From c41bcfabb749f6db68bf07d9f22ed07e5e88a673 Mon Sep 17 00:00:00 2001
From: Marc Peiser
Date: Wed, 10 Dec 2025 18:01:56 +0200
Subject: [PATCH] feat: enable Amazon Bedrock AgentCore services

Add bedrock-agent, bedrock-agent-runtime, and bedrock-agentcore to SCP allowlist to enable sandbox users to deploy and manage Bedrock agents.

Upgrade aws-nuke from v3.60.1 to v3.62.0 which adds support for cleaning up bedrock-agentcore resources during sandbox cleanup.
---
 .../infrastructure/lib/components/account-cleaner/Dockerfile | 2 +-
 source/infrastructure/lib/components/config/nuke-config.yaml | 1 +
 .../isb-aws-nuke-supported-services-scp.json | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/source/infrastructure/lib/components/account-cleaner/Dockerfile b/source/infrastructure/lib/components/account-cleaner/Dockerfile
index f7d3599..829ce51 100644
--- a/source/infrastructure/lib/components/account-cleaner/Dockerfile
+++ b/source/infrastructure/lib/components/account-cleaner/Dockerfile
@@ -2,7 +2,7 @@ FROM public.ecr.aws/amazonlinux/amazonlinux:2023-minimal@sha256:181f434838407aab
 
 RUN dnf install -y tar gzip awscli jq sed
 
-ADD https://github.com/ekristen/aws-nuke/releases/download/v3.60.1/aws-nuke-v3.60.1-linux-amd64.tar.gz nuke-binary.tar.gz
+ADD https://github.com/ekristen/aws-nuke/releases/download/v3.62.0/aws-nuke-v3.62.0-linux-amd64.tar.gz nuke-binary.tar.gz
 
 RUN mkdir /tmp/aws-nuke && \
 tar -xzvf nuke-binary.tar.gz -C /tmp/aws-nuke && \
diff --git a/source/infrastructure/lib/components/config/nuke-config.yaml b/source/infrastructure/lib/components/config/nuke-config.yaml
index 19b9c9d..ea061c2 100644
--- a/source/infrastructure/lib/components/config/nuke-config.yaml
+++ b/source/infrastructure/lib/components/config/nuke-config.yaml
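Review bot: The new `ADD` line fetches the aws-nuke v3.62.0 tarball over HTTPS with no integrity check, while the base image in the hunk header is pinned by `@sha256:` digest; a GitHub release asset can be replaced without its URL changing, so the cleaner image would run whatever is served at build time, and this binary is the one that deletes resources across sandbox accounts. Pin the archive's published checksum alongside the version bump, e.g. `RUN echo "<SHA256_OF_AWS_NUKE_V3.62.0_TARBALL_PLACEHOLDER>  nuke-binary.tar.gz" | sha256sum -c -` immediately after the `ADD`. If the build uses a BuildKit version that supports it, `ADD --checksum=sha256:<PLACEHOLDER> <url> nuke-binary.tar.gz` achieves the same in one line.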
@@ -44,6 +44,7 @@ resource-types:
 - S3Object # Let the S3Bucket delete all Objects instead of individual objects (optimization)
 - ConfigServiceConfigurationRecorder
 - ConfigServiceDeliveryChannel
+ - BedrockAgentCoreWorkloadIdentity # Cannot be deleted directly - deleted when parent AgentRuntime is deleted
 blocklist:
 - "%HUB_ACCOUNT_ID%" # placeholder HUB_ACCOUNT_ID will be dynamically replaced during CodeBuild execution
 accounts:
diff --git a/source/infrastructure/lib/components/service-control-policies/isb-aws-nuke-supported-services-scp.json b/source/infrastructure/lib/components/service-control-policies/isb-aws-nuke-supported-services-scp.json
index 7b5fca1..56575d0 100644
--- a/source/infrastructure/lib/components/service-control-policies/isb-aws-nuke-supported-services-scp.json
+++ b/source/infrastructure/lib/components/service-control-policies/isb-aws-nuke-supported-services-scp.json
@@ -23,6 +23,9 @@
 "backup:*",
 "batch:*",
 "bedrock:*",
+"bedrock-agent:*",
+"bedrock-agent-runtime:*",
+"bedrock-agentcore:*",
 "budgets:*",
 "cloud9:*",
 "clouddirectory:*",
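Review bot: Excluding `BedrockAgentCoreWorkloadIdentity` makes cleanup of that resource depend entirely on its parent AgentRuntime being deleted in the same run; if a workload identity can exist without a parent runtime (the added comment does not say either way), it would survive the nuke and remain in a recycled sandbox account that the new SCP entry lets users create it in. Worth verifying on the first v3.62.0 run that no identities remain after the runtime resources are removed, and recording that check in the comment, e.g. `# Cannot be deleted directly - removed with its parent AgentRuntime (verified against aws-nuke v3.62.0)`. The enclosing `resource-types:` section begins before this hunk.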
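Review bot: The added `bedrock-agent:*` and `bedrock-agent-runtime:*` entries sit in an SCP whose filename ties the allowlist to aws-nuke-supported services, yet the commit message only claims that v3.62.0 adds cleanup for bedrock-agentcore resources; resources created under `bedrock-agent` (agents, knowledge bases and similar) would persist across sandbox recycling if no nuke resource type covers them. Please confirm the aws-nuke resource list for v3.62.0 covers those before merging, or hold these two prefixes back until it does. Naming the aws-nuke resource types that justify each new prefix in the commit message would make this traceable for the next reviewer, since the JSON itself cannot carry a comment.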