@pulumi/aws 7.10.0-alpha.1761243490 → 7.10.0

package/bedrock/agentcoreOauth2CredentialProvider.js

@@ -0,0 +1,123 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AgentcoreOauth2CredentialProvider = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * ## Example Usage
+ *
+ * ### GitHub OAuth Provider
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const github = new aws.bedrock.AgentcoreOauth2CredentialProvider("github", {
+ *     name: "github-oauth-provider",
+ *     credentialProviderVendor: "GithubOauth2",
+ *     oauth2ProviderConfig: {
+ *         githubOauth2ProviderConfig: {
+ *             clientId: "your-github-client-id",
+ *             clientSecret: "your-github-client-secret",
+ *         },
+ *     },
+ * });
+ * ```
+ *
+ * ### Custom OAuth Provider with Discovery URL
+ *
+ * ### Custom OAuth Provider with Authorization Server Metadata
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const keycloak = new aws.bedrock.AgentcoreOauth2CredentialProvider("keycloak", {
+ *     name: "keycloak-oauth-provider",
+ *     credentialProviderVendor: "CustomOauth2",
+ *     oauth2ProviderConfig: {
+ *         customOauth2ProviderConfig: {
+ *             clientIdWo: "keycloak-client-id",
+ *             clientSecretWo: "keycloak-client-secret",
+ *             clientCredentialsWoVersion: 1,
+ *             oauthDiscovery: {
+ *                 authorizationServerMetadata: {
+ *                     issuer: "https://auth.company.com/realms/production",
+ *                     authorizationEndpoint: "https://auth.company.com/realms/production/protocol/openid-connect/auth",
+ *                     tokenEndpoint: "https://auth.company.com/realms/production/protocol/openid-connect/token",
+ *                     responseTypes: [
+ *                         "code",
+ *                         "id_token",
+ *                     ],
+ *                 },
+ *             },
+ *         },
+ *     },
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * Using `pulumi import`, import Bedrock AgentCore OAuth2 Credential Provider using the provider name. For example:
+ *
+ * ```sh
+ * $ pulumi import aws:bedrock/agentcoreOauth2CredentialProvider:AgentcoreOauth2CredentialProvider example oauth2-provider-name
+ * ```
+ */
+class AgentcoreOauth2CredentialProvider extends pulumi.CustomResource {
+    /**
+     * Get an existing AgentcoreOauth2CredentialProvider resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, state, opts) {
+        return new AgentcoreOauth2CredentialProvider(name, state, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of AgentcoreOauth2CredentialProvider.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === AgentcoreOauth2CredentialProvider.__pulumiType;
+    }
+    constructor(name, argsOrState, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (opts.id) {
+            const state = argsOrState;
+            resourceInputs["clientSecretArns"] = state?.clientSecretArns;
+            resourceInputs["credentialProviderArn"] = state?.credentialProviderArn;
+            resourceInputs["credentialProviderVendor"] = state?.credentialProviderVendor;
+            resourceInputs["name"] = state?.name;
+            resourceInputs["oauth2ProviderConfig"] = state?.oauth2ProviderConfig;
+            resourceInputs["region"] = state?.region;
+        }
+        else {
+            const args = argsOrState;
+            if (args?.credentialProviderVendor === undefined && !opts.urn) {
+                throw new Error("Missing required property 'credentialProviderVendor'");
+            }
+            resourceInputs["credentialProviderVendor"] = args?.credentialProviderVendor;
+            resourceInputs["name"] = args?.name;
+            resourceInputs["oauth2ProviderConfig"] = args?.oauth2ProviderConfig;
+            resourceInputs["region"] = args?.region;
+            resourceInputs["clientSecretArns"] = undefined /*out*/;
+            resourceInputs["credentialProviderArn"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(AgentcoreOauth2CredentialProvider.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.AgentcoreOauth2CredentialProvider = AgentcoreOauth2CredentialProvider;
+/** @internal */
+AgentcoreOauth2CredentialProvider.__pulumiType = 'aws:bedrock/agentcoreOauth2CredentialProvider:AgentcoreOauth2CredentialProvider';
+//# sourceMappingURL=agentcoreOauth2CredentialProvider.js.map

