UNPKG

@aws-cdk/aws-bedrock-agentcore-alpha

Version:

The CDK Construct Library for Amazon Bedrock

github.com/aws/aws-cdk

aws/aws-cdk

384 lines (383 loc) 12.7 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
import * as cognito from 'aws-cdk-lib/aws-cognito'; import * as iam from 'aws-cdk-lib/aws-iam'; import * as kms from 'aws-cdk-lib/aws-kms'; import { IFunction } from 'aws-cdk-lib/aws-lambda'; import { Construct } from 'constructs'; import { GatewayBase, GatewayExceptionLevel, IGateway } from './gateway-base'; import { IGatewayAuthorizerConfig } from './inbound-auth/authorizer'; import { ICredentialProviderConfig } from './outbound-auth/credential-provider'; import { IGatewayProtocolConfig } from './protocol'; import { ApiSchema } from './targets/schema/api-schema'; import { ToolSchema } from './targets/schema/tool-schema'; import { GatewayTarget } from './targets/target'; /****************************************************************************** * Props *****************************************************************************/ /** * Options for adding a Lambda target to a gateway */ export interface AddLambdaTargetOptions { /** * The name of the gateway target * Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen) */ readonly gatewayTargetName: string; /** * Optional description for the gateway target * @default - No description */ readonly description?: string; /** * The Lambda function to associate with this target */ readonly lambdaFunction: IFunction; /** * The tool schema defining the available tools */ readonly toolSchema: ToolSchema; /** * Credential providers for authentication * @default - [GatewayCredentialProvider.iamRole()] */ readonly credentialProviderConfigurations?: ICredentialProviderConfig[]; } /** * Options for adding an OpenAPI target to a gateway */ export interface AddOpenApiTargetOptions { /** * The name of the gateway target * Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen) */ readonly gatewayTargetName: string; /** * Optional description for the gateway target * @default - No description */ readonly description?: string; /** * The OpenAPI schema defining the API */ readonly apiSchema: ApiSchema; /** * Whether to validate the OpenAPI schema or not * Note: Validation is only performed for inline and asset-based schema and during CDK synthesis. * S3 schemas cannot be validated at synthesis time. * @default true */ readonly validateOpenApiSchema?: boolean; /** * Credential providers for authentication * @default - [GatewayCredentialProvider.iamRole()] */ readonly credentialProviderConfigurations?: ICredentialProviderConfig[]; } /** * Options for adding a Smithy target to a gateway */ export interface AddSmithyTargetOptions { /** * The name of the gateway target * Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen) */ readonly gatewayTargetName: string; /** * Optional description for the gateway target * @default - No description */ readonly description?: string; /** * The Smithy model defining the API */ readonly smithyModel: ApiSchema; /** * Credential providers for authentication * @default - [GatewayCredentialProvider.iamRole()] */ readonly credentialProviderConfigurations?: ICredentialProviderConfig[]; } /** * Options for adding an MCP Server target to a gateway */ export interface AddMcpServerTargetOptions { /** * The name of the gateway target * Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen) */ readonly gatewayTargetName: string; /** * Optional description for the gateway target * @default - No description */ readonly description?: string; /** * The HTTPS endpoint URL of the MCP server * * The endpoint must: * - Use HTTPS protocol * - Be properly URL-encoded * - Point to an MCP server that implements tool capabilities */ readonly endpoint: string; /** * Credential providers for authentication * * MCP servers require explicit authentication configuration. * OAuth2 is strongly recommended over NoAuth. */ readonly credentialProviderConfigurations: ICredentialProviderConfig[]; } /** * Properties for defining a Gateway */ export interface GatewayProps { /** * The name of the gateway * Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen) * The name must be unique within your account */ readonly gatewayName: string; /** * Optional description for the gateway * Valid characters are a-z, A-Z, 0-9, _ (underscore), - (hyphen) and spaces * The description can have up to 200 characters * @default - No description */ readonly description?: string; /** * The protocol configuration for the gateway * @default - A default protocol configuration will be created using MCP with following params * supportedVersions: [MCPProtocolVersion.MCP_2025_03_26], * searchType: McpGatewaySearchType.SEMANTIC, * instructions: "Default gateway to connect to external MCP tools", */ readonly protocolConfiguration?: IGatewayProtocolConfig; /** * The authorizer configuration for the gateway * @default - A default authorizer will be created using Cognito */ readonly authorizerConfiguration?: IGatewayAuthorizerConfig; /** * The verbosity of exception messages * Use DEBUG mode to see granular exception messages from a Gateway * @default - Exception messages are sanitized for presentation to end users */ readonly exceptionLevel?: GatewayExceptionLevel; /** * The AWS KMS key used to encrypt data associated with the gateway * @default - No encryption */ readonly kmsKey?: kms.IKey; /** * The IAM role that provides permissions for the gateway to access AWS services * @default - A new role will be created */ readonly role?: iam.IRole; /** * Tags for the gateway * A list of key:value pairs