@aws/nx-plugin 0.82.1 → 0.83.0

package/src/ts/strands-agent/__snapshots__/generator.spec.ts.snap

@@ -33,6 +33,7 @@ import {
   Runtime,
   RuntimeProps,
 } from '@aws-cdk/aws-bedrock-agentcore-alpha';
+import { RuntimeConfig } from '../../../core/runtime-config.js';
 
 export type SnapshotBedrockAgentProps = Omit<
   RuntimeProps,
@@ -46,6 +47,8 @@ export class SnapshotBedrockAgent extends Construct {
   constructor(scope: Construct, id: string, props?: SnapshotBedrockAgentProps) {
     super(scope, id);
 
+    const rc = RuntimeConfig.ensure(this);
+
     this.dockerImage = AgentRuntimeArtifact.fromAsset(
       path.dirname(url.fileURLToPath(new URL(import.meta.url))),
       {
@@ -65,6 +68,17 @@ export class SnapshotBedrockAgent extends Construct {
       protocolConfiguration: ProtocolType.HTTP,
       agentRuntimeArtifact: this.dockerImage,
       ...props,
+      environmentVariables: {
+        RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
+        ...props?.environmentVariables,
+      },
+    });
+
+    rc.grantReadAppConfig(this.agentCoreRuntime);
+
+    rc.set('connection', 'agentRuntimes', {
+      ...rc.get('connection').agentRuntimes,
+      SnapshotBedrockAgent: this.agentCoreRuntime.agentRuntimeArn,
     });
   }
 }
@@ -111,6 +125,12 @@ variable "tags" {
   default     = {}
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "TerraformSnapshotAgent-runtime-config"
+}
+
 module "agent_core_runtime" {
   source = "../../../core/agent-core"
   agent_runtime_name = "TerraformSnapshotAgent"
@@ -123,9 +143,33 @@ module "agent_core_runtime" {
 #    }
 #  }
 
-  env = var.env
-  additional_iam_policy_statements = var.additional_iam_policy_statements
+  env = merge({
+    RUNTIME_CONFIG_APP_ID = module.appconfig.application_id
+  }, var.env)
+  additional_iam_policy_statements = concat([
+    {
+      Effect   = "Allow"
+      Action   = [
+        "appconfig:StartConfigurationSession",
+        "appconfig:GetLatestConfiguration"
+      ]
+      Resource = ["\${module.appconfig.application_arn}/*"]
+    }
+  ], var.additional_iam_policy_statements)
   tags = var.tags
+
+  depends_on = [module.appconfig]
+}
+
+# Add agent runtime ARN to runtime config
+module "add_agent_runtime_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  namespace = "connection"
+  key       = "agentRuntimes"
+  value     = { "TerraformSnapshotAgent" = module.agent_core_runtime.agent_core_runtime_arn }
+
+  depends_on = [module.agent_core_runtime]
 }
 
 output "agent_core_runtime_role_arn" {
@@ -137,6 +181,11 @@ output "agent_core_runtime_arn" {
   description = "ARN of the Bedrock Agent Core runtime"
   value       = module.agent_core_runtime.agent_core_runtime_arn
 }
+
+output "appconfig_application_id" {
+  description = "AppConfig Application ID for runtime config"
+  value       = module.appconfig.application_id
+}
 "
 `;
 
@@ -474,7 +523,7 @@ resource "aws_bedrockagentcore_agent_runtime" "agent_runtime" {
 
   depends_on = [
     null_resource.docker_publish,
-    aws_iam_role_policy.agent_core_runtime_policy
+    aws_iam_role_policy_attachment.agent_core_policy
   ]
 }
 

package/src/ts/strands-agent/generator.js

@@ -83,9 +83,11 @@ const tsStrandsAgentGenerator = (tree, options) => tslib_1.__awaiter(void 0, voi
         'ws',
         'cors',
         '@aws-sdk/credential-providers',
+        '@aws-sdk/client-appconfigdata',
+        '@aws-lambda-powertools/parameters',
         'aws4fetch',
         '@modelcontextprotocol/sdk',
-    ]), (0, versions_1.withVersions)(['tsx', '@types/ws', '@types/cors']));
+    ]), (0, versions_1.withVersions)(['tsx', '@types/ws', '@types/cors', '@types/node']));
     // NB: we assign the local dev port from 8081 as 8080 is used by vscode server, and so conflicts
     // for those working on remote dev envirionments. The deployed agent in agentcore still runs on
     // 8080 as per the agentcore contract.