package/bedrock/agentcoreOauth2CredentialProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentcoreOauth2CredentialProvider.js","sourceRoot":"","sources":["../../bedrock/agentcoreOauth2CredentialProvider.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4DG;AACH,MAAa,iCAAkC,SAAQ,MAAM,CAAC,cAAc;IACxE;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAA8C,EAAE,IAAmC;QAC5I,OAAO,IAAI,iCAAiC,CAAC,IAAI,EAAO,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACxF,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,iCAAiC,CAAC,YAAY,CAAC;IAClF,CAAC;IAqCD,YAAY,IAAY,EAAE,WAA4F,EAAE,IAAmC;QACvJ,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAAiE,CAAC;YAChF,cAAc,CAAC,kBAAkB,CAAC,GAAG,KAAK,EAAE,gBAAgB,CAAC;YAC7D,cAAc,CAAC,uBAAuB,CAAC,GAAG,KAAK,EAAE,qBAAqB,CAAC;YACvE,cAAc,CAAC,0BAA0B,CAAC,GAAG,KAAK,EAAE,wBAAwB,CAAC;YAC7E,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC;YACrC,cAAc,CAAC,sBAAsB,CAAC,GAAG,KAAK,EAAE,oBAAoB,CAAC;YACrE,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,EAAE,MAAM,CAAC;SAC5C;aAAM;YACH,MAAM,IAAI,GAAG,WAAgE,CAAC;YAC9E,IAAI,IAAI,EAAE,wBAAwB,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC3D,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;aAC3E;YACD,cAAc,CAAC,0BAA0B,CAAC,GAAG,IAAI,EAAE,wBAAwB,CAAC;YAC5E,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,sBAAsB,CAAC,GAAG,IAAI,EAAE,oBAAoB,CAAC;YACpE,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACvD,cAAc,CAAC,uBAAuB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC/D;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,iCAAiC,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACtF,CAAC;;AAxFL,8EAyFC;AA3EG,gBAAgB;AACO,8CAAY,GAAG,iFAAiF,CAAC"}

package/bedrock/agentcoreTokenVaultCmk.d.ts

@@ -0,0 +1,99 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+/**
+ * Manages the AWS KMS customer master key (CMK) for a token vault.
+ *
+ * > Deletion of this resource will not modify the CMK, only remove the resource from state.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.bedrock.AgentcoreTokenVaultCmk("example", {kmsConfiguration: {
+ *     keyType: "CustomerManagedKey",
+ *     kmsKeyArn: exampleAwsKmsKey.arn,
+ * }});
+ * ```
+ *
+ * ## Import
+ *
+ * Using `pulumi import`, import token vault CMKs using the token vault ID. For example:
+ *
+ * ```sh
+ * $ pulumi import aws:bedrock/agentcoreTokenVaultCmk:AgentcoreTokenVaultCmk example "default"
+ * ```
+ */
+export declare class AgentcoreTokenVaultCmk extends pulumi.CustomResource {
+    /**
+     * Get an existing AgentcoreTokenVaultCmk resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AgentcoreTokenVaultCmkState, opts?: pulumi.CustomResourceOptions): AgentcoreTokenVaultCmk;
+    /**
+     * Returns true if the given object is an instance of AgentcoreTokenVaultCmk.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is AgentcoreTokenVaultCmk;
+    /**
+     * KMS configuration for the token vault. See `kmsConfiguration` below.
+     */
+    readonly kmsConfiguration: pulumi.Output<outputs.bedrock.AgentcoreTokenVaultCmkKmsConfiguration | undefined>;
+    /**
+     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+     */
+    readonly region: pulumi.Output<string>;
+    /**
+     * Token vault ID. Defaults to `default`.
+     */
+    readonly tokenVaultId: pulumi.Output<string>;
+    /**
+     * Create a AgentcoreTokenVaultCmk resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: AgentcoreTokenVaultCmkArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * Input properties used for looking up and filtering AgentcoreTokenVaultCmk resources.
+ */
+export interface AgentcoreTokenVaultCmkState {
+    /**
+     * KMS configuration for the token vault. See `kmsConfiguration` below.
+     */
+    kmsConfiguration?: pulumi.Input<inputs.bedrock.AgentcoreTokenVaultCmkKmsConfiguration>;
+    /**
+     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+     */
+    region?: pulumi.Input<string>;
+    /**
+     * Token vault ID. Defaults to `default`.
+     */
+    tokenVaultId?: pulumi.Input<string>;
+}
+/**
+ * The set of arguments for constructing a AgentcoreTokenVaultCmk resource.
+ */
+export interface AgentcoreTokenVaultCmkArgs {
+    /**
+     * KMS configuration for the token vault. See `kmsConfiguration` below.
+     */
+    kmsConfiguration?: pulumi.Input<inputs.bedrock.AgentcoreTokenVaultCmkKmsConfiguration>;
+    /**
+     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+     */
+    region?: pulumi.Input<string>;
+    /**
+     * Token vault ID. Defaults to `default`.
+     */
+    tokenVaultId?: pulumi.Input<string>;
+}

