The Amazon Bedrock AgentCore Terraform module provides a high-level, object-oriented approach to creating and managing Amazon Bedrock AgentCore resources using Terraform. This module abstracts away the complexity of the L1 resources and provides a higher level implementation.
The module provides support for Amazon Bedrock AgentCore Runtime, Runtime Endpoints, Memories, and Gateways. This allows you to deploy custom container-based runtimes for your Bedrock agents, create memory resources that provide long-term contextual awareness, and establish gateways which serve as integration points between agents and external services.
This module simplifies the process of:
- Creating and configuring Bedrock AgentCore Runtimes
- Setting up AgentCore Runtime Endpoints
- Implementing AgentCore Memory with various memory strategies
- Creating and managing AgentCore Gateways
- Managing IAM permissions for your runtimes, memories, and gateways
- Configuring network access and security settings
- Custom Container Support: Deploy your own container images from Amazon ECR
- Flexible Networking: Support for both PUBLIC and VPC network modes for runtimes, and SANDBOX and VPC modes for code interpreters
- IAM Role Management: Automatic creation of IAM roles with appropriate permissions
- Environment Variables: Pass configuration to your runtime container
- JWT Authorization: Optional JWT authorizer configuration for secure access
- Endpoint Management: Create and manage runtime endpoints for client access
- Memory Management: Create and configure memory resources for persistent contextual awareness
- Multiple Memory Strategies: Support for semantic, summary, user preference, and custom memory strategies
- Namespace Organization: Organize memory data with customizable namespaces for different actors and sessions
- Custom Memory Consolidation: Override prompts and models for memory extraction and consolidation
- Gateway Support: Create and manage AgentCore Gateways for model context communication
- Protocol Configuration: Configure MCP protocol settings for gateways
- Gateway Security: Implement JWT authorization and KMS encryption for gateways
- Granular Permissions: Control gateway create, read, update, and delete permissions
- OAuth2 Outbound Authorization: Configure OAuth client for gateway outbound authorization
- API Key Outbound Authorization: Configure API key for gateway outbound authorization
- Code Interpreter: Create and manage custom code interpreter resources for Bedrock agents
- Browser Custom: Create and manage custom browser resources for Bedrock agents with recording capabilities
module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Enable Agent Core Runtime
create_runtime = true
runtime_name = "MyCustomRuntime"
runtime_description = "Custom runtime for my Bedrock agent"
runtime_container_uri = "123456789012.dkr.ecr.us-east-1.amazonaws.com/bedrock/agent-runtime:latest"
runtime_network_mode = "PUBLIC"
# Environment variables for the runtime
runtime_environment_variables = {
"LOG_LEVEL" = "INFO"
"ENV" = "production"
}
# Enable Agent Core Runtime Endpoint
create_runtime_endpoint = true
runtime_endpoint_name = "MyRuntimeEndpoint"
runtime_endpoint_description = "Endpoint for my custom runtime"
}module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Enable Agent Core Runtime
create_runtime = true
runtime_name = "SecureRuntime"
runtime_container_uri = "123456789012.dkr.ecr.us-east-1.amazonaws.com/bedrock/agent-runtime:latest"
# Configure JWT authorization
runtime_authorizer_configuration = {
custom_jwt_authorizer = {
discovery_url = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example/.well-known/jwks.json"
allowed_audience = ["client-id-1", "client-id-2"]
}
}
# Enable Agent Core Runtime Endpoint
create_runtime_endpoint = true
runtime_endpoint_name = "SecureEndpoint"
}module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Enable Agent Core Runtime with custom IAM role
create_runtime = true
runtime_name = "CustomRoleRuntime"
runtime_container_uri = "123456789012.dkr.ecr.us-east-1.amazonaws.com/bedrock/agent-runtime:latest"
runtime_role_arn = "arn:aws:iam::123456789012:role/my-custom-bedrock-role"
# Enable Agent Core Runtime Endpoint
create_runtime_endpoint = true
runtime_endpoint_name = "CustomRoleEndpoint"
}Create and configure an MCP gateway:
module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Enable Agent Core Gateway
create_gateway = true
gateway_name = "MyMCPGateway"
gateway_description = "Gateway for Model Context Protocol connections"
# Configure the gateway protocol (MCP)
gateway_protocol_type = "MCP"
gateway_protocol_configuration = {
mcp = {
instructions = "Custom instructions for MCP tools and resources"
search_type = "DEFAULT"
supported_versions = ["1.0.0"]
}
}
