@aws/nx-plugin 0.82.1 → 0.83.0

package/LICENSE-THIRD-PARTY

@@ -3218,12 +3218,12 @@ SOFTWARE.
 
 ---
 
-The following software may be included in this product: @esbuild/linux-x64 (0.27.3)
+The following software may be included in this product: @esbuild/darwin-arm64 (0.27.3)
 This software contains the following license and notice below:
 
 MIT License
 
-Copyright (c) The maintainers of @esbuild/linux-x64 <https://github.com/evanw/esbuild#readme>
+Copyright (c) The maintainers of @esbuild/darwin-arm64 <https://github.com/evanw/esbuild#readme>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and 
 associated documentation files (the "Software"), to deal in the Software without restriction, including 
@@ -4415,7 +4415,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 ---
 
-The following software may be included in this product: @nx/nx-linux-x64-gnu (22.5.3)
+The following software may be included in this product: @nx/nx-darwin-arm64 (22.5.3)
 This software contains the following license and notice below:
 
 (The MIT License)
@@ -5133,7 +5133,7 @@ THE SOFTWARE.
 
 ---
 
-The following software may be included in this product: @rollup/rollup-linux-x64-gnu (4.50.1)
+The following software may be included in this product: @rollup/rollup-darwin-arm64 (4.50.1)
 This software contains the following license and notice below:
 
 MIT License
@@ -5185,7 +5185,7 @@ SOFTWARE.
 
 ---
 
-The following software may be included in this product: @rspack/binding-linux-x64-gnu (1.6.8)
+The following software may be included in this product: @rspack/binding-darwin-arm64 (1.6.8)
 This software contains the following license and notice below:
 
 MIT License
@@ -12950,6 +12950,34 @@ OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHE
 
 ---
 
+The following software may be included in this product: fsevents (2.3.3)
+This software contains the following license and notice below:
+
+MIT License
+-----------
+
+Copyright (C) 2010-2020 by Philipp Dunkel, Ben Noordhuis, Elan Shankar, Paul Miller
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+---
+
 The following software may be included in this product: function-bind (1.1.2)
 This software contains the following license and notice below:
 
@@ -39785,7 +39813,7 @@ defined by the Mozilla Public License, v. 2.0.
 
 ---
 
-The following software may be included in this product: lightningcss-linux-x64-gnu (1.31.1)
+The following software may be included in this product: lightningcss-darwin-arm64 (1.31.1)
 This software contains the following license and notice below:
 
 Mozilla Public License Version 2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws/nx-plugin",
-  "version": "0.82.1",
+  "version": "0.83.0",
   "repository": {
     "type": "git",
     "url": "https://github.com/awslabs/nx-plugin-for-aws.git",

package/src/infra/app/__snapshots__/generator.spec.ts.snap

@@ -21,7 +21,7 @@ exports[`infra generator > should add required dependencies to package.json > de
   "@swc/core": "~1.15.5",
   "@swc/helpers": "~0.5.18",
   "@types/node": "22.19.13",
-  "@vitest/coverage-v8": "^4.0.0",
+  "@vitest/coverage-v8": "4.0.18",
   "eslint": "^9.8.0",
   "eslint-config-prettier": "^10.0.0",
   "eslint-plugin-prettier": "5.5.5",
@@ -32,7 +32,7 @@ exports[`infra generator > should add required dependencies to package.json > de
   "typescript": "~5.9.2",
   "typescript-eslint": "^8.40.0",
   "vite": "^7.0.0",
-  "vitest": "^4.0.8",
+  "vitest": "4.0.18",
 }
 `;
 
@@ -55,7 +55,7 @@ exports[`infra generator > should add required dependencies to package.json > pa
     "@swc/core": "~1.15.5",
     "@swc/helpers": "~0.5.18",
     "@types/node": "22.19.13",
-    "@vitest/coverage-v8": "^4.0.0",
+    "@vitest/coverage-v8": "4.0.18",
     "eslint": "^9.8.0",
     "eslint-config-prettier": "^10.0.0",
     "eslint-plugin-prettier": "5.5.5",
@@ -66,7 +66,7 @@ exports[`infra generator > should add required dependencies to package.json > pa
     "typescript": "~5.9.2",
     "typescript-eslint": "^8.40.0",
     "vite": "^7.0.0",
-    "vitest": "^4.0.8",
+    "vitest": "4.0.18",
   },
   "name": "@proj/source",
   "type": "module",

package/src/py/fast-api/__snapshots__/generator.spec.ts.snap

@@ -384,10 +384,11 @@ export class HttpApi<
     });
 
