serverless-bedrock-agentcore-plugin 0.1.0

package/src/compilers/browser.js

@@ -0,0 +1,110 @@
+'use strict';
+
+const { getResourceName, getLogicalId } = require('../utils/naming');
+
+/**
+ * Build network configuration for BrowserCustom
+ *
+ * @param {Object} network - The network configuration from serverless.yml
+ * @returns {Object} CloudFormation NetworkConfiguration
+ */
+function buildBrowserNetworkConfiguration(network = {}) {
+  const networkMode = network.networkMode || 'PUBLIC';
+
+  const config = {
+    NetworkMode: networkMode,
+  };
+
+  if (networkMode === 'VPC' && network.vpcConfig) {
+    config.VpcConfig = {
+      ...(network.vpcConfig.subnetIds && { SubnetIds: network.vpcConfig.subnetIds }),
+      ...(network.vpcConfig.securityGroupIds && {
+        SecurityGroupIds: network.vpcConfig.securityGroupIds,
+      }),
+    };
+  }
+
+  return config;
+}
+
+/**
+ * Build recording configuration for BrowserCustom
+ *
+ * @param {Object} recording - The recording configuration from serverless.yml
+ * @returns {Object|null} CloudFormation RecordingConfig or null
+ */
+function buildRecordingConfig(recording) {
+  if (!recording) {
+    return null;
+  }
+
+  const config = {};
+
+  if (recording.enabled !== undefined) {
+    config.Enabled = recording.enabled;
+  }
+
+  if (recording.s3Location) {
+    config.S3Location = {
+      Bucket: recording.s3Location.bucket,
+      ...(recording.s3Location.prefix && { Prefix: recording.s3Location.prefix }),
+    };
+  }
+
+  return Object.keys(config).length > 0 ? config : null;
+}
+
+/**
+ * Build browser signing configuration
+ *
+ * @param {Object} signing - The signing configuration from serverless.yml
+ * @returns {Object|null} CloudFormation BrowserSigning or null
+ */
+function buildBrowserSigning(signing) {
+  if (!signing) {
+    return null;
+  }
+
+  return { Enabled: signing.enabled || false };
+}
+
+/**
+ * Compile a BrowserCustom resource to CloudFormation
+ *
+ * @param {string} name - The browser name
+ * @param {Object} config - The browser configuration
+ * @param {Object} context - The compilation context
+ * @param {Object} tags - The merged tags
+ * @returns {Object} CloudFormation resource definition
+ */
+function compileBrowser(name, config, context, tags) {
+  const { serviceName, stage } = context;
+  const resourceName = getResourceName(serviceName, name, stage);
+  const roleLogicalId = `${getLogicalId(name, 'Browser')}Role`;
+
+  const networkConfig = buildBrowserNetworkConfiguration(config.network);
+  const recordingConfig = buildRecordingConfig(config.recording);
+  const signingConfig = buildBrowserSigning(config.signing);
+
+  return {
+    Type: 'AWS::BedrockAgentCore::BrowserCustom',
+    Properties: {
+      Name: resourceName,
+      NetworkConfiguration: networkConfig,
+      ...(config.roleArn
+        ? { ExecutionRoleArn: config.roleArn }
+        : { ExecutionRoleArn: { 'Fn::GetAtt': [roleLogicalId, 'Arn'] } }),
+      ...(config.description && { Description: config.description }),
+      ...(signingConfig && { BrowserSigning: signingConfig }),
+      ...(recordingConfig && { RecordingConfig: recordingConfig }),
+      ...(Object.keys(tags).length > 0 && { Tags: tags }),
+    },
+  };
+}
+
+module.exports = {
+  compileBrowser,
+  buildBrowserNetworkConfiguration,
+  buildRecordingConfig,
+  buildBrowserSigning,
+};