# Optional JWT authorization
gateway_authorizer_type = "CUSTOM_JWT"
gateway_authorizer_configuration = {
custom_jwt_authorizer = {
discovery_url = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example/.well-known/jwks.json"
allowed_audience = ["client-id-1", "client-id-2"]
}
}
# Optional KMS encryption
gateway_kms_key_arn = "<INSERT_KEY_HERE>"
# Manage gateway permissions
gateway_allow_create_permissions = true
gateway_allow_update_delete_permissions = true
}The module can automatically create a Cognito User Pool to handle JWT authentication when no JWT auth information is provided:
module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Enable Agent Core Gateway
create_gateway = true
gateway_name = "GatewayWithAutoCognito"
gateway_authorizer_type = "CUSTOM_JWT"
# No gateway_authorizer_configuration - a Cognito User Pool will be created automatically
}In this scenario, the module will:
- Create a Cognito User Pool
- Configure a domain for the User Pool
- Set up a User Pool client with the necessary OAuth configuration
- Configure the gateway's JWT authorizer to use the User Pool
Memory is a critical component of intelligence. While Large Language Models (LLMs) have impressive capabilities, they lack persistent memory across conversations. Amazon Bedrock AgentCore Memory addresses this limitation by providing a managed service that enables AI agents to maintain context over time, remember important facts, and deliver consistent, personalized experiences.
AgentCore Memory operates on two levels:
- Short-Term Memory: Immediate conversation context and session-based information that provides continuity within a single interaction or closely related sessions.
- Long-Term Memory: Persistent information extracted and stored across multiple conversations, including facts, preferences, and summaries that enable personalized experiences over time.
When you interact with the memory, you store interactions in Short-Term Memory (STM) instantly. These interactions can include everything from user messages, assistant responses, to tool actions.
To write to long-term memory, you need to configure extraction strategies which define how and where to store information from conversations for future use. These strategies are asynchronously processed from raw events after every few turns based on the strategy that was selected. You can't create long term memory records directly, as they are extracted asynchronously by AgentCore Memory.
Below you can find how to configure a simple short-term memory (STM) with no long-term memory extraction strategies. Note how you set memory_event_expiry_duration, which defines the time in days the events will be stored in the short-term memory before they expire.
module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Create a basic memory with default settings, no LTM strategies
create_memory = true
memory_name = "my_memory"
memory_description = "A memory for storing user interactions for a period of 90 days"
memory_event_expiry_duration = 90
}Basic Memory with Custom KMS Encryption
# Create a custom KMS key for encryption
resource "aws_kms_key" "memory_encryption_key" {
enable_key_rotation = true
description = "KMS key for memory encryption"
}
module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Create memory with custom encryption
create_memory = true
memory_name = "my_encrypted_memory"
memory_description = "Memory with custom KMS encryption"
memory_event_expiry_duration = 90
memory_kms_key_arn = aws_kms_key.memory_encryption_key.arn
}The library provides three built-in LTM strategies. These are default strategies for organizing and extracting memory data, each optimized for specific use cases.
For example: An agent helps multiple users with cloud storage setup. From these conversations, see how each strategy processes users expressing confusion about account connection:
This strategy compresses conversations into concise overviews, preserving essential context and key insights for quick recall. Extracted memory example: Users confused by cloud setup during onboarding.
- Extracts concise summaries to preserve critical context and key insights
- Namespace:
/strategies/{memoryStrategyId}/actors/{actorId}/sessions/{sessionId}
Distills general facts, concepts, and underlying meanings from raw conversational data, presenting the information in a context-independent format. Extracted memory example: In-context learning = task-solving via examples, no training needed.
- Extracts general factual knowledge, concepts and meanings from raw conversations
- Namespace:
/strategies/{memoryStrategyId}/actors/{actorId}
Captures individual preferences, interaction patterns, and personalized settings to enhance future experiences. Extracted memory example: User needs clear guidance on cloud storage account connection during onboarding.