     // Register the API URL in runtime configuration for client discovery
-    RuntimeConfig.ensure(this).config.apis = {
-      ...RuntimeConfig.ensure(this).config.apis!,
+    const rc = RuntimeConfig.ensure(this);
+    rc.set('connection', 'apis', {
+      ...rc.get('connection').apis,
       [apiName]: this.defaultStage.url!,
-    };
+    });
   }
 
   /**
@@ -414,6 +415,7 @@ import {
   SnapStartConf,
 } from 'aws-cdk-lib/aws-lambda';
 import { Duration, Stack } from 'aws-cdk-lib';
+import { RuntimeConfig } from '../../core/runtime-config.js';
 import { CorsHttpMethod, CfnApi } from 'aws-cdk-lib/aws-apigatewayv2';
 import { HttpIamAuthorizer } from 'aws-cdk-lib/aws-apigatewayv2-authorizers';
 import { HttpLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
@@ -459,6 +461,7 @@ export class TestApi<
    * @returns An IntegrationBuilder with default lambda integrations
    */
   public static defaultIntegrations = (scope: Construct) => {
+    const rc = RuntimeConfig.ensure(scope);
     return IntegrationBuilder.http({
       pattern: 'isolated',
       operations: OPERATION_DETAILS,
@@ -478,6 +481,7 @@ export class TestApi<
         snapStart: SnapStartConf.ON_PUBLISHED_VERSIONS,
         environment: {
           AWS_CONNECTION_REUSE_ENABLED: '1',
+          RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
           PORT: '8000',
           AWS_LWA_INVOKE_MODE: 'buffered',
           AWS_LAMBDA_EXEC_WRAPPER: '/opt/bootstrap',
@@ -485,6 +489,7 @@ export class TestApi<
       },
       buildDefaultIntegration: (op, props: FunctionProps) => {
         const handler = new Function(scope, \`TestApi\${op}Handler\`, props);
+        rc.grantReadAppConfig(handler);
         const stack = Stack.of(scope);
         handler.addLayers(
           LayerVersion.fromLayerVersionArn(
@@ -529,21 +534,28 @@ export class TestApi<
   }
 
   /**
-   * Restricts CORS to the website CloudFront distribution domains
+   * Restricts CORS to the provided origins
    *
-   * Configures the CloudFront distribution domains as the only permitted CORS origins
-   * (other than local host with default ports) in the API gateway
-   * The CORS origins are not configured within the AWS Lambda integrations since
-   * the associated header is controlled by API Gateway v2
+   * Configures the provided CloudFront distribution domains or origin strings
+   * as the only permitted CORS origins
+   * in the API gateway. The CORS origins are not configured within the AWS Lambda
+   * integrations since the associated header is controlled by API Gateway v2.
    *
-   * @param cloudFrontDistribution - The CloudFront distribution to grant CORS from
+   * @param origins - The origin strings, CloudFront distributions, or objects containing a CloudFront distribution to grant CORS from
    */
   public restrictCorsTo(
-    ...websites: { cloudFrontDistribution: Distribution }[]
+    ...origins: (
+      | string
+      | Distribution
+      | { cloudFrontDistribution: Distribution }
+    )[]
   ) {
-    const allowedOrigins = websites.map(
-      ({ cloudFrontDistribution }) =>
-        \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+    const allowedOrigins = origins.map((origin) =>
+      typeof origin === 'string'
+        ? origin
+        : 'cloudFrontDistribution' in origin
+          ? \`https://\${origin.cloudFrontDistribution.distributionDomainName}\`
+          : \`https://\${origin.distributionDomainName}\`,
     );
 
