@aws/nx-plugin 0.60.2 → 0.62.0

package/src/utils/agent-core-constructs/files/cdk/app/agent-core/__nameKebabCase__/__nameKebabCase__.ts.template

@@ -1,42 +1,46 @@
 import { Lazy, Names } from 'aws-cdk-lib';
-import { DockerImageAsset, Platform } from 'aws-cdk-lib/aws-ecr-assets';
+import { Platform } from 'aws-cdk-lib/aws-ecr-assets';
 import { Construct } from 'constructs';
 import { execSync } from 'child_process';
 import * as path from 'path';
 import * as url from 'url';
 import {
-  AgentCoreRuntime,
-  AgentCoreRuntimeProps,
-} from '../../../core/agent-core/runtime.js';
+  AgentRuntimeArtifact,
+  ProtocolType,
+  Runtime,
+  RuntimeProps,
+} from '@aws-cdk/aws-bedrock-agentcore-alpha';
 
 export type <%- nameClassName %>Props = Omit<
-  AgentCoreRuntimeProps,
-  'runtimeName' | 'serverProtocol' | 'containerUri'
+  RuntimeProps,
+  'runtimeName' | 'protocolConfiguration' | 'agentRuntimeArtifact'
 >;
 
 export class <%- nameClassName %> extends Construct {
-  public readonly dockerImage: DockerImageAsset;
-  public readonly agentCoreRuntime: AgentCoreRuntime;
+  public readonly dockerImage: AgentRuntimeArtifact;
+  public readonly agentCoreRuntime: Runtime;
 
   constructor(scope: Construct, id: string, props?: <%- nameClassName %>Props) {
     super(scope, id);
 
-    this.dockerImage = new DockerImageAsset(this, 'DockerImage', {
-      platform: Platform.LINUX_ARM64,
-      directory: path.dirname(url.fileURLToPath(new URL(import.meta.url))),
-      extraHash: execSync(
-        `docker inspect <%- dockerImageTag %> --format '{{.Id}}'`,
-        { encoding: 'utf-8' },
-      ).trim(),
-    });
+    this.dockerImage = AgentRuntimeArtifact.fromAsset(
+      path.dirname(url.fileURLToPath(new URL(import.meta.url))),
+      {
+        platform: Platform.LINUX_ARM64,
+        extraHash: execSync(
+          `docker inspect <%- dockerImageTag %> --format '{{.Id}}'`,
+          { encoding: 'utf-8' },
+        ).trim(),
+      },
+    );
 
-    this.agentCoreRuntime = new AgentCoreRuntime(this, '<%- nameClassName %>', {
+    this.agentCoreRuntime = new Runtime(this, '<%- nameClassName %>', {
       runtimeName: Lazy.string({
         produce: () =>
           Names.uniqueResourceName(this.agentCoreRuntime, { maxLength: 40 }),
       }),
-      serverProtocol: '<%- serverProtocol %>',
-      containerUri: this.dockerImage.imageUri,
+      protocolConfiguration: ProtocolType.<%- serverProtocol %>,
+      agentRuntimeArtifact: this.dockerImage,
       ...props,
     });
   }

package/src/utils/agent-core-constructs/files/terraform/app/agent-core/__nameKebabCase__/__nameKebabCase__.tf.template

@@ -25,9 +25,11 @@ module "agent_core_runtime" {
   agent_runtime_name = "<%= nameClassName %>"
   docker_image_tag = "<%= dockerImageTag %>"
   server_protocol = "<%= serverProtocol %>"
-#  customJWTAuthorizer = {
-#    discoveryUrl = "https://xxx/.well-known/openid-configuration",
-#    allowedClients = [ "xxx" ]
+#  authorizer_configuration = {
+#    custom_jwt_authorizer = {
+#      discovery_url = "https://xxx/.well-known/openid-configuration"
+#      allowed_clients = [ "xxx" ]
+#    }
 #  }
 
   env = var.env

package/src/utils/agent-core-constructs/files/terraform/core/agent-core/runtime.tf.template