- Extracts user behavior patterns from raw conversations
- Namespace:
/strategies/{memoryStrategyId}/actors/{actorId}
module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Create memory with built-in strategies
create_memory = true
memory_name = "my_memory"
memory_description = "Memory with built-in strategies"
memory_event_expiry_duration = 90
# Add built-in memory strategies
memory_strategies = [
{
summarization_memory_strategy = {
name = "summary_strategy"
description = "Built-in summarization memory strategy"
namespaces = ["/strategies/{memoryStrategyId}/actors/{actorId}/sessions/{sessionId}"]
}
},
{
semantic_memory_strategy = {
name = "semantic_strategy"
description = "Built-in semantic memory strategy"
namespaces = ["/strategies/{memoryStrategyId}/actors/{actorId}"]
}
},
{
user_preference_memory_strategy = {
name = "preference_strategy"
description = "Built-in user preference memory strategy"
namespaces = ["/strategies/{memoryStrategyId}/actors/{actorId}"]
}
}
]
}The name generated for each built in memory strategy follows this pattern:
- For Summarization:
summary_builtin_<suffix> - For Semantic:
semantic_builtin_<suffix> - For User Preferences:
preference_builtin_<suffix>
Where the suffix is a 5 characters string ([a-z, A-Z, 0-9]).
If you need long-term memory for context recall across sessions, you can setup memory extraction strategies to extract the relevant memory from the raw events.
Amazon Bedrock AgentCore Memory has different memory strategies for extracting and organizing information:
- Summarization: to summarize interactions to preserve critical context and key insights.
- Semantic Memory: to extract general factual knowledge, concepts and meanings from raw conversations using vector embeddings. This enables similarity-based retrieval of relevant facts and context.
- User Preferences: to extract user behavior patterns from raw conversations.
You can use built-in extraction strategies for quick setup, or create custom extraction strategies with specific models and prompt templates.
With Long-Term Memory, organization is managed through Namespaces.
An actor refers to entity such as end users or agent/user combinations. For example, in a coding support chatbot, the actor is usually the developer asking questions. Using the actor ID helps the system know which user the memory belongs to, keeping each user's data separate and organized.
A session is usually a single conversation or interaction period between the user and the AI agent. It groups all related messages and events that happen during that conversation.
A namespace is used to logically group and organize long-term memories. It ensures data stays neat, separate, and secure.
With AgentCore Memory, you need to add a namespace when you define a memory strategy. This namespace helps define where the long-term memory will be logically grouped. Every time a new long-term memory is extracted using this memory strategy, it is saved under the namespace you set. This means that all long-term memories are scoped to their specific namespace, keeping them organized and preventing any mix-ups with other users or sessions. You should use a hierarchical format separated by forward slashes /. This helps keep memories organized clearly. As needed, you can choose to use the below pre-defined variables within braces in the namespace based on your applications' organization needs:
actorId– Identifies who the long-term memory belongs to, such as a usermemoryStrategyId– Shows which memory strategy is being used. This strategy identifier is auto-generated when you create a memory using CreateMemory operation.sessionId– Identifies which session or conversation the memory is from.
For example, if you define the following namespace as the input to your strategy:
/strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}After memory creation, this namespace might look like:
/strategy/summarization-93483043//actor/actor-9830m2w3/session/session-9330sds8You can customize the namespace (where the memories are stored) by configuring the memory strategies in your Terraform configuration:
module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Enable Agent Core Memory
create_memory = true
memory_name = "my_memory"
memory_description = "Memory with built-in strategies"
memory_event_expiry_duration = 90
# Configure memory strategies with custom namespaces
memory_strategies = [
{
user_preference_memory_strategy = {
name = "CustomerPreferences"
description = "User preference memory strategy"
namespaces = ["support/customer/{actorId}/preferences"]
}
},
{
semantic_memory_strategy = {
name = "CustomerSupportSemantic"
description = "Semantic memory strategy"
namespaces = ["support/customer/{actorId}/semantic"]
}
}
]
}Custom memory strategies let you tailor memory extraction and consolidation to your specific domain or use case. You can override the prompts for extracting and consolidating semantic, summary, or user preferences. You can also choose the model that you want to use for extraction and consolidation.
The custom prompts you create are appended to a non-editable system prompt.
Since a custom strategy requires you to invoke certain Foundation Models, you need a role with appropriate permissions. For that, you can:
- Use a custom role with the overly permissive
AmazonBedrockAgentCoreMemoryBedrockModelInferenceExecutionRolePolicymanaged policy. - Use a custom role with your own custom policies.
Keep in mind that memories that do not use custom strategies do not require a service role. A role is only created automatically when you use custom memory strategies that need to invoke foundation models. For standard built-in strategies (semantic, summary, user preference), no role is needed.
