mirror of
https://github.com/awslabs/amazon-bedrock-agentcore-samples.git
synced 2025-09-08 20:50:46 +00:00
01246a98b2
* feat: Add AWS Operations Agent with AgentCore Runtime - Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore - Added comprehensive deployment scripts for DIY and SDK runtime modes - Implemented OAuth2/PKCE authentication with Okta integration - Added MCP (Model Context Protocol) tool support for AWS service operations - Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders - Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker - Includes chatbot client, gateway management scripts, and comprehensive testing - Ready for public GitHub with security-cleared configuration files Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders * Update AWS Operations Agent architecture diagram * feat: Enhance AWS Operations Agent with improved testing and deployment - Update README with new local container testing approach using run-*-local-container.sh scripts - Replace deprecated SAM-based MCP Lambda deployment with ZIP-based deployment - Add no-cache flag to Docker builds to ensure clean builds - Update deployment scripts to use consolidated configuration files - Add comprehensive cleanup scripts for all deployment components - Improve error handling and credential validation in deployment scripts - Add new MCP tool deployment using ZIP packaging instead of Docker containers - Update configuration management to use dynamic-config.yaml structure - Add local testing capabilities with containerized agents - Remove outdated test scripts and replace with interactive chat client approach * fix: Update IAM policy configurations - Update bac-permissions-policy.json with enhanced permissions - Update bac-trust-policy.json for improved trust relationships * fix: Update Docker configurations for agent runtimes - Update Dockerfile.diy with improved container configuration - Update Dockerfile.sdk with enhanced build settings * fix: Update OAuth iframe flow configuration - Update iframe-oauth-flow.html with improved OAuth handling * feat: Update AWS Operations Agent configuration and cleanup - Update IAM permissions policy with enhanced access controls - Update IAM trust policy with improved security conditions - Enhance OAuth iframe flow with better UX and error handling - Improve chatbot client with enhanced local testing capabilities - Remove cache files and duplicate code for cleaner repository * docs: Add architecture diagrams and update README - Add architecture-2.jpg and flow.jpg diagrams for better visualization - Update README.md with enhanced documentation and diagrams * Save current work before resolving merge conflicts * Keep AWS-operations-agent changes (local version takes precedence) * Fix: Remove merge conflict markers from AWS-operations-agent files - restore clean version * Fix deployment and cleanup script issues Major improvements and fixes: Configuration Management: - Fix role assignment in gateway creation (use bac-execution-role instead of Lambda role) - Add missing role_arn cleanup in MCP tool deletion script - Fix OAuth provider deletion script configuration clearing - Improve memory deletion script to preserve quote consistency - Add Lambda invoke permissions to bac-permissions-policy.json Script Improvements: - Reorganize deletion scripts: 11-delete-oauth-provider.sh, 12-delete-memory.sh, 13-cleanup-everything.sh - Fix interactive prompt handling in cleanup scripts (echo -e format) - Add yq support with sed fallbacks for better YAML manipulation - Remove obsolete 04-deploy-mcp-tool-lambda-zip.sh script Architecture Fixes: - Correct gateway role assignment to use runtime.role_arn (bac-execution-role) - Ensure proper role separation between gateway and Lambda execution - Fix configuration cleanup to clear all dynamic config fields consistently Documentation: - Update README with clear configuration instructions - Maintain security best practices with placeholder values - Add comprehensive deployment and cleanup guidance These changes address systematic issues with cleanup scripts, role assignments, and configuration management while maintaining security best