@aws/nx-plugin 0.60.2 → 0.61.0

package/src/py/strands-agent/__snapshots__/generator.spec.ts.snap

@@ -20,44 +20,48 @@ CMD ["python", "bin/opentelemetry-instrument", "python", "-m", "proj_test_projec
 
 exports[`py#strands-agent generator > should match snapshot for BedrockAgentCoreRuntime generated constructs files > agent-construct.ts 1`] = `
 "import { Lazy, Names } from 'aws-cdk-lib';
-import { DockerImageAsset, Platform } from 'aws-cdk-lib/aws-ecr-assets';
+import { Platform } from 'aws-cdk-lib/aws-ecr-assets';
 import { Construct } from 'constructs';
 import { execSync } from 'child_process';
 import * as path from 'path';
 import * as url from 'url';
 import {
-  AgentCoreRuntime,
-  AgentCoreRuntimeProps,
-} from '../../../core/agent-core/runtime.js';
+  AgentRuntimeArtifact,
+  ProtocolType,
+  Runtime,
+  RuntimeProps,
+} from '@aws-cdk/aws-bedrock-agentcore-alpha';
 
 export type SnapshotBedrockAgentProps = Omit<
-  AgentCoreRuntimeProps,
-  'runtimeName' | 'serverProtocol' | 'containerUri'
+  RuntimeProps,
+  'runtimeName' | 'protocolConfiguration' | 'agentRuntimeArtifact'
 >;
 
 export class SnapshotBedrockAgent extends Construct {
-  public readonly dockerImage: DockerImageAsset;
-  public readonly agentCoreRuntime: AgentCoreRuntime;
+  public readonly dockerImage: AgentRuntimeArtifact;
+  public readonly agentCoreRuntime: Runtime;
 
   constructor(scope: Construct, id: string, props?: SnapshotBedrockAgentProps) {
     super(scope, id);
 
-    this.dockerImage = new DockerImageAsset(this, 'DockerImage', {
-      platform: Platform.LINUX_ARM64,
-      directory: path.dirname(url.fileURLToPath(new URL(import.meta.url))),
-      extraHash: execSync(
-        \`docker inspect proj-snapshot-bedrock-agent:latest --format '{{.Id}}'\`,
-        { encoding: 'utf-8' },
-      ).trim(),
-    });
+    this.dockerImage = AgentRuntimeArtifact.fromAsset(
+      path.dirname(url.fileURLToPath(new URL(import.meta.url))),
+      {
+        platform: Platform.LINUX_ARM64,
+        extraHash: execSync(
+          \`docker inspect proj-snapshot-bedrock-agent:latest --format '{{.Id}}'\`,
+          { encoding: 'utf-8' },
+        ).trim(),
+      },
+    );
 
-    this.agentCoreRuntime = new AgentCoreRuntime(this, 'SnapshotBedrockAgent', {
+    this.agentCoreRuntime = new Runtime(this, 'SnapshotBedrockAgent', {
       runtimeName: Lazy.string({
         produce: () =>
           Names.uniqueResourceName(this.agentCoreRuntime, { maxLength: 40 }),
       }),
-      serverProtocol: 'HTTP',
-      containerUri: this.dockerImage.imageUri,
+      protocolConfiguration: ProtocolType.HTTP,
+      agentRuntimeArtifact: this.dockerImage,
       ...props,
     });
   }
@@ -65,169 +69,6 @@ export class SnapshotBedrockAgent extends Construct {
 "
 `;
 