package/bedrock/agentcoreTokenVaultCmk.js

@@ -0,0 +1,78 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AgentcoreTokenVaultCmk = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * Manages the AWS KMS customer master key (CMK) for a token vault.
+ *
+ * > Deletion of this resource will not modify the CMK, only remove the resource from state.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.bedrock.AgentcoreTokenVaultCmk("example", {kmsConfiguration: {
+ *     keyType: "CustomerManagedKey",
+ *     kmsKeyArn: exampleAwsKmsKey.arn,
+ * }});
+ * ```
+ *
+ * ## Import
+ *
+ * Using `pulumi import`, import token vault CMKs using the token vault ID. For example:
+ *
+ * ```sh
+ * $ pulumi import aws:bedrock/agentcoreTokenVaultCmk:AgentcoreTokenVaultCmk example "default"
+ * ```
+ */
+class AgentcoreTokenVaultCmk extends pulumi.CustomResource {
+    /**
+     * Get an existing AgentcoreTokenVaultCmk resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, state, opts) {
+        return new AgentcoreTokenVaultCmk(name, state, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of AgentcoreTokenVaultCmk.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === AgentcoreTokenVaultCmk.__pulumiType;
+    }
+    constructor(name, argsOrState, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (opts.id) {
+            const state = argsOrState;
+            resourceInputs["kmsConfiguration"] = state?.kmsConfiguration;
+            resourceInputs["region"] = state?.region;
+            resourceInputs["tokenVaultId"] = state?.tokenVaultId;
+        }
+        else {
+            const args = argsOrState;
+            resourceInputs["kmsConfiguration"] = args?.kmsConfiguration;
+            resourceInputs["region"] = args?.region;
+            resourceInputs["tokenVaultId"] = args?.tokenVaultId;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(AgentcoreTokenVaultCmk.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.AgentcoreTokenVaultCmk = AgentcoreTokenVaultCmk;
+/** @internal */
+AgentcoreTokenVaultCmk.__pulumiType = 'aws:bedrock/agentcoreTokenVaultCmk:AgentcoreTokenVaultCmk';
+//# sourceMappingURL=agentcoreTokenVaultCmk.js.map

package/bedrock/agentcoreTokenVaultCmk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentcoreTokenVaultCmk.js","sourceRoot":"","sources":["../../bedrock/agentcoreTokenVaultCmk.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAa,sBAAuB,SAAQ,MAAM,CAAC,cAAc;IAC7D;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAAmC,EAAE,IAAmC;QACjI,OAAO,IAAI,sBAAsB,CAAC,IAAI,EAAO,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IAC7E,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,sBAAsB,CAAC,YAAY,CAAC;IACvE,CAAC;IAuBD,YAAY,IAAY,EAAE,WAAsE,EAAE,IAAmC;QACjI,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAAsD,CAAC;YACrE,cAAc,CAAC,kBAAkB,CAAC,GAAG,KAAK,EAAE,gBAAgB,CAAC;YAC7D,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,EAAE,MAAM,CAAC;YACzC,cAAc,CAAC,cAAc,CAAC,GAAG,KAAK,EAAE,YAAY,CAAC;SACxD;aAAM;YACH,MAAM,IAAI,GAAG,WAAqD,CAAC;YACnE,cAAc,CAAC,kBAAkB,CAAC,GAAG,IAAI,EAAE,gBAAgB,CAAC;YAC5D,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,cAAc,CAAC,GAAG,IAAI,EAAE,YAAY,CAAC;SACvD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,sBAAsB,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IAC3E,CAAC;;AAjEL,wDAkEC;AApDG,gBAAgB;AACO,mCAAY,GAAG,2DAA2D,CAAC"}