of tags to apply to this Gateway resource * @default - No tags */ readonly tags?: { [key: string]: string; }; } /** * Attributes for importing an existing Gateway */ export interface GatewayAttributes { /** * The ARN of the gateway */ readonly gatewayArn: string; /** * The ID of the gateway */ readonly gatewayId: string; /** * The name of the gateway */ readonly gatewayName: string; /** * The IAM role that provides permissions for the gateway */ readonly role: iam.IRole; } /****************************************************************************** * Class *****************************************************************************/ /** * Gateway resource for AWS Bedrock Agent Core. * Serves as an integration point between your agent and external services. * * @resource AWS::BedrockAgentCore::Gateway * @see https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateGateway.html */ export declare class Gateway extends GatewayBase { /** Uniquely identifies this class. */ static readonly PROPERTY_INJECTION_ID: string; /** * Import an existing Gateway using its attributes * * @param scope The construct scope * @param id The construct id * @param attrs The attributes of the existing Gateway * @returns An IGateway instance representing the imported gateway */ static fromGatewayAttributes(scope: Construct, id: string, attrs: GatewayAttributes): IGateway; /** * The ARN of the gateway * @attribute */ readonly gatewayArn: string; /** * The unique identifier of the gateway * @attribute */ readonly gatewayId: string; /** * The name of the gateway */ readonly name: string; /** * The description of the gateway */ readonly description?: string; /** * The protocol configuration for the gateway */ readonly protocolConfiguration: IGatewayProtocolConfig; /** * The authorizer configuration for the gateway */ readonly authorizerConfiguration: IGatewayAuthorizerConfig; /** * The exception level for the gateway */ readonly exceptionLevel?: GatewayExceptionLevel; /** * The KMS key used for encryption */ readonly kmsKey?: kms.IKey; /** * The IAM role for the gateway */ readonly role: iam.IRole; /** * The URL endpoint for the gateway * @attribute */ readonly gatewayUrl?: string; /** * The status of the gateway * @attribute */ readonly status?: string; /** * The status reasons for the gateway * @attribute */ readonly statusReason?: string[]; /** * Timestamp when the gateway was created * @attribute */ readonly createdAt?: string; /** * Timestamp when the gateway was last updated * @attribute */ readonly updatedAt?: string; /** * Tags applied to the gateway */ readonly tags?: { [key: string]: string; }; /** * The Cognito User Pool created for the gateway (if using default Cognito authorizer) */ userPool?: cognito.IUserPool; /** * The Cognito User Pool Client created for the gateway (if using default Cognito authorizer) */ userPoolClient?: cognito.IUserPoolClient; constructor(scope: Construct, id: string, props: GatewayProps); /** * Add a Lambda target to this gateway * This is a convenience method that creates a GatewayTarget associated with this gateway * * @param id The construct id for the target * @param props Properties for the Lambda target * @returns The created GatewayTarget */ addLambdaTarget(id: string, props: AddLambdaTargetOptions): GatewayTarget; /** * Add an OpenAPI target to this gateway * This is a convenience method that creates a GatewayTarget associated with this gateway * * @param id The construct id for the target * @param props Properties for the OpenAPI target * @returns The created GatewayTarget */ addOpenApiTarget(id: string, props: AddOpenApiTargetOptions): GatewayTarget; /** * Add a Smithy target to this gateway * This is a convenience method that creates a GatewayTarget associated with this gateway * * @param id The construct id for the target * @param props Properties for the Smithy target * @returns The created GatewayTarget */ addSmithyTarget(id: string, props: AddSmithyTargetOptions): GatewayTarget; /** * Add an MCP server target to this gateway * This is a convenience method that creates a GatewayTarget associated with this gateway * * @param id The construct id for the target * @param props Properties for the MCP server target * @returns The created GatewayTarget * @see https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-target-MCPservers.html */ addMcpServerTarget(id: string, props: AddMcpServerTargetOptions): GatewayTarget; /** * Creates the service role for the gateway to assume * * The service role starts with minimal permissions. Additional permissions * are added automatically when targets are configured: * - KMS encryption: Automatically grants encrypt/decrypt permissions * * For other target types, manually grant permissions using standard CDK grant methods: * @internal */ private createGatewayRole; /** * Validates the gateway name format * Pattern: ^([0-9a-zA-Z][-]?){1,100}$ * Max length: 48 characters * @param name The gateway name to validate * @throws Error if the name is invalid * @internal */ private validateGatewayName; /** * Validates the description format * Max length: 200 characters * @param description The description to validate * @throws Error if validation fails * @internal */ private validateDescription; /** * Creates a default Cognito authorizer for the gateway * Provisions a Cognito User Pool and configures JWT authentication * @internal */ private createDefaultCognitoAuthorizerConfig; /** * Creates a default MCP protocol configuration for the gateway * Provides sensible defaults for MCP protocol settings * @internal */ private createDefaultMcpProtocolConfiguration; }