@@ -4,16 +4,12 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.23"
     }
     null = {
       source  = "hashicorp/null"
       version = ">= 3.0"
     }
-    local = {
-      source  = "hashicorp/local"
-      version = ">= 2.0"
-    }
     random = {
       source  = "hashicorp/random"
       version = ">= 3.0"
@@ -32,20 +28,23 @@ variable "agent_runtime_name" {
 }
 
 variable "server_protocol" {
-  description = "Whether this is an Agent (HTTP) or MCP Server (MCP)"
+  description = "Server protocol for the agent runtime (HTTP, MCP, or A2A)"
   type        = string
+  default     = "HTTP"
   validation {
-    condition     = contains(["MCP", "HTTP"], var.server_protocol)
-    error_message = "Protocol type must be either 'MCP' or 'HTTP'."
+    condition     = contains(["MCP", "HTTP", "A2A"], var.server_protocol)
+    error_message = "Protocol type must be either 'MCP', 'HTTP', or 'A2A'."
   }
 }
 
-variable "customJWTAuthorizer" {
-  description = "Custom JWTAuthorizer Configuration"
+variable "authorizer_configuration" {
+  description = "Authorization configuration for authenticating incoming requests"
   type = object({
-    discoveryUrl    = optional(string)
-    allowedAudience = optional(list(string))
-    allowedClients  = optional(list(string))
+    custom_jwt_authorizer = optional(object({
+      discovery_url    = string
+      allowed_audience = optional(list(string))
+      allowed_clients  = optional(list(string))
+    }))
   })
   default = null
 }
@@ -83,7 +82,7 @@ data "aws_region" "current" {}
 
 locals {
   aws_account_id = data.aws_caller_identity.current.account_id
-  aws_region = data.aws_region.current.name
+  aws_region     = data.aws_region.current.id
 }
 
 # Random ID for bucket suffix to ensure uniqueness
@@ -94,7 +93,7 @@ resource "random_id" "unique_suffix" {
 # ECR Repository
 resource "aws_ecr_repository" "agent_core_repository" {
   #checkov:skip=CKV_AWS_136:AES256 encryption is sufficient for ECR repositories
-  name                 = "${lower(var.agent_runtime_name)}_repository_${random_id.unique_suffix.hex}"
+  name = "${lower(var.agent_runtime_name)}_repository_${random_id.unique_suffix.hex}"
 
   #checkov:skip=CKV_AWS_51:Image tag is reused for latest deployments
   image_tag_mutability = "MUTABLE"
@@ -163,7 +162,7 @@ resource "aws_iam_role" "agent_core_runtime_role" {
   tags = var.tags
 }
 
-# IAM Policy for Query Agent with restricted Athena permissions
+# IAM Policy for Agent Core Runtime
 resource "aws_iam_policy" "agent_core_runtime_policy" {
   name        = "${var.agent_runtime_name}-QueryAgentPolicy-${random_id.unique_suffix.hex}"
   description = "Restricted policy for Agent"
@@ -179,7 +178,7 @@ resource "aws_iam_policy" "agent_core_runtime_policy" {
           "ecr:GetDownloadUrlForLayer"
         ]
         Resource = [
-          "arn:aws:ecr:${local.aws_region}:${local.aws_account_id}:repository/*"
+          aws_ecr_repository.agent_core_repository.arn
         ]
       },
       {
@@ -253,17 +252,6 @@ resource "aws_iam_policy" "agent_core_runtime_policy" {
           "arn:aws:bedrock-agentcore:${local.aws_region}:${local.aws_account_id}:workload-identity-directory/default",
           "arn:aws:bedrock-agentcore:${local.aws_region}:${local.aws_account_id}:workload-identity-directory/default/workload-identity/*"
         ]
-      },
-      { "Sid" : "BedrockModelInvocation",
-        "Effect" : "Allow",
-        "Action" : [
-          "bedrock:InvokeModel",
-          "bedrock:InvokeModelWithResponseStream"
-        ],
-        "Resource" : [
-          "arn:aws:bedrock:*::foundation-model/*",
-          "arn:aws:bedrock:${local.aws_region}:${local.aws_account_id}:*"
-        ]
       }
     ], var.additional_iam_policy_statements)
   })
@@ -277,6 +265,7 @@ resource "aws_iam_role_policy_attachment" "agent_core_policy" {
   policy_arn = aws_iam_policy.agent_core_runtime_policy.arn
 }
 