     const cfnApi = this.api.node.defaultChild;
@@ -554,11 +566,7 @@ export class TestApi<
     }
 
     cfnApi.corsConfiguration = {
-      allowOrigins: [
-        'http://localhost:4200',
-        'http://localhost:4300',
-        ...allowedOrigins,
-      ],
+      allowOrigins: allowedOrigins,
       allowMethods: [CorsHttpMethod.ANY],
       allowHeaders: [
         'authorization',
@@ -936,13 +944,16 @@ export class IntegrationBuilder<
 `;
 
 exports[`fastapi project generator > should set up shared constructs for rest > rest-api.ts 1`] = `
-"import { Construct } from 'constructs';
+"import { Construct, IConstruct } from 'constructs';
 import {
+  Cors,
+  Resource,
   RestApi as _RestApi,
   RestApiProps as _RestApiProps,
   IResource,
   Stage,
 } from 'aws-cdk-lib/aws-apigateway';
+import { IAspect } from 'aws-cdk-lib';
 import { RuntimeConfig } from '../runtime-config.js';
 import {
   ApiIntegrations,
@@ -1041,7 +1052,7 @@ export class RestApi<
     };
 
     // Create API resources and methods for each operation
-    (Object.entries(operations) as [TOperation, OperationDetails][]).map(
+    (Object.entries(operations) as [TOperation, OperationDetails][]).forEach(
       ([op, details]) => {
         const integration = resolveIntegration(op);
         const resource = this.getOrCreateResource(
@@ -1060,10 +1071,11 @@ export class RestApi<
     );
 
     // Register the API URL in runtime configuration for client discovery
-    RuntimeConfig.ensure(this).config.apis = {
-      ...RuntimeConfig.ensure(this).config.apis!,
+    const rc = RuntimeConfig.ensure(this);
+    rc.set('connection', 'apis', {
+      ...rc.get('connection').apis,
       [apiName]: this.api.url!,
-    };
+    });
   }
 
   /**
@@ -1085,6 +1097,21 @@ export class RestApi<
     return this.getOrCreateResource(childResource, pathParts);
   }
 }
+
+export class AddCorsPreflightAspect implements IAspect {
+  private getAllowedOrigins: () => readonly string[];
+  constructor(getAllowedOrigins: () => readonly string[]) {
+    this.getAllowedOrigins = getAllowedOrigins;
+  }
+  public visit(node: IConstruct): void {
+    if (node instanceof Resource) {
+      node.addCorsPreflight({
+        allowOrigins: [...this.getAllowedOrigins()],
+        allowMethods: Cors.ALL_METHODS,
+      });
+    }
+  }
+}
 "
 `;
 