The module also exposes IAM policy documents that you can use to grant memory permissions to other resources (like Lambda functions or EC2 instances):
# Create a Lambda function that needs to write to memory
resource "aws_lambda_function" "memory_writer" {
function_name = "memory-writer"
# ... other Lambda configuration ...
}
# Create a policy for the Lambda using the provided policy document
resource "aws_iam_policy" "memory_write_policy" {
name = "memory-write-policy"
policy = jsonencode(module.agentcore.memory_stm_write_policy)
}
# Attach the policy to the Lambda role
resource "aws_iam_role_policy_attachment" "memory_write_policy_attachment" {
role = aws_lambda_function.memory_writer.role
policy_arn = aws_iam_policy.memory_write_policy.arn
}Available policy documents include:
memory_stm_write_policy- For STM write permissionsmemory_read_policy- For read permissions to both STM and LTMmemory_stm_read_policy- For STM-only read permissionsmemory_ltm_read_policy- For LTM-only read permissionsmemory_delete_policy- For delete permissions to both STM and LTMmemory_stm_delete_policy- For STM-only delete permissionsmemory_ltm_delete_policy- For LTM-only delete permissionsmemory_admin_policy- For control plane admin permissionsmemory_full_access_policy- For full access to all operations
The Amazon Bedrock AgentCore Browser provides a secure, cloud-based browser that enables AI agents to interact with websites. It includes security features such as session isolation, built-in observability through live viewing, CloudTrail logging, and session replay capabilities.
Additional information about the browser tool can be found in the official documentation.
The Browser construct supports the following network modes:
- Public Network Mode - Default
- Allows internet access for web browsing and external API calls
- Suitable for scenarios where agents need to interact with publicly available websites
- Enables full web browsing capabilities
- VPC mode is not supported with this option
- VPC (Virtual Private Cloud)
- Select whether to run the browser in a virtual private cloud (VPC).
- By configuring VPC connectivity, you enable secure access to private resources such as databases, internal APIs, and services within your VPC.
module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Enable Agent Core Browser Custom
create_browser = true
browser_name = "MyBrowser"
browser_description = "Custom browser for my Bedrock agent"
browser_network_mode = "PUBLIC" # PUBLIC or VPC
# Optional: Enable recording to S3
browser_recording_enabled = true
browser_recording_config = {
bucket = "my-browser-recordings-bucket"
prefix = "recordings/"
}
# Optional: For VPC network mode
# browser_network_configuration = {
# security_groups = ["enter_security_group"]
# subnets = ["enter_subnet"]
# }
browser_tags = {
Environment = "production"
Project = "ai-assistants"
}
}The Amazon Bedrock AgentCore Code Interpreter enables AI agents to write and execute code securely in sandbox environments, enhancing their accuracy and expanding their ability to solve complex end-to-end tasks. This is critical in Agentic AI applications where the agents may execute arbitrary code that can lead to data compromise or security risks. The AgentCore Code Interpreter tool provides secure code execution, which helps you avoid running into these issues.
For more information about code interpreter, please refer to the official documentation.
The Code Interpreter construct supports the following network modes:
- Public Network Mode - Default
- Allows internet access for package installation and external API calls
- Suitable for development and testing environments
- Enables downloading Python packages from PyPI
- Sandbox Network Mode
- Isolated network environment with no internet access
- Suitable for production environments with strict security requirements
- Only allows access to pre-installed packages and local resources
- VPC (Virtual Private Cloud)
- Select whether to run the browser in a virtual private cloud (VPC).
- By configuring VPC connectivity, you enable secure access to private resources such as databases, internal APIs, and services within your VPC.