package/bedrock/agentcoreWorkloadIdentity.d.ts

@@ -0,0 +1,127 @@
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * Manages an AWS Bedrock AgentCore Workload Identity. Workload Identity provides OAuth2-based authentication and authorization for AI agents to access external resources securely.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.bedrock.AgentcoreWorkloadIdentity("example", {
+ *     name: "example-workload-identity",
+ *     allowedResourceOauth2ReturnUrls: ["https://example.com/callback"],
+ * });
+ * ```
+ *
+ * ### Workload Identity with Multiple Return URLs
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.bedrock.AgentcoreWorkloadIdentity("example", {
+ *     name: "example-workload-identity",
+ *     allowedResourceOauth2ReturnUrls: [
+ *         "https://app.example.com/oauth/callback",
+ *         "https://api.example.com/auth/return",
+ *         "https://example.com/callback",
+ *     ],
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * Using `pulumi import`, import Bedrock AgentCore Workload Identity using the workload identity name. For example:
+ *
+ * ```sh
+ * $ pulumi import aws:bedrock/agentcoreWorkloadIdentity:AgentcoreWorkloadIdentity example example-workload-identity
+ * ```
+ */
+export declare class AgentcoreWorkloadIdentity extends pulumi.CustomResource {
+    /**
+     * Get an existing AgentcoreWorkloadIdentity resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AgentcoreWorkloadIdentityState, opts?: pulumi.CustomResourceOptions): AgentcoreWorkloadIdentity;
+    /**
+     * Returns true if the given object is an instance of AgentcoreWorkloadIdentity.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is AgentcoreWorkloadIdentity;
+    /**
+     * Set of allowed OAuth2 return URLs for resources associated with this workload identity. These URLs are used as valid redirect targets during OAuth2 authentication flows.
+     */
+    readonly allowedResourceOauth2ReturnUrls: pulumi.Output<string[] | undefined>;
+    /**
+     * Name of the workload identity. Must be 3-255 characters and contain only alphanumeric characters, hyphens, periods, and underscores.
+     *
+     * The following arguments are optional:
+     */
+    readonly name: pulumi.Output<string>;
+    /**
+     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+     */
+    readonly region: pulumi.Output<string>;
+    /**
+     * ARN of the Workload Identity.
+     */
+    readonly workloadIdentityArn: pulumi.Output<string>;
+    /**
+     * Create a AgentcoreWorkloadIdentity resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: AgentcoreWorkloadIdentityArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * Input properties used for looking up and filtering AgentcoreWorkloadIdentity resources.
+ */
+export interface AgentcoreWorkloadIdentityState {
+    /**
+     * Set of allowed OAuth2 return URLs for resources associated with this workload identity. These URLs are used as valid redirect targets during OAuth2 authentication flows.
+     */
+    allowedResourceOauth2ReturnUrls?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Name of the workload identity. Must be 3-255 characters and contain only alphanumeric characters, hyphens, periods, and underscores.
+     *
+     * The following arguments are optional:
+     */
+    name?: pulumi.Input<string>;
+    /**
+     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+     */
+    region?: pulumi.Input<string>;
+    /**
+     * ARN of the Workload Identity.
+     */
+    workloadIdentityArn?: pulumi.Input<string>;
+}
+/**
+ * The set of arguments for constructing a AgentcoreWorkloadIdentity resource.
+ */
+export interface AgentcoreWorkloadIdentityArgs {
+    /**
+     * Set of allowed OAuth2 return URLs for resources associated with this workload identity. These URLs are used as valid redirect targets during OAuth2 authentication flows.
+     */
+    allowedResourceOauth2ReturnUrls?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Name of the workload identity. Must be 3-255 characters and contain only alphanumeric characters, hyphens, periods, and underscores.
+     *
+     * The following arguments are optional:
+     */
+    name?: pulumi.Input<string>;
+    /**
+     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+     */
+    region?: pulumi.Input<string>;
+}

