@aws/nx-plugin 0.82.2 → 0.83.1

package/src/ts/strands-agent/__snapshots__/generator.spec.ts.snap

@@ -33,6 +33,7 @@ import {
   Runtime,
   RuntimeProps,
 } from '@aws-cdk/aws-bedrock-agentcore-alpha';
+import { RuntimeConfig } from '../../../core/runtime-config.js';
 
 export type SnapshotBedrockAgentProps = Omit<
   RuntimeProps,
@@ -46,6 +47,8 @@ export class SnapshotBedrockAgent extends Construct {
   constructor(scope: Construct, id: string, props?: SnapshotBedrockAgentProps) {
     super(scope, id);
 
+    const rc = RuntimeConfig.ensure(this);
+
     this.dockerImage = AgentRuntimeArtifact.fromAsset(
       path.dirname(url.fileURLToPath(new URL(import.meta.url))),
       {
@@ -65,6 +68,17 @@ export class SnapshotBedrockAgent extends Construct {
       protocolConfiguration: ProtocolType.HTTP,
       agentRuntimeArtifact: this.dockerImage,
       ...props,
+      environmentVariables: {
+        RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
+        ...props?.environmentVariables,
+      },
+    });
+
+    rc.grantReadAppConfig(this.agentCoreRuntime);
+
+    rc.set('connection', 'agentRuntimes', {
+      ...rc.get('connection').agentRuntimes,
+      SnapshotBedrockAgent: this.agentCoreRuntime.agentRuntimeArn,
     });
   }
 }
@@ -111,6 +125,12 @@ variable "tags" {
   default     = {}
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "TerraformSnapshotAgent-runtime-config"
+}
+
 module "agent_core_runtime" {
   source = "../../../core/agent-core"
   agent_runtime_name = "TerraformSnapshotAgent"
@@ -123,9 +143,33 @@ module "agent_core_runtime" {
 #    }
 #  }
 
-  env = var.env
-  additional_iam_policy_statements = var.additional_iam_policy_statements
+  env = merge({
+    RUNTIME_CONFIG_APP_ID = module.appconfig.application_id
+  }, var.env)
+  additional_iam_policy_statements = concat([
+    {
+      Effect   = "Allow"
+      Action   = [
+        "appconfig:StartConfigurationSession",
+        "appconfig:GetLatestConfiguration"
+      ]
+      Resource = ["\${module.appconfig.application_arn}/*"]
+    }
+  ], var.additional_iam_policy_statements)
   tags = var.tags
+
+  depends_on = [module.appconfig]
+}
+
+# Add agent runtime ARN to runtime config
+module "add_agent_runtime_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  namespace = "connection"
+  key       = "agentRuntimes"
+  value     = { "TerraformSnapshotAgent" = module.agent_core_runtime.agent_core_runtime_arn }
+
+  depends_on = [module.agent_core_runtime]
 }
 
 output "agent_core_runtime_role_arn" {
@@ -137,6 +181,11 @@ output "agent_core_runtime_arn" {
   description = "ARN of the Bedrock Agent Core runtime"
   value       = module.agent_core_runtime.agent_core_runtime_arn
 }
+
+output "appconfig_application_id" {
+  description = "AppConfig Application ID for runtime config"
+  value       = module.appconfig.application_id
+}
 "
 `;
 
@@ -474,7 +523,7 @@ resource "aws_bedrockagentcore_agent_runtime" "agent_runtime" {
 
   depends_on = [
     null_resource.docker_publish,
-    aws_iam_role_policy.agent_core_runtime_policy
+    aws_iam_role_policy_attachment.agent_core_policy
   ]
 }
 

package/src/ts/strands-agent/generator.js

@@ -83,9 +83,11 @@ const tsStrandsAgentGenerator = (tree, options) => tslib_1.__awaiter(void 0, voi
         'ws',
         'cors',
         '@aws-sdk/credential-providers',
+        '@aws-sdk/client-appconfigdata',
+        '@aws-lambda-powertools/parameters',
         'aws4fetch',
         '@modelcontextprotocol/sdk',
-    ]), (0, versions_1.withVersions)(['tsx', '@types/ws', '@types/cors']));
+    ]), (0, versions_1.withVersions)(['tsx', '@types/ws', '@types/cors', '@types/node']));
     // NB: we assign the local dev port from 8081 as 8080 is used by vscode server, and so conflicts
     // for those working on remote dev envirionments. The deployed agent in agentcore still runs on
     // 8080 as per the agentcore contract.

