Merge branch 'main' into fix-integ-runner-region-deployment

Author: Abogical

packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/gateway/perms.ts

@@ -5,7 +5,7 @@ import * as kms from 'aws-cdk-lib/aws-kms';
 import { Construct } from 'constructs';
 // Internal imports
 import { IGatewayAuthorizerConfig } from './inbound-auth/authorizer';
-import { GatewayPerms } from './perms';
+import { GATEWAY_GET_PERMS, GATEWAY_LIST_PERMS, GATEWAY_MANAGE_PERMS, GATEWAY_INVOKE_PERMS } from './perms';
 import { IGatewayProtocolConfig } from './protocol';
 
 /******************************************************************************
@@ -269,12 +269,12 @@ export abstract class GatewayBase extends Resource implements IGateway {
    * @param grantee The principal to grant read permissions to
    */
   public grantRead(grantee: iam.IGrantable): iam.Grant {
-    const resourceSpecificGrant = this.grant(grantee, ...GatewayPerms.GET_PERMS);
+    const resourceSpecificGrant = this.grant(grantee, ...GATEWAY_GET_PERMS);
 
     const allResourceGrant = iam.Grant.addToPrincipal({
       grantee: grantee,
       resourceArns: ['*'],
-      actions: [...GatewayPerms.LIST_PERMS],
+      actions: [...GATEWAY_LIST_PERMS],
     });
     // Return combined grant
     return resourceSpecificGrant.combine(allResourceGrant);
@@ -286,7 +286,7 @@ export abstract class GatewayBase extends Resource implements IGateway {
    * @param grantee The principal to grant manage permissions to
    */
   public grantManage(grantee: iam.IGrantable): iam.Grant {
-    return this.grant(grantee, ...GatewayPerms.MANAGE_PERMS);
+    return this.grant(grantee, ...GATEWAY_MANAGE_PERMS);
   }
 
   /**
@@ -295,7 +295,7 @@ export abstract class GatewayBase extends Resource implements IGateway {
    * @param grantee The principal to grant invoke permissions to
    */
   public grantInvoke(grantee: iam.IGrantable): iam.Grant {
-    return this.grant(grantee, ...GatewayPerms.INVOKE_PERMS);
+    return this.grant(grantee, ...GATEWAY_INVOKE_PERMS);
   }
 
   // ------------------------------------------------------

packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/index.ts

@@ -11,7 +11,7 @@ import { Construct } from 'constructs';
 import { GatewayBase, GatewayExceptionLevel, IGateway } from './gateway-base';
 import { GatewayAuthorizer, IGatewayAuthorizerConfig } from './inbound-auth/authorizer';
 import { ICredentialProviderConfig } from './outbound-auth/credential-provider';
-import { GatewayPerms } from './perms';
+import { GATEWAY_ASSUME_ROLE, GATEWAY_KMS_KEY_PERMS } from './perms';
 import { IGatewayProtocolConfig, McpGatewaySearchType, McpProtocolConfiguration, MCPProtocolVersion } from './protocol';
 import { ApiSchema } from './targets/schema/api-schema';
 import { ToolSchema } from './targets/schema/tool-schema';
@@ -585,7 +585,7 @@ export class Gateway extends GatewayBase {
       new iam.PolicyStatement({
         effect: iam.Effect.ALLOW,
         principals: [new iam.ServicePrincipal('bedrock-agentcore.amazonaws.com')],
-        actions: GatewayPerms.ASSUME_ROLE,
+        actions: GATEWAY_ASSUME_ROLE,
         conditions: {
           StringEquals: {
             'aws:SourceAccount': account,
@@ -600,7 +600,7 @@ export class Gateway extends GatewayBase {
     if (this.kmsKey) {
       role.addToPolicy(new iam.PolicyStatement({
         effect: iam.Effect.ALLOW,
-        actions: GatewayPerms.KMS_KEY_PERMS,
+        actions: GATEWAY_KMS_KEY_PERMS,
         resources: [this.kmsKey.keyArn],
       }));
     }

packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/gateway/gateway-base.ts renamed to packages/@aws-cdk/aws-bedrock-agentcore-alpha/lib/gateway/gateway-base.ts

@@ -1,6 +1,6 @@
 import { Grant, IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { CredentialProviderType, ICredentialProviderConfig } from './credential-provider';
-import { GatewayPerms } from '../perms';
+import { GATEWAY_API_KEY_PERMS, GATEWAY_WORKLOAD_IDENTITY_PERMS, GATEWAY_SECRETS_PERMS } from '../perms';
 
 /******************************************************************************
  *                                 API KEY
@@ -152,13 +152,13 @@ export class ApiKeyCredentialProviderConfiguration implements ICredentialProvide
     const statements = [
       new PolicyStatement({
         actions: [
-          ...GatewayPerms.GATEWAY_API_KEY_PERMS,
-          ...GatewayPerms.GATEWAY_WORKLOAD_IDENTITY_PERMS,
+          ...GATEWAY_API_KEY_PERMS,
+          ...GATEWAY_WORKLOAD_IDENTITY_PERMS,
         ],
         resources: [this.providerArn],
       }),
       new PolicyStatement({
-        actions: GatewayPerms.SECRETS_PERMS,
+        actions: GATEWAY_SECRETS_PERMS,
         resources: [this.secretArn],
       }),
     ];

packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/gateway/gateway.ts renamed to packages/@aws-cdk/aws-bedrock-agentcore-alpha/lib/gateway/gateway.ts

@@ -1,6 +1,6 @@
 import { Grant, IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { CredentialProviderType, ICredentialProviderConfig } from './credential-provider';
-import { GatewayPerms } from '../perms';
+import { GATEWAY_OAUTH_PERMS, GATEWAY_WORKLOAD_IDENTITY_PERMS, GATEWAY_SECRETS_PERMS } from '../perms';
 
 /******************************************************************************
  *                                OAuth
@@ -90,13 +90,13 @@ export class OAuthCredentialProviderConfiguration implements ICredentialProvider
     const statements = [
       new PolicyStatement({
         actions: [
-          ...GatewayPerms.GATEWAY_OAUTH_PERMS,
-          ...GatewayPerms.GATEWAY_WORKLOAD_IDENTITY_PERMS,
+          ...GATEWAY_OAUTH_PERMS,
+          ...GATEWAY_WORKLOAD_IDENTITY_PERMS,
         ],
         resources: [this.providerArn],
       }),
       new PolicyStatement({
-        actions: GatewayPerms.SECRETS_PERMS,
+        actions: GATEWAY_SECRETS_PERMS,
         resources: [this.secretArn],
       }),
     ];