package/bedrock/agentcoreWorkloadIdentity.js

@@ -0,0 +1,96 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AgentcoreWorkloadIdentity = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * Manages an AWS Bedrock AgentCore Workload Identity. Workload Identity provides OAuth2-based authentication and authorization for AI agents to access external resources securely.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.bedrock.AgentcoreWorkloadIdentity("example", {
+ *     name: "example-workload-identity",
+ *     allowedResourceOauth2ReturnUrls: ["https://example.com/callback"],
+ * });
+ * ```
+ *
+ * ### Workload Identity with Multiple Return URLs
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.bedrock.AgentcoreWorkloadIdentity("example", {
+ *     name: "example-workload-identity",
+ *     allowedResourceOauth2ReturnUrls: [
+ *         "https://app.example.com/oauth/callback",
+ *         "https://api.example.com/auth/return",
+ *         "https://example.com/callback",
+ *     ],
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * Using `pulumi import`, import Bedrock AgentCore Workload Identity using the workload identity name. For example:
+ *
+ * ```sh
+ * $ pulumi import aws:bedrock/agentcoreWorkloadIdentity:AgentcoreWorkloadIdentity example example-workload-identity
+ * ```
+ */
+class AgentcoreWorkloadIdentity extends pulumi.CustomResource {
+    /**
+     * Get an existing AgentcoreWorkloadIdentity resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, state, opts) {
+        return new AgentcoreWorkloadIdentity(name, state, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of AgentcoreWorkloadIdentity.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === AgentcoreWorkloadIdentity.__pulumiType;
+    }
+    constructor(name, argsOrState, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (opts.id) {
+            const state = argsOrState;
+            resourceInputs["allowedResourceOauth2ReturnUrls"] = state?.allowedResourceOauth2ReturnUrls;
+            resourceInputs["name"] = state?.name;
+            resourceInputs["region"] = state?.region;
+            resourceInputs["workloadIdentityArn"] = state?.workloadIdentityArn;
+        }
+        else {
+            const args = argsOrState;
+            resourceInputs["allowedResourceOauth2ReturnUrls"] = args?.allowedResourceOauth2ReturnUrls;
+            resourceInputs["name"] = args?.name;
+            resourceInputs["region"] = args?.region;
+            resourceInputs["workloadIdentityArn"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(AgentcoreWorkloadIdentity.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.AgentcoreWorkloadIdentity = AgentcoreWorkloadIdentity;
+/** @internal */
+AgentcoreWorkloadIdentity.__pulumiType = 'aws:bedrock/agentcoreWorkloadIdentity:AgentcoreWorkloadIdentity';
+//# sourceMappingURL=agentcoreWorkloadIdentity.js.map

package/bedrock/agentcoreWorkloadIdentity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentcoreWorkloadIdentity.js","sourceRoot":"","sources":["../../bedrock/agentcoreWorkloadIdentity.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,MAAa,yBAA0B,SAAQ,MAAM,CAAC,cAAc;IAChE;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAAsC,EAAE,IAAmC;QACpI,OAAO,IAAI,yBAAyB,CAAC,IAAI,EAAO,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IAChF,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,yBAAyB,CAAC,YAAY,CAAC;IAC1E,CAAC;IA6BD,YAAY,IAAY,EAAE,WAA4E,EAAE,IAAmC;QACvI,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAAyD,CAAC;YACxE,cAAc,CAAC,iCAAiC,CAAC,GAAG,KAAK,EAAE,+BAA+B,CAAC;YAC3F,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC;YACrC,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,EAAE,MAAM,CAAC;YACzC,cAAc,CAAC,qBAAqB,CAAC,GAAG,KAAK,EAAE,mBAAmB,CAAC;SACtE;aAAM;YACH,MAAM,IAAI,GAAG,WAAwD,CAAC;YACtE,cAAc,CAAC,iCAAiC,CAAC,GAAG,IAAI,EAAE,+BAA+B,CAAC;YAC1F,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,qBAAqB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC7D;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,yBAAyB,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IAC9E,CAAC;;AAzEL,8DA0EC;AA5DG,gBAAgB;AACO,sCAAY,GAAG,iEAAiE,CAAC"}