package/src/compilers/codeInterpreter.js

@@ -0,0 +1,64 @@
+'use strict';
+
+const { getResourceName, getLogicalId } = require('../utils/naming');
+
+/**
+ * Build network configuration for CodeInterpreterCustom
+ * Supports PUBLIC, SANDBOX, and VPC modes
+ *
+ * @param {Object} network - The network configuration from serverless.yml
+ * @returns {Object} CloudFormation NetworkConfiguration
+ */
+function buildCodeInterpreterNetworkConfiguration(network = {}) {
+  const networkMode = network.networkMode || 'SANDBOX';
+
+  const config = {
+    NetworkMode: networkMode, // PUBLIC, SANDBOX, or VPC
+  };
+
+  if (networkMode === 'VPC' && network.vpcConfig) {
+    config.VpcConfig = {
+      ...(network.vpcConfig.subnetIds && { SubnetIds: network.vpcConfig.subnetIds }),
+      ...(network.vpcConfig.securityGroupIds && {
+        SecurityGroupIds: network.vpcConfig.securityGroupIds,
+      }),
+    };
+  }
+
+  return config;
+}
+
+/**
+ * Compile a CodeInterpreterCustom resource to CloudFormation
+ *
+ * @param {string} name - The code interpreter name
+ * @param {Object} config - The code interpreter configuration
+ * @param {Object} context - The compilation context
+ * @param {Object} tags - The merged tags
+ * @returns {Object} CloudFormation resource definition
+ */
+function compileCodeInterpreter(name, config, context, tags) {
+  const { serviceName, stage } = context;
+  const resourceName = getResourceName(serviceName, name, stage);
+  const roleLogicalId = `${getLogicalId(name, 'CodeInterpreter')}Role`;
+
+  const networkConfig = buildCodeInterpreterNetworkConfiguration(config.network);
+
+  return {
+    Type: 'AWS::BedrockAgentCore::CodeInterpreterCustom',
+    Properties: {
+      Name: resourceName,
+      NetworkConfiguration: networkConfig,
+      ...(config.roleArn
+        ? { ExecutionRoleArn: config.roleArn }
+        : { ExecutionRoleArn: { 'Fn::GetAtt': [roleLogicalId, 'Arn'] } }),
+      ...(config.description && { Description: config.description }),
+      ...(Object.keys(tags).length > 0 && { Tags: tags }),
+    },
+  };
+}
+
+module.exports = {
+  compileCodeInterpreter,
+  buildCodeInterpreterNetworkConfiguration,
+};