package/src/ts/strands-agent/generator.js.map

@@ -1 +1 @@
-{"version":3,"file":"generator.js","sourceRoot":"","sources":["../../../../../../packages/nx-plugin/src/ts/strands-agent/generator.ts"],"names":[],"mappings":";;;;AAAA;;;GAGG;AACH,uCASoB;AAEpB,uCAMwB;AACxB,iDAAsE;AACtE,+CAA0D;AAC1D,6CAA2D;AAC3D,mDAAoD;AACpD,qDAAoD;AACpD,sDAAsE;AACtE,yCAAqD;AACrD,qEAA0E;AAC1E,mGAAwF;AACxF,2CAA8C;AAEjC,QAAA,+BAA+B,GAC1C,IAAA,qBAAgB,EAAC,UAAU,CAAC,CAAC;AAExB,MAAM,uBAAuB,GAAG,CACrC,IAAU,EACV,OAAsC,EACV,EAAE;;IAC9B,MAAM,OAAO,GAAG,IAAA,wCAAmC,EAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3E,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAA,0BAAiB,EAAC,OAAO,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CACb,uBAAuB,OAAO,CAAC,OAAO,wDAAwD,CAC/F,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,GAAG,IAAA,iBAAS,EAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC;IACxE,MAAM,IAAI,GAAG,IAAA,iBAAS,EAAC,OAAO,CAAC,IAAI,IAAI,WAAW,CAAC,CAAC;IACpD,MAAM,kBAAkB,GAAG,IAAA,mBAAW,EAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;IACxD,MAAM,oCAAoC,GAAG,IAAA,0BAAiB,EAC5D,KAAK,EACL,iBAAiB,CAClB,CAAC;IACF,MAAM,eAAe,GAAG,IAAA,0BAAiB,EACvC,OAAO,CAAC,IAAI,EACZ,oCAAoC,CACrC,CAAC;IACF,MAAM,iBAAiB,GAAG,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,GAAG,GAAG,EAAE,IAAI,CAAC,CAAC;IAC5E,MAAM,OAAO,GAAG,IAAA,0BAAiB,EAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAExD,MAAM,WAAW,GAAG,MAAA,OAAO,CAAC,WAAW,mCAAI,yBAAyB,CAAC;IAErE,yBAAyB;IACzB,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,EAC5C,eAAe,EACf;QACE,IAAI;QACJ,kBAAkB;QAClB,OAAO;KACR,EACD,EAAE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY,EAAE,CACtD,CAAC;IAEF,IAAI,WAAW,KAAK,yBAAyB,EAAE,CAAC;QAC9C,MAAM,cAAc,GAAG,GAAG,IAAA,uBAAW,EAAC,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC;QAE7D,oBAAoB;QACpB,IAAA,kCAAyB,EAAC,IAAI,EAAE,OAAO,EAAE;YACvC,cAAc,EAAE,GAAG,oCAAoC,WAAW;YAClE,eAAe,EAAE,IAAA,0BAAiB,EAAC,OAAO,EAAE,IAAI,CAAC;SAClD,CAAC,CAAC;QAEH,qBAAqB;QACrB,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,EAC/C,eAAe,EACf;YACE,OAAO;YACP,IAAI;SACL,EACD,EAAE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY,EAAE,CACtD,CAAC;QAEF,MAAM,gBAAgB,GAAG,GAAG,iBAAiB,SAAS,CAAC;QAEvD,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG;YAClC,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,iBAAiB;YAC3B,OAAO,EAAE;gBACP,OAAO,EAAE,0CAA0C,cAAc,IAAI,eAAe,8BAA8B;aACnH;YACD,SAAS,EAAE,CAAC,QAAQ,CAAC;SACtB,CAAC;QAEF,IAAA,sCAAiC,EAAC,OAAO,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC;QACvE,IAAA,sCAAiC,EAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE9D,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAA,wBAAkB,EAAC,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;QACxE,MAAM,IAAA,6CAAyB,EAAC,IAAI,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;QAEvD,IAAA,qCAAa,EAAC,IAAI,EAAE;YAClB,kBAAkB,EAAE,IAAI;YACxB,kBAAkB;YAClB,WAAW,EAAE,OAAO,CAAC,IAAI;YACzB,cAAc;YACd,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,mBAAmB;IACnB,IAAA,qCAA4B,EAC1B,IAAI,EACJ,IAAA,uBAAY,EAAC;QACX,cAAc;QACd,cAAc;QACd,KAAK;QACL,qBAAqB;QACrB,IAAI;QACJ,MAAM;QACN,+BAA+B;QAC/B,WAAW;QACX,2BAA2B;KAC5B,CAAC,EACF,IAAA,uBAAY,EAAC,CAAC,KAAK,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC,CAClD,CAAC;IAEF,gGAAgG;IAChG,+FAA+F;IAC/F,sCAAsC;IACtC,MAAM,YAAY,GAAG,IAAA,iBAAU,EAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAErD,IAAA,mCAA0B,EAAC,IAAI,EAAE,OAAO,CAAC,IAAI,kCACxC,OAAO,KACV,OAAO,kCACF,OAAO,CAAC,OAAO,KAClB,CAAC,GAAG,iBAAiB,QAAQ,CAAC,EAAE;gBAC9B,QAAQ,EAAE,iBAAiB;gBAC3B,OAAO,EAAE;oBACP,QAAQ,EAAE,CAAC,eAAe,iBAAiB,WAAW,CAAC;oBACvD,GAAG,EAAE,eAAe;oBACpB,GAAG,EAAE;wBACH,IAAI,EAAE,GAAG,YAAY,EAAE;qBACxB;iBACF;gBACD,UAAU,EAAE,IAAI;aACjB,OAEH,CAAC;IAEH,IAAA,kCAA6B,EAC3B,IAAI,EACJ,OAAO,CAAC,IAAI,EACZ,uCAA+B,EAC/B,oCAAoC,EACpC,iBAAiB,EACjB,EAAE,IAAI,EAAE,YAAY,EAAE,CACvB,CAAC;IAEF,MAAM,IAAA,yCAA+B,EAAC,IAAI,EAAE;QAC1C,uCAA+B;KAChC,CAAC,CAAC;IAEH,MAAM,IAAA,6BAAoB,EAAC,IAAI,CAAC,CAAC;IACjC,OAAO,GAAG,EAAE;QACV,IAAA,4BAAmB,EAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC;AACJ,CAAC,CAAA,CAAC;AAnJW,QAAA,uBAAuB,2BAmJlC;AAEF,kBAAe,+BAAuB,CAAC"}
+{"version":3,"file":"generator.js","sourceRoot":"","sources":["../../../../../../packages/nx-plugin/src/ts/strands-agent/generator.ts"],"names":[],"mappings":";;;;AAAA;;;GAGG;AACH,uCASoB;AAEpB,uCAMwB;AACxB,iDAAsE;AACtE,+CAA0D;AAC1D,6CAA2D;AAC3D,mDAAoD;AACpD,qDAAoD;AACpD,sDAAsE;AACtE,yCAAqD;AACrD,qEAA0E;AAC1E,mGAAwF;AACxF,2CAA8C;AAEjC,QAAA,+BAA+B,GAC1C,IAAA,qBAAgB,EAAC,UAAU,CAAC,CAAC;AAExB,MAAM,uBAAuB,GAAG,CACrC,IAAU,EACV,OAAsC,EACV,EAAE;;IAC9B,MAAM,OAAO,GAAG,IAAA,wCAAmC,EAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3E,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAA,0BAAiB,EAAC,OAAO,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CACb,uBAAuB,OAAO,CAAC,OAAO,wDAAwD,CAC/F,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,GAAG,IAAA,iBAAS,EAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC;IACxE,MAAM,IAAI,GAAG,IAAA,iBAAS,EAAC,OAAO,CAAC,IAAI,IAAI,WAAW,CAAC,CAAC;IACpD,MAAM,kBAAkB,GAAG,IAAA,mBAAW,EAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;IACxD,MAAM,oCAAoC,GAAG,IAAA,0BAAiB,EAC5D,KAAK,EACL,iBAAiB,CAClB,CAAC;IACF,MAAM,eAAe,GAAG,IAAA,0BAAiB,EACvC,OAAO,CAAC,IAAI,EACZ,oCAAoC,CACrC,CAAC;IACF,MAAM,iBAAiB,GAAG,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,GAAG,GAAG,EAAE,IAAI,CAAC,CAAC;IAC5E,MAAM,OAAO,GAAG,IAAA,0BAAiB,EAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAExD,MAAM,WAAW,GAAG,MAAA,OAAO,CAAC,WAAW,mCAAI,yBAAyB,CAAC;IAErE,yBAAyB;IACzB,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,EAC5C,eAAe,EACf;QACE,IAAI;QACJ,kBAAkB;QAClB,OAAO;KACR,EACD,EAAE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY,EAAE,CACtD,CAAC;IAEF,IAAI,WAAW,KAAK,yBAAyB,EAAE,CAAC;QAC9C,MAAM,cAAc,GAAG,GAAG,IAAA,uBAAW,EAAC,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC;QAE7D,oBAAoB;QACpB,IAAA,kCAAyB,EAAC,IAAI,EAAE,OAAO,EAAE;YACvC,cAAc,EAAE,GAAG,oCAAoC,WAAW;YAClE,eAAe,EAAE,IAAA,0BAAiB,EAAC,OAAO,EAAE,IAAI,CAAC;SAClD,CAAC,CAAC;QAEH,qBAAqB;QACrB,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,EAC/C,eAAe,EACf;YACE,OAAO;YACP,IAAI;SACL,EACD,EAAE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY,EAAE,CACtD,CAAC;QAEF,MAAM,gBAAgB,GAAG,GAAG,iBAAiB,SAAS,CAAC;QAEvD,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG;YAClC,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,iBAAiB;YAC3B,OAAO,EAAE;gBACP,OAAO,EAAE,0CAA0C,cAAc,IAAI,eAAe,8BAA8B;aACnH;YACD,SAAS,EAAE,CAAC,QAAQ,CAAC;SACtB,CAAC;QAEF,IAAA,sCAAiC,EAAC,OAAO,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC;QACvE,IAAA,sCAAiC,EAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE9D,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAA,wBAAkB,EAAC,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;QACxE,MAAM,IAAA,6CAAyB,EAAC,IAAI,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;QAEvD,IAAA,qCAAa,EAAC,IAAI,EAAE;YAClB,kBAAkB,EAAE,IAAI;YACxB,kBAAkB;YAClB,WAAW,EAAE,OAAO,CAAC,IAAI;YACzB,cAAc;YACd,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,mBAAmB;IACnB,IAAA,qCAA4B,EAC1B,IAAI,EACJ,IAAA,uBAAY,EAAC;QACX,cAAc;QACd,cAAc;QACd,KAAK;QACL,qBAAqB;QACrB,IAAI;QACJ,MAAM;QACN,+BAA+B;QAC/B,+BAA+B;QAC/B,mCAAmC;QACnC,WAAW;QACX,2BAA2B;KAC5B,CAAC,EACF,IAAA,uBAAY,EAAC,CAAC,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC,CACjE,CAAC;IAEF,gGAAgG;IAChG,+FAA+F;IAC/F,sCAAsC;IACtC,MAAM,YAAY,GAAG,IAAA,iBAAU,EAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAErD,IAAA,mCAA0B,EAAC,IAAI,EAAE,OAAO,CAAC,IAAI,kCACxC,OAAO,KACV,OAAO,kCACF,OAAO,CAAC,OAAO,KAClB,CAAC,GAAG,iBAAiB,QAAQ,CAAC,EAAE;gBAC9B,QAAQ,EAAE,iBAAiB;gBAC3B,OAAO,EAAE;oBACP,QAAQ,EAAE,CAAC,eAAe,iBAAiB,WAAW,CAAC;oBACvD,GAAG,EAAE,eAAe;oBACpB,GAAG,EAAE;wBACH,IAAI,EAAE,GAAG,YAAY,EAAE;qBACxB;iBACF;gBACD,UAAU,EAAE,IAAI;aACjB,OAEH,CAAC;IAEH,IAAA,kCAA6B,EAC3B,IAAI,EACJ,OAAO,CAAC,IAAI,EACZ,uCAA+B,EAC/B,oCAAoC,EACpC,iBAAiB,EACjB,EAAE,IAAI,EAAE,YAAY,EAAE,CACvB,CAAC;IAEF,MAAM,IAAA,yCAA+B,EAAC,IAAI,EAAE;QAC1C,uCAA+B;KAChC,CAAC,CAAC;IAEH,MAAM,IAAA,6BAAoB,EAAC,IAAI,CAAC,CAAC;IACjC,OAAO,GAAG,EAAE;QACV,IAAA,4BAAmB,EAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC;AACJ,CAAC,CAAA,CAAC;AArJW,QAAA,uBAAuB,2BAqJlC;AAEF,kBAAe,+BAAuB,CAAC"}