+# Data source to get Docker image digest
 data "external" "docker_digest" {
   program = ["sh", "-c", "echo '{\"digest\":\"'$(docker inspect ${var.docker_image_tag} --format '{{.Id}}')'\"}' "]
 }
@@ -284,9 +273,7 @@ data "external" "docker_digest" {
 # Null resource for Docker publish
 resource "null_resource" "docker_publish" {
   triggers = {
-    # Trigger rebuild when the image changes
     docker_digest    = data.external.docker_digest.result.digest
-
     repository_url   = aws_ecr_repository.agent_core_repository.repository_url
     docker_image_tag = var.docker_image_tag
   }
@@ -307,206 +294,45 @@ resource "null_resource" "docker_publish" {
   depends_on = [aws_ecr_repository_policy.agent_core_ecr_policy]
 }
 
-# Null resource for agent core deployment with proper lifecycle management
-resource "null_resource" "agent_core_runtime_deployment" {
-  triggers = {
-    container_uri  = "${aws_ecr_repository.agent_core_repository.repository_url}:latest"
-    role_arn       = aws_iam_role.agent_core_runtime_role.arn
-    config_hash = md5(join("", [jsonencode(var.customJWTAuthorizer), var.server_protocol]))
-    env_hash = md5(jsonencode(var.env))
-  }
+# Bedrock AgentCore Agent Runtime
+resource "aws_bedrockagentcore_agent_runtime" "agent_runtime" {
+  agent_runtime_name = "${var.agent_runtime_name}_${random_id.unique_suffix.hex}"
+  description        = "Agent Runtime for ${var.agent_runtime_name}"
+  role_arn           = aws_iam_role.agent_core_runtime_role.arn
 
-  provisioner "local-exec" {
-    command = <<-EOT
-      uv run --with boto3 python -c '
-import boto3
-import json
-import sys
-
-# Create the client
-client = boto3.client("bedrock-agentcore-control", region_name="${local.aws_region}")
-
-# Environment variables for QueryAgentConfig
-environment_variables = json.loads("""${jsonencode(var.env)}""")
-agent_name = "${var.agent_runtime_name}_${random_id.unique_suffix.hex}"
-authorization_config = json.loads("""{"customJWTAuthorizer": ${jsonencode(var.customJWTAuthorizer != null ? {
-  for k, v in var.customJWTAuthorizer : k => v if v != null
-} : {})}}""")
-
-try:
-    # First, check if an agent runtime with this name already exists
-    existing_agent_runtime_id = None
-    try:
-        list_response = client.list_agent_runtimes()
-        for runtime in list_response.get("agentRuntimes", []):
-            if runtime.get("agentRuntimeName") == agent_name:
-                existing_agent_runtime_id = runtime.get("agentRuntimeId")
-                print(f"Found existing agent runtime with ID: {existing_agent_runtime_id}")
-                break
-    except Exception as e:
-        print(f"Error listing agent runtimes: {e}")
-
-    if existing_agent_runtime_id:
-        # Update the existing agent runtime
-        try:
-            update_response = client.update_agent_runtime(
-                agentRuntimeId=existing_agent_runtime_id,
-                agentRuntimeArtifact={
-                    "containerConfiguration": {
-                        "containerUri": "${aws_ecr_repository.agent_core_repository.repository_url}:latest"
-                    }
-                },
-                environmentVariables=environment_variables,
-                networkConfiguration={"networkMode": "PUBLIC"},
-                protocolConfiguration={"serverProtocol": "${var.server_protocol}"},
-                ${var.customJWTAuthorizer == null ? "" : "authorizerConfiguration=authorization_config,"}
-                roleArn="${aws_iam_role.agent_core_runtime_role.arn}"
-            )
-            agent_runtime_id = existing_agent_runtime_id
-            print(f"Agent runtime updated successfully: {agent_runtime_id}")
-        except Exception as e:
-            print(f"Error updating agent runtime: {e}")
-            # If update fails, try to create a new one
-            existing_agent_runtime_id = None
-
-    if not existing_agent_runtime_id:
-        # Agent runtime doesn"t exist or update failed, create it
-        response = client.create_agent_runtime(
-            agentRuntimeName=agent_name,
-            agentRuntimeArtifact={
-                "containerConfiguration": {
-                    "containerUri": "${aws_ecr_repository.agent_core_repository.repository_url}:latest"
-                }
-            },
-            environmentVariables=environment_variables,
-            networkConfiguration={"networkMode": "PUBLIC"},
-            protocolConfiguration={"serverProtocol": "${var.server_protocol}"},
-            ${var.customJWTAuthorizer == null ? "" : "authorizerConfiguration=authorization_config,"}
-            roleArn="${aws_iam_role.agent_core_runtime_role.arn}"
-        )
-
-        agent_runtime_id = response.get("agentRuntimeId", "")
-        print(f"Agent runtime created successfully with ID: {agent_runtime_id}")
-
-except Exception as e:
-    print(f"Error managing agent runtime: {str(e)}")
-    sys.exit(1)
-'
-    EOT
+  agent_runtime_artifact {
+    container_configuration {
+      container_uri = "${aws_ecr_repository.agent_core_repository.repository_url}:latest"
+    }
   }
 