-exports[`py#strands-agent generator > should match snapshot for BedrockAgentCoreRuntime generated constructs files > agent-core-runtime.ts 1`] = `
-"import {
-  Role,
-  ServicePrincipal,
-  PolicyStatement,
-  Effect,
-  PolicyDocument,
-  IGrantable,
-  Grant,
-  IPrincipal,
-} from 'aws-cdk-lib/aws-iam';
-import { Construct } from 'constructs';
-import { Stack } from 'aws-cdk-lib';
-import { CfnRuntime } from 'aws-cdk-lib/aws-bedrockagentcore';
-
-/**
- * Options for the AgentCoreRuntime construct
- */
-export interface AgentCoreRuntimeProps {
-  runtimeName: string;
-  description?: string;
-  containerUri: string;
-  serverProtocol: 'MCP' | 'HTTP';
-  environment?: Record<string, string>;
-  authorizerConfiguration?: CfnRuntime.AuthorizerConfigurationProperty;
-}
-
-/**
- * A construct for creating a Bedrock AgentCore Runtime
- */
-export class AgentCoreRuntime extends Construct implements IGrantable {
-  public readonly role: Role;
-  public readonly arn: string;
-
-  public readonly grantPrincipal: IPrincipal;
-
-  constructor(scope: Construct, id: string, props: AgentCoreRuntimeProps) {
-    super(scope, id);
-
-    const region = Stack.of(this).region;
-    const accountId = Stack.of(this).account;
-
-    this.role = new Role(this, 'AgentCoreRole', {
-      assumedBy: new ServicePrincipal('bedrock-agentcore.amazonaws.com'),
-      inlinePolicies: {
-        AgentCorePolicy: new PolicyDocument({
-          statements: [
-            new PolicyStatement({
-              sid: 'ECRImageAccess',
-              effect: Effect.ALLOW,
-              actions: ['ecr:BatchGetImage', 'ecr:GetDownloadUrlForLayer'],
-              resources: [\`arn:aws:ecr:\${region}:\${accountId}:repository/*\`],
-            }),
-            new PolicyStatement({
-              effect: Effect.ALLOW,
-              actions: ['logs:DescribeLogStreams', 'logs:CreateLogGroup'],
-              resources: [
-                \`arn:aws:logs:\${region}:\${accountId}:log-group:/aws/bedrock-agentcore/runtimes/*\`,
-              ],
-            }),
-            new PolicyStatement({
-              effect: Effect.ALLOW,
-              actions: ['logs:DescribeLogGroups'],
-              resources: [\`arn:aws:logs:\${region}:\${accountId}:log-group:*\`],
-            }),
-            new PolicyStatement({
-              effect: Effect.ALLOW,
-              actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
-              resources: [
-                \`arn:aws:logs:\${region}:\${accountId}:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*\`,
-              ],
-            }),
-            new PolicyStatement({
-              sid: 'ECRTokenAccess',
-              effect: Effect.ALLOW,
-              actions: ['ecr:GetAuthorizationToken'],
-              resources: ['*'],
-            }),
-            new PolicyStatement({
-              effect: Effect.ALLOW,
-              actions: [
-                'xray:PutTraceSegments',
-                'xray:PutTelemetryRecords',
-                'xray:GetSamplingRules',
-                'xray:GetSamplingTargets',
-              ],
-              resources: ['*'],
-            }),
-            new PolicyStatement({
-              effect: Effect.ALLOW,
-              actions: ['cloudwatch:PutMetricData'],
-              resources: ['*'],
-              conditions: {
-                StringEquals: {
-                  'cloudwatch:namespace': 'bedrock-agentcore',
-                },
-              },
-            }),
-            new PolicyStatement({
-              sid: 'GetAgentAccessToken',
-              effect: Effect.ALLOW,
-              actions: [
-                'bedrock-agentcore:GetWorkloadAccessToken',
-                'bedrock-agentcore:GetWorkloadAccessTokenForJWT',
-                'bedrock-agentcore:GetWorkloadAccessTokenForUserId',
-              ],
-              resources: [
-                \`arn:aws:bedrock-agentcore:\${region}:\${accountId}:workload-identity-directory/default\`,
-                \`arn:aws:bedrock-agentcore:\${region}:\${accountId}:workload-identity-directory/default/workload-identity/*\`,
-              ],
-            }),
-            new PolicyStatement({
-              sid: 'BedrockModelInvocation',
-              effect: Effect.ALLOW,
-              actions: [
-                'bedrock:InvokeModel',
-                'bedrock:InvokeModelWithResponseStream',
-              ],
-              resources: [
-                'arn:aws:bedrock:*::foundation-model/*',
-                \`arn:aws:bedrock:\${region}:\${accountId}:*\`,
-              ],
-            }),
-          ],
-        }),
-      },
-    });
-    this.grantPrincipal = this.role.grantPrincipal;
-
-    const agentRuntime = new CfnRuntime(this, 'MCPServerRuntime', {
-      agentRuntimeName: props.runtimeName,
-      agentRuntimeArtifact: {
-        containerConfiguration: {
-          containerUri: props.containerUri,
-        },
-      },
-      description: props.description,
-      environmentVariables: props.environment,
-      networkConfiguration: {
-        networkMode: 'PUBLIC',
-      },
-      protocolConfiguration: props.serverProtocol,
-      roleArn: this.role.roleArn,
-      authorizerConfiguration: props.authorizerConfiguration,
-    });
-
-    this.arn = agentRuntime.attrAgentRuntimeArn;
-  }
-
-  /**
-   * Grant permissions to invoke the agent runtime (if using IAM auth - not required for JWT auth)
-   */
-  public grantInvoke = (grantee: IGrantable) => {
-    Grant.addToPrincipal({
-      grantee,
-      actions: ['bedrock-agentcore:InvokeAgentRuntime'],
-      resourceArns: [this.arn, \`\${this.arn}/*\`],
-    });
-  };
-}
-"
-`;
-
 exports[`py#strands-agent generator > should match snapshot for BedrockAgentCoreRuntime generated constructs files > agents-index.ts 1`] = `
 "export * from './snapshot-bedrock-agent/snapshot-bedrock-agent.js';
 "
@@ -273,9 +114,11 @@ module "agent_core_runtime" {
   agent_runtime_name = "TerraformSnapshotAgent"
   docker_image_tag = "proj-terraform-snapshot-agent:latest"
   server_protocol = "HTTP"
-#  customJWTAuthorizer = {
-#    discoveryUrl = "https://xxx/.well-known/openid-configuration",
-#    allowedClients = [ "xxx" ]
+#  authorizer_configuration = {
+#    custom_jwt_authorizer = {
+#      discovery_url = "https://xxx/.well-known/openid-configuration"
+#      allowed_clients = [ "xxx" ]
+#    }
 #  }
 