@@ -1101,13 +1128,13 @@ import {
   LayerVersion,
   SnapStartConf,
 } from 'aws-cdk-lib/aws-lambda';
+import { RuntimeConfig } from '../../core/runtime-config.js';
 import {
   AuthorizationType,
-  Cors,
   LambdaIntegration,
   ResponseTransferMode,
 } from 'aws-cdk-lib/aws-apigateway';
-import { Duration, Stack } from 'aws-cdk-lib';
+import { Aspects, Duration, Stack } from 'aws-cdk-lib';
 import {
   PolicyDocument,
   PolicyStatement,
@@ -1121,7 +1148,7 @@ import {
   IntegrationBuilder,
   RestApiIntegration,
 } from '../../core/api/utils.js';
-import { RestApi } from '../../core/api/rest-api.js';
+import { AddCorsPreflightAspect, RestApi } from '../../core/api/rest-api.js';
 import {
   OPERATION_DETAILS,
   Operations,
@@ -1149,6 +1176,8 @@ export interface TestApiProps<
 export class TestApi<
   TIntegrations extends ApiIntegrations<Operations, RestApiIntegration>,
 > extends RestApi<Operations, TIntegrations> {
+  private allowedOrigins: readonly string[] = ['*'];
+
   /**
    * Creates default integrations for all operations, which implement each operation as
    * its own individual lambda function.
@@ -1157,6 +1186,7 @@ export class TestApi<
    * @returns An IntegrationBuilder with default lambda integrations
    */
   public static defaultIntegrations = (scope: Construct) => {
+    const rc = RuntimeConfig.ensure(scope);
     return IntegrationBuilder.rest({
       pattern: 'isolated',
       operations: OPERATION_DETAILS,
@@ -1176,6 +1206,7 @@ export class TestApi<
         snapStart: SnapStartConf.ON_PUBLISHED_VERSIONS,
         environment: {
           AWS_CONNECTION_REUSE_ENABLED: '1',
+          RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
           PORT: '8000',
           AWS_LWA_INVOKE_MODE: 'response_stream',
           AWS_LAMBDA_EXEC_WRAPPER: '/opt/bootstrap',
@@ -1183,6 +1214,7 @@ export class TestApi<
       },
       buildDefaultIntegration: (op, props: FunctionProps) => {
         const handler = new Function(scope, \`TestApi\${op}Handler\`, props);
+        rc.grantReadAppConfig(handler);
         const stack = Stack.of(scope);
         handler.addLayers(
           LayerVersion.fromLayerVersionArn(
@@ -1211,10 +1243,6 @@ export class TestApi<
       defaultMethodOptions: {
         authorizationType: AuthorizationType.IAM,
       },
-      defaultCorsPreflightOptions: {
-        allowOrigins: Cors.ALL_ORIGINS,
-        allowMethods: Cors.ALL_METHODS,
-      },
       deployOptions: {
         tracingEnabled: true,
       },
@@ -1232,32 +1260,42 @@ export class TestApi<
       operations: OPERATION_DETAILS,
       ...props,
     });
+    Aspects.of(this).add(new AddCorsPreflightAspect(() => this.allowedOrigins));
   }
 
   /**
-   * Restricts CORS to the website CloudFront distribution domains
-   *
-   * Configures the CloudFront distribution domains as the only permitted CORS origins
-   * (other than local host) in the AWS Lambda integrations
+   * Restricts CORS to the provided origins
    *
-   * Note that this restriction is not applied to preflight OPTIONS
+   * Configures the provided CloudFront distribution domains or origin strings
+   * as the only permitted CORS origins in API Gateway preflight responses and the
+   * AWS Lambda integrations.
    *
-   * @param websites - The CloudFront distribution to grant CORS from
+   * @param origins - The origin strings, CloudFront distributions, or objects containing a CloudFront distribution to grant CORS from
    */
   public restrictCorsTo(
-    ...websites: { cloudFrontDistribution: Distribution }[]
+    ...origins: (
+      | string
+      | Distribution
+      | { cloudFrontDistribution: Distribution }
+    )[]
   ) {
-    const allowedOrigins = websites
-      .map(
-        ({ cloudFrontDistribution }) =>
-          \`https://\${cloudFrontDistribution.distributionDomainName}\`,
-      )
-      .join(',');
+    const allowedOrigins = origins.map((origin) =>
+      typeof origin === 'string'
+        ? origin
+        : 'cloudFrontDistribution' in origin
+          ? \`https://\${origin.cloudFrontDistribution.distributionDomainName}\`
+          : \`https://\${origin.distributionDomainName}\`,
+    );
+
+    this.allowedOrigins = allowedOrigins;
 
     // Set ALLOWED_ORIGINS environment variable for all Lambda integrations
     Object.values(this.integrations).forEach((integration) => {
       if ('handler' in integration && integration.handler instanceof Function) {
-        integration.handler.addEnvironment('ALLOWED_ORIGINS', allowedOrigins);
+        integration.handler.addEnvironment(
+          'ALLOWED_ORIGINS',
+          allowedOrigins.join(','),
+        );
       }
     });
   }
@@ -2157,12 +2195,21 @@ resource "aws_apigatewayv2_route" "proxy_routes" {
 module "add_url_to_runtime_config" {
   source = "../../../core/runtime-config/entry"
 