-  depends_on = [
-    null_resource.docker_publish,
-    aws_iam_role_policy_attachment.agent_core_policy
-  ]
-}
+  environment_variables = length(var.env) > 0 ? var.env : null
 
+  dynamic "authorizer_configuration" {
+    for_each = var.authorizer_configuration != null && var.authorizer_configuration.custom_jwt_authorizer != null ? [var.authorizer_configuration.custom_jwt_authorizer] : []
+    content {
+      custom_jwt_authorizer {
+        discovery_url    = authorizer_configuration.value.discovery_url
+        allowed_audience = authorizer_configuration.value.allowed_audience
+        allowed_clients  = authorizer_configuration.value.allowed_clients
+      }
+    }
+  }
 
-# Null resource for cleanup/destroy
-resource "null_resource" "agent_core_cleanup" {
-  triggers = {
-    aws_region    = local.aws_region
-    agent_name    = var.agent_runtime_name
-    unique_suffix = random_id.unique_suffix.hex
+  network_configuration {
+    network_mode = "PUBLIC"
   }
 
-  provisioner "local-exec" {
-    when    = destroy
-    command = <<-EOT
-      uv run --with boto3 python -c "
-import boto3
-import json
-import os
-
-# Create the client
-client = boto3.client('bedrock-agentcore-control', region_name='${self.triggers.aws_region}')
-
-agent_name = '${self.triggers.agent_name}_${self.triggers.unique_suffix}'
-
-try:
-    # Find the agent runtime by name
-    agent_runtime_id = None
-    try:
-        list_response = client.list_agent_runtimes()
-        for runtime in list_response.get('agentRuntimes', []):
-            if runtime.get('agentRuntimeName') == agent_name:
-                agent_runtime_id = runtime.get('agentRuntimeId')
-                print(f'Found agent runtime to delete: {agent_name} (ID: {agent_runtime_id})')
-                break
-    except Exception as e:
-        print(f'Error listing agent runtimes: {e}')
-
-    if not agent_runtime_id:
-        print(f'No agent runtime found with name: {agent_name}')
-        exit(0)
-
-    # Delete the agent runtime using the found ID
-    response = client.delete_agent_runtime(
-        agentRuntimeId=agent_runtime_id
-    )
-    print(f'Agent runtime {agent_name} (ID: {agent_runtime_id}) deleted successfully:', json.dumps(response, indent=2, default=str))
-
-except client.exceptions.ResourceNotFoundException:
-    print(f'Agent runtime {agent_name} not found, may have been already deleted')
-except Exception as e:
-    print(f'Error deleting agent runtime {agent_name}:', str(e))
-    # Don't exit with error code during destroy to avoid blocking cleanup
-"
-    EOT
+  protocol_configuration {
+    server_protocol = var.server_protocol
   }
 
-  depends_on = [null_resource.agent_core_runtime_deployment]
-}
+  tags = var.tags
 
-# Data source to find the agent runtime by name and get its ID
-data "external" "agent_runtime_lookup" {
-  program = ["uv", "run", "--with", "boto3", "python", "-c", <<-EOT
-import boto3
-import json
-import sys
-
-# Create the client
-client = boto3.client("bedrock-agentcore-control", region_name="${local.aws_region}")
-
-agent_name = "${var.agent_runtime_name}_${random_id.unique_suffix.hex}"
-
-try:
-    # Find the agent runtime by name
-    list_response = client.list_agent_runtimes()
-    for runtime in list_response.get("agentRuntimes", []):
-        if runtime.get("agentRuntimeName") == agent_name:
-            agent_runtime_id = runtime.get("agentRuntimeId")
-            runtime_arn = f"arn:aws:bedrock-agentcore:${local.aws_region}:${local.aws_account_id}:runtime/{agent_runtime_id}"
-
-            result = {
-                "agent_runtime_id": agent_runtime_id,
-                "agent_runtime_arn": runtime_arn,
-                "agent_name": agent_name
-            }
-            print(json.dumps(result))
-            sys.exit(0)
-
-    # If not found, return empty values
-    result = {
-        "agent_runtime_id": "",
-        "agent_runtime_arn": "",
-        "agent_name": agent_name
-    }
-    print(json.dumps(result))
-
-except Exception as e:
-    print(f"Error looking up agent runtime: {str(e)}", file=sys.stderr)
-    # Return empty values on error to avoid breaking Terraform
-    result = {
-        "agent_runtime_id": "",
-        "agent_runtime_arn": "",
-        "agent_name": agent_name
-    }
-    print(json.dumps(result))
-EOT
+  depends_on = [
+    null_resource.docker_publish,
+    aws_iam_role_policy.agent_core_runtime_policy
   ]
-
-  depends_on = [null_resource.agent_core_runtime_deployment]
 }
 