   env = var.env
@@ -302,16 +145,12 @@ exports[`py#strands-agent generator > should match snapshot for Terraform genera
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.23"
     }
     null = {
       source  = "hashicorp/null"
       version = ">= 3.0"
     }
-    local = {
-      source  = "hashicorp/local"
-      version = ">= 2.0"
-    }
     random = {
       source  = "hashicorp/random"
       version = ">= 3.0"
@@ -330,20 +169,23 @@ variable "agent_runtime_name" {
 }
 
 variable "server_protocol" {
-  description = "Whether this is an Agent (HTTP) or MCP Server (MCP)"
+  description = "Server protocol for the agent runtime (HTTP, MCP, or A2A)"
   type        = string
+  default     = "HTTP"
   validation {
-    condition     = contains(["MCP", "HTTP"], var.server_protocol)
-    error_message = "Protocol type must be either 'MCP' or 'HTTP'."
+    condition     = contains(["MCP", "HTTP", "A2A"], var.server_protocol)
+    error_message = "Protocol type must be either 'MCP', 'HTTP', or 'A2A'."
   }
 }
 
-variable "customJWTAuthorizer" {
-  description = "Custom JWTAuthorizer Configuration"
+variable "authorizer_configuration" {
+  description = "Authorization configuration for authenticating incoming requests"
   type = object({
-    discoveryUrl    = optional(string)
-    allowedAudience = optional(list(string))
-    allowedClients  = optional(list(string))
+    custom_jwt_authorizer = optional(object({
+      discovery_url    = string
+      allowed_audience = optional(list(string))
+      allowed_clients  = optional(list(string))
+    }))
   })
   default = null
 }
@@ -381,7 +223,7 @@ data "aws_region" "current" {}
 
 locals {
   aws_account_id = data.aws_caller_identity.current.account_id
-  aws_region = data.aws_region.current.name
+  aws_region     = data.aws_region.current.id
 }
 