package/src/ts/strands-agent/generator.js.map

@@ -1 +1 @@
-{"version":3,"file":"generator.js","sourceRoot":"","sources":["../../../../../../packages/nx-plugin/src/ts/strands-agent/generator.ts"],"names":[],"mappings":";;;;AAAA;;;GAGG;AACH,uCASoB;AAEpB,uCAMwB;AACxB,iDAAsE;AACtE,+CAA0D;AAC1D,6CAA2D;AAC3D,mDAAoD;AACpD,qDAAoD;AACpD,sDAAsE;AACtE,yCAAqD;AACrD,qEAA0E;AAC1E,mGAAwF;AACxF,2CAA8C;AAEjC,QAAA,+BAA+B,GAC1C,IAAA,qBAAgB,EAAC,UAAU,CAAC,CAAC;AAExB,MAAM,uBAAuB,GAAG,CACrC,IAAU,EACV,OAAsC,EACV,EAAE;;IAC9B,MAAM,OAAO,GAAG,IAAA,wCAAmC,EAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3E,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAA,0BAAiB,EAAC,OAAO,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CACb,uBAAuB,OAAO,CAAC,OAAO,wDAAwD,CAC/F,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,GAAG,IAAA,iBAAS,EAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC;IACxE,MAAM,IAAI,GAAG,IAAA,iBAAS,EAAC,OAAO,CAAC,IAAI,IAAI,WAAW,CAAC,CAAC;IACpD,MAAM,kBAAkB,GAAG,IAAA,mBAAW,EAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;IACxD,MAAM,oCAAoC,GAAG,IAAA,0BAAiB,EAC5D,KAAK,EACL,iBAAiB,CAClB,CAAC;IACF,MAAM,eAAe,GAAG,IAAA,0BAAiB,EACvC,OAAO,CAAC,IAAI,EACZ,oCAAoC,CACrC,CAAC;IACF,MAAM,iBAAiB,GAAG,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,GAAG,GAAG,EAAE,IAAI,CAAC,CAAC;IAC5E,MAAM,OAAO,GAAG,IAAA,0BAAiB,EAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAExD,MAAM,WAAW,GAAG,MAAA,OAAO,CAAC,WAAW,mCAAI,yBAAyB,CAAC;IAErE,yBAAyB;IACzB,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,EAC5C,eAAe,EACf;QACE,IAAI;QACJ,kBAAkB;QAClB,OAAO;KACR,EACD,EAAE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY,EAAE,CACtD,CAAC;IAEF,IAAI,WAAW,KAAK,yBAAyB,EAAE,CAAC;QAC9C,MAAM,cAAc,GAAG,GAAG,IAAA,uBAAW,EAAC,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC;QAE7D,oBAAoB;QACpB,IAAA,kCAAyB,EAAC,IAAI,EAAE,OAAO,EAAE;YACvC,cAAc,EAAE,GAAG,oCAAoC,WAAW;YAClE,eAAe,EAAE,IAAA,0BAAiB,EAAC,OAAO,EAAE,IAAI,CAAC;SAClD,CAAC,CAAC;QAEH,qBAAqB;QACrB,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,EAC/C,eAAe,EACf;YACE,OAAO;YACP,IAAI;SACL,EACD,EAAE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY,EAAE,CACtD,CAAC;QAEF,MAAM,gBAAgB,GAAG,GAAG,iBAAiB,SAAS,CAAC;QAEvD,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG;YAClC,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,iBAAiB;YAC3B,OAAO,EAAE;gBACP,OAAO,EAAE,0CAA0C,cAAc,IAAI,eAAe,8BAA8B;aACnH;YACD,SAAS,EAAE,CAAC,QAAQ,CAAC;SACtB,CAAC;QAEF,IAAA,sCAAiC,EAAC,OAAO,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC;QACvE,IAAA,sCAAiC,EAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE9D,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAA,wBAAkB,EAAC,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;QACxE,MAAM,IAAA,6CAAyB,EAAC,IAAI,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;QAEvD,IAAA,qCAAa,EAAC,IAAI,EAAE;YAClB,kBAAkB,EAAE,IAAI;YACxB,kBAAkB;YAClB,WAAW,EAAE,OAAO,CAAC,IAAI;YACzB,cAAc;YACd,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,mBAAmB;IACnB,IAAA,qCAA4B,EAC1B,IAAI,EACJ,IAAA,uBAAY,EAAC;QACX,cAAc;QACd,cAAc;QACd,KAAK;QACL,qBAAqB;QACrB,IAAI;QACJ,MAAM;QACN,+BAA+B;QAC/B,WAAW;QACX,2BAA2B;KAC5B,CAAC,EACF,IAAA,uBAAY,EAAC,CAAC,KAAK,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC,CAClD,CAAC;IAEF,gGAAgG;IAChG,+FAA+F;IAC/F,sCAAsC;IACtC,MAAM,YAAY,GAAG,IAAA,iBAAU,EAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAErD,IAAA,mCAA0B,EAAC,IAAI,EAAE,OAAO,CAAC,IAAI,kCACxC,OAAO,KACV,OAAO,kCACF,OAAO,CAAC,OAAO,KAClB,CAAC,GAAG,iBAAiB,QAAQ,CAAC,EAAE;gBAC9B,QAAQ,EAAE,iBAAiB;gBAC3B,OAAO,EAAE;oBACP,QAAQ,EAAE,CAAC,eAAe,iBAAiB,WAAW,CAAC;oBACvD,GAAG,EAAE,eAAe;oBACpB,GAAG,EAAE;wBACH,IAAI,EAAE,GAAG,YAAY,EAAE;qBACxB;iBACF;gBACD,UAAU,EAAE,IAAI;aACjB,OAEH,CAAC;IAEH,IAAA,kCAA6B,EAC3B,IAAI,EACJ,OAAO,CAAC,IAAI,EACZ,uCAA+B,EAC/B,oCAAoC,EACpC,iBAAiB,EACjB,EAAE,IAAI,EAAE,YAAY,EAAE,CACvB,CAAC;IAEF,MAAM,IAAA,yCAA+B,EAAC,IAAI,EAAE;QAC1C,uCAA+B;KAChC,CAAC,CAAC;IAEH,MAAM,IAAA,6BAAoB,EAAC,IAAI,CAAC,CAAC;IACjC,OAAO,GAAG,EAAE;QACV,IAAA,4BAAmB,EAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC;AACJ,CAAC,CAAA,CAAC;AAnJW,QAAA,uBAAuB,2BAmJlC;AAEF,kBAAe,+BAAuB,CAAC"}
+{"version":3,"file":"generator.js","sourceRoot":"","sources":["../../../../../../packages/nx-plugin/src/ts/strands-agent/generator.ts"],"names":[],"mappings":";;;;AAAA;;;GAGG;AACH,uCASoB;AAEpB,uCAMwB;AACxB,iDAAsE;AACtE,+CAA0D;AAC1D,6CAA2D;AAC3D,mDAAoD;AACpD,qDAAoD;AACpD,sDAAsE;AACtE,yCAAqD;AACrD,qEAA0E;AAC1E,mGAAwF;AACxF,2CAA8C;AAEjC,QAAA,+BAA+B,GAC1C,IAAA,qBAAgB,EAAC,UAAU,CAAC,CAAC;AAExB,MAAM,uBAAuB,GAAG,CACrC,IAAU,EACV,OAAsC,EACV,EAAE;;IAC9B,MAAM,OAAO,GAAG,IAAA,wCAAmC,EAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3E,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAA,0BAAiB,EAAC,OAAO,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CACb,uBAAuB,OAAO,CAAC,OAAO,wDAAwD,CAC/F,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,GAAG,IAAA,iBAAS,EAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC;IACxE,MAAM,IAAI,GAAG,IAAA,iBAAS,EAAC,OAAO,CAAC,IAAI,IAAI,WAAW,CAAC,CAAC;IACpD,MAAM,kBAAkB,GAAG,IAAA,mBAAW,EAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;IACxD,MAAM,oCAAoC,GAAG,IAAA,0BAAiB,EAC5D,KAAK,EACL,iBAAiB,CAClB,CAAC;IACF,MAAM,eAAe,GAAG,IAAA,0BAAiB,EACvC,OAAO,CAAC,IAAI,EACZ,oCAAoC,CACrC,CAAC;IACF,MAAM,iBAAiB,GAAG,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,GAAG,GAAG,EAAE,IAAI,CAAC,CAAC;IAC5E,MAAM,OAAO,GAAG,IAAA,0BAAiB,EAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAExD,MAAM,WAAW,GAAG,MAAA,OAAO,CAAC,WAAW,mCAAI,yBAAyB,CAAC;IAErE,yBAAyB;IACzB,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,EAC5C,eAAe,EACf;QACE,IAAI;QACJ,kBAAkB;QAClB,OAAO;KACR,EACD,EAAE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY,EAAE,CACtD,CAAC;IAEF,IAAI,WAAW,KAAK,yBAAyB,EAAE,CAAC;QAC9C,MAAM,cAAc,GAAG,GAAG,IAAA,uBAAW,EAAC,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC;QAE7D,oBAAoB;QACpB,IAAA,kCAAyB,EAAC,IAAI,EAAE,OAAO,EAAE;YACvC,cAAc,EAAE,GAAG,oCAAoC,WAAW;YAClE,eAAe,EAAE,IAAA,0BAAiB,EAAC,OAAO,EAAE,IAAI,CAAC;SAClD,CAAC,CAAC;QAEH,qBAAqB;QACrB,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,EAC/C,eAAe,EACf;YACE,OAAO;YACP,IAAI;SACL,EACD,EAAE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY,EAAE,CACtD,CAAC;QAEF,MAAM,gBAAgB,GAAG,GAAG,iBAAiB,SAAS,CAAC;QAEvD,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG;YAClC,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,iBAAiB;YAC3B,OAAO,EAAE;gBACP,OAAO,EAAE,0CAA0C,cAAc,IAAI,eAAe,8BAA8B;aACnH;YACD,SAAS,EAAE,CAAC,QAAQ,CAAC;SACtB,CAAC;QAEF,IAAA,sCAAiC,EAAC,OAAO,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC;QACvE,IAAA,sCAAiC,EAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE9D,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAA,wBAAkB,EAAC,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;QACxE,MAAM,IAAA,6CAAyB,EAAC,IAAI,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;QAEvD,IAAA,qCAAa,EAAC,IAAI,EAAE;YAClB,kBAAkB,EAAE,IAAI;YACxB,kBAAkB;YAClB,WAAW,EAAE,OAAO,CAAC,IAAI;YACzB,cAAc;YACd,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,mBAAmB;IACnB,IAAA,qCAA4B,EAC1B,IAAI,EACJ,IAAA,uBAAY,EAAC;QACX,cAAc;QACd,cAAc;QACd,KAAK;QACL,qBAAqB;QACrB,IAAI;QACJ,MAAM;QACN,+BAA+B;QAC/B,+BAA+B;QAC/B,mCAAmC;QACnC,WAAW;QACX,2BAA2B;KAC5B,CAAC,EACF,IAAA,uBAAY,EAAC,CAAC,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC,CACjE,CAAC;IAEF,gGAAgG;IAChG,+FAA+F;IAC/F,sCAAsC;IACtC,MAAM,YAAY,GAAG,IAAA,iBAAU,EAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAErD,IAAA,mCAA0B,EAAC,IAAI,EAAE,OAAO,CAAC,IAAI,kCACxC,OAAO,KACV,OAAO,kCACF,OAAO,CAAC,OAAO,KAClB,CAAC,GAAG,iBAAiB,QAAQ,CAAC,EAAE;gBAC9B,QAAQ,EAAE,iBAAiB;gBAC3B,OAAO,EAAE;oBACP,QAAQ,EAAE,CAAC,eAAe,iBAAiB,WAAW,CAAC;oBACvD,GAAG,EAAE,eAAe;oBACpB,GAAG,EAAE;wBACH,IAAI,EAAE,GAAG,YAAY,EAAE;qBACxB;iBACF;gBACD,UAAU,EAAE,IAAI;aACjB,OAEH,CAAC;IAEH,IAAA,kCAA6B,EAC3B,IAAI,EACJ,OAAO,CAAC,IAAI,EACZ,uCAA+B,EAC/B,oCAAoC,EACpC,iBAAiB,EACjB,EAAE,IAAI,EAAE,YAAY,EAAE,CACvB,CAAC;IAEF,MAAM,IAAA,yCAA+B,EAAC,IAAI,EAAE;QAC1C,uCAA+B;KAChC,CAAC,CAAC;IAEH,MAAM,IAAA,6BAAoB,EAAC,IAAI,CAAC,CAAC;IACjC,OAAO,GAAG,EAAE;QACV,IAAA,4BAAmB,EAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC;AACJ,CAAC,CAAA,CAAC;AArJW,QAAA,uBAAuB,2BAqJlC;AAEF,kBAAe,+BAAuB,CAAC"}