-  key_path = "apis.TestApi"
-  value    = module.http_api.stage_invoke_url
+  namespace = "connection"
+  key       = "apis"
+  value     = { "TestApi" = module.http_api.stage_invoke_url }
 
   depends_on = [module.http_api]
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "TestApi-runtime-config"
+
+  depends_on = [module.add_url_to_runtime_config]
+}
+
 # Lambda permission for API Gateway to invoke the function via alias
 resource "aws_lambda_permission" "api_gateway_invoke" {
   statement_id  = "AllowExecutionFromAPIGateway"
@@ -2784,12 +2831,21 @@ resource "aws_apigatewayv2_route" "proxy_routes" {
 module "add_url_to_runtime_config" {
   source = "../../../core/runtime-config/entry"
 
-  key_path = "apis.TestApi"
-  value    = module.http_api.stage_invoke_url
+  namespace = "connection"
+  key       = "apis"
+  value     = { "TestApi" = module.http_api.stage_invoke_url }
 
   depends_on = [module.http_api]
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "TestApi-runtime-config"
+
+  depends_on = [module.add_url_to_runtime_config]
+}
+
 # Lambda permission for API Gateway to invoke the function via alias
 resource "aws_lambda_permission" "api_gateway_invoke" {
   statement_id  = "AllowExecutionFromAPIGateway"
@@ -3413,12 +3469,21 @@ resource "aws_apigatewayv2_route" "proxy_routes" {
 module "add_url_to_runtime_config" {
   source = "../../../core/runtime-config/entry"
 
-  key_path = "apis.TestApi"
-  value    = module.http_api.stage_invoke_url
+  namespace = "connection"
+  key       = "apis"
+  value     = { "TestApi" = module.http_api.stage_invoke_url }
 
   depends_on = [module.http_api]
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "TestApi-runtime-config"
+
+  depends_on = [module.add_url_to_runtime_config]
+}
+
 # Lambda permission for API Gateway to invoke the function via alias
 resource "aws_lambda_permission" "api_gateway_invoke" {
   statement_id  = "AllowExecutionFromAPIGateway"
@@ -4084,12 +4149,21 @@ resource "aws_lambda_permission" "api_gateway_invoke_streaming" {
 module "add_url_to_runtime_config" {
   source = "../../../core/runtime-config/entry"
 
-  key_path = "apis.TestApi"
-  value    = aws_api_gateway_stage.api_stage.invoke_url
+  namespace = "connection"
+  key       = "apis"
+  value     = { "TestApi" = aws_api_gateway_stage.api_stage.invoke_url }
 
   depends_on = [aws_api_gateway_stage.api_stage]
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "TestApi-runtime-config"
+
+  depends_on = [module.add_url_to_runtime_config]
+}
+
 # Outputs
 
 # API Gateway Outputs (from core module)
@@ -4746,12 +4820,21 @@ resource "aws_lambda_permission" "api_gateway_invoke_streaming" {
 module "add_url_to_runtime_config" {
   source = "../../../core/runtime-config/entry"
 
-  key_path = "apis.TestApi"
-  value    = aws_api_gateway_stage.api_stage.invoke_url
+  namespace = "connection"
+  key       = "apis"
+  value     = { "TestApi" = aws_api_gateway_stage.api_stage.invoke_url }
 
   depends_on = [aws_api_gateway_stage.api_stage]
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "TestApi-runtime-config"
+
+  depends_on = [module.add_url_to_runtime_config]
+}
+
 # Outputs
 
 # API Gateway Outputs (from core module)
@@ -5399,12 +5482,21 @@ resource "aws_lambda_permission" "api_gateway_invoke_streaming" {
 module "add_url_to_runtime_config" {
   source = "../../../core/runtime-config/entry"
 
-  key_path = "apis.TestApi"
-  value    = aws_api_gateway_stage.api_stage.invoke_url
+  namespace = "connection"
+  key       = "apis"
+  value     = { "TestApi" = aws_api_gateway_stage.api_stage.invoke_url }
 
   depends_on = [aws_api_gateway_stage.api_stage]
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "TestApi-runtime-config"
+
+  depends_on = [module.add_url_to_runtime_config]
+}
+
 # Outputs
 