package/src/utils/__snapshots__/shared-constructs.spec.ts.snap

@@ -87,13 +87,44 @@ export * from './runtime-config.js';
 `;
 
 exports[`shared-constructs utils > sharedConstructsGenerator > should generate shared constructs when they do not exist > packages/common/constructs/src/core/runtime-config.ts 1`] = `
-"import { Stack, Stage } from 'aws-cdk-lib';
-import { Construct } from 'constructs';
+"import {
+  ArnFormat,
+  Aspects,
+  CfnOutput,
+  Lazy,
+  Names,
+  Stack,
+  Stage,
+} from 'aws-cdk-lib';
+import {
+  CfnApplication,
+  CfnConfigurationProfile,
+  CfnDeployment,
+  CfnDeploymentStrategy,
+  CfnEnvironment,
+  CfnHostedConfigurationVersion,
+} from 'aws-cdk-lib/aws-appconfig';
+import { Grant, IGrantable } from 'aws-cdk-lib/aws-iam';
+import { Construct, IConstruct } from 'constructs';
 
 const RuntimeConfigKey = '__RuntimeConfig__';
 
+/**
+ * Stage-scoped singleton that collects runtime configuration from CDK constructs
+ * and delivers it to server-side (AppConfig) and client-side (S3) consumers.
+ *
+ * Configuration is organised into namespaces (mapped to AppConfig Configuration Profiles):
+ * \`\`\`ts
+ * const rc = RuntimeConfig.ensure(this);
+ * rc.set('connection', 'cognitoProps', { region: '...', userPoolId: '...' });
+ * rc.set('tables', 'users', { tableName: '...', arn: '...' });
+ * \`\`\`
+ */
 export class RuntimeConfig extends Construct {
-  private readonly _runtimeConfig: any = {};
+  private readonly _namespaces = new Map<string, Record<string, any>>();
+  private _appConfigApplicationId?: string;
+  private _appConfigApplicationArn?: string;
+  private _aspectRegistered = false;
 
   static ensure(scope: Construct): RuntimeConfig {
     const parent = Stage.of(scope) ?? Stack.of(scope);
@@ -113,8 +144,129 @@ export class RuntimeConfig extends Construct {
     super(scope, id);
   }
 