package/src/utils/__snapshots__/shared-constructs.spec.ts.snap

@@ -87,13 +87,44 @@ export * from './runtime-config.js';
 `;
 
 exports[`shared-constructs utils > sharedConstructsGenerator > should generate shared constructs when they do not exist > packages/common/constructs/src/core/runtime-config.ts 1`] = `
-"import { Stack, Stage } from 'aws-cdk-lib';
-import { Construct } from 'constructs';
+"import {
+  ArnFormat,
+  Aspects,
+  CfnOutput,
+  Lazy,
+  Names,
+  Stack,
+  Stage,
+} from 'aws-cdk-lib';
+import {
+  CfnApplication,
+  CfnConfigurationProfile,
+  CfnDeployment,
+  CfnDeploymentStrategy,
+  CfnEnvironment,
+  CfnHostedConfigurationVersion,
+} from 'aws-cdk-lib/aws-appconfig';
+import { Grant, IGrantable } from 'aws-cdk-lib/aws-iam';
+import { Construct, IConstruct } from 'constructs';
 
 const RuntimeConfigKey = '__RuntimeConfig__';
 
+/**
+ * Stage-scoped singleton that collects runtime configuration from CDK constructs
+ * and delivers it to server-side (AppConfig) and client-side (S3) consumers.
+ *
+ * Configuration is organised into namespaces (mapped to AppConfig Configuration Profiles):
+ * \`\`\`ts
+ * const rc = RuntimeConfig.ensure(this);
+ * rc.set('connection', 'cognitoProps', { region: '...', userPoolId: '...' });
+ * rc.set('tables', 'users', { tableName: '...', arn: '...' });
+ * \`\`\`
+ */
 export class RuntimeConfig extends Construct {
-  private readonly _runtimeConfig: any = {};
+  private readonly _namespaces = new Map<string, Record<string, any>>();
+  private _appConfigApplicationId?: string;
+  private _appConfigApplicationArn?: string;
+  private _aspectRegistered = false;
 
   static ensure(scope: Construct): RuntimeConfig {
     const parent = Stage.of(scope) ?? Stack.of(scope);
@@ -113,8 +144,129 @@ export class RuntimeConfig extends Construct {
     super(scope, id);
   }
 
-  get config(): any {
-    return this._runtimeConfig;
+  /** Sets a key in the given namespace. Creates the namespace if it doesn't exist. */
+  set(namespace: string, key: string, value: any): void {
+    let data = this._namespaces.get(namespace);
+    if (!data) {
+      data = {};
+      this._namespaces.set(namespace, data);
+    }
+    data[key] = value;
+  }
+
+  /** Returns the config data for a namespace. Creates it if it doesn't exist. */
+  get(namespace: string): Record<string, any> {
+    let data = this._namespaces.get(namespace);
+    if (!data) {
+      data = {};
+      this._namespaces.set(namespace, data);
+    }
+    return data;
+  }
+
+  /** Returns a lazy token resolving to the AppConfig Application ID. */
+  get appConfigApplicationId(): string {
+    this.ensureAspect();
+    return Lazy.string({
+      produce: () => {
+        if (!this._appConfigApplicationId) {
+          throw new Error(
+            'RuntimeConfig AppConfig resources were not created.',
+          );
+        }
+        return this._appConfigApplicationId;
+      },
+    });
+  }
+
+  /** Grants a server-side consumer permission to read from AppConfig. */
+  grantReadAppConfig(grantee: IGrantable): Grant {
+    this.ensureAspect();
+    return Grant.addToPrincipal({
+      grantee,
+      actions: [
+        'appconfig:StartConfigurationSession',
+        'appconfig:GetLatestConfiguration',
+      ],
+      resourceArns: [
+        Lazy.string({ produce: () => this._appConfigApplicationArn }),
+      ],
+    });
+  }
+
+  private ensureAspect(): void {
+    if (this._aspectRegistered) return;
+    this._aspectRegistered = true;
+    let created = false;
+
+    Aspects.of(this.node.scope!).add({
+      visit: (node: IConstruct) => {
+        if (created || !(node instanceof Stack)) return;
+        created = true;
+
+        const stack = node;
+        const name = Names.uniqueResourceName(this, {
+          maxLength: 64,
+          separator: '-',
+        });
+
+        const app = new CfnApplication(stack, 'RcAppConfigApp', { name });
+        const strategy = new CfnDeploymentStrategy(
+          stack,
+          'RcAppConfigStrategy',
+          {
+            name,
+            deploymentDurationInMinutes: 0,
+            growthFactor: 100,
+            replicateTo: 'NONE',
+            finalBakeTimeInMinutes: 0,
+          },
+        );
+        const env = new CfnEnvironment(stack, 'RcAppConfigEnv', {
+          applicationId: app.ref,
+          name: 'default',
+        });
+
+        for (const [ns, data] of this._namespaces.entries()) {
+          const profile = new CfnConfigurationProfile(
+            stack,
+            \`RcAppConfigProfile\${ns}\`,
+            {
+              applicationId: app.ref,
+              name: ns,
+              locationUri: 'hosted',
+              type: 'AWS.Freeform',
+            },
+          );
+          const version = new CfnHostedConfigurationVersion(
+            stack,
+            \`RcAppConfigVersion\${ns}\`,
+            {
+              applicationId: app.ref,
+              configurationProfileId: profile.ref,
+              contentType: 'application/json',
+              content: Lazy.string({ produce: () => stack.toJsonString(data) }),
+            },
+          );
+          new CfnDeployment(stack, \`RcAppConfigDeploy\${ns}\`, {
+            applicationId: app.ref,
+            environmentId: env.ref,
+            configurationProfileId: profile.ref,
+            configurationVersion: version.ref,
+            deploymentStrategyId: strategy.ref,
+          });
+        }
+
+        new CfnOutput(stack, 'RuntimeConfigApplicationId', { value: app.ref });
+        this._appConfigApplicationId = app.ref;
+        this._appConfigApplicationArn = stack.formatArn({
+          service: 'appconfig',
+          resource: 'application',
+          resourceName: \`\${app.ref}/*\`,
+          arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
+        });
+      },
+    });
   }
 }
 "

package/src/utils/agent-core-constructs/files/cdk/app/agent-core/__nameKebabCase__/__nameKebabCase__.ts.template

