feat(bedrock-agentcore-alpha): allow tagging service-created runtime application log group #37997
gingeekrishna wants to merge 8 commits into
…application log group
Adds `applicationLogGroupTags` to `RuntimeProps` so users can apply tags to
the AgentCore-managed CloudWatch Log Group at
`/aws/bedrock-agentcore/runtimes/{agentRuntimeId}-DEFAULT`.
Because the log group is provisioned by the AgentCore service (not by
CloudFormation), CDK cannot tag it via the runtime resource itself. When
`applicationLogGroupTags` is provided, CDK pre-creates the log group with
`RemovalPolicy.RETAIN` so the required tags are present from the first
runtime invocation onward.
fixes aws#37983
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds support for tagging the AgentCore runtime application CloudWatch Log Group by pre-creating it in CDK when tags are provided.
Changes:
- Introduces `applicationLogGroupTags` prop on `RuntimeProps` and creates a `/aws/bedrock-agentcore/runtimes/{agentRuntimeId}-DEFAULT` log group with `RemovalPolicy.RETAIN`.
- Applies user-specified tags to the pre-created log group.
- Adds unit tests covering creation/non-creation, invalid tag keys, and retain policies.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/@aws-cdk/aws-bedrock-agentcore-alpha/lib/runtime/runtime.ts | Adds a new runtime prop and pre-creates/tags the application log group with retain policy. |
| packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts | Adds tests validating log group creation, tagging behavior, validation, and retention. |
The pull request linter fails with the following errors:
❌ Features must contain a change to an integration test file and the resulting snapshot.
If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.
✅ An exemption request has been requested. Please wait for a maintainer's review.
Exemption Request
…nLogGroupTags
- Combine LogGroupName and Tags assertions into a single hasResourceProperties call to prevent false positives from separate resource matches (Copilot review)
- Expand JSDoc to document orphaned log group risk on runtime replacement (Copilot review)
- Add README section with usage example and retention behaviour note
- Add integration test for applicationLogGroupTags feature
Exemption Request
… comments
- README: remove unused agentcore import from code example
- integ test: update header comment to match actual test intent and add listTagsForResource assertion to verify log group tags after deployment
- unit tests: extract shared App/Stack/artifact setup into beforeEach to eliminate repeated boilerplate across test cases
…ogGroupTags
- Add migration caveat to RuntimeProps JSDoc warning about ResourceAlreadyExistsException when adding applicationLogGroupTags to an existing runtime whose log group was already created by the service
- Add same migration caveat to README documentation
- Rename test 'fails when...' to 'Should throw when...' for consistency with other tests in the describe block
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
| * **Retention behaviour**: the pre-created log group always uses | ||
| * `RemovalPolicy.RETAIN`. This means: |
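Review bot: "Retention behaviour" on the first JSDoc line names the wrong concept, because the sentence is about `RemovalPolicy.RETAIN`, which governs what happens to the log group when it is removed from the stack, not how long CloudWatch Logs keeps the log events. Suggest retitling the item to "Removal behaviour" and saying in the same paragraph that it is separate from the log retention period, so readers enforcing retention/compliance tags do not read it as a retention guarantee.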
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…omments
- Rename JSDoc heading 'Retention behaviour' to 'Removal behavior' with clarifying note distinguishing RemovalPolicy from CloudWatch Logs retention period
- Extract Tags.of() outside loop in constructor to avoid repeated tag-manager lookup
- Rephrase README wording: Tags.of(runtime) does not propagate to service-created log group
- Replace brittle resourceCountIs('AWS::Logs::LogGroup', 0) assertions with targeted checks that filter by bedrock-agentcore name pattern
- Loosen error-message regex from exact-quote match to case-insensitive substring match
- Append ':*' suffix to log group ARN in integ test to match CloudWatch Logs ARN format expected by listTagsForResource
Issue # (if applicable)
Closes #37983.
Adds `applicationLogGroupTags` to `RuntimeProps` so users can apply tags to the AgentCore-managed CloudWatch Log Group at `/aws/bedrock-agentcore/runtimes/{agentRuntimeId}-DEFAULT`.
Because the log group is provisioned by the AgentCore service (not by CloudFormation), CDK cannot tag it via the runtime resource itself. When `applicationLogGroupTags` is provided, CDK pre-creates the log group with `RemovalPolicy.RETAIN` so the required tags are present from the first runtime invocation onward.
Reason for this change
The AgentCore service automatically creates a CloudWatch Log Group at `/aws/bedrock-agentcore/runtimes/{agentRuntimeId}-DEFAULT` for runtime application logs. The existing `RuntimeProps.tags` only tags the `AWS::BedrockAgentCore::Runtime` resource itself — there is no supported way to tag this service-created log group through CDK.
This is a blocker in environments that enforce mandatory resource tags for PII data isolation, cost allocation, retention/compliance automation, or access governance.
Description of changes
- `applicationLogGroupTags?: { [key: string]: string }` to `RuntimeProps`.
- `Runtime` constructor pre-creates an `AWS::Logs::LogGroup` with:
  - `logGroupName` computed from the runtime's `AgentRuntimeId` CloudFormation attribute (no hardcoding).
  - `RemovalPolicy.RETAIN` so logs are preserved if the stack is deleted.
- `Tags.of(logGroup).add(key, value)`.
- `validateTags()` method for consistent key/value validation.
- `agentRuntimeId` changes.
Describe any new or updated permissions being added
None. The execution role already has `logs:CreateLogGroup` and related permissions scoped to `/aws/bedrock-agentcore/runtimes/*`.
Description of how you validated changes
Added 5 unit tests under `describe('Runtime applicationLogGroupTags tests')`:
- `Fn::Join`-based name and all specified tags in a single assertion (avoids false positives from separate resource matches).
- `{}`.
- `ValidationError` thrown for an `aws:`-prefixed tag key.
- `DeletionPolicy: Retain` / `UpdateReplacePolicy: Retain` verified.
Integration test added at `test/agentcore/runtime/integ.runtime-application-log-group-tags.ts`. Snapshot generation requires a full build pipeline (blocked locally due to environment constraints) — see exemption request below.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
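
The check that the commit messages and validation notes above describe (name, tags and retain policies asserted on one resource, matched by the bedrock-agentcore name pattern), written as a stand-alone audit of a synthesized template. This is an added example, not code from the pull request; the logical IDs, tag keys and the `auditRuntimeLogGroups` helper are assumptions made for illustration.

```typescript
// Added example: audit of a synthesized CloudFormation template (plain JSON).
// Logical IDs, tag keys and values are constructed for illustration.
type Tag = { Key: string; Value: string };
type Resource = {
  Type: string;
  Properties?: { LogGroupName?: unknown; Tags?: Tag[] };
  DeletionPolicy?: string;
  UpdateReplacePolicy?: string;
};
type Template = { Resources: Record<string, Resource> };

const RUNTIME_LOG_PREFIX = '/aws/bedrock-agentcore/runtimes/';

// LogGroupName is an Fn::Join over the runtime id attribute, so flatten the
// intrinsic to text and match on the AgentCore prefix instead of equality.
function isRuntimeLogGroup(r: Resource): boolean {
  return r.Type === 'AWS::Logs::LogGroup' &&
    JSON.stringify(r.Properties?.LogGroupName ?? '').includes(RUNTIME_LOG_PREFIX);
}

// Returns one finding per problem. Name, tags and policies are checked on the
// SAME resource, so a tagged but unrelated log group cannot satisfy the audit.
function auditRuntimeLogGroups(t: Template, requiredTags: string[]): string[] {
  const findings: string[] = [];
  const matches = Object.entries(t.Resources).filter(([, r]) => isRuntimeLogGroup(r));
  if (matches.length === 0) findings.push('no pre-created runtime log group');
  for (const [id, r] of matches) {
    const keys = (r.Properties?.Tags ?? []).map((tag) => tag.Key);
    for (const k of requiredTags) if (!keys.includes(k)) findings.push(`${id}: missing tag ${k}`);
    // The aws: prefix is reserved by AWS in any letter case.
    for (const k of keys) if (k.toLowerCase().startsWith('aws:')) findings.push(`${id}: reserved tag key ${k}`);
    if (r.DeletionPolicy !== 'Retain') findings.push(`${id}: DeletionPolicy is not Retain`);
    if (r.UpdateReplacePolicy !== 'Retain') findings.push(`${id}: UpdateReplacePolicy is not Retain`);
  }
  return findings;
}

// Constructed sample: an unrelated tagged log group plus the runtime log group.
const sample: Template = { Resources: {
  OtherLogs: { Type: 'AWS::Logs::LogGroup', DeletionPolicy: 'Delete',
    Properties: { LogGroupName: '/app/other', Tags: [{ Key: 'DataClass', Value: 'pii' }] } },
  RuntimeAppLogs: { Type: 'AWS::Logs::LogGroup',
    DeletionPolicy: 'Retain', UpdateReplacePolicy: 'Retain',
    Properties: {
      LogGroupName: { 'Fn::Join': ['', [RUNTIME_LOG_PREFIX,
        { 'Fn::GetAtt': ['Runtime', 'AgentRuntimeId'] }, '-DEFAULT']] },
      Tags: [{ Key: 'DataClass', Value: 'pii' }] } },
} };
```

An empty result from `auditRuntimeLogGroups(sample, ['DataClass'])` means the runtime log group itself carries the mandatory tag and both retain policies; the tagged `OtherLogs` group is ignored because its name does not match the prefix.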