 # Random ID for bucket suffix to ensure uniqueness
@@ -392,7 +234,7 @@ resource "random_id" "unique_suffix" {
 # ECR Repository
 resource "aws_ecr_repository" "agent_core_repository" {
   #checkov:skip=CKV_AWS_136:AES256 encryption is sufficient for ECR repositories
-  name                 = "\${lower(var.agent_runtime_name)}_repository_\${random_id.unique_suffix.hex}"
+  name = "\${lower(var.agent_runtime_name)}_repository_\${random_id.unique_suffix.hex}"
 
   #checkov:skip=CKV_AWS_51:Image tag is reused for latest deployments
   image_tag_mutability = "MUTABLE"
@@ -461,7 +303,7 @@ resource "aws_iam_role" "agent_core_runtime_role" {
   tags = var.tags
 }
 
-# IAM Policy for Query Agent with restricted Athena permissions
+# IAM Policy for Agent Core Runtime
 resource "aws_iam_policy" "agent_core_runtime_policy" {
   name        = "\${var.agent_runtime_name}-QueryAgentPolicy-\${random_id.unique_suffix.hex}"
   description = "Restricted policy for Agent"
@@ -477,7 +319,7 @@ resource "aws_iam_policy" "agent_core_runtime_policy" {
           "ecr:GetDownloadUrlForLayer"
         ]
         Resource = [
-          "arn:aws:ecr:\${local.aws_region}:\${local.aws_account_id}:repository/*"
+          aws_ecr_repository.agent_core_repository.arn
         ]
       },
       {
@@ -551,17 +393,6 @@ resource "aws_iam_policy" "agent_core_runtime_policy" {
           "arn:aws:bedrock-agentcore:\${local.aws_region}:\${local.aws_account_id}:workload-identity-directory/default",
           "arn:aws:bedrock-agentcore:\${local.aws_region}:\${local.aws_account_id}:workload-identity-directory/default/workload-identity/*"
         ]
-      },
-      { "Sid" : "BedrockModelInvocation",
-        "Effect" : "Allow",
-        "Action" : [
-          "bedrock:InvokeModel",
-          "bedrock:InvokeModelWithResponseStream"
-        ],
-        "Resource" : [
-          "arn:aws:bedrock:*::foundation-model/*",
-          "arn:aws:bedrock:\${local.aws_region}:\${local.aws_account_id}:*"
-        ]
       }
     ], var.additional_iam_policy_statements)
   })
@@ -575,6 +406,7 @@ resource "aws_iam_role_policy_attachment" "agent_core_policy" {
   policy_arn = aws_iam_policy.agent_core_runtime_policy.arn
 }
 
+# Data source to get Docker image digest
 data "external" "docker_digest" {
   program = ["sh", "-c", "echo '{\\"digest\\":\\"'$(docker inspect \${var.docker_image_tag} --format '{{.Id}}')'\\"}' "]
 }
@@ -582,9 +414,7 @@ data "external" "docker_digest" {
 # Null resource for Docker publish
 resource "null_resource" "docker_publish" {
   triggers = {
-    # Trigger rebuild when the image changes
     docker_digest    = data.external.docker_digest.result.digest
-
     repository_url   = aws_ecr_repository.agent_core_repository.repository_url
     docker_image_tag = var.docker_image_tag
   }
@@ -605,206 +435,45 @@ resource "null_resource" "docker_publish" {
   depends_on = [aws_ecr_repository_policy.agent_core_ecr_policy]
 }
 