practices. * Update README.md with comprehensive documentation Enhanced documentation includes: - Complete project structure with 75 files - Step-by-step deployment guide with all 13 scripts - Clear configuration instructions with security best practices - Dual agent architecture documentation (DIY + SDK) - Authentication flow and security implementation details - Troubleshooting guide and operational procedures - Local testing and container development guidance - Tool integration and MCP protocol documentation The README now provides complete guidance for deploying and operating the AWS Support Agent with Amazon Bedrock AgentCore system. --------- Co-authored-by: name <alias@amazon.com>
200 lines
7.0 KiB
Python
Executable File
200 lines
7.0 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
"""
|
|
Create Bedrock AgentCore Gateway
|
|
Uses unified AgentCore configuration system
|
|
"""
|
|
import json
|
|
import boto3
|
|
import logging
|
|
import argparse
|
|
import sys
|
|
import subprocess
|
|
from datetime import datetime
|
|
from pathlib import Path
|
|
|
|
# Add project root to path for shared config manager
|
|
project_root = Path(__file__).parent.parent.parent
|
|
sys.path.append(str(project_root))
|
|
from shared.config_manager import AgentCoreConfigManager
|
|
|
|
# Configure logging
|
|
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
|
|
logger = logging.getLogger(__name__)
|
|
|
|
def parse_arguments():
|
|
"""Parse command line arguments"""
|
|
parser = argparse.ArgumentParser(description='Create Bedrock AgentCore Gateway')
|
|
parser.add_argument('--name', help='Gateway name (optional)')
|
|
parser.add_argument('--description', help='Gateway description (optional)')
|
|
parser.add_argument("--environment", type=str, default="production", help="Environment to use (for CloudFormation tags only)")
|
|
return parser.parse_args()
|
|
|
|
def print_request(title, request_data):
|
|
"""Print formatted request"""
|
|
print(f"\n{title}")
|
|
print("=" * 60)
|
|
print(json.dumps(request_data, indent=2, default=str))
|
|
print("=" * 60)
|
|
|
|
def print_response(title, response_data):
|
|
"""Print formatted response"""
|
|
print(f"\n{title}")
|
|
print("=" * 60)
|
|
print(json.dumps(response_data, indent=2, default=str))
|
|
print("=" * 60)
|
|
|
|
def update_dynamic_config_with_yq(gateway_id, gateway_arn, gateway_url):
|
|
"""Update dynamic configuration using yq"""
|
|
try:
|
|
config_file = project_root / "config" / "dynamic-config.yaml"
|
|
|
|
# Update using yq commands
|
|
subprocess.run([
|
|
"yq", "eval", f".gateway.id = \"{gateway_id}\"", "-i", str(config_file)
|
|
], check=True, capture_output=True)
|
|
|
|
subprocess.run([
|
|
"yq", "eval", f".gateway.arn = \"{gateway_arn}\"", "-i", str(config_file)
|
|
], check=True, capture_output=True)
|
|
|
|
subprocess.run([
|
|
"yq", "eval", f".gateway.url = \"{gateway_url}\"", "-i", str(config_file)
|
|
], check=True, capture_output=True)
|
|
|
|
print("✅ Dynamic configuration updated successfully")
|
|
return True
|
|
|
|
except subprocess.CalledProcessError as e:
|
|
print(f"⚠️ Failed to update dynamic configuration: {e}")
|
|
return False
|
|
except Exception as e:
|
|
print(f"⚠️ Error updating configuration: {e}")
|
|
return False
|
|
|
|
def create_bedrock_agentcore_gateway(config_manager, environment, gateway_name=None, description=None):
|
|
"""Create Bedrock AgentCore Gateway using configuration"""
|
|
|
|
# Get configuration from config manager
|
|
base_settings = config_manager.get_base_settings()
|
|
oauth_settings = config_manager.get_oauth_settings()
|
|
dynamic_config = config_manager.get_dynamic_config()
|
|
|
|
# Extract AWS configuration
|
|
aws_config = {
|
|
'region': base_settings['aws']['region'],
|
|
'account_id': base_settings['aws']['account_id'],
|
|
'profile': None # Use default credentials
|
|
}
|
|
|
|
# Get gateway execution role from static config (bac-execution-role)
|
|
gateway_execution_role_arn = base_settings['runtime']['role_arn']
|
|
|
|
if not gateway_execution_role_arn:
|
|
raise ValueError("Gateway execution role ARN not found in static configuration. Please run 01-prerequisites.sh first.")