package/bedrock/index.d.ts

@@ -46,6 +46,21 @@ export declare const AgentcoreGateway: typeof import("./agentcoreGateway").Agent
 export { AgentcoreGatewayTargetArgs, AgentcoreGatewayTargetState } from "./agentcoreGatewayTarget";
 export type AgentcoreGatewayTarget = import("./agentcoreGatewayTarget").AgentcoreGatewayTarget;
 export declare const AgentcoreGatewayTarget: typeof import("./agentcoreGatewayTarget").AgentcoreGatewayTarget;
+export { AgentcoreMemoryArgs, AgentcoreMemoryState } from "./agentcoreMemory";
+export type AgentcoreMemory = import("./agentcoreMemory").AgentcoreMemory;
+export declare const AgentcoreMemory: typeof import("./agentcoreMemory").AgentcoreMemory;
+export { AgentcoreMemoryStrategyArgs, AgentcoreMemoryStrategyState } from "./agentcoreMemoryStrategy";
+export type AgentcoreMemoryStrategy = import("./agentcoreMemoryStrategy").AgentcoreMemoryStrategy;
+export declare const AgentcoreMemoryStrategy: typeof import("./agentcoreMemoryStrategy").AgentcoreMemoryStrategy;
+export { AgentcoreOauth2CredentialProviderArgs, AgentcoreOauth2CredentialProviderState } from "./agentcoreOauth2CredentialProvider";
+export type AgentcoreOauth2CredentialProvider = import("./agentcoreOauth2CredentialProvider").AgentcoreOauth2CredentialProvider;
+export declare const AgentcoreOauth2CredentialProvider: typeof import("./agentcoreOauth2CredentialProvider").AgentcoreOauth2CredentialProvider;
+export { AgentcoreTokenVaultCmkArgs, AgentcoreTokenVaultCmkState } from "./agentcoreTokenVaultCmk";
+export type AgentcoreTokenVaultCmk = import("./agentcoreTokenVaultCmk").AgentcoreTokenVaultCmk;
+export declare const AgentcoreTokenVaultCmk: typeof import("./agentcoreTokenVaultCmk").AgentcoreTokenVaultCmk;
+export { AgentcoreWorkloadIdentityArgs, AgentcoreWorkloadIdentityState } from "./agentcoreWorkloadIdentity";
+export type AgentcoreWorkloadIdentity = import("./agentcoreWorkloadIdentity").AgentcoreWorkloadIdentity;
+export declare const AgentcoreWorkloadIdentity: typeof import("./agentcoreWorkloadIdentity").AgentcoreWorkloadIdentity;
 export { CustomModelArgs, CustomModelState } from "./customModel";
 export type CustomModel = import("./customModel").CustomModel;
 export declare const CustomModel: typeof import("./customModel").CustomModel;

