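#!/bin/bash
# Deploy Cedar policy to MCP Gateway
# Requires AWS CLI 2.32+ and jq.
#
# Reads AWS_REGION, ACCOUNT_ID, MCP_GATEWAY_ID and MCP_POLICY_ENGINE_ID from the
# environment (optionally loaded from a .env file next to this script), then:
#   1. deletes every policy currently registered on the policy engine,
#   2. creates "ForbidDangerousOperations" from backoffice-policy.cedar with
#      ${GATEWAY_ARN} substituted into the statement,
#   3. polls until the new policy reports ACTIVE (or fails / times out).
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR

# Load environment
if [ -f "$SCRIPT_DIR/.env" ]; then
  # shellcheck disable=SC1091
  source "$SCRIPT_DIR/.env"
fi

# Fail early on missing configuration. Without these checks an unset variable
# silently yields an ARN with empty segments, and the policy would be deployed
# scoped to the wrong (or no) gateway while still reporting success.
: "${AWS_REGION:?AWS_REGION must be set}"
: "${ACCOUNT_ID:?ACCOUNT_ID must be set}"
: "${MCP_GATEWAY_ID:?MCP_GATEWAY_ID must be set}"
: "${MCP_POLICY_ENGINE_ID:?MCP_POLICY_ENGINE_ID must be set}"

command -v aws >/dev/null || { echo "aws CLI not found in PATH" >&2; exit 1; }
command -v jq >/dev/null || { echo "jq not found in PATH" >&2; exit 1; }

GATEWAY_ARN="arn:aws:bedrock-agentcore:${AWS_REGION}:${ACCOUNT_ID}:gateway/${MCP_GATEWAY_ID}"
POLICY_FILE="${SCRIPT_DIR}/backoffice-policy.cedar"
readonly GATEWAY_ARN POLICY_FILE

# Validation mode passed to create-policy. The default keeps the original
# behaviour, which ignores every Cedar validation finding: a statement that
# references a misspelled action or resource still deploys and becomes ACTIVE
# without restricting anything. Override from the environment to use a
# stricter mode supported by the API when you want findings to block deploy.
POLICY_VALIDATION_MODE="${POLICY_VALIDATION_MODE:-IGNORE_ALL_FINDINGS}"
readonly POLICY_VALIDATION_MODE

# Polling bounds for the status loops (MAX_POLLS attempts, POLL_INTERVAL s apart).
readonly POLL_INTERVAL=2
readonly MAX_POLLS=30

#######################################
# Poll get-policy until the policy no longer exists or the attempt budget is
# spent. The original loop had no bound and could spin forever on a policy
# stuck in a deleting state.
# Globals:   MCP_POLICY_ENGINE_ID, POLL_INTERVAL, MAX_POLLS (read)
# Arguments: $1 - policy id
# Returns:   0 once the policy is gone, 1 on timeout
#######################################
wait_for_deletion() {
  local policy_id=$1
  local attempt status
  for ((attempt = 1; attempt <= MAX_POLLS; attempt++)); do
    # get-policy errors once the policy is gone; treat that as DELETED.
    status=$(aws bedrock-agentcore-control get-policy \
      --policy-engine-id "${MCP_POLICY_ENGINE_ID}" \
      --policy-id "$policy_id" \
      --query 'status' --output text 2>/dev/null || echo "DELETED")
    if [ "$status" = "DELETED" ] || [ -z "$status" ]; then
      return 0
    fi
    sleep "$POLL_INTERVAL"
  done
  return 1
}

#######################################
# Delete every policy currently registered on the policy engine and wait for
# each deletion to finish.
# NOTE: this is not scoped to the policy this script manages — any other policy
# on MCP_POLICY_ENGINE_ID is removed as well, and the engine has no policy at
# all between this step and the new policy becoming ACTIVE.
# Globals:   MCP_POLICY_ENGINE_ID (read)
# Outputs:   progress lines on stdout
# Returns:   0 on success; exits 1 if a deletion does not complete in time
#######################################
delete_existing_policies() {
  local existing pid
  echo "1. Cleaning up existing policies..."
  # list-policies failures (no policies yet, access error) are treated as an
  # empty list, as in the original script; create-policy will surface a real
  # permission problem shortly after.
  existing=$(aws bedrock-agentcore-control list-policies \
    --policy-engine-id "${MCP_POLICY_ENGINE_ID}" \
    --query 'policies[].policyId' --output text 2>/dev/null || true)
  # --output text separates ids with tabs; word-splitting is intended here.
  # shellcheck disable=SC2086
  for pid in $existing; do
    echo "  Deleting: $pid"
    aws bedrock-agentcore-control delete-policy \
      --policy-engine-id "${MCP_POLICY_ENGINE_ID}" \
      --policy-id "$pid" > /dev/null
    # Wait for deletion to complete
    if ! wait_for_deletion "$pid"; then
      echo "❌ Timeout waiting for deletion of policy $pid" >&2
      exit 1
    fi
  done
}

#######################################
# Create the policy from POLICY_FILE with ${GATEWAY_ARN} substituted.
# Globals:   GATEWAY_ARN, POLICY_FILE, MCP_POLICY_ENGINE_ID,
#            POLICY_VALIDATION_MODE (read)
# Outputs:   the new policy id on stdout (nothing else)
# Returns:   non-zero if sed, jq or create-policy fails (set -e aborts)
#######################################
create_policy() {
  local statement definition
  # Read and substitute policy. '|' is the sed delimiter, so the ARN must not
  # contain one; the :? asserts above only guarantee the segments are non-empty.
  statement=$(sed "s|\${GATEWAY_ARN}|${GATEWAY_ARN}|g" "$POLICY_FILE")
  # jq -Rs turns the raw statement (plus trailing newline) into one JSON string
  # and wraps it in the {"cedar":{"statement":...}} shape create-policy expects.
  definition=$(printf '%s\n' "$statement" | jq -Rs '{cedar: {statement: .}}')
  aws bedrock-agentcore-control create-policy \
    --policy-engine-id "${MCP_POLICY_ENGINE_ID}" \
    --name "ForbidDangerousOperations" \
    --validation-mode "${POLICY_VALIDATION_MODE}" \
    --definition "$definition" \
    --query 'policyId' --output text
}

#######################################
# Poll get-policy until the policy is ACTIVE, reports a *FAILED* status, or
# the attempt budget is spent.
# Globals:   MCP_POLICY_ENGINE_ID, POLL_INTERVAL, MAX_POLLS (read)
# Arguments: $1 - policy id
# Outputs:   one "Status: ..." line per poll on stdout
# Returns:   0 when ACTIVE, 1 when a FAILED status is seen, 2 on timeout
#######################################
wait_for_active() {
  local policy_id=$1
  local attempt status
  for ((attempt = 1; attempt <= MAX_POLLS; attempt++)); do
    # Unlike the deletion loop, an error here is not masked: the policy was
    # just created, so get-policy failing is a real problem and set -e aborts.
    status=$(aws bedrock-agentcore-control get-policy \
      --policy-engine-id "${MCP_POLICY_ENGINE_ID}" \
      --policy-id "$policy_id" \
      --query 'status' --output text)
    echo "  Status: $status"
    if [ "$status" = "ACTIVE" ]; then
      return 0
    elif [[ "$status" == *"FAILED"* ]]; then
      return 1
    fi
    sleep "$POLL_INTERVAL"
  done
  return 2
}

#######################################
# Entry point: clean up, create, then wait for ACTIVE.
# Returns:   exits 0 on ACTIVE, 1 on failure or timeout
#######################################
main() {
  local policy_id rc
  echo "Deploying Cedar policy..."
  echo "  Gateway: ${MCP_GATEWAY_ID}"
  echo "  Policy Engine: ${MCP_POLICY_ENGINE_ID}"
  echo "  Validation mode: ${POLICY_VALIDATION_MODE}"
  echo ""

  delete_existing_policies

  # Create new policy
  echo ""
  echo "2. Creating policy..."
  policy_id=$(create_policy)
  echo "  Policy ID: $policy_id"

  # Wait for ACTIVE
  echo ""
  echo "3. Waiting for policy to become ACTIVE..."
  rc=0
  wait_for_active "$policy_id" || rc=$?
  case "$rc" in
    0)
      echo ""
      echo "✅ Policy deployed successfully!"
      exit 0
      ;;
    1)
      echo ""
      echo "❌ Policy deployment failed"
      exit 1
      ;;
    *)
      echo "❌ Timeout waiting for policy"
      exit 1
      ;;
  esac
}

main "$@"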