-  get config(): any {
-    return this._runtimeConfig;
+  /** Sets a key in the given namespace. Creates the namespace if it doesn't exist. */
+  set(namespace: string, key: string, value: any): void {
+    let data = this._namespaces.get(namespace);
+    if (!data) {
+      data = {};
+      this._namespaces.set(namespace, data);
+    }
+    data[key] = value;
+  }
+
+  /** Returns the config data for a namespace. Creates it if it doesn't exist. */
+  get(namespace: string): Record<string, any> {
+    let data = this._namespaces.get(namespace);
+    if (!data) {
+      data = {};
+      this._namespaces.set(namespace, data);
+    }
+    return data;
+  }
+
+  /** Returns a lazy token resolving to the AppConfig Application ID. */
+  get appConfigApplicationId(): string {
+    this.ensureAspect();
+    return Lazy.string({
+      produce: () => {
+        if (!this._appConfigApplicationId) {
+          throw new Error(
+            'RuntimeConfig AppConfig resources were not created.',
+          );
+        }
+        return this._appConfigApplicationId;
+      },
+    });
+  }
+
+  /** Grants a server-side consumer permission to read from AppConfig. */
+  grantReadAppConfig(grantee: IGrantable): Grant {
+    this.ensureAspect();
+    return Grant.addToPrincipal({
+      grantee,
+      actions: [
+        'appconfig:StartConfigurationSession',
+        'appconfig:GetLatestConfiguration',
+      ],
+      resourceArns: [
+        Lazy.string({ produce: () => this._appConfigApplicationArn }),
+      ],
+    });
+  }
+
+  private ensureAspect(): void {
+    if (this._aspectRegistered) return;
+    this._aspectRegistered = true;
+    let created = false;
+
+    Aspects.of(this.node.scope!).add({
+      visit: (node: IConstruct) => {
+        if (created || !(node instanceof Stack)) return;
+        created = true;
+
+        const stack = node;
+        const name = Names.uniqueResourceName(this, {
+          maxLength: 64,
+          separator: '-',
+        });
+
+        const app = new CfnApplication(stack, 'RcAppConfigApp', { name });
+        const strategy = new CfnDeploymentStrategy(
+          stack,
+          'RcAppConfigStrategy',
+          {
+            name,
+            deploymentDurationInMinutes: 0,
+            growthFactor: 100,
+            replicateTo: 'NONE',
+            finalBakeTimeInMinutes: 0,
+          },
+        );
+        const env = new CfnEnvironment(stack, 'RcAppConfigEnv', {
+          applicationId: app.ref,
+          name: 'default',
+        });
+
+        for (const [ns, data] of this._namespaces.entries()) {
+          const profile = new CfnConfigurationProfile(
+            stack,
+            \`RcAppConfigProfile\${ns}\`,
+            {
+              applicationId: app.ref,
+              name: ns,
+              locationUri: 'hosted',
+              type: 'AWS.Freeform',
+            },
+          );
+          const version = new CfnHostedConfigurationVersion(
+            stack,
+            \`RcAppConfigVersion\${ns}\`,
+            {
+              applicationId: app.ref,
+              configurationProfileId: profile.ref,
+              contentType: 'application/json',
+              content: Lazy.string({ produce: () => stack.toJsonString(data) }),
+            },
+          );
+          new CfnDeployment(stack, \`RcAppConfigDeploy\${ns}\`, {
+            applicationId: app.ref,
+            environmentId: env.ref,
+            configurationProfileId: profile.ref,
+            configurationVersion: version.ref,
+            deploymentStrategyId: strategy.ref,
+          });
+        }
+
+        new CfnOutput(stack, 'RuntimeConfigApplicationId', { value: app.ref });
+        this._appConfigApplicationId = app.ref;
+        this._appConfigApplicationArn = stack.formatArn({
+          service: 'appconfig',
+          resource: 'application',
+          resourceName: \`\${app.ref}/*\`,
+          arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
+        });
+      },
+    });
   }
 }
 "

package/src/utils/agent-core-constructs/files/cdk/app/agent-core/__nameKebabCase__/__nameKebabCase__.ts.template

@@ -10,6 +10,7 @@ import {
   Runtime,
   RuntimeProps,
 } from '@aws-cdk/aws-bedrock-agentcore-alpha';
+import { RuntimeConfig } from '../../../core/runtime-config.js';
 
 export type <%- nameClassName %>Props = Omit<
   RuntimeProps,
@@ -23,6 +24,8 @@ export class <%- nameClassName %> extends Construct {
   constructor(scope: Construct, id: string, props?: <%- nameClassName %>Props) {
     super(scope, id);
 
+    const rc = RuntimeConfig.ensure(this);
+
     this.dockerImage = AgentRuntimeArtifact.fromAsset(
       path.dirname(url.fileURLToPath(new URL(import.meta.url))),
       {
@@ -42,6 +45,17 @@ export class <%- nameClassName %> extends Construct {
       protocolConfiguration: ProtocolType.<%- serverProtocol %>,
       agentRuntimeArtifact: this.dockerImage,
       ...props,
+      environmentVariables: {
+        RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
+        ...props?.environmentVariables,
+      },
+    });
+
+    rc.grantReadAppConfig(this.agentCoreRuntime);
+
+    rc.set('connection', 'agentRuntimes', {
+      ...rc.get('connection').agentRuntimes,
+      <%- nameClassName %>: this.agentCoreRuntime.agentRuntimeArn,
     });
   }
 }

package/src/utils/agent-core-constructs/files/terraform/app/agent-core/__nameKebabCase__/__nameKebabCase__.tf.template

@@ -20,6 +20,12 @@ variable "tags" {
   default     = {}
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "<%= nameClassName %>-runtime-config"
+}
+
 module "agent_core_runtime" {
   source = "../../../core/agent-core"
   agent_runtime_name = "<%= nameClassName %>"
@@ -32,9 +38,33 @@ module "agent_core_runtime" {
 #    }
 #  }
 