-# Null resource for agent core deployment with proper lifecycle management
-resource "null_resource" "agent_core_runtime_deployment" {
-  triggers = {
-    container_uri  = "\${aws_ecr_repository.agent_core_repository.repository_url}:latest"
-    role_arn       = aws_iam_role.agent_core_runtime_role.arn
-    config_hash = md5(join("", [jsonencode(var.customJWTAuthorizer), var.server_protocol]))
-    env_hash = md5(jsonencode(var.env))
-  }
+# Bedrock AgentCore Agent Runtime
+resource "aws_bedrockagentcore_agent_runtime" "agent_runtime" {
+  agent_runtime_name = "\${var.agent_runtime_name}_\${random_id.unique_suffix.hex}"
+  description        = "Agent Runtime for \${var.agent_runtime_name}"
+  role_arn           = aws_iam_role.agent_core_runtime_role.arn
 
-  provisioner "local-exec" {
-    command = <<-EOT
-      uv run --with boto3 python -c '
-import boto3
-import json
-import sys
-
-# Create the client
-client = boto3.client("bedrock-agentcore-control", region_name="\${local.aws_region}")
-
-# Environment variables for QueryAgentConfig
-environment_variables = json.loads("""\${jsonencode(var.env)}""")
-agent_name = "\${var.agent_runtime_name}_\${random_id.unique_suffix.hex}"
-authorization_config = json.loads("""{"customJWTAuthorizer": \${jsonencode(var.customJWTAuthorizer != null ? {
-  for k, v in var.customJWTAuthorizer : k => v if v != null
-} : {})}}""")
-
-try:
-    # First, check if an agent runtime with this name already exists
-    existing_agent_runtime_id = None
-    try:
-        list_response = client.list_agent_runtimes()
-        for runtime in list_response.get("agentRuntimes", []):
-            if runtime.get("agentRuntimeName") == agent_name:
-                existing_agent_runtime_id = runtime.get("agentRuntimeId")
-                print(f"Found existing agent runtime with ID: {existing_agent_runtime_id}")
-                break
-    except Exception as e:
-        print(f"Error listing agent runtimes: {e}")
-
-    if existing_agent_runtime_id:
-        # Update the existing agent runtime
-        try:
-            update_response = client.update_agent_runtime(
-                agentRuntimeId=existing_agent_runtime_id,
-                agentRuntimeArtifact={
-                    "containerConfiguration": {
-                        "containerUri": "\${aws_ecr_repository.agent_core_repository.repository_url}:latest"
-                    }
-                },
-                environmentVariables=environment_variables,
-                networkConfiguration={"networkMode": "PUBLIC"},
-                protocolConfiguration={"serverProtocol": "\${var.server_protocol}"},
-                \${var.customJWTAuthorizer == null ? "" : "authorizerConfiguration=authorization_config,"}
-                roleArn="\${aws_iam_role.agent_core_runtime_role.arn}"
-            )
-            agent_runtime_id = existing_agent_runtime_id
-            print(f"Agent runtime updated successfully: {agent_runtime_id}")
-        except Exception as e:
-            print(f"Error updating agent runtime: {e}")
-            # If update fails, try to create a new one
-            existing_agent_runtime_id = None
-
-    if not existing_agent_runtime_id:
-        # Agent runtime doesn"t exist or update failed, create it
-        response = client.create_agent_runtime(
-            agentRuntimeName=agent_name,
-            agentRuntimeArtifact={
-                "containerConfiguration": {
-                    "containerUri": "\${aws_ecr_repository.agent_core_repository.repository_url}:latest"
-                }
-            },
-            environmentVariables=environment_variables,
-            networkConfiguration={"networkMode": "PUBLIC"},
-            protocolConfiguration={"serverProtocol": "\${var.server_protocol}"},
-            \${var.customJWTAuthorizer == null ? "" : "authorizerConfiguration=authorization_config,"}
-            roleArn="\${aws_iam_role.agent_core_runtime_role.arn}"
-        )
-
-        agent_runtime_id = response.get("agentRuntimeId", "")
-        print(f"Agent runtime created successfully with ID: {agent_runtime_id}")
-
-except Exception as e:
-    print(f"Error managing agent runtime: {str(e)}")
-    sys.exit(1)
-'
-    EOT
+  agent_runtime_artifact {
+    container_configuration {
+      container_uri = "\${aws_ecr_repository.agent_core_repository.repository_url}:latest"
+    }
   }
 