package/bedrock/index.js

@@ -2,7 +2,7 @@
 // *** WARNING: this file was generated by pulumi-language-nodejs. ***
 // *** Do not edit by hand unless you're certain you know what you are doing! ***
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ProvisionedModelThroughput = exports.InferenceProfile = exports.GuardrailVersion = exports.Guardrail = exports.getInferenceProfilesOutput = exports.getInferenceProfiles = exports.getInferenceProfileOutput = exports.getInferenceProfile = exports.getCustomModelsOutput = exports.getCustomModels = exports.getCustomModelOutput = exports.getCustomModel = exports.getAgentAgentVersionsOutput = exports.getAgentAgentVersions = exports.CustomModel = exports.AgentcoreGatewayTarget = exports.AgentcoreGateway = exports.AgentcoreCodeInterpreter = exports.AgentcoreBrowser = exports.AgentcoreApiKeyCredentialProvider = exports.AgentcoreAgentRuntimeEndpoint = exports.AgentcoreAgentRuntime = exports.AgentPrompt = exports.AgentKnowledgeBase = exports.AgentFlow = exports.AgentDataSource = exports.AgentAgentKnowledgeBaseAssociation = exports.AgentAgentCollaborator = exports.AgentAgentAlias = exports.AgentAgentActionGroup = exports.AgentAgent = void 0;
+exports.ProvisionedModelThroughput = exports.InferenceProfile = exports.GuardrailVersion = exports.Guardrail = exports.getInferenceProfilesOutput = exports.getInferenceProfiles = exports.getInferenceProfileOutput = exports.getInferenceProfile = exports.getCustomModelsOutput = exports.getCustomModels = exports.getCustomModelOutput = exports.getCustomModel = exports.getAgentAgentVersionsOutput = exports.getAgentAgentVersions = exports.CustomModel = exports.AgentcoreWorkloadIdentity = exports.AgentcoreTokenVaultCmk = exports.AgentcoreOauth2CredentialProvider = exports.AgentcoreMemoryStrategy = exports.AgentcoreMemory = exports.AgentcoreGatewayTarget = exports.AgentcoreGateway = exports.AgentcoreCodeInterpreter = exports.AgentcoreBrowser = exports.AgentcoreApiKeyCredentialProvider = exports.AgentcoreAgentRuntimeEndpoint = exports.AgentcoreAgentRuntime = exports.AgentPrompt = exports.AgentKnowledgeBase = exports.AgentFlow = exports.AgentDataSource = exports.AgentAgentKnowledgeBaseAssociation = exports.AgentAgentCollaborator = exports.AgentAgentAlias = exports.AgentAgentActionGroup = exports.AgentAgent = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("../utilities");
 exports.AgentAgent = null;
@@ -37,6 +37,16 @@ exports.AgentcoreGateway = null;
 utilities.lazyLoad(exports, ["AgentcoreGateway"], () => require("./agentcoreGateway"));
 exports.AgentcoreGatewayTarget = null;
 utilities.lazyLoad(exports, ["AgentcoreGatewayTarget"], () => require("./agentcoreGatewayTarget"));
+exports.AgentcoreMemory = null;
+utilities.lazyLoad(exports, ["AgentcoreMemory"], () => require("./agentcoreMemory"));
+exports.AgentcoreMemoryStrategy = null;
+utilities.lazyLoad(exports, ["AgentcoreMemoryStrategy"], () => require("./agentcoreMemoryStrategy"));
+exports.AgentcoreOauth2CredentialProvider = null;
+utilities.lazyLoad(exports, ["AgentcoreOauth2CredentialProvider"], () => require("./agentcoreOauth2CredentialProvider"));
+exports.AgentcoreTokenVaultCmk = null;
+utilities.lazyLoad(exports, ["AgentcoreTokenVaultCmk"], () => require("./agentcoreTokenVaultCmk"));
+exports.AgentcoreWorkloadIdentity = null;
+utilities.lazyLoad(exports, ["AgentcoreWorkloadIdentity"], () => require("./agentcoreWorkloadIdentity"));
 exports.CustomModel = null;
 utilities.lazyLoad(exports, ["CustomModel"], () => require("./customModel"));
 exports.getAgentAgentVersions = null;
@@ -98,6 +108,16 @@ const _module = {
                 return new exports.AgentcoreGateway(name, undefined, { urn });
             case "aws:bedrock/agentcoreGatewayTarget:AgentcoreGatewayTarget":
                 return new exports.AgentcoreGatewayTarget(name, undefined, { urn });
+            case "aws:bedrock/agentcoreMemory:AgentcoreMemory":
+                return new exports.AgentcoreMemory(name, undefined, { urn });
+            case "aws:bedrock/agentcoreMemoryStrategy:AgentcoreMemoryStrategy":
+                return new exports.AgentcoreMemoryStrategy(name, undefined, { urn });
+            case "aws:bedrock/agentcoreOauth2CredentialProvider:AgentcoreOauth2CredentialProvider":
+                return new exports.AgentcoreOauth2CredentialProvider(name, undefined, { urn });
+            case "aws:bedrock/agentcoreTokenVaultCmk:AgentcoreTokenVaultCmk":
+                return new exports.AgentcoreTokenVaultCmk(name, undefined, { urn });
+            case "aws:bedrock/agentcoreWorkloadIdentity:AgentcoreWorkloadIdentity":
+                return new exports.AgentcoreWorkloadIdentity(name, undefined, { urn });
             case "aws:bedrock/customModel:CustomModel":
                 return new exports.CustomModel(name, undefined, { urn });
             case "aws:bedrock/guardrail:Guardrail":
@@ -129,6 +149,11 @@ pulumi.runtime.registerResourceModule("aws", "bedrock/agentcoreBrowser", _module
 pulumi.runtime.registerResourceModule("aws", "bedrock/agentcoreCodeInterpreter", _module);
 pulumi.runtime.registerResourceModule("aws", "bedrock/agentcoreGateway", _module);
 pulumi.runtime.registerResourceModule("aws", "bedrock/agentcoreGatewayTarget", _module);
+pulumi.runtime.registerResourceModule("aws", "bedrock/agentcoreMemory", _module);
+pulumi.runtime.registerResourceModule("aws", "bedrock/agentcoreMemoryStrategy", _module);
+pulumi.runtime.registerResourceModule("aws", "bedrock/agentcoreOauth2CredentialProvider", _module);
+pulumi.runtime.registerResourceModule("aws", "bedrock/agentcoreTokenVaultCmk", _module);
+pulumi.runtime.registerResourceModule("aws", "bedrock/agentcoreWorkloadIdentity", _module);
 pulumi.runtime.registerResourceModule("aws", "bedrock/customModel", _module);
 pulumi.runtime.registerResourceModule("aws", "bedrock/guardrail", _module);
 pulumi.runtime.registerResourceModule("aws", "bedrock/guardrailVersion", _module);