdk:logicalId", - "data": "TestRuntimeCustomPolicy16EAF0B5F" + "data": "TestRuntime65042BB5" } ], "/aws-cdk-bedrock-agentcore-runtime-with-imported-role/BootstrapVersion": [ 
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json index 8a9db68f030e3..54951c3ec2f25 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/tree.json 
@@ -1 +1 @@ -{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"pre-stack":{"id":"pre-stack","path":"pre-stack","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"ExecutionRole":{"id":"ExecutionRole","path":"pre-stack/ExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]},{"addToPrincipalPolicy":[{}]}]},"children":{"ImportExecutionRole":{"id":"ImportExecutionRole","path":"pre-stack/ExecutionRole/ImportExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"pre-stack/ExecutionRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"bedrock-agentcore.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"pre-stack/ExecutionRole/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"pre-stack/ExecutionRole/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":repositor
y/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"}]]}},{"Action":"ecr:GetAuthorizationToken","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"ExecutionRoleDefaultPolicyA5B92313","roles":[{"Ref":"ExecutionRole605A040B"}]}}}}}}},"TestAsset":{"id":"TestAsset","path":"pre-stack/TestAsset","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr_assets.DockerImageAsset","version":"0.0.0"},"children":{"Staging":{"id":"Staging","path":"pre-stack/TestAsset/Staging","constructInfo":{"fqn":"aws-cdk-lib.AssetStaging","version":"0.0.0"}},"Repository":{"id":"Repository","path":"pre-stack/TestAsset/Repository","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.RepositoryBase","version":"0.0.0","metadata":[]}}}},"Exports":{"id":"Exports","path":"pre-stack/Exports","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"children":{"Output{\"Fn::GetAtt\":[\"ExecutionRole605A040B\",\"Arn\"]}":{"id":"Output{\"Fn::GetAtt\":[\"ExecutionRole605A040B\",\"Arn\"]}","path":"pre-stack/Exports/Output{\"Fn::GetAtt\":[\"ExecutionRole605A040B\",\"Arn\"]}","constructInfo":{"fqn":"aws-cdk-lib.CfnOutput","version":"0.0.0"}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"pre-stack/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"pre-stack/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"aws-cdk-bedrock-agentcore-runtime-with-imported-role":{"id":"aws-cdk-bedrock-agentcore-runtime-with-imported-role","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"ImportedRole":{"id":"ImportedRole","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*","*","*","*","*","*","*","*","*"]},"children":{"Policyawscdkbedrockagentcoreruntimewithimpo
rtedroleImportedRole261507D7":{"id":"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"policyName":"*"},{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":repository/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"}]]}},{"Action":"ecr:GetAuthorizationToken","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::ImportValue":"pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"}]}]}]}]}]}}}}}}},"TestRuntime":{"id":"TestRuntime","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_bedrockagentcore.CfnRuntime","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::BedrockAg
entCore::Runtime","aws:cdk:cloudformation:props":{"agentRuntimeArtifact":{"containerConfiguration":{"containerUri":{"Fn::Join":["",[{"Ref":"AWS::AccountId"},".dkr.ecr.",{"Ref":"AWS::Region"},".",{"Ref":"AWS::URLSuffix"},"/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"},":f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240"]]}}},"agentRuntimeName":"integ_test_runtime","networkConfiguration":{"networkMode":"PUBLIC"},"protocolConfiguration":"HTTP","roleArn":{"Fn::ImportValue":"pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"}}}},"CustomPolicy0":{"id":"CustomPolicy0","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"statements":"*"},{"addStatements":[{}]},{"attachToRole":["*"]},{"attachToRole":["*"]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy0/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"s3:GetObject","Effect":"Allow","Resource":"arn:aws:s3:::my-bucket/my-object"}],"Version":"2012-10-17"},"policyName":"TestRuntimeCustomPolicy0BD35B9F3","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::ImportValue":"pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"}]}]}]}]}]}}}}},"CustomPolicy1":{"id":"CustomPolicy1","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"statements":"*"},{"addStatements":[{}]},{"attachToRole":["*"]},{"attachToRole":["*"]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/CustomPolicy1/Resour
ce","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"dynamodb:Query","Effect":"Allow","Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/my-table"}],"Version":"2012-10-17"},"policyName":"TestRuntimeCustomPolicy16EAF0B5F","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::ImportValue":"pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"}]}]}]}]}]}}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"BedrockAgentCoreRuntimeWithImportedRole":{"id":"BedrockAgentCoreRuntimeWithImportedRole","path":"BedrockAgentCoreRuntimeWithImportedRole","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","p
ath":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"pre-stack":{"id":"pre-stack","path":"pre-stack","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"ExecutionRole":{"id":"ExecutionRole","path":"pre-stack/ExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]},{"addToPrincipalPolicy":[{}]}]},"children":{"ImportExecutionRole":{"id":"ImportExecutionRole","path":"pre-stack/ExecutionRole/ImportExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"pre-stack/ExecutionRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"bedrock-agentcore.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"pre-stack/ExecutionRole/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"pre-stack/ExecutionRole/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformat
ion:props":{"policyDocument":{"Statement":[{"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":repository/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"}]]}},{"Action":"ecr:GetAuthorizationToken","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"ExecutionRoleDefaultPolicyA5B92313","roles":[{"Ref":"ExecutionRole605A040B"}]}}}}}}},"TestAsset":{"id":"TestAsset","path":"pre-stack/TestAsset","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr_assets.DockerImageAsset","version":"0.0.0"},"children":{"Staging":{"id":"Staging","path":"pre-stack/TestAsset/Staging","constructInfo":{"fqn":"aws-cdk-lib.AssetStaging","version":"0.0.0"}},"Repository":{"id":"Repository","path":"pre-stack/TestAsset/Repository","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.RepositoryBase","version":"0.0.0","metadata":[]}}}},"Exports":{"id":"Exports","path":"pre-stack/Exports","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"children":{"Output{\"Fn::GetAtt\":[\"ExecutionRole605A040B\",\"Arn\"]}":{"id":"Output{\"Fn::GetAtt\":[\"ExecutionRole605A040B\",\"Arn\"]}","path":"pre-stack/Exports/Output{\"Fn::GetAtt\":[\"ExecutionRole605A040B\",\"Arn\"]}","constructInfo":{"fqn":"aws-cdk-lib.CfnOutput","version":"0.0.0"}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"pre-stack/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"pre-stack/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"aws-cdk-bedrock-agentcore-runtime-with-imported-role":{"id":"aws-cdk-bedrock-agentcore-runtime-with-imported-role","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"childre
n":{"ImportedRole":{"id":"ImportedRole","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*","*","*","*","*","*","*"]},"children":{"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7":{"id":"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":[{"policyName":"*"},{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/ImportedRole/PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"s3:GetObject","Effect":"Allow","Resource":"arn:aws:s3:::my-bucket/my-object"},{"Action":"dynamodb:Query","Effect":"Allow","Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/my-table"},{"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":repository/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"}]]}},{"Action":"ecr:GetAuthorizationToken","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7","roles":[{"Fn::Select":[1,{"Fn::Split":["/",{"Fn::Select":[5,{"Fn::Split":[":",{"Fn::ImportValue":"pre-stack:Exports
OutputFnGetAttExecutionRole605A040BArnA891DEDE"}]}]}]}]}]}}}}}}},"TestRuntime":{"id":"TestRuntime","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/TestRuntime/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_bedrockagentcore.CfnRuntime","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::BedrockAgentCore::Runtime","aws:cdk:cloudformation:props":{"agentRuntimeArtifact":{"containerConfiguration":{"containerUri":{"Fn::Join":["",[{"Ref":"AWS::AccountId"},".dkr.ecr.",{"Ref":"AWS::Region"},".",{"Ref":"AWS::URLSuffix"},"/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"},":f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240"]]}}},"agentRuntimeName":"integ_test_runtime","networkConfiguration":{"networkMode":"PUBLIC"},"protocolConfiguration":"HTTP","roleArn":{"Fn::ImportValue":"pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-bedrock-agentcore-runtime-with-imported-role/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"BedrockAgentCoreRuntimeWithImportedRole":{"id":"BedrockAgentCoreRuntimeWithImportedRole","path":"BedrockAgentCoreRuntimeWithImportedRole","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"BedrockAgentCoreRuntimeW
ithImportedRole/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"BedrockAgentCoreRuntimeWithImportedRole/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts index 06d55606f99b7..0823109d4f0cb 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts @@ -1312,13 +1312,18 @@ describe('Runtime metrics and grant methods tests', () => { }); test('Should add policy statement to runtime role', () => { - const statement = new iam.PolicyStatement({ + const result = runtime.addToRolePolicy(new iam.PolicyStatement({ actions: ['s3:GetObject'], resources: ['arn:aws:s3:::bucket/*'], - }); - - const result = runtime.addToRolePolicy(statement); + })); expect(result).toBe(runtime); + + // Can call multiple times + const result2 = runtime.addToRolePolicy(new iam.PolicyStatement({ + actions: ['dynamodb:Query'], + resources: ['arn:aws:dynamodb:us-east-1:123456789012:table/test-table'], + })); + expect(result2).toBe(runtime); }); test('Should add policy to imported runtime role', () => { 
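Review bot: The rewritten 'Should add policy statement to runtime role' test asserts only the fluent return value, so an `addToRolePolicy` that silently dropped the statement would still pass; for an execution-role grant that is an authorization bug with no crash to catch it. After the second call I would pin the synthesized policy, roughly `Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { PolicyDocument: Match.objectLike({ Statement: Match.arrayWith([Match.objectLike({ Action: 's3:GetObject', Resource: 'arn:aws:s3:::bucket/*' }), Match.objectLike({ Action: 'dynamodb:Query' })]) }) })`, which also confirms the two calls accumulate rather than overwrite. `runtime` and `stack` come from setup outside the hunk, and the `test(...)` opened on the hunk's last line continues past it.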
@@ -1334,79 +1339,18 @@ describe('Runtime metrics and grant methods tests', () => { agentRuntimeVersion: '1', }); - const statement = new iam.PolicyStatement({ + const result = imported.addToRolePolicy(new iam.PolicyStatement({ actions: ['s3:GetObject'], resources: ['arn:aws:s3:::bucket/*'], - }); - - const result = imported.addToRolePolicy(statement); + })); expect(result).toBe(imported); - }); - - test('Should create sequentially named policies when addToRolePolicy is called multiple times on imported role', () => { - const importedRole = iam.Role.fromRoleArn(stack, 'ImportedRole', 'arn:aws:iam::123456789012:role/imported-role'); - - const artifact = AgentRuntimeArtifact.fromEcrRepository(repository, 'v1.0.0'); - const runtimeWithImportedRole = new Runtime(stack, 'RuntimeWithImportedRole', { - runtimeName: 'imported_runtime', - agentRuntimeArtifact: artifact, - executionRole: importedRole, - }); - - runtimeWithImportedRole.addToRolePolicy( - new iam.PolicyStatement({ - actions: ['s3:GetObject'], - resources: ['arn:aws:s3:::bucket/*'], - }), - ); - runtimeWithImportedRole.addToRolePolicy( - new iam.PolicyStatement({ - actions: ['s3:PutObject'], - resources: ['arn:aws:s3:::bucket/*'], - }), - ); - runtimeWithImportedRole.addToRolePolicy( - new iam.PolicyStatement({ - actions: ['s3:DeleteObject'], - resources: ['arn:aws:s3:::bucket/*'], - }), - ); - - const template = Template.fromStack(stack); - template.hasResourceProperties('AWS::IAM::Policy', { - PolicyName: Match.stringLikeRegexp('RuntimeWithImportedRoleCustomPolicy0*'), - PolicyDocument: Match.objectLike({ - Statement: [ - Match.objectLike({ - Action: 's3:GetObject', - Resource: 'arn:aws:s3:::bucket/*', - }), - ], - }), - }); - template.hasResourceProperties('AWS::IAM::Policy', { - PolicyName: Match.stringLikeRegexp('RuntimeWithImportedRoleCustomPolicy1*'), - PolicyDocument: Match.objectLike({ - Statement: [ - Match.objectLike({ - Action: 's3:PutObject', - Resource: 'arn:aws:s3:::bucket/*', - }), - ], - }), - 
}); - template.hasResourceProperties('AWS::IAM::Policy', { - PolicyName: Match.stringLikeRegexp('RuntimeWithImportedRoleCustomPolicy2*'), - PolicyDocument: Match.objectLike({ - Statement: [ - Match.objectLike({ - Action: 's3:DeleteObject', - Resource: 'arn:aws:s3:::bucket/*', - }), - ], - }), - }); + // Can call multiple times + const result2 = imported.addToRolePolicy(new iam.PolicyStatement({ + actions: ['dynamodb:Query'], + resources: ['arn:aws:dynamodb:us-east-1:123456789012:table/test-table'], + })); + expect(result2).toBe(imported); }); });
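Review bot: The replacement for the deleted 'sequentially named policies' test removes every `Template` assertion, so the suite no longer checks that statements added to an imported role reach an `AWS::IAM::Policy` at all — it only checks that `addToRolePolicy` returns `imported`. The snapshot in this same commit shows the new behaviour (both statements merged into one policy on the imported role), and that is precisely what a regression would break without an exception, since a missing permission on an execution role only surfaces at runtime. If `imported` carries a role ARN in `stack`, a template check after the second call would cover it; `Template` and `Match` were used by the deleted test so should still be imported, though I cannot see the file header here. `imported`, `stack` and the describe setup start outside the hunk.
```typescript
    // … unchanged: two addToRolePolicy calls and the return-value asserts …
    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
      PolicyDocument: Match.objectLike({
        Statement: Match.arrayWith([
          Match.objectLike({ Action: 's3:GetObject', Resource: 'arn:aws:s3:::bucket/*' }),
          Match.objectLike({ Action: 'dynamodb:Query', Resource: 'arn:aws:dynamodb:us-east-1:123456789012:table/test-table' }),
        ]),
      }),
    });
```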