Skip to content

feat(bedrockagentcore): graduate to stable 🚀#37876

Open
alvazjor wants to merge 5 commits into
mainfrom
feat/agentcore-graduation
Open

feat(bedrockagentcore): graduate to stable 🚀#37876
alvazjor wants to merge 5 commits into
mainfrom
feat/agentcore-graduation

Conversation

@alvazjor
Copy link
Copy Markdown
Contributor

@alvazjor alvazjor commented May 14, 2026
edited
Loading

We are excited to graduate the @aws-cdk/aws-bedrock-agentcore-alpha module to STABLE.
It now lives on as aws-cdk-lib/aws-bedrockagentcore.

Migration Guide

// Before
import * as agentcore from '@aws-cdk/aws-bedrock-agentcore-alpha';

// After
import * as agentcore from 'aws-cdk-lib/aws-bedrockagentcore';

BREAKING CHANGES

Renames

Before After
IGateway.name IGateway.gatewayName
IGatewayTarget.name IGatewayTarget.gatewayTargetName
BrowserCustom.name BrowserCustom.browserCustomName
CodeInterpreterCustom.name CodeInterpreterCustom.codeInterpreterCustomName
IMemoryStrategy.name IMemoryStrategy.strategyName
MemoryStrategyCommonProps.name MemoryStrategyCommonProps.strategyName
ApiKeyCredentialProviderProps (gateway config) ApiKeyCredentialProviderOptions
ApiKeyCredentialProviderResourceProps (constructor) ApiKeyCredentialProviderProps
EvaluatorReference EvaluatorSelector
EvaluatorReferenceBindResult EvaluatorSelectorBindResult

Dependency change

Before After
OverrideConfig.model: IBedrockInvokable (from @aws-cdk/aws-bedrock-alpha) OverrideConfig.model: IModel (from aws-cdk-lib/aws-bedrock)

metric() signature

Removed dimensions: DimensionsMap positional parameter. Resource dimension is now baked into the implementation. Additional dimensions can be passed via props.dimensionsMap.

Before: metric(metricName: string, dimensions: DimensionsMap, props?: MetricOptions): Metric
After: metric(metricName: string, props?: MetricOptions): Metric

@github-actions github-actions Bot added the p2 label May 14, 2026
@mergify mergify Bot added the contribution/core This is a PR that came from AWS. label May 14, 2026
@mergify mergify Bot temporarily deployed to automation May 14, 2026 23:19 Inactive
@mergify mergify Bot temporarily deployed to automation May 14, 2026 23:19 Inactive
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 14, 2026
edited
Loading

⚠️ This pull request description does not follow the correct template structure.

PRs without a linked issue will receive lower priority for review and merging. Please update the description to follow the PR template and include a line like Closes #123 in the Issue section. If no existing issue matches your change, create one first.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 14, 2026
edited
Loading

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.

TestsPassed ✅SkippedFailed
Security Guardian Results1272 ran1272 passed
TestResult
No test annotations available

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 14, 2026
edited
Loading

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.

TestsPassed ✅SkippedFailed
Security Guardian Results with resolved templates1272 ran1272 passed
TestResult
No test annotations available

@alvazjor alvazjor marked this pull request as ready for review May 14, 2026 23:21
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 15, 2026
@alvazjor alvazjor added the pr/do-not-merge This PR should not be merged at this time. label May 15, 2026
alvazjor added 3 commits May 15, 2026 11:59
@alvazjor
feat(bedrockagentcore): graduate to stable
9405387
@alvazjor
fix(bedrockagentcore): use stable bedrock classes in README examples
7559668
@alvazjor
fix(bedrockagentcore): add confused deputy conditions to service role…
a68cc40 
… trust policies

Add aws:SourceAccount and aws:SourceArn conditions to the trust policies
for Runtime, Memory, Browser, and CodeInterpreter auto-created service roles.
This prevents cross-service confused deputy attacks by scoping role assumption
to the specific resource in the account.

Follows the pattern already established in Gateway and OnlineEvaluationConfig.
@alvazjor alvazjor force-pushed the feat/agentcore-graduation branch from c3cf06b to a68cc40 Compare May 15, 2026 11:59
@alvazjor
fix(bedrockagentcore): reject tags with reserved aws: prefix and upda…
b1a9a04 
…te integ snapshots

Add validation to reject tag keys starting with 'aws:' (case-insensitive)
across all resources that accept tags. This prefix is reserved by AWS and
cannot be used by customers.

Affected resources: Runtime, RuntimeEndpoint, Memory, Browser,
CodeInterpreter, Gateway, PolicyEngine, and Identity credential providers.

Updated integ test snapshots for confused deputy trust policy changes.
leonmk-aws
leonmk-aws requested changes May 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@leonmk-aws leonmk-aws left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are missing .jsiirc.json? EDIT: We are not, it exists in the stable module already, which is why it doesn.t show up in this PR

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 15, 2026
@alvazjor
fix(bedrockagentcore): throw on imported Policy/PolicyEngine name access
7327df6 
The service appends a random suffix to resource names, so the original
name cannot be extracted from the ARN. Accessing policyName or
policyEngineName on imported resources now throws with a clear message.
@leonmk-aws leonmk-aws added the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label May 15, 2026
@leonmk-aws leonmk-aws had a problem deploying to deployment-integ-test May 15, 2026 14:14 — with GitHub Actions Failure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leonmk-aws leonmk-aws leonmk-aws requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

contribution/core This is a PR that came from AWS. p2 pr/do-not-merge This PR should not be merged at this time. pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@alvazjor @leonmk-aws @aws-cdk-automation