module "agentcore" {
source = "aws-ia/agentcore/aws"
version = "0.0.2"
# Enable Agent Core Code Interpreter Custom
create_code_interpreter = true
code_interpreter_name = "MyCodeInterpreter"
code_interpreter_description = "Custom code interpreter for my Bedrock agent"
code_interpreter_network_mode = "SANDBOX" # SANDBOX or VPC
# Optional: For VPC network mode
# code_interpreter_network_configuration = {
# security_groups = ["enter-sg"]
# subnets = ["enter-subnet"]
# }
code_interpreter_tags = {
Environment = "production"
Project = "ai-assistants"
}
}The module creates the following resources:
- Agent Core Runtime: A container-based runtime environment for your Bedrock agent
- IAM Role and Policy: Permissions for the runtime to access AWS services
- Agent Core Runtime Endpoint: An endpoint for client applications to interact with the runtime
- Agent Core Gateway: A gateway for Model Context Protocol (MCP) connections
- Gateway IAM Role and Policy: Permissions for the gateway to access AWS services
The IAM role includes permissions for:
- ECR image access
- CloudWatch Logs
- X-Ray tracing
- CloudWatch metrics
- Bedrock model invocation
- Workload identity token management
To use this module, you need:
- An AWS account with appropriate permissions
- Terraform >= 1.0.7
- AWS provider >= 4.0.0
- AWSCC provider >= 0.24.0
- A container image in Amazon ECR (for the runtime)
The module includes examples demonstrating different use cases:
The agent-runtime example demonstrates:
- Creating an ECR repository
- Building and pushing a Docker image
- Creating a Bedrock Agent Runtime and Endpoint
- Implementing a STRANDS framework agent with tool-calling capabilities
This example includes:
- A Python implementation using the STRANDS framework
- Tools for calculations, weather information, and greetings
- Testing scripts for local and deployed testing
The module supports both PUBLIC and VPC network modes:
# Public network mode (default)
runtime_network_mode = "PUBLIC"
# VPC network mode (requires additional configuration)
runtime_network_mode = "VPC"Pass configuration to your runtime container:
runtime_environment_variables = {
"LOG_LEVEL" = "DEBUG"
"MODEL_ID" = "anthropic.claude-3-sonnet-20240229-v1:0"
"MAX_TOKENS" = "4096"
}Add tags to your resources:
runtime_tags = {
Environment = "production"
Project = "ai-assistants"
Owner = "data-science-team"
}
runtime_endpoint_tags = {
Environment = "production"
Project = "ai-assistants"
Owner = "data-science-team"
}
memory_tags = {
Environment = "production"
Project = "ai-assistants"
Owner = "data-science-team"
}
gateway_tags = {
Environment = "production"
Project = "ai-assistants"
Owner = "data-science-team"
}| Name | Version |
|---|---|
| terraform | >= 1.0.7 |
| aws | >= 4.0.0 |
| awscc | >= 0.24.0 |
| random | >= 3.6.0 |
| time | >= 0.9.0 |
| Name | Version |
|---|---|
| aws | >= 4.0.0 |
| awscc | >= 0.24.0 |
| random | >= 3.6.0 |
| time | >= 0.9.0 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| apikey_credential_provider_arn | ARN of the API key credential provider created with CreateApiKeyCredentialProvider. Required when enable_apikey_outbound_auth is true. | string |
null |
no |
| apikey_secret_arn | ARN of the AWS Secrets Manager secret containing the API key. Required when enable_apikey_outbound_auth is true. | string |
null |
no |
| browser_description | Description of the agent core browser. | string |
null |
no |
| browser_name | The name of the agent core browser. Valid characters are a-z, A-Z, 0-9, _ (underscore). The name must start with a letter and can be up to 48 characters long. | string |
"TerraformBedrockAgentCoreBrowser" |
no |
| browser_network_configuration | VPC network configuration for the agent core browser. Required when browser_network_mode is set to 'VPC'. | object({ |
null |
no |
| browser_network_mode | Network mode configuration type for the agent core browser. Valid values: PUBLIC, VPC. | string |
"PUBLIC" |
no |
| browser_recording_config | Configuration for browser session recording when enabled. Bucket name must follow S3 naming conventions (lowercase alphanumeric characters, dots, and hyphens), between 3 and 63 characters, starting and ending with alphanumeric character. | object({ |
null |
no |
| browser_recording_enabled | Whether to enable browser session recording to S3. | bool |
false |
no |
| browser_role_arn | Optional external IAM role ARN for the Bedrock agent core browser. If empty, the module will create one internally. | string |
null |
no |
| browser_tags | A map of tag keys and values for the agent core browser. Each tag key and value must be between 1 and 256 characters and can only include alphanumeric characters, spaces, and the following special characters: _ . : / = + @ - | map(string) |