-  depends_on = [
-    null_resource.docker_publish,
-    aws_iam_role_policy_attachment.agent_core_policy
-  ]
-}
-
+  environment_variables = length(var.env) > 0 ? var.env : null
 
-# Null resource for cleanup/destroy
-resource "null_resource" "agent_core_cleanup" {
-  triggers = {
-    aws_region    = local.aws_region
-    agent_name    = var.agent_runtime_name
-    unique_suffix = random_id.unique_suffix.hex
+  dynamic "authorizer_configuration" {
+    for_each = var.authorizer_configuration != null && var.authorizer_configuration.custom_jwt_authorizer != null ? [var.authorizer_configuration.custom_jwt_authorizer] : []
+    content {
+      custom_jwt_authorizer {
+        discovery_url    = authorizer_configuration.value.discovery_url
+        allowed_audience = authorizer_configuration.value.allowed_audience
+        allowed_clients  = authorizer_configuration.value.allowed_clients
+      }
+    }
   }
 
-  provisioner "local-exec" {
-    when    = destroy
-    command = <<-EOT
-      uv run --with boto3 python -c "
-import boto3
-import json
-import os
-
-# Create the client
-client = boto3.client('bedrock-agentcore-control', region_name='\${self.triggers.aws_region}')
-
-agent_name = '\${self.triggers.agent_name}_\${self.triggers.unique_suffix}'
-
-try:
-    # Find the agent runtime by name
-    agent_runtime_id = None
-    try:
-        list_response = client.list_agent_runtimes()
-        for runtime in list_response.get('agentRuntimes', []):
-            if runtime.get('agentRuntimeName') == agent_name:
-                agent_runtime_id = runtime.get('agentRuntimeId')
-                print(f'Found agent runtime to delete: {agent_name} (ID: {agent_runtime_id})')
-                break
-    except Exception as e:
-        print(f'Error listing agent runtimes: {e}')
-
-    if not agent_runtime_id:
-        print(f'No agent runtime found with name: {agent_name}')
-        exit(0)
-
-    # Delete the agent runtime using the found ID
-    response = client.delete_agent_runtime(
-        agentRuntimeId=agent_runtime_id
-    )
-    print(f'Agent runtime {agent_name} (ID: {agent_runtime_id}) deleted successfully:', json.dumps(response, indent=2, default=str))
+  network_configuration {
+    network_mode = "PUBLIC"
+  }
 
-except client.exceptions.ResourceNotFoundException:
-    print(f'Agent runtime {agent_name} not found, may have been already deleted')
-except Exception as e:
-    print(f'Error deleting agent runtime {agent_name}:', str(e))
-    # Don't exit with error code during destroy to avoid blocking cleanup
-"
-    EOT
+  protocol_configuration {
+    server_protocol = var.server_protocol
   }
 
-  depends_on = [null_resource.agent_core_runtime_deployment]
-}
+  tags = var.tags
 
-# Data source to find the agent runtime by name and get its ID
-data "external" "agent_runtime_lookup" {
-  program = ["uv", "run", "--with", "boto3", "python", "-c", <<-EOT
-import boto3
-import json
-import sys
-
-# Create the client
-client = boto3.client("bedrock-agentcore-control", region_name="\${local.aws_region}")
-
-agent_name = "\${var.agent_runtime_name}_\${random_id.unique_suffix.hex}"
-
-try:
-    # Find the agent runtime by name
-    list_response = client.list_agent_runtimes()
-    for runtime in list_response.get("agentRuntimes", []):
-        if runtime.get("agentRuntimeName") == agent_name:
-            agent_runtime_id = runtime.get("agentRuntimeId")
-            runtime_arn = f"arn:aws:bedrock-agentcore:\${local.aws_region}:\${local.aws_account_id}:runtime/{agent_runtime_id}"
-
-            result = {
-                "agent_runtime_id": agent_runtime_id,
-                "agent_runtime_arn": runtime_arn,
-                "agent_name": agent_name
-            }
-            print(json.dumps(result))
-            sys.exit(0)
-
-    # If not found, return empty values
-    result = {
-        "agent_runtime_id": "",
-        "agent_runtime_arn": "",
-        "agent_name": agent_name
-    }
-    print(json.dumps(result))
-
-except Exception as e:
-    print(f"Error looking up agent runtime: {str(e)}", file=sys.stderr)
-    # Return empty values on error to avoid breaking Terraform
-    result = {
-        "agent_runtime_id": "",
-        "agent_runtime_arn": "",
-        "agent_name": agent_name
-    }
-    print(json.dumps(result))
-EOT
+  depends_on = [
+    null_resource.docker_publish,
+    aws_iam_role_policy.agent_core_runtime_policy
   ]
-
-  depends_on = [null_resource.agent_core_runtime_deployment]
 }
 