@@ -10,6 +10,7 @@ import {
   Runtime,
   RuntimeProps,
 } from '@aws-cdk/aws-bedrock-agentcore-alpha';
+import { RuntimeConfig } from '../../../core/runtime-config.js';
 
 export type <%- nameClassName %>Props = Omit<
   RuntimeProps,
@@ -23,6 +24,8 @@ export class <%- nameClassName %> extends Construct {
   constructor(scope: Construct, id: string, props?: <%- nameClassName %>Props) {
     super(scope, id);
 
+    const rc = RuntimeConfig.ensure(this);
+
     this.dockerImage = AgentRuntimeArtifact.fromAsset(
       path.dirname(url.fileURLToPath(new URL(import.meta.url))),
       {
@@ -42,6 +45,17 @@ export class <%- nameClassName %> extends Construct {
       protocolConfiguration: ProtocolType.<%- serverProtocol %>,
       agentRuntimeArtifact: this.dockerImage,
       ...props,
+      environmentVariables: {
+        RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
+        ...props?.environmentVariables,
+      },
+    });
+
+    rc.grantReadAppConfig(this.agentCoreRuntime);
+
+    rc.set('connection', 'agentRuntimes', {
+      ...rc.get('connection').agentRuntimes,
+      <%- nameClassName %>: this.agentCoreRuntime.agentRuntimeArn,
     });
   }
 }

package/src/utils/agent-core-constructs/files/terraform/app/agent-core/__nameKebabCase__/__nameKebabCase__.tf.template

@@ -20,6 +20,12 @@ variable "tags" {
   default     = {}
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "<%= nameClassName %>-runtime-config"
+}
+
 module "agent_core_runtime" {
   source = "../../../core/agent-core"
   agent_runtime_name = "<%= nameClassName %>"
@@ -32,9 +38,33 @@ module "agent_core_runtime" {
 #    }
 #  }
 
-  env = var.env
-  additional_iam_policy_statements = var.additional_iam_policy_statements
+  env = merge({
+    RUNTIME_CONFIG_APP_ID = module.appconfig.application_id
+  }, var.env)
+  additional_iam_policy_statements = concat([
+    {
+      Effect   = "Allow"
+      Action   = [
+        "appconfig:StartConfigurationSession",
+        "appconfig:GetLatestConfiguration"
+      ]
+      Resource = ["${module.appconfig.application_arn}/*"]
+    }
+  ], var.additional_iam_policy_statements)
   tags = var.tags
+
+  depends_on = [module.appconfig]
+}
+
+# Add agent runtime ARN to runtime config
+module "add_agent_runtime_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  namespace = "connection"
+  key       = "agentRuntimes"
+  value     = { "<%= nameClassName %>" = module.agent_core_runtime.agent_core_runtime_arn }
+
+  depends_on = [module.agent_core_runtime]
 }
 
 output "agent_core_runtime_role_arn" {
@@ -46,3 +76,8 @@ output "agent_core_runtime_arn" {
   description = "ARN of the Bedrock Agent Core runtime"
   value       = module.agent_core_runtime.agent_core_runtime_arn
 }
+
+output "appconfig_application_id" {
+  description = "AppConfig Application ID for runtime config"
+  value       = module.appconfig.application_id
+}

package/src/utils/agent-core-constructs/files/terraform/core/agent-core/runtime.tf.template

@@ -331,7 +331,7 @@ resource "aws_bedrockagentcore_agent_runtime" "agent_runtime" {
 
   depends_on = [
     null_resource.docker_publish,
-    aws_iam_role_policy.agent_core_runtime_policy
+    aws_iam_role_policy_attachment.agent_core_policy
   ]
 }
 

package/src/utils/api-constructs/files/cdk/app/apis/http/__apiNameKebabCase__.ts.template