-  env = var.env
-  additional_iam_policy_statements = var.additional_iam_policy_statements
+  env = merge({
+    RUNTIME_CONFIG_APP_ID = module.appconfig.application_id
+  }, var.env)
+  additional_iam_policy_statements = concat([
+    {
+      Effect   = "Allow"
+      Action   = [
+        "appconfig:StartConfigurationSession",
+        "appconfig:GetLatestConfiguration"
+      ]
+      Resource = ["${module.appconfig.application_arn}/*"]
+    }
+  ], var.additional_iam_policy_statements)
   tags = var.tags
+
+  depends_on = [module.appconfig]
+}
+
+# Add agent runtime ARN to runtime config
+module "add_agent_runtime_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  namespace = "connection"
+  key       = "agentRuntimes"
+  value     = { "<%= nameClassName %>" = module.agent_core_runtime.agent_core_runtime_arn }
+
+  depends_on = [module.agent_core_runtime]
 }
 
 output "agent_core_runtime_role_arn" {
@@ -46,3 +76,8 @@ output "agent_core_runtime_arn" {
   description = "ARN of the Bedrock Agent Core runtime"
   value       = module.agent_core_runtime.agent_core_runtime_arn
 }
+
+output "appconfig_application_id" {
+  description = "AppConfig Application ID for runtime config"
+  value       = module.appconfig.application_id
+}

package/src/utils/agent-core-constructs/files/terraform/core/agent-core/runtime.tf.template

@@ -331,7 +331,7 @@ resource "aws_bedrockagentcore_agent_runtime" "agent_runtime" {
 
   depends_on = [
     null_resource.docker_publish,
-    aws_iam_role_policy.agent_core_runtime_policy
+    aws_iam_role_policy_attachment.agent_core_policy
   ]
 }
 

package/src/utils/api-constructs/files/cdk/app/apis/http/__apiNameKebabCase__.ts.template

@@ -13,6 +13,7 @@ import {
   <%_ } _%>
 } from 'aws-cdk-lib/aws-lambda';
 import { Duration<%_ if (backend.type === 'fastapi') { _%>, Stack<%_ } _%> } from 'aws-cdk-lib';
+import { RuntimeConfig } from '../../core/runtime-config.js';
 import {
   CorsHttpMethod,
   CfnApi,
@@ -99,6 +100,7 @@ export class <%= apiNameClassName %><
    * @returns An IntegrationBuilder with default lambda integrations
   */
   public static defaultIntegrations = (scope: Construct) => {
+    const rc = RuntimeConfig.ensure(scope);
     return IntegrationBuilder.http({
       pattern: '<%= backend.integrationPattern %>',
       <%_ if (backend.type === 'trpc') { _%>
@@ -137,6 +139,7 @@ export class <%= apiNameClassName %><
         <%_ } _%>
         environment: {
           AWS_CONNECTION_REUSE_ENABLED: '1',
+          RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
           <%_ if (backend.type === 'fastapi') { _%>
           PORT: '8000',
           AWS_LWA_INVOKE_MODE: 'buffered',
@@ -148,6 +151,7 @@ export class <%= apiNameClassName %><
         <%_ const lambdaTarget = backend.type === 'fastapi' ? 'handler.currentVersion' : 'handler'; _%>
         <%_ const integrationOptions = backend.integrationPattern === 'shared' ? ', { scopePermissionToRoute: false }' : ''; _%>
         const handler = new Function(scope, `<%= apiNameClassName %>${op}Handler`, props);
+        rc.grantReadAppConfig(handler);
         <%_ if (backend.type === 'fastapi') { _%>
         const stack = Stack.of(scope);
         handler.addLayers(

package/src/utils/api-constructs/files/cdk/app/apis/rest/__apiNameKebabCase__.ts.template