 # Outputs
@@ -522,15 +348,20 @@ output "agent_core_runtime_role_name" {
 
 output "agent_runtime_name" {
   description = "Name of the deployed agent runtime"
-  value       = "${var.agent_runtime_name}-${random_id.unique_suffix.hex}"
+  value       = aws_bedrockagentcore_agent_runtime.agent_runtime.agent_runtime_name
 }
 
 output "agent_core_runtime_arn" {
   description = "ARN of the Bedrock Agent Core runtime"
-  value       = data.external.agent_runtime_lookup.result.agent_runtime_arn
+  value       = aws_bedrockagentcore_agent_runtime.agent_runtime.agent_runtime_arn
 }
 
 output "agent_runtime_id" {
   description = "ID of the Bedrock Agent Core runtime"
-  value       = data.external.agent_runtime_lookup.result.agent_runtime_id
+  value       = aws_bedrockagentcore_agent_runtime.agent_runtime.agent_runtime_id
+}
+
+output "agent_runtime_version" {
+  description = "Version of the Bedrock Agent Core runtime"
+  value       = aws_bedrockagentcore_agent_runtime.agent_runtime.agent_runtime_version
 }

package/src/utils/api-constructs/files/cdk/app/apis/rest/__apiNameKebabCase__.ts.template

@@ -15,19 +15,13 @@ import {
   CognitoUserPoolsAuthorizer,
   <%_ } _%>
 } from 'aws-cdk-lib/aws-apigateway';
-import {
-  Duration,
-  <%_ if (auth === 'IAM') { _%>
-  Stack,
-  <%_ } _%>
-} from 'aws-cdk-lib';
+import { Duration } from 'aws-cdk-lib';
 import {
   PolicyDocument,
   PolicyStatement,
   Effect,
   AnyPrincipal,
   <%_ if (auth === 'IAM') { _%>
-  AccountPrincipal,
   IGrantable,
   Grant,
   <%_ } _%>
@@ -163,15 +157,6 @@ export class <%= apiNameClassName %><
       policy: new PolicyDocument({
         statements: [
           <%_ if (auth === 'IAM') { _%>
-          // Here we grant any AWS credentials from the account that the project is deployed in to call the api.
-          // Machine to machine fine-grained access can be defined here using more specific principals (eg roles or
-          // users) and resources (eg which api paths may be invoked by which principal) if required.
-          new PolicyStatement({
-            effect: Effect.ALLOW,
-            principals: [new AccountPrincipal(Stack.of(scope).account)],
-            actions: ['execute-api:Invoke'],
-            resources: ['execute-api:/*'],
-          }),
           // Open up OPTIONS to allow browsers to make unauthenticated preflight requests
           new PolicyStatement({
             effect: Effect.ALLOW,
@@ -206,6 +191,18 @@ export class <%= apiNameClassName %><
    * @param grantee - The IAM principal to grant permissions to
    */
   public grantInvokeAccess(grantee: IGrantable) {
+    // Here we grant grantee permission to call the api.
+    // Machine to machine fine-grained access can be defined here using more specific principals (eg roles or
+    // users) and resources (eg which api paths may be invoked by which principal) if required.
+    this.api.addToResourcePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        principals: [grantee.grantPrincipal],
+        actions: ['execute-api:Invoke'],
+        resources: ['execute-api:/*'],
+      }),
+    );
+
     Grant.addToPrincipal({
       grantee,
       actions: ['execute-api:Invoke'],