null |
no |
| code_interpreter_description | Description of the agent core code interpreter. Valid characters are a-z, A-Z, 0-9, _ (underscore), - (hyphen) and spaces. The description can have up to 200 characters. | string |
null |
no |
| code_interpreter_name | The name of the agent core code interpreter. Valid characters are a-z, A-Z, 0-9, _ (underscore). The name must start with a letter and can be up to 48 characters long. | string |
"TerraformBedrockAgentCoreCodeInterpreter" |
no |
| code_interpreter_network_configuration | VPC network configuration for the agent core code interpreter. | object({ |
null |
no |
| code_interpreter_network_mode | Network mode configuration type for the agent core code interpreter. Valid values: SANDBOX, VPC. | string |
"SANDBOX" |
no |
| code_interpreter_role_arn | Optional external IAM role ARN for the Bedrock agent core code interpreter. If empty, the module will create one internally. | string |
null |
no |
| code_interpreter_tags | A map of tag keys and values for the agent core code interpreter. Each tag key and value must be between 1 and 256 characters and can only include alphanumeric characters, spaces, and the following special characters: _ . : / = + @ - | map(string) |
null |
no |
| create_browser | Whether or not to create an agent core browser custom. | bool |
false |
no |
| create_code_interpreter | Whether or not to create an agent core code interpreter custom. | bool |
false |
no |
| create_gateway | Whether or not to create an agent core gateway. | bool |
false |
no |
| create_memory | Whether or not to create an agent core memory. | bool |
false |
no |
| create_runtime | Whether or not to create an agent core runtime. | bool |
false |
no |
| create_runtime_endpoint | Whether or not to create an agent core runtime endpoint. | bool |
false |
no |
| enable_apikey_outbound_auth | Whether to enable outbound authorization with an API key for the gateway. | bool |
false |
no |
| enable_oauth_outbound_auth | Whether to enable outbound authorization with an OAuth client for the gateway. | bool |
false |
no |
| gateway_allow_create_permissions | Whether to allow create permissions for the gateway. | bool |
true |
no |
| gateway_allow_update_delete_permissions | Whether to allow update and delete permissions for the gateway. | bool |
false |
no |
| gateway_authorizer_configuration | Authorizer configuration for the agent core gateway. | object({ |
null |
no |
| gateway_authorizer_type | The authorizer type for the gateway. Valid values: AWS_IAM, CUSTOM_JWT. | string |
"CUSTOM_JWT" |
no |
| gateway_cross_account_lambda_permissions | Configuration for cross-account Lambda function access. Required only if Lambda functions are in different AWS accounts. | list(object({ |
[] |
no |
| gateway_description | Description of the agent core gateway. | string |
null |
no |
| gateway_exception_level | Exception level for the gateway. Valid values: PARTIAL, FULL. | string |
null |
no |
| gateway_kms_key_arn | The ARN of the KMS key used to encrypt the gateway. | string |
null |
no |
| gateway_lambda_function_arns | List of Lambda function ARNs that the gateway service role should be able to invoke. Required when using Lambda targets. | list(string) |
[] |
no |
| gateway_name | The name of the agent core gateway. | string |
"TerraformBedrockAgentCoreGateway" |
no |
| gateway_protocol_configuration | Protocol configuration for the agent core gateway. | object({ |
null |
no |
| gateway_protocol_type | The protocol type for the gateway. Valid value: MCP. | string |
"MCP" |
no |
| gateway_role_arn | Optional external IAM role ARN for the Bedrock agent core gateway. If empty, the module will create one internally. | string |
null |
no |
| gateway_tags | A map of tag keys and values for the agent core gateway. | map(string) |
null |
no |
| memory_description | Description of the agent core memory. | string |
null |
no |
| memory_encryption_key_arn | The ARN of the KMS key used to encrypt the memory. | string |
null |
no |
| memory_event_expiry_duration | Duration in days until memory events expire. | number |
90 |
no |
| memory_execution_role_arn | Optional IAM role ARN for the Bedrock agent core memory. | string |
null |
no |
| memory_name | The name of the agent core memory. | string |
"TerraformBedrockAgentCoreMemory" |
no |
| memory_strategies | List of memory strategies attached to this memory. | list(object({ |
[] |
no |
| memory_tags | A map of tag keys and values for the agent core memory. | map(string) |
null |
no |
| oauth_credential_provider_arn | ARN of the OAuth credential provider created with CreateOauth2CredentialProvider. Required when enable_oauth_outbound_auth is true. | string |
null |
no |