 # API Gateway Outputs (from core module)

package/src/py/mcp-server/__snapshots__/generator.spec.ts.snap

@@ -25,6 +25,7 @@ import {
   Runtime,
   RuntimeProps,
 } from '@aws-cdk/aws-bedrock-agentcore-alpha';
+import { RuntimeConfig } from '../../../core/runtime-config.js';
 
 export type SnapshotBedrockServerProps = Omit<
   RuntimeProps,
@@ -42,6 +43,8 @@ export class SnapshotBedrockServer extends Construct {
   ) {
     super(scope, id);
 
+    const rc = RuntimeConfig.ensure(this);
+
     this.dockerImage = AgentRuntimeArtifact.fromAsset(
       path.dirname(url.fileURLToPath(new URL(import.meta.url))),
       {
@@ -61,6 +64,17 @@ export class SnapshotBedrockServer extends Construct {
       protocolConfiguration: ProtocolType.MCP,
       agentRuntimeArtifact: this.dockerImage,
       ...props,
+      environmentVariables: {
+        RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
+        ...props?.environmentVariables,
+      },
+    });
+
+    rc.grantReadAppConfig(this.agentCoreRuntime);
+
+    rc.set('connection', 'agentRuntimes', {
+      ...rc.get('connection').agentRuntimes,
+      SnapshotBedrockServer: this.agentCoreRuntime.agentRuntimeArn,
     });
   }
 }
@@ -406,7 +420,7 @@ resource "aws_bedrockagentcore_agent_runtime" "agent_runtime" {
 
   depends_on = [
     null_resource.docker_publish,
-    aws_iam_role_policy.agent_core_runtime_policy
+    aws_iam_role_policy_attachment.agent_core_policy
   ]
 }
 
@@ -466,6 +480,12 @@ variable "tags" {
   default     = {}
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "TerraformSnapshotServer-runtime-config"
+}
+
 module "agent_core_runtime" {
   source = "../../../core/agent-core"
   agent_runtime_name = "TerraformSnapshotServer"
@@ -478,9 +498,33 @@ module "agent_core_runtime" {
 #    }
 #  }
 
-  env = var.env
-  additional_iam_policy_statements = var.additional_iam_policy_statements
+  env = merge({
+    RUNTIME_CONFIG_APP_ID = module.appconfig.application_id
+  }, var.env)
+  additional_iam_policy_statements = concat([
+    {
+      Effect   = "Allow"
+      Action   = [
+        "appconfig:StartConfigurationSession",
+        "appconfig:GetLatestConfiguration"
+      ]
+      Resource = ["\${module.appconfig.application_arn}/*"]
+    }
+  ], var.additional_iam_policy_statements)
   tags = var.tags
+
+  depends_on = [module.appconfig]
+}
+
+# Add agent runtime ARN to runtime config
+module "add_agent_runtime_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  namespace = "connection"
+  key       = "agentRuntimes"
+  value     = { "TerraformSnapshotServer" = module.agent_core_runtime.agent_core_runtime_arn }
+
+  depends_on = [module.agent_core_runtime]
 }
 
 output "agent_core_runtime_role_arn" {
@@ -492,6 +536,11 @@ output "agent_core_runtime_arn" {
   description = "ARN of the Bedrock Agent Core runtime"
   value       = module.agent_core_runtime.agent_core_runtime_arn
 }
+
+output "appconfig_application_id" {
+  description = "AppConfig Application ID for runtime config"
+  value       = module.appconfig.application_id
+}
 "
 `;
 
@@ -561,6 +610,7 @@ exports[`py#mcp-server generator > should match snapshot for generated files > u
 name = "proj.test_project"
 version = "0.1.0"
 dependencies = [
+  "aws-lambda-powertools==3.25.0",
   "mcp==1.26.0",
   "uvicorn==0.41.0",
   "boto3==1.42.63",

package/src/py/mcp-server/generator.js

@@ -50,6 +50,7 @@ const pyMcpServerGenerator = (tree, options) => tslib_1.__awaiter(void 0, void 0
         moduleName,
     }, { overwriteStrategy: devkit_1.OverwriteStrategy.KeepExisting });
     (0, py_1.addDependenciesToPyProjectToml)(tree, project.root, [
+        'aws-lambda-powertools',
         'mcp',
         'uvicorn',
         'boto3',