|
|
|
|
# Create authorization configuration
|
|
auth_config = {
|
|
'customJWTAuthorizer': {
|
|
'discoveryUrl': oauth_settings['jwt']['discovery_url'],
|
|
'allowedAudience': [oauth_settings['jwt']['audience']]
|
|
}
|
|
}
|
|
|
|
print(f"Using Configuration:")
|
|
print(f" Environment: {environment}")
|
|
print(f" AWS Region: {aws_config['region']}")
|
|
print(f" AWS Account: {aws_config['account_id']}")
|
|
print(f" Gateway Execution Role (bac-execution-role): {gateway_execution_role_arn}")
|
|
print(f" JWT Discovery URL: {oauth_settings['jwt']['discovery_url']}")
|
|
print(f" JWT Audience: {oauth_settings['jwt']['audience']}")
|
|
|
|
# Use default gateway name if not provided
|
|
if not gateway_name:
|
|
gateway_name = f"{environment}-agentcore-gateway"
|
|
|
|
# Use default description if not provided
|
|
if not description:
|
|
description = f'AgentCore Gateway for {environment} environment'
|
|
|
|
# Create AWS session
|
|
session = boto3.Session(region_name=aws_config['region'])
|
|
|
|
# Use bedrock-agentcore-control client
|
|
bedrock_agentcore_client = session.client('bedrock-agentcore-control', region_name=aws_config['region'])
|
|
|
|
# Prepare request
|
|
request_data = {
|
|
'name': gateway_name,
|
|
'protocolType': 'MCP',
|
|
'roleArn': gateway_execution_role_arn,
|
|
'description': description,
|
|
'authorizerType': 'CUSTOM_JWT',
|
|
'authorizerConfiguration': auth_config
|
|
}
|
|
|
|
print_request("CREATE GATEWAY REQUEST", request_data)
|
|
|
|
try:
|
|
# Create gateway
|
|
response = bedrock_agentcore_client.create_gateway(**request_data)
|
|
|
|
print_response("CREATE GATEWAY RESPONSE", response)
|
|
|
|
gateway_id = response['gatewayId']
|
|
gateway_status = response.get('status', 'Unknown')
|
|
gateway_url = response.get('gatewayUrl', 'Unknown')
|
|
gateway_arn = response.get('gatewayArn', '')
|
|
|
|
# Update the dynamic config with the gateway information
|
|
update_dynamic_config_with_yq(gateway_id, gateway_arn, gateway_url)
|
|
|
|
print(f"\nGateway Created Successfully!")
|
|
print(f" Gateway ID: {gateway_id}")
|
|
print(f" Gateway URL: {gateway_url}")
|
|
print(f" Status: {gateway_status}")
|
|
print(f" Environment: {environment}")
|
|
|
|
return gateway_id, response
|
|
|
|
except Exception as e:
|
|
logger.error(f"Gateway creation failed: {str(e)}")
|
|
print(f"\nGateway creation failed: {str(e)}")
|
|
raise
|
|
|
|
def main():
|
|
"""Main function"""
|
|
args = parse_arguments()
|
|
|
|
# Initialize configuration manager
|
|
config_manager = AgentCoreConfigManager()
|
|
|
|
# Use environment from args
|
|
environment = args.environment
|
|
|
|
print("🚀 Create Bedrock AgentCore Gateway")
|
|
print("=" * 40)
|
|
print(f"Environment: {environment}")
|
|
print(f"Timestamp: {datetime.now().isoformat()}")
|
|
|
|
try:
|
|
# Create gateway
|
|
gateway_id, response = create_bedrock_agentcore_gateway(
|
|
config_manager,
|
|
environment,
|
|
args.name,
|
|
args.description
|
|
)
|
|
|
|
print(f"\n✅ Gateway creation completed successfully!")
|
|
print(f" Gateway ID: {gateway_id}")
|
|
print(f" Use 'python list-gateways.py' to see all gateways")
|
|
print(f" Use 'python get-gateway.py --gateway-id {gateway_id}' for details")
|
|
|
|
except Exception as e:
|
|
logger.error(f"Gateway creation failed: {str(e)}")
|
|
print(f"\n❌ Gateway creation failed: {str(e)}")
|
|
sys.exit(1)
|
|
|
|
if __name__ == "__main__":
|
|
main()
|