| oauth_secret_arn | ARN of the AWS Secrets Manager secret containing the OAuth client credentials. Required when enable_oauth_outbound_auth is true. | string |
null |
no |
| permissions_boundary_arn | The ARN of the IAM permission boundary for the role. | string |
null |
no |
| runtime_authorizer_configuration | Authorizer configuration for the agent core runtime. | object({ |
null |
no |
| runtime_container_uri | The ECR URI of the container for the agent core runtime. | string |
null |
no |
| runtime_description | Description of the agent runtime. | string |
null |
no |
| runtime_endpoint_agent_runtime_id | The ID of the agent core runtime associated with the endpoint. If not provided, it will use the ID of the agent runtime created by this module. | string |
null |
no |
| runtime_endpoint_description | Description of the agent core runtime endpoint. | string |
null |
no |
| runtime_endpoint_name | The name of the agent core runtime endpoint. | string |
"TerraformBedrockAgentCoreRuntimeEndpoint" |
no |
| runtime_endpoint_tags | A map of tag keys and values for the agent core runtime endpoint. | map(string) |
null |
no |
| runtime_environment_variables | Environment variables for the agent core runtime. | map(string) |
null |
no |
| runtime_name | The name of the agent core runtime. | string |
"TerraformBedrockAgentCoreRuntime" |
no |
| runtime_network_configuration | VPC network configuration for the agent core runtime. | object({ |
null |
no |
| runtime_network_mode | Network mode configuration type for the agent core runtime. Valid values: PUBLIC, VPC. | string |
"PUBLIC" |
no |
| runtime_protocol_configuration | Protocol configuration for the agent core runtime. | string |
null |
no |
| runtime_role_arn | Optional external IAM role ARN for the Bedrock agent core runtime. If empty, the module will create one internally. | string |
null |
no |
| runtime_tags | A map of tag keys and values for the agent core runtime. | map(string) |
null |
no |
| user_pool_admin_email | Email address for the admin user. | string |
"[email protected]" |
no |
| user_pool_allowed_clients | List of allowed clients for the Cognito User Pool JWT authorizer. | list(string) |
[] |
no |
| user_pool_callback_urls | List of allowed callback URLs for the Cognito User Pool client. | list(string) |
[ |
no |
| user_pool_create_admin | Whether to create an admin user in the Cognito User Pool. | bool |
false |
no |
| user_pool_logout_urls | List of allowed logout URLs for the Cognito User Pool client. | list(string) |
[ |
no |
| user_pool_mfa_configuration | MFA configuration for the Cognito User Pool. Valid values: OFF, OPTIONAL, REQUIRED. | string |
"OFF" |
no |
| user_pool_name | The name of the Cognito User Pool to create when JWT auth info is not provided. | string |
"AgentCoreUserPool" |
no |
| user_pool_password_policy | Password policy for the Cognito User Pool. | object({ |
{} |
no |
| user_pool_refresh_token_validity_days | Number of days that refresh tokens are valid for. | number |
30 |
no |
| user_pool_tags | A map of tag keys and values for the Cognito User Pool. | map(string) |
null |
no |
| user_pool_token_validity_hours | Number of hours that ID and access tokens are valid for. | number |
24 |
no |
| Name | Description |
|---|---|
| agent_browser_arn | ARN of the created Bedrock AgentCore Browser Custom |
| agent_browser_created_at | Creation timestamp of the created Bedrock AgentCore Browser Custom |
| agent_browser_failure_reason | Failure reason if the Bedrock AgentCore Browser Custom failed |
| agent_browser_id | ID of the created Bedrock AgentCore Browser Custom |
| agent_browser_last_updated_at | Last update timestamp of the created Bedrock AgentCore Browser Custom |
| agent_browser_status | Status of the created Bedrock AgentCore Browser Custom |
| agent_code_interpreter_arn | ARN of the created Bedrock AgentCore Code Interpreter Custom |
| agent_code_interpreter_created_at | Creation timestamp of the created Bedrock AgentCore Code Interpreter Custom |
| agent_code_interpreter_failure_reason | Failure reason if the Bedrock AgentCore Code Interpreter Custom failed |
| agent_code_interpreter_id | ID of the created Bedrock AgentCore Code Interpreter Custom |
| agent_code_interpreter_last_updated_at | Last update timestamp of the created Bedrock AgentCore Code Interpreter Custom |
| agent_code_interpreter_status | Status of the created Bedrock AgentCore Code Interpreter Custom |
| agent_gateway_arn | ARN of the created Bedrock AgentCore Gateway |
| agent_gateway_id | ID of the created Bedrock AgentCore Gateway |
| agent_gateway_status | Status of the created Bedrock AgentCore Gateway |
| agent_gateway_status_reasons | Status reasons of the created Bedrock AgentCore Gateway |