 # Outputs
@@ -820,17 +489,22 @@ output "agent_core_runtime_role_name" {
 
 output "agent_runtime_name" {
   description = "Name of the deployed agent runtime"
-  value       = "\${var.agent_runtime_name}-\${random_id.unique_suffix.hex}"
+  value       = aws_bedrockagentcore_agent_runtime.agent_runtime.agent_runtime_name
 }
 
 output "agent_core_runtime_arn" {
   description = "ARN of the Bedrock Agent Core runtime"
-  value       = data.external.agent_runtime_lookup.result.agent_runtime_arn
+  value       = aws_bedrockagentcore_agent_runtime.agent_runtime.agent_runtime_arn
 }
 
 output "agent_runtime_id" {
   description = "ID of the Bedrock Agent Core runtime"
-  value       = data.external.agent_runtime_lookup.result.agent_runtime_id
+  value       = aws_bedrockagentcore_agent_runtime.agent_runtime.agent_runtime_id
+}
+
+output "agent_runtime_version" {
+  description = "Version of the Bedrock Agent Core runtime"
+  value       = aws_bedrockagentcore_agent_runtime.agent_runtime.agent_runtime_version
 }
 "
 `;

package/src/smithy/ts/api/__snapshots__/generator.spec.ts.snap

@@ -181,13 +181,12 @@ import {
   Cors,
   LambdaIntegration,
 } from 'aws-cdk-lib/aws-apigateway';
-import { Duration, Stack } from 'aws-cdk-lib';
+import { Duration } from 'aws-cdk-lib';
 import {
   PolicyDocument,
   PolicyStatement,
   Effect,
   AnyPrincipal,
-  AccountPrincipal,
   IGrantable,
   Grant,
 } from 'aws-cdk-lib/aws-iam';
@@ -276,15 +275,6 @@ export class TestApi<
       },
       policy: new PolicyDocument({
         statements: [
-          // Here we grant any AWS credentials from the account that the project is deployed in to call the api.
-          // Machine to machine fine-grained access can be defined here using more specific principals (eg roles or
-          // users) and resources (eg which api paths may be invoked by which principal) if required.
-          new PolicyStatement({
-            effect: Effect.ALLOW,
-            principals: [new AccountPrincipal(Stack.of(scope).account)],
-            actions: ['execute-api:Invoke'],
-            resources: ['execute-api:/*'],
-          }),
           // Open up OPTIONS to allow browsers to make unauthenticated preflight requests
           new PolicyStatement({
             effect: Effect.ALLOW,
@@ -305,6 +295,18 @@ export class TestApi<
    * @param grantee - The IAM principal to grant permissions to
    */
   public grantInvokeAccess(grantee: IGrantable) {
+    // Here we grant grantee permission to call the api.
+    // Machine to machine fine-grained access can be defined here using more specific principals (eg roles or
+    // users) and resources (eg which api paths may be invoked by which principal) if required.
+    this.api.addToResourcePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        principals: [grantee.grantPrincipal],
+        actions: ['execute-api:Invoke'],
+        resources: ['execute-api:/*'],
+      }),
+    );
+
     Grant.addToPrincipal({
       grantee,
       actions: ['execute-api:Invoke'],