Bedrock AgentCore Runtime L3 Construct

This construct provides a high-level abstraction for creating Amazon Bedrock AgentCore Runtimes with Docker container deployment.

Features

- Custom Runtime Deployment: Deploy custom agent runtimes using Docker containers
- Docker Image Management: Build and push Docker images to ECR or use existing images
- IAM Role Management: Automatic creation of IAM roles with required permissions
- VPC Network Configuration: Secure VPC deployment (required for all runtimes)
- JWT Authorization: Configure custom JWT authorizers for access control
- Lifecycle Management: Configure session timeouts and maximum lifetimes
- Runtime Endpoints: Create endpoints for runtime invocation
- SSM Parameter Storage: Automatic storage of runtime ARNs and IDs

Usage

``typescript
import { BedrockAgentcoreRuntimeL3Construct } from '@aws-mdaa/bedrock-agentcore-runtime-l3-construct';

const runtime = new BedrockAgentcoreRuntimeL3Construct(this, 'MyRuntime', {
agentRuntimeName: 'my-agent-runtime',
description: 'Custom agent runtime for development',
agentRuntimeArtifact: {
containerConfiguration: {
codePath: './agent-code',
platform: 'linux/arm64'
}
},
networkConfiguration: {
securityGroups: ['sg-12345678'],
subnets: ['subnet-12345678', 'subnet-87654321']
},
environmentVariables: {
ENVIRONMENT: 'dev',
LOG_LEVEL: 'INFO'
},
authorizerConfiguration: {
customJwtAuthorizer: {
discoveryUrl: 'https://cognito-idp.region.amazonaws.com/pool/.well-known/openid-configuration',
allowedAudience: ['client-id']
}
},
runtimeEndpoint: {
name: 'my_runtime_endpoint',
description: 'Runtime endpoint for invocation'
},
naming: naming,
roleHelper: roleHelper
});
`

Configuration Options

$3


- agentRuntimeName: Name of the runtime (required)
- description: Optional description
- agentRuntimeArtifact: Container configuration (required)
- networkConfiguration: VPC network configuration (required)
- environmentVariables: Environment variables for the container
- lifecycleConfiguration: Session timeout and lifetime settings
- authorizerConfiguration: JWT authorizer configuration
- requestHeaderConfiguration: HTTP header forwarding configuration
- runtimeEndpoint: Endpoint configuration for runtime invocation

$3

- containerUri: Pre-built ECR image URI
- codePath: Local directory path for building Docker image
- platform: Target platform (linux/arm64 or linux/amd64)

$3

- securityGroups: Array of security group IDs (1-16 items, required)
- subnets: Array of subnet IDs (1-16 items, required)

Note: All runtimes are deployed in VPC mode for security. The network mode is automatically set to VPC.

$3

- discoveryUrl: OIDC discovery URL (required)
- allowedAudience: Array of allowed audience values
- allowedClients: Array of allowed client IDs

$3

- idleRuntimeSessionTimeout: Idle timeout in seconds (60-28800)
- maxLifetime: Maximum lifetime in seconds (60-28800)

IAM Permissions

The construct automatically creates IAM roles with permissions for:
- ECR image access (GetAuthorizationToken, BatchGetImage, GetDownloadUrlForLayer)
- CloudWatch Logs (CreateLogGroup, CreateLogStream, PutLogEvents)
- X-Ray tracing (PutTraceSegments, PutTelemetryRecords)
- CloudWatch Metrics (PutMetricData for bedrock-agentcore namespace)
- Bedrock AgentCore workload identity tokens
- Bedrock model invocation

SSM Parameters

The construct stores the following information in SSM Parameter Store:
- Runtime ARN: /mdaa/{env}/{runtime-name}-arn
- Runtime ID: /mdaa/{env}/{runtime-name}-id
- Runtime Name: /mdaa/{env}/{runtime-name}-name
- Endpoint ARN: /mdaa/{env}/{runtime-name}-endpoint-arn (if endpoint configured)
- Endpoint ID: /mdaa/{env}/{runtime-name}-endpoint-id (if endpoint configured)

Dependencies

- @aws-mdaa/iam-constructs
- @aws-mdaa/iam-role-helper
- @aws-mdaa/kms-constructs
- @aws-mdaa/l3-construct
- aws-cdk-lib
- constructs`