feat(bedrock-agentcore): add fromImageUri method to AgentRuntimeArtifact

[kimsbrian]

Issue # (if applicable)

N/A

Reason for this change

Users currently need ECR repository constructs (fromEcrRepository) or local Docker assets (fromAsset) to reference container images in AgentCore runtimes. This creates friction when:

• Container URIs come from CloudFormation parameters or stack outputs
• Referencing images in external registries (Docker Hub, private registries)
• Working with cross-stack or cross-account image references

Description of changes

Added fromImageUri() static method to AgentRuntimeArtifact class:

• Created ImageUriArtifact class extending AgentRuntimeArtifact
• Accepts container URI as a string (supports CloudFormation tokens/expressions)
• No automatic IAM permissions granted (user manages permissions separately)
• Follows existing patterns from EcrImage and AssetImage classes

This provides a fourth deployment option alongside fromEcrRepository(), fromAsset(), and fromS3().

Description of how you validated changes

Unit tests added:

• Basic URI reference test
• CloudFormation token support test
• Verification that no permissions are required

Manual testing:
bash
cd packages/@aws-cdk/aws-bedrock-agentcore-alpha
yarn build
yarn test

All tests pass.

Production usage:
This change has been built locally and used successfully in my application to reference container images via CloudFormation parameters.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Features must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ A exemption request has been requested. Please wait for a maintainer's review.

[kimsbrian]

Exemption Request

This doesn't need an integration test. It's adding another way to pass a container URI to the same CloudFormation property that fromEcrRepository() and fromAsset() already use.

The method is a simple pass-through. It takes a string and sets containerUri. No new CloudFormation resources, no cross-service configuration, just an alternative to the existing methods.

Unit tests cover the behavior (URI reference, CloudFormation tokens, no auto-permissions).

[alvazjor]

Lets add here documentation for the permissions limitation. Something like:

Use this method when you have a pre-existing image URI from CloudFormation parameters, cross-stack references, or external registries.
 
Note: No IAM permissions are automatically granted. You must ensure the runtime has appropriate permissions to pull from the registry.

[alvazjor]

Add a small coment here stating why this will be empty

[alvazjor]

A validation here for the containerUri is needed. CFN requires a string format, feel free to reuse it: https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-runtime-containerconfiguration.html

[kimsbrian]

@alvazjor Thanks for the feedback. Reading the container uri pattern requirement shows it only accepts ECR which means that external repos unfortunately can't be used. Maybe it's worthwhile to eventually enable this from the Bedrock agentcore side. At least for my use case, I'm still happy to have this change in. Updated the documentation and comments to reflect ECR only containers are supported.