package/src/compilers/gateway.js

@@ -0,0 +1,98 @@
+'use strict';
+
+const { getLogicalId } = require('../utils/naming');
+
+/**
+ * Build authorizer configuration for the gateway
+ *
+ * @param {Object} authConfig - The authorizer configuration from serverless.yml
+ * @returns {Object|null} CloudFormation authorizer configuration or null
+ */
+function buildGatewayAuthorizerConfiguration(authConfig) {
+  if (!authConfig) {
+    return null;
+  }
+
+  return {
+    ...(authConfig.allowedAudiences && { AllowedAudiences: authConfig.allowedAudiences }),
+    ...(authConfig.allowedClients && { AllowedClients: authConfig.allowedClients }),
+    ...(authConfig.allowedIssuers && { AllowedIssuers: authConfig.allowedIssuers }),
+  };
+}
+
+/**
+ * Build protocol configuration for the gateway
+ *
+ * @param {Object} protocolConfig - The protocol configuration from serverless.yml
+ * @returns {Object|null} CloudFormation protocol configuration or null
+ */
+function buildGatewayProtocolConfiguration(protocolConfig) {
+  if (!protocolConfig) {
+    return null;
+  }
+
+  return {
+    ...(protocolConfig.mcpConfiguration && {
+      McpConfiguration: {
+        ...(protocolConfig.mcpConfiguration.instructions && {
+          Instructions: protocolConfig.mcpConfiguration.instructions,
+        }),
+        ...(protocolConfig.mcpConfiguration.supportedVersions && {
+          SupportedVersions: protocolConfig.mcpConfiguration.supportedVersions,
+        }),
+      },
+    }),
+  };
+}
+
+/**
+ * Compile a Gateway resource to CloudFormation
+ *
+ * @param {string} name - The agent name
+ * @param {Object} config - The gateway configuration
+ * @param {Object} context - The compilation context
+ * @param {Object} tags - The merged tags
+ * @returns {Object} CloudFormation resource definition
+ */
+function compileGateway(name, config, context, tags) {
+  const { serviceName, stage } = context;
+
+  // Gateway name pattern: ^([0-9a-zA-Z][-]?){1,100}$
+  const resourceName = `${serviceName}-${name}-${stage}`
+    .replace(/[^0-9a-zA-Z-]/g, '-')
+    .replace(/--+/g, '-')
+    .substring(0, 100);
+
+  const roleLogicalId = `${getLogicalId(name, 'Gateway')}Role`;
+
+  // Default to AWS_IAM if not specified
+  const authorizerType = config.authorizerType || 'AWS_IAM';
+
+  // Default to MCP if not specified
+  const protocolType = config.protocolType || 'MCP';
+
+  const authConfig = buildGatewayAuthorizerConfiguration(config.authorizerConfiguration);
+  const protocolConfig = buildGatewayProtocolConfiguration(config.protocolConfiguration);
+
+  return {
+    Type: 'AWS::BedrockAgentCore::Gateway',
+    Properties: {
+      Name: resourceName,
+      AuthorizerType: authorizerType,
+      ProtocolType: protocolType,
+      RoleArn: config.roleArn || { 'Fn::GetAtt': [roleLogicalId, 'Arn'] },
+      ...(config.description && { Description: config.description }),
+      ...(authConfig && { AuthorizerConfiguration: authConfig }),
+      ...(protocolConfig && { ProtocolConfiguration: protocolConfig }),
+      ...(config.kmsKeyArn && { KmsKeyArn: config.kmsKeyArn }),
+      ...(config.exceptionLevel && { ExceptionLevel: config.exceptionLevel }),
+      ...(Object.keys(tags).length > 0 && { Tags: tags }),
+    },
+  };
+}
+
+module.exports = {
+  compileGateway,
+  buildGatewayAuthorizerConfiguration,
+  buildGatewayProtocolConfiguration,
+};