@@ -12,6 +12,7 @@ import {
   SnapStartConf,
   <%_ } _%>
 } from 'aws-cdk-lib/aws-lambda';
+import { RuntimeConfig } from '../../core/runtime-config.js';
 import {
   AuthorizationType,
   LambdaIntegration,
@@ -100,6 +101,7 @@ export class <%= apiNameClassName %><
    * @returns An IntegrationBuilder with default lambda integrations
   */
   public static defaultIntegrations = (scope: Construct) => {
+    const rc = RuntimeConfig.ensure(scope);
     return IntegrationBuilder.rest({
       pattern: '<%= backend.integrationPattern %>',
       <%_ if (backend.type === 'trpc') { _%>
@@ -138,6 +140,7 @@ export class <%= apiNameClassName %><
         <%_ } _%>
         environment: {
           AWS_CONNECTION_REUSE_ENABLED: '1',
+          RUNTIME_CONFIG_APP_ID: rc.appConfigApplicationId,
           <%_ if (backend.type === 'fastapi') { _%>
           PORT: '8000',
           AWS_LWA_INVOKE_MODE: 'response_stream',
@@ -162,6 +165,7 @@ export class <%= apiNameClassName %><
           : '';
         _%>
         const handler = new Function(scope, `<%= apiNameClassName %>${op}Handler`, props);
+        rc.grantReadAppConfig(handler);
         <%_ if (backend.type === 'fastapi') { _%>
         const stack = Stack.of(scope);
         handler.addLayers(

package/src/utils/api-constructs/files/cdk/core/api/http/http-api.ts.template

@@ -138,10 +138,11 @@ export class HttpApi<
     });
 
     // Register the API URL in runtime configuration for client discovery
-    RuntimeConfig.ensure(this).config.apis = {
-      ...RuntimeConfig.ensure(this).config.apis!,
+    const rc = RuntimeConfig.ensure(this);
+    rc.set('connection', 'apis', {
+      ...rc.get('connection').apis,
       [apiName]: this.defaultStage.url!,
-    };
+    });
   }
 
   /**

package/src/utils/api-constructs/files/cdk/core/api/rest/rest-api.ts.template

@@ -125,10 +125,11 @@ export class RestApi<
     );
 
     // Register the API URL in runtime configuration for client discovery
-    RuntimeConfig.ensure(this).config.apis = {
-      ...RuntimeConfig.ensure(this).config.apis!,
+    const rc = RuntimeConfig.ensure(this);
+    rc.set('connection', 'apis', {
+      ...rc.get('connection').apis,
       [apiName]: this.api.url!,
-    };
+    });
   }
 
   /**

package/src/utils/api-constructs/files/terraform/app/apis/http/__apiNameKebabCase__/__apiNameKebabCase__.tf.template

@@ -297,12 +297,21 @@ resource "aws_apigatewayv2_route" "proxy_routes" {
 module "add_url_to_runtime_config" {
   source = "../../../core/runtime-config/entry"
 
-  key_path = "apis.<%- apiNameClassName %>"
-  value    = module.http_api.stage_invoke_url
+  namespace = "connection"
+  key       = "apis"
+  value     = { "<%- apiNameClassName %>" = module.http_api.stage_invoke_url }
 
   depends_on = [module.http_api]
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "<%- apiNameClassName %>-runtime-config"
+
+  depends_on = [module.add_url_to_runtime_config]
+}
+
 # Lambda permission for API Gateway to invoke the function<% if (backend.type === 'fastapi') { %> via alias<% } %>
 resource "aws_lambda_permission" "api_gateway_invoke" {
   statement_id  = "AllowExecutionFromAPIGateway"

package/src/utils/api-constructs/files/terraform/app/apis/rest/__apiNameKebabCase__/__apiNameKebabCase__.tf.template

@@ -454,12 +454,21 @@ resource "aws_lambda_permission" "api_gateway_invoke_streaming" {
 module "add_url_to_runtime_config" {
   source = "../../../core/runtime-config/entry"
 
-  key_path = "apis.<%- apiNameClassName %>"
-  value    = aws_api_gateway_stage.api_stage.invoke_url
+  namespace = "connection"
+  key       = "apis"
+  value     = { "<%- apiNameClassName %>" = aws_api_gateway_stage.api_stage.invoke_url }
 
   depends_on = [aws_api_gateway_stage.api_stage]
 }
 
+module "appconfig" {
+  source = "../../../core/runtime-config/appconfig"
+
+  application_name = "<%- apiNameClassName %>-runtime-config"
+
+  depends_on = [module.add_url_to_runtime_config]
+}
+
 # Outputs
 
 # API Gateway Outputs (from core module)