Skip to content

Commit 4e4dda7

Browse files
author
bgagent
committed
fix(docs): fix build
1 parent b6a61b5 commit 4e4dda7

2 files changed

Lines changed: 62 additions & 84 deletions

File tree

docs/design/DEPLOYMENT_ROLES.md

Lines changed: 31 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -437,12 +437,22 @@ DynamoDB tables, Lambda functions, API Gateway, Cognito, WAFv2, EventBridge, and
437437

438438
### IaCRole-ABCA-Observability
439439

440-
Bedrock Guardrails, CloudWatch Logs/Dashboards/Alarms, X-Ray, S3 (CDK assets), KMS, ECR, SSM, and STS. (Bedrock AgentCore lives in the separate `IaCRole-ABCA-Compute-Agentcore` policy below.)
440+
Bedrock Guardrails, CloudWatch Logs/Dashboards/Alarms, X-Ray, S3 (CDK assets), KMS, ECR, SSM, and STS.
441+
442+
> The golden baseline below keeps the `BedrockAgentCore` statement (`bedrock-agentcore:*`) as the first entry of this block, since it is the canonical action list parsed by `cdk/test/bootstrap/golden-baseline.test.ts`. At **deploy** time those actions are emitted as the standalone `IaCRole-ABCA-Compute-Agentcore` managed policy (see the next subsection), not as part of the runtime Observability policy — the test extracts the statement from here and validates it against the separate `computeAgentcorePolicy()`.
441443
442444
```json
443445
{
444446
"Version": "2012-10-17",
445447
"Statement": [
448+
{
449+
"Sid": "BedrockAgentCore",
450+
"Effect": "Allow",
451+
"Action": [
452+
"bedrock-agentcore:*"
453+
],
454+
"Resource": "*"
455+
},
446456
{
447457
"Sid": "BedrockGuardrailsAndLogging",
448458
"Effect": "Allow",
@@ -605,54 +615,33 @@ Bedrock Guardrails, CloudWatch Logs/Dashboards/Alarms, X-Ray, S3 (CDK assets), K
605615

606616
### IaCRole-ABCA-Compute-Agentcore
607617

608-
Bedrock AgentCore runtime/memory operations. This policy is always applied (AgentCore is the default compute backend) and is kept separate from Observability so each compute variant can be bootstrapped independently.
609-
610-
```json
611-
{
612-
"Version": "2012-10-17",
613-
"Statement": [
614-
{
615-
"Sid": "BedrockAgentCore",
616-
"Effect": "Allow",
617-
"Action": [
618-
"bedrock-agentcore:*"
619-
],
620-
"Resource": "*"
621-
}
622-
]
623-
}
624-
```
618+
Bedrock AgentCore runtime/memory operations — a single statement granting `bedrock-agentcore:*` on `*` (the `BedrockAgentCore` statement shown in the Observability block above). This policy is always applied (AgentCore is the default compute backend) and is emitted as its own managed policy (`computeAgentcorePolicy()`, compiled to `cdk/bootstrap/policies/compute-agentcore.json`) so each compute variant can be bootstrapped independently. No separate JSON baseline is repeated here: the golden-file test reads the action list from the Observability block and validates it against this policy.
625619

626620
### IaCRole-ABCA-Compute-ECS
627621

628622
When the ECS Fargate compute backend is enabled (bootstrap with `--context ComputeTypes=agentcore,ecs`), the generated template conditionally attaches this policy to the CloudFormation execution role. It is a standalone managed policy, not an addition to `IaCRole-ABCA-Application`.
629623

630624
```json
631625
{
632-
"Version": "2012-10-17",
633-
"Statement": [
634-
{
635-
"Sid": "ECS",
636-
"Effect": "Allow",
637-
"Action": [
638-
"ecs:CreateCluster",
639-
"ecs:DeleteCluster",
640-
"ecs:DescribeClusters",
641-
"ecs:UpdateCluster",
642-
"ecs:UpdateClusterSettings",
643-
"ecs:PutClusterCapacityProviders",
644-
"ecs:RegisterTaskDefinition",
645-
"ecs:DeregisterTaskDefinition",
646-
"ecs:DescribeTaskDefinition",
647-
"ecs:ListTaskDefinitions",
648-
"ecs:TagResource",
649-
"ecs:UntagResource",
650-
"ecs:ListTagsForResource",
651-
"ecs:PutAccountSetting"
652-
],
653-
"Resource": "*"
654-
}
655-
]
626+
"Sid": "ECS",
627+
"Effect": "Allow",
628+
"Action": [
629+
"ecs:CreateCluster",
630+
"ecs:DeleteCluster",
631+
"ecs:DescribeClusters",
632+
"ecs:UpdateCluster",
633+
"ecs:UpdateClusterSettings",
634+
"ecs:PutClusterCapacityProviders",
635+
"ecs:RegisterTaskDefinition",
636+
"ecs:DeregisterTaskDefinition",
637+
"ecs:DescribeTaskDefinition",
638+
"ecs:ListTaskDefinitions",
639+
"ecs:TagResource",
640+
"ecs:UntagResource",
641+
"ecs:ListTagsForResource",
642+
"ecs:PutAccountSetting"
643+
],
644+
"Resource": "*"
656645
}
657646
```
658647

docs/src/content/docs/architecture/Deployment-roles.md

Lines changed: 31 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -441,12 +441,22 @@ DynamoDB tables, Lambda functions, API Gateway, Cognito, WAFv2, EventBridge, and
441441

442442
### IaCRole-ABCA-Observability
443443

444-
Bedrock Guardrails, CloudWatch Logs/Dashboards/Alarms, X-Ray, S3 (CDK assets), KMS, ECR, SSM, and STS. (Bedrock AgentCore lives in the separate `IaCRole-ABCA-Compute-Agentcore` policy below.)
444+
Bedrock Guardrails, CloudWatch Logs/Dashboards/Alarms, X-Ray, S3 (CDK assets), KMS, ECR, SSM, and STS.
445+
446+
> The golden baseline below keeps the `BedrockAgentCore` statement (`bedrock-agentcore:*`) as the first entry of this block, since it is the canonical action list parsed by `cdk/test/bootstrap/golden-baseline.test.ts`. At **deploy** time those actions are emitted as the standalone `IaCRole-ABCA-Compute-Agentcore` managed policy (see the next subsection), not as part of the runtime Observability policy — the test extracts the statement from here and validates it against the separate `computeAgentcorePolicy()`.
445447
446448
```json
447449
{
448450
"Version": "2012-10-17",
449451
"Statement": [
452+
{
453+
"Sid": "BedrockAgentCore",
454+
"Effect": "Allow",
455+
"Action": [
456+
"bedrock-agentcore:*"
457+
],
458+
"Resource": "*"
459+
},
450460
{
451461
"Sid": "BedrockGuardrailsAndLogging",
452462
"Effect": "Allow",
@@ -609,54 +619,33 @@ Bedrock Guardrails, CloudWatch Logs/Dashboards/Alarms, X-Ray, S3 (CDK assets), K
609619