package/src/compilers/gatewayTarget.js

@@ -0,0 +1,285 @@
+'use strict';
+
+/**
+ * Build credential provider configuration for the gateway target
+ *
+ * @param {Object} credProvider - The credential provider configuration
+ * @returns {Array} CloudFormation credential provider configurations array
+ */
+function buildCredentialProviderConfigurations(credProvider) {
+  if (!credProvider) {
+    // Default to GATEWAY_IAM_ROLE
+    return [
+      {
+        CredentialProviderType: 'GATEWAY_IAM_ROLE',
+      },
+    ];
+  }
+
+  const config = {
+    CredentialProviderType: credProvider.type || 'GATEWAY_IAM_ROLE',
+  };
+
+  // Add OAuth configuration
+  if (credProvider.type === 'OAUTH' && credProvider.oauthConfig) {
+    config.OauthCredentialProviderConfiguration = {
+      ...(credProvider.oauthConfig.secretArn && {
+        CredentialsSecretArn: credProvider.oauthConfig.secretArn,
+      }),
+      ...(credProvider.oauthConfig.tokenUrl && {
+        OauthTokenEndpoint: credProvider.oauthConfig.tokenUrl,
+      }),
+      ...(credProvider.oauthConfig.scopes && { Scopes: credProvider.oauthConfig.scopes }),
+    };
+  }
+
+  // Add API Key configuration
+  if (credProvider.type === 'API_KEY' && credProvider.apiKeyConfig) {
+    config.ApiKeyCredentialProviderConfiguration = {
+      ...(credProvider.apiKeyConfig.secretArn && {
+        ApiKeySecretArn: credProvider.apiKeyConfig.secretArn,
+      }),
+    };
+  }
+
+  return [config];
+}
+
+/**
+ * Build target configuration based on target type
+ *
+ * @param {Object} target - The target configuration from serverless.yml
+ * @param {Object} context - The compilation context
+ * @returns {Object} CloudFormation target configuration
+ */
+function buildTargetConfiguration(target, context) {
+  const targetType = target.type || 'lambda';
+
+  switch (targetType.toLowerCase()) {
+    case 'lambda':
+      return buildLambdaTargetConfiguration(target, context);
+    case 'openapi':
+      return buildOpenApiTargetConfiguration(target);
+    case 'smithy':
+      return buildSmithyTargetConfiguration(target);
+    default:
+      throw new Error(`Unknown gateway target type: ${targetType}`);
+  }
+}
+
+/**
+ * Transform JSON Schema to CloudFormation SchemaDefinition (PascalCase)
+ *
+ * @param {Object} schema - The JSON schema object
+ * @returns {Object} CloudFormation SchemaDefinition
+ */
+function transformSchemaToCloudFormation(schema) {
+  if (!schema || typeof schema !== 'object') {
+    return schema;
+  }
+
+  const cfSchema = {};
+
+  // Transform type (required)
+  if (schema.type || schema.Type) {
+    cfSchema.Type = schema.Type || schema.type;
+  }
+
+  // Transform description (optional)
+  if (schema.description || schema.Description) {
+    cfSchema.Description = schema.Description || schema.description;
+  }
+
+  // Transform properties (optional, for object types)
+  if (schema.properties || schema.Properties) {
+    const props = schema.Properties || schema.properties;
+    cfSchema.Properties = {};
+    for (const [key, value] of Object.entries(props)) {
+      cfSchema.Properties[key] = transformSchemaToCloudFormation(value);
+    }
+  }
+
+  // Transform required (optional, for object types)
+  if (schema.required || schema.Required) {
+    cfSchema.Required = schema.Required || schema.required;
+  }
+
+  // Transform items (optional, for array types)
+  if (schema.items || schema.Items) {
+    cfSchema.Items = transformSchemaToCloudFormation(schema.Items || schema.items);
+  }
+
+  // Transform enum (optional)
+  if (schema.enum || schema.Enum) {
+    cfSchema.Enum = schema.Enum || schema.enum;
+  }
+
+  return cfSchema;
+}
+
+/**
+ * Build Lambda target configuration
+ *
+ * @param {Object} target - The target configuration
+ * @param {Object} context - The compilation context
+ * @returns {Object} CloudFormation Lambda target configuration
+ */
+function buildLambdaTargetConfiguration(target, _context) {
+  let functionArn = target.functionArn;
+
+  // If functionName is provided instead of functionArn, build the ARN reference
+  if (target.functionName && !functionArn) {
+    // Reference the function from the same stack
+    const functionLogicalId =
+      target.functionName
+        .split(/[-_]/)
+        .map((part) => part.charAt(0).toUpperCase() + part.slice(1).toLowerCase())
+        .join('') + 'LambdaFunction';
+
+    functionArn = { 'Fn::GetAtt': [functionLogicalId, 'Arn'] };
+  }
+
+  const lambdaConfig = {
+    LambdaArn: functionArn,
+  };
+
+  // Add ToolSchema if provided
+  if (target.toolSchema) {
+    const toolSchema = {};
