serverless-bedrock-agentcore-plugin 0.4.0 → 0.5.0
- package/package.json +1 -1
- package/src/compilers/runtime.js +7 -5
- package/src/index.js +54 -3
package/package.json
CHANGED
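--- a/package/src/compilers/runtime.js
+++ b/package/src/compilers/runtime.js
@@ -187,15 +187,15 @@ function buildRequestHeaderConfiguration(requestHeaders) {
 * Allows cross-account or cross-principal access to invoke the agent
 *
 * @param {Object} resourcePolicy - The resource policy configuration from serverless.yml
-* @returns {Object|null}
+* @returns {Object|null} IAM policy document or null
 */
 function buildResourcePolicy(resourcePolicy) {
 if (!resourcePolicy || !resourcePolicy.Statement || resourcePolicy.Statement.length === 0) {
 return null;
 }
 
-//
-//
+// Return standard IAM policy document format
+// Applied via bedrock-agentcore-control put-resource-policy API after deploy
 return {
 Version: resourcePolicy.Version || '2012-10-17',
 Statement: resourcePolicy.Statement,
@@ -223,7 +223,10 @@ function compileRuntime(name, config, context, tags) {
 const protocolConfig = buildProtocolConfiguration(config.protocol);
 const envVars = buildEnvironmentVariables(config.environment);
 const requestHeaderConfig = buildRequestHeaderConfiguration(config.requestHeaders);
-
+
+// Note: resourcePolicy is NOT included in CFN properties.
+// CloudFormation doesn't support ResourcePolicy on AWS::BedrockAgentCore::Runtime.
+// It is applied via the bedrock-agentcore-control put-resource-policy API after deploy.
 
 return {
 Type: 'AWS::BedrockAgentCore::Runtime',
@@ -238,7 +241,6 @@ function compileRuntime(name, config, context, tags) {
 ...(protocolConfig && { ProtocolConfiguration: protocolConfig }),
 ...(envVars && { EnvironmentVariables: envVars }),
 ...(requestHeaderConfig && { RequestHeaderConfiguration: requestHeaderConfig }),
-...(resourcePolicy && { ResourcePolicy: resourcePolicy }),
 ...(Object.keys(tags).length > 0 && { Tags: tags }),
 },
 };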
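Review bot: `buildResourcePolicy` in the first hunk forwards `resourcePolicy.Statement` from serverless.yml unchanged, and the JSDoc does not say that no validation happens, even though the result now goes to the put-resource-policy API rather than into a CloudFormation property. I would add a line to the doc comment, `* Statements are passed through as written; principals, actions and conditions are not validated here.`, so a reader knows that a broad statement (for example a wildcard principal with no condition) reaches the runtime exactly as configured. Whether any caller or schema validates the policy before this point is not visible in the diff. The function's return object closes outside the hunk.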
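--- a/package/src/index.js
+++ b/package/src/index.js
@@ -1,6 +1,6 @@
 'use strict';
 
-const { compileRuntime } = require('./compilers/runtime');
+const { compileRuntime, buildResourcePolicy } = require('./compilers/runtime');
 const { compileRuntimeEndpoint } = require('./compilers/runtimeEndpoint');
 const { compileMemory } = require('./compilers/memory');
 const { compileGateway } = require('./compilers/gateway');
@@ -137,8 +137,11 @@ class ServerlessBedrockAgentCore {
 'after:package:compileFunctions': () => this.compileAgentCoreResources(),
 'before:package:finalize': () => this.compileAgentCoreResources(),
 
-// Post-deploy info
-'after:deploy:deploy': () =>
+// Post-deploy: apply resource policies, then display info
+'after:deploy:deploy': async () => {
+await this.applyResourcePolicies();
+await this.displayDeploymentInfo();
+},
 
 // Custom commands
 'agentcore:info:info': () => this.showInfo(),
@@ -972,6 +975,54 @@ class ServerlessBedrockAgentCore {
 }
 }
 
+/**
+* Apply resource policies to runtimes after deployment.
+* CloudFormation doesn't support ResourcePolicy on AWS::BedrockAgentCore::Runtime,
+* so we apply it via the bedrock-agentcore-control put-resource-policy API after deploy.
+*/
+async applyResourcePolicies() {
+const agents = this.getAgentsConfig();
+
+if (!agents || Object.keys(agents).length === 0) {
+return;
+}
+
+const agentsWithPolicies = Object.entries(agents).filter(
+([, config]) => config.type === 'runtime' && config.resourcePolicy
+);
+
+if (agentsWithPolicies.length === 0) {
+return;
+}
+
+this.log.info(`Applying resource policies for ${agentsWithPolicies.length} runtime(s)...`);
+
+for (const [name, config] of agentsWithPolicies) {
+try {
+this.log.info(` Applying resource policy for '${name}'...`);
+
+const runtimeArn = await this.getRuntimeArn(name);
+const policyDocument = buildResourcePolicy(config.resourcePolicy);
+
+if (!policyDocument) {
+this.log.warning(` Skipping '${name}': resource policy has no statements`);
+continue;
+}
+
+await this.provider.request('BedrockAgentCoreControl', 'putResourcePolicy', {
+resourceArn: runtimeArn,
+policy: JSON.stringify(policyDocument),
+});
+
+this.log.info(` Resource policy applied successfully for '${name}'`);
+} catch (error) {
+throw new this.serverless.classes.Error(
+`Failed to apply resource policy for '${name}': ${error.message}`
+);
+}
+}
+}
+
 /**
 * Show information about AgentCore resources
 */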
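Review bot: `applyResourcePolicies` in the last hunk only ever puts a policy, so a runtime whose `resourcePolicy` key was removed from the config, or whose policy now has no statements (the `continue` branch), keeps whatever policy an earlier deploy attached. The policy is applied outside the CloudFormation template, and nothing visible in this diff revokes that access. The skip message should say so, for example `Skipping '${name}': resource policy has no statements; any policy applied by an earlier deploy stays attached`, and the method's doc comment should state that removing the key does not remove the policy. The hook runs on `after:deploy:deploy`, so a failure part-way through the loop appears to leave the stack deployed with policies applied to only some runtimes; that is worth a sentence in the doc comment too.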