610620
### IaCRole-ABCA-Compute-Agentcore
611621

612-
Bedrock AgentCore runtime/memory operations. This policy is always applied (AgentCore is the default compute backend) and is kept separate from Observability so each compute variant can be bootstrapped independently.
613-
614-
```json
615-
{
616-
"Version": "2012-10-17",
617-
"Statement": [
618-
{
619-
"Sid": "BedrockAgentCore",
620-
"Effect": "Allow",
621-
"Action": [
622-
"bedrock-agentcore:*"
623-
],
624-
"Resource": "*"
625-
}
626-
]
627-
}
628-
```
622+
Bedrock AgentCore runtime/memory operations — a single statement granting `bedrock-agentcore:*` on `*` (the `BedrockAgentCore` statement shown in the Observability block above). This policy is always applied (AgentCore is the default compute backend) and is emitted as its own managed policy (`computeAgentcorePolicy()`, compiled to `cdk/bootstrap/policies/compute-agentcore.json`) so each compute variant can be bootstrapped independently. No separate JSON baseline is repeated here: the golden-file test reads the action list from the Observability block and validates it against this policy.
629623

630624
### IaCRole-ABCA-Compute-ECS
631625

632626
When the ECS Fargate compute backend is enabled (bootstrap with `--context ComputeTypes=agentcore,ecs`), the generated template conditionally attaches this policy to the CloudFormation execution role. It is a standalone managed policy, not an addition to `IaCRole-ABCA-Application`.
633627

634628
```json
635629
{
636-
"Version": "2012-10-17",
637-
"Statement": [
638-
{
639-
"Sid": "ECS",
640-
"Effect": "Allow",
641-
"Action": [
642-
"ecs:CreateCluster",
643-
"ecs:DeleteCluster",
644-
"ecs:DescribeClusters",
645-
"ecs:UpdateCluster",
646-
"ecs:UpdateClusterSettings",
647-
"ecs:PutClusterCapacityProviders",
648-
"ecs:RegisterTaskDefinition",
649-
"ecs:DeregisterTaskDefinition",
650-
"ecs:DescribeTaskDefinition",
651-
"ecs:ListTaskDefinitions",
652-
"ecs:TagResource",
653-
"ecs:UntagResource",
654-
"ecs:ListTagsForResource",
655-
"ecs:PutAccountSetting"
656-
],
657-
"Resource": "*"
658-
}
659-
]
630+
"Sid": "ECS",
631+
"Effect": "Allow",
632+
"Action": [
633+
"ecs:CreateCluster",
634+
"ecs:DeleteCluster",
635+
"ecs:DescribeClusters",
636+
"ecs:UpdateCluster",
637+
"ecs:UpdateClusterSettings",
638+
"ecs:PutClusterCapacityProviders",
639+
"ecs:RegisterTaskDefinition",
640+
"ecs:DeregisterTaskDefinition",
641+
"ecs:DescribeTaskDefinition",
642+
"ecs:ListTaskDefinitions",
643+
"ecs:TagResource",
644+
"ecs:UntagResource",
645+
"ecs:ListTagsForResource",
646+
"ecs:PutAccountSetting"
647+
],
648+
"Resource": "*"
660649
}
661650
```
662651

0 commit comments

Comments
 (0)