+
+    // Handle InlinePayload (CloudFormation uses PascalCase)
+    if (target.toolSchema.inlinePayload) {
+      toolSchema.InlinePayload = target.toolSchema.inlinePayload.map((tool) => ({
+        Name: tool.name || tool.Name,
+        Description: tool.description || tool.Description,
+        InputSchema: transformSchemaToCloudFormation(tool.inputSchema || tool.InputSchema),
+        ...(tool.outputSchema || tool.OutputSchema
+          ? {
+              OutputSchema: transformSchemaToCloudFormation(tool.outputSchema || tool.OutputSchema),
+            }
+          : {}),
+      }));
+    }
+
+    // Handle S3 location (CloudFormation uses PascalCase)
+    if (target.toolSchema.s3) {
+      toolSchema.S3 = {
+        Uri:
+          target.toolSchema.s3.uri ||
+          `s3://${target.toolSchema.s3.bucket}/${target.toolSchema.s3.key}`,
+        ...(target.toolSchema.s3.bucketOwnerAccountId && {
+          BucketOwnerAccountId: target.toolSchema.s3.bucketOwnerAccountId,
+        }),
+      };
+    }
+
+    lambdaConfig.ToolSchema = toolSchema;
+  }
+
+  return {
+    Mcp: {
+      Lambda: lambdaConfig,
+    },
+  };
+}
+
+/**
+ * Build OpenAPI target configuration
+ *
+ * @param {Object} target - The target configuration
+ * @returns {Object} CloudFormation OpenAPI target configuration
+ */
+function buildOpenApiTargetConfiguration(target) {
+  const openApiConfig = {};
+
+  if (target.s3) {
+    openApiConfig.S3 = {
+      Uri: target.s3.uri || `s3://${target.s3.bucket}/${target.s3.key}`,
+      ...(target.s3.bucketOwnerAccountId && {
+        BucketOwnerAccountId: target.s3.bucketOwnerAccountId,
+      }),
+    };
+  }
+
+  if (target.inline || target.inlinePayload) {
+    openApiConfig.InlinePayload = target.inline || target.inlinePayload;
+  }
+
+  return {
+    Mcp: {
+      OpenApiSchema: openApiConfig,
+    },
+  };
+}
+
+/**
+ * Build Smithy target configuration
+ *
+ * @param {Object} target - The target configuration
+ * @returns {Object} CloudFormation Smithy target configuration
+ */
+function buildSmithyTargetConfiguration(target) {
+  const smithyConfig = {};
+
+  if (target.s3) {
+    smithyConfig.S3 = {
+      Uri: target.s3.uri || `s3://${target.s3.bucket}/${target.s3.key}`,
+      ...(target.s3.bucketOwnerAccountId && {
+        BucketOwnerAccountId: target.s3.bucketOwnerAccountId,
+      }),
+    };
+  }
+
+  if (target.inline || target.inlinePayload) {
+    smithyConfig.InlinePayload = target.inline || target.inlinePayload;
+  }
+
+  return {
+    Mcp: {
+      SmithyModel: smithyConfig,
+    },
+  };
+}
+
+/**
+ * Compile a GatewayTarget resource to CloudFormation
+ *
+ * @param {string} gatewayName - The parent gateway name
+ * @param {string} targetName - The target name
+ * @param {Object} config - The target configuration
+ * @param {string} gatewayLogicalId - The logical ID of the parent Gateway resource
+ * @param {Object} context - The compilation context
+ * @returns {Object} CloudFormation resource definition
+ */
+function compileGatewayTarget(gatewayName, targetName, config, gatewayLogicalId, context) {
+  // Target name pattern: ^([0-9a-zA-Z][-]?){1,100}$
+  const resourceName = targetName
+    .replace(/[^0-9a-zA-Z-]/g, '-')
+    .replace(/--+/g, '-')
+    .substring(0, 100);
+
+  const credentialConfigs = buildCredentialProviderConfigurations(config.credentialProvider);
+  const targetConfig = buildTargetConfiguration(config, context);
+
+  return {
+    Type: 'AWS::BedrockAgentCore::GatewayTarget',
+    DependsOn: [gatewayLogicalId],
+    Properties: {
+      Name: resourceName,
+      GatewayIdentifier: { 'Fn::GetAtt': [gatewayLogicalId, 'GatewayIdentifier'] },
+      CredentialProviderConfigurations: credentialConfigs,
+      TargetConfiguration: targetConfig,
+      ...(config.description && { Description: config.description }),
+    },
+  };
+}
+
+module.exports = {
+  compileGatewayTarget,
+  buildCredentialProviderConfigurations,
+  buildTargetConfiguration,
+  buildLambdaTargetConfiguration,
+  buildOpenApiTargetConfiguration,
+  buildSmithyTargetConfiguration,
+  transformSchemaToCloudFormation,
+};

package/src/compilers/index.js

@@ -0,0 +1,15 @@
+'use strict';
+
+const { compileRuntime } = require('./runtime');
+const { compileRuntimeEndpoint } = require('./runtimeEndpoint');
+const { compileMemory } = require('./memory');
+const { compileGateway } = require('./gateway');
+const { compileGatewayTarget } = require('./gatewayTarget');
+
+module.exports = {
+  compileRuntime,
+  compileRuntimeEndpoint,
+  compileMemory,
+  compileGateway,
+  compileGatewayTarget,
+};