@@ -13,6 +13,7 @@ import {
   <%_ } _%>
 } from 'aws-cdk-lib/aws-lambda';
 import { Duration<%_ if (backend.type === 'fastapi') { _%>, Stack<%_ } _%> } from 'aws-cdk-lib';
+import { RuntimeConfig } from '../../core/runtime-config.js';
 import {
   CorsHttpMethod,
   CfnApi,
@@ -99,6 +100,7 @@ export class <%= apiNameClassName %><
    * @returns An IntegrationBuilder with default lambda integrations
   */
   public static defaultIntegrations = (scope: Construct) => {
+    const rc = RuntimeConfig.ensure(scope);
     return IntegrationBuilder.http({
       pattern: '<%= backend.integrationPattern %>',
       <%_ if (backend.type === 'trpc') { _%>
@@ -137,6 +139,7 @@ export class <%= apiNameClassName %><
         <%_ } _%>
         environment: {
           AWS_CONNECTION_REUSE_ENABLED: '1',
+          RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
           <%_ if (backend.type === 'fastapi') { _%>
           PORT: '8000',
           AWS_LWA_INVOKE_MODE: 'buffered',
@@ -148,6 +151,7 @@ export class <%= apiNameClassName %><
         <%_ const lambdaTarget = backend.type === 'fastapi' ? 'handler.currentVersion' : 'handler'; _%>
         <%_ const integrationOptions = backend.integrationPattern === 'shared' ? ', { scopePermissionToRoute: false }' : ''; _%>
         const handler = new Function(scope, `<%= apiNameClassName %>${op}Handler`, props);
+        rc.grantReadAppConfig(handler);
         <%_ if (backend.type === 'fastapi') { _%>
         const stack = Stack.of(scope);
         handler.addLayers(
@@ -206,23 +210,25 @@ export class <%= apiNameClassName %><
   }
 
   /**
-   * Restricts CORS to the website CloudFront distribution domains
+   * Restricts CORS to the provided origins
    *
-   * Configures the CloudFront distribution domains as the only permitted CORS origins
-   * (other than local host with default ports) in the API gateway
-   * The CORS origins are not configured within the AWS Lambda integrations since
-   * the associated header is controlled by API Gateway v2
+   * Configures the provided CloudFront distribution domains or origin strings
+   * as the only permitted CORS origins
+   * in the API gateway. The CORS origins are not configured within the AWS Lambda
+   * integrations since the associated header is controlled by API Gateway v2.
    *
-   * @param cloudFrontDistribution - The CloudFront distribution to grant CORS from
+   * @param origins - The origin strings, CloudFront distributions, or objects containing a CloudFront distribution to grant CORS from
    */
   public restrictCorsTo(
-    ...websites: { cloudFrontDistribution: Distribution }[]
+    ...origins: (string | Distribution | { cloudFrontDistribution: Distribution })[]
   ) {
-    const allowedOrigins = websites
-      .map(
-        ({ cloudFrontDistribution }) =>
-          `https://${cloudFrontDistribution.distributionDomainName}`,
-      );
+    const allowedOrigins = origins.map((origin) =>
+      typeof origin === 'string'
+        ? origin
+        : 'cloudFrontDistribution' in origin
+          ? `https://${origin.cloudFrontDistribution.distributionDomainName}`
+          : `https://${origin.distributionDomainName}`,
+    );
 
     const cfnApi = this.api.node.defaultChild;
     if (!(cfnApi instanceof CfnApi)) {
@@ -232,11 +238,7 @@ export class <%= apiNameClassName %><
     }
 
     cfnApi.corsConfiguration = {
-      allowOrigins: [
-        'http://localhost:4200',
-        'http://localhost:4300',
-        ...allowedOrigins,
-      ],
+      allowOrigins: allowedOrigins,
       allowMethods: [CorsHttpMethod.ANY],
       allowHeaders: [
         'authorization',

package/src/utils/api-constructs/files/cdk/app/apis/rest/__apiNameKebabCase__.ts.template

@@ -12,9 +12,9 @@ import {
   SnapStartConf,
   <%_ } _%>
 } from 'aws-cdk-lib/aws-lambda';
+import { RuntimeConfig } from '../../core/runtime-config.js';
 import {
   AuthorizationType,
-  Cors,
   LambdaIntegration,
   <%_ if (['trpc', 'fastapi'].includes(backend.type)) { _%>
   ResponseTransferMode,
@@ -23,7 +23,7 @@ import {
   CognitoUserPoolsAuthorizer,
   <%_ } _%>
 } from 'aws-cdk-lib/aws-apigateway';
-import { Duration<%_ if (backend.type === 'fastapi') { _%>, Stack<%_ } _%> } from 'aws-cdk-lib';
+import { Aspects, Duration<%_ if (backend.type === 'fastapi') { _%>, Stack<%_ } _%> } from 'aws-cdk-lib';
 import {
   PolicyDocument,
   PolicyStatement,
@@ -42,7 +42,7 @@ import {
   IntegrationBuilder,
   RestApiIntegration,
 } from '../../core/api/utils.js';
-import { RestApi } from '../../core/api/rest-api.js';
+import { AddCorsPreflightAspect, RestApi } from '../../core/api/rest-api.js';
 <%_ if (backend.type === 'trpc') { _%>
 import { Procedures, routerToOperations } from '../../core/api/trpc-utils.js';
 import { AppRouter, appRouter } from '<%= backend.projectAlias %>';
@@ -86,6 +86,8 @@ export interface <%= apiNameClassName %>Props<
 export class <%= apiNameClassName %><
   TIntegrations extends ApiIntegrations<Operations, RestApiIntegration>,
 > extends RestApi<Operations, TIntegrations> {
+  private allowedOrigins: readonly string[] = ['*'];
+
   /**
    <%_ if (backend.integrationPattern === 'shared') { _%>
    * Creates default integrations for all operations using a single shared
@@ -99,6 +101,7 @@ export class <%= apiNameClassName %><
    * @returns An IntegrationBuilder with default lambda integrations
   */
   public static defaultIntegrations = (scope: Construct) => {
+    const rc = RuntimeConfig.ensure(scope);
     return IntegrationBuilder.rest({
       pattern: '<%= backend.integrationPattern %>',
       <%_ if (backend.type === 'trpc') { _%>
@@ -137,6 +140,7 @@ export class <%= apiNameClassName %><
         <%_ } _%>
         environment: {
           AWS_CONNECTION_REUSE_ENABLED: '1',
+          RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
           <%_ if (backend.type === 'fastapi') { _%>
           PORT: '8000',
           AWS_LWA_INVOKE_MODE: 'response_stream',
@@ -161,6 +165,7 @@ export class <%= apiNameClassName %><
           : '';
         _%>
         const handler = new Function(scope, `<%= apiNameClassName %>${op}Handler`, props);
+        rc.grantReadAppConfig(handler);
         <%_ if (backend.type === 'fastapi') { _%>
         const stack = Stack.of(scope);
         handler.addLayers(
@@ -198,10 +203,6 @@ export class <%= apiNameClassName %><
         authorizationType: AuthorizationType.NONE,
         <%_ } _%>
       },
-      defaultCorsPreflightOptions: {
-        allowOrigins: Cors.ALL_ORIGINS,
-        allowMethods: Cors.ALL_METHODS,
-      },
       deployOptions: {
         tracingEnabled: true,
       },
@@ -233,32 +234,38 @@ export class <%= apiNameClassName %><
       <%_ } _%>
       ...props,
     });
+    Aspects.of(this).add(new AddCorsPreflightAspect(() => this.allowedOrigins));
   }
 
   /**
-   * Restricts CORS to the website CloudFront distribution domains
+   * Restricts CORS to the provided origins
    *
-   * Configures the CloudFront distribution domains as the only permitted CORS origins
-   * (other than local host) in the AWS Lambda integrations
-   * 
-   * Note that this restriction is not applied to preflight OPTIONS
+   * Configures the provided CloudFront distribution domains or origin strings
+   * as the only permitted CORS origins in API Gateway preflight responses and the
+   * AWS Lambda integrations.
    *
-   * @param websites - The CloudFront distribution to grant CORS from
+   * @param origins - The origin strings, CloudFront distributions, or objects containing a CloudFront distribution to grant CORS from
    */
   public restrictCorsTo(
-    ...websites: { cloudFrontDistribution: Distribution }[]
+    ...origins: (string | Distribution | { cloudFrontDistribution: Distribution })[]
   ) {
-    const allowedOrigins = websites
-      .map(
-        ({ cloudFrontDistribution }) =>
-          `https://${cloudFrontDistribution.distributionDomainName}`,
-      )
-      .join(',');
+    const allowedOrigins = origins.map((origin) =>
+      typeof origin === 'string'
+        ? origin
+        : 'cloudFrontDistribution' in origin
+          ? `https://${origin.cloudFrontDistribution.distributionDomainName}`
+          : `https://${origin.distributionDomainName}`,
+    );
+
+    this.allowedOrigins = allowedOrigins;
 
     // Set ALLOWED_ORIGINS environment variable for all Lambda integrations
     Object.values(this.integrations).forEach((integration) => {
       if ('handler' in integration && integration.handler instanceof Function) {
-        integration.handler.addEnvironment('ALLOWED_ORIGINS', allowedOrigins);
+        integration.handler.addEnvironment(
+          'ALLOWED_ORIGINS',
+          allowedOrigins.join(','),
+        );
       }
     });
   }

package/src/utils/api-constructs/files/cdk/core/api/http/http-api.ts.template

@@ -138,10 +138,11 @@ export class HttpApi<
     });
 
     // Register the API URL in runtime configuration for client discovery
-    RuntimeConfig.ensure(this).config.apis = {
-      ...RuntimeConfig.ensure(this).config.apis!,
+    const rc = RuntimeConfig.ensure(this);
+    rc.set('connection', 'apis', {
+      ...rc.get('connection').apis,
       [apiName]: this.defaultStage.url!,
-    };
+    });
   }
 
   /**