| agent_gateway_url | URL of the created Bedrock AgentCore Gateway |
| agent_gateway_workload_identity_details | Workload identity details of the created Bedrock AgentCore Gateway |
| agent_memory_arn | ARN of the created Bedrock AgentCore Memory |
| agent_memory_created_at | Creation timestamp of the created Bedrock AgentCore Memory |
| agent_memory_id | ID of the created Bedrock AgentCore Memory |
| agent_memory_status | Status of the created Bedrock AgentCore Memory |
| agent_memory_updated_at | Last update timestamp of the created Bedrock AgentCore Memory |
| agent_runtime_arn | ARN of the created Bedrock AgentCore Runtime |
| agent_runtime_endpoint_arn | ARN of the created Bedrock AgentCore Runtime Endpoint |
| agent_runtime_endpoint_id | ID of the created Bedrock AgentCore Runtime Endpoint |
| agent_runtime_endpoint_live_version | Live version of the created Bedrock AgentCore Runtime Endpoint |
| agent_runtime_endpoint_status | Status of the created Bedrock AgentCore Runtime Endpoint |
| agent_runtime_endpoint_target_version | Target version of the created Bedrock AgentCore Runtime Endpoint |
| agent_runtime_id | ID of the created Bedrock AgentCore Runtime |
| agent_runtime_status | Status of the created Bedrock AgentCore Runtime |
| agent_runtime_version | Version of the created Bedrock AgentCore Runtime |
| agent_runtime_workload_identity_details | Workload identity details of the created Bedrock AgentCore Runtime |
| browser_admin_permissions | IAM permissions for browser administration operations |
| browser_admin_policy | Policy document for browser administration |
| browser_full_access_permissions | Full access IAM permissions for all browser operations |
| browser_full_access_policy | Policy document for granting full access to Bedrock AgentCore Browser operations |
| browser_list_permissions | IAM permissions for listing browser resources |
| browser_list_policy | Policy document for listing browser resources |
| browser_read_permissions | IAM permissions for reading browser information |
| browser_read_policy | Policy document for reading browser information |
| browser_role_arn | ARN of the IAM role created for the Bedrock AgentCore Browser Custom |
| browser_role_name | Name of the IAM role created for the Bedrock AgentCore Browser Custom |
| browser_session_permissions | IAM permissions for managing browser sessions |
| browser_session_policy | Policy document for browser session management |
| browser_stream_permissions | IAM permissions for browser streaming operations |
| browser_stream_policy | Policy document for browser streaming operations |
| browser_use_permissions | IAM permissions for using browser functionality |
| browser_use_policy | Policy document for using browser functionality |
| code_interpreter_admin_permissions | IAM permissions for code interpreter administration operations |
| code_interpreter_admin_policy | Policy document for code interpreter administration |
| code_interpreter_full_access_permissions | Full access IAM permissions for all code interpreter operations |
| code_interpreter_full_access_policy | Policy document for granting full access to Bedrock AgentCore Code Interpreter operations |
| code_interpreter_invoke_permissions | IAM permissions for invoking code interpreter |
| code_interpreter_invoke_policy | Policy document for code interpreter invocation operations |
| code_interpreter_list_permissions | IAM permissions for listing code interpreter resources |
| code_interpreter_list_policy | Policy document for listing code interpreter resources |
| code_interpreter_read_permissions | IAM permissions for reading code interpreter information |
| code_interpreter_read_policy | Policy document for reading code interpreter information |
| code_interpreter_role_arn | ARN of the IAM role created for the Bedrock AgentCore Code Interpreter Custom |
| code_interpreter_role_name | Name of the IAM role created for the Bedrock AgentCore Code Interpreter Custom |
| code_interpreter_session_permissions | IAM permissions for managing code interpreter sessions |
| code_interpreter_session_policy | Policy document for code interpreter session management |
| code_interpreter_use_permissions | IAM permissions for using code interpreter functionality |
| code_interpreter_use_policy | Policy document for using code interpreter functionality |
| cognito_discovery_url | OpenID Connect discovery URL for the Cognito User Pool |
| cognito_domain | Domain of the Cognito User Pool |
| gateway_role_arn | ARN of the IAM role created for the Bedrock AgentCore Gateway |
| gateway_role_name | Name of the IAM role created for the Bedrock AgentCore Gateway |
| memory_admin_permissions | IAM permissions for memory administration operations |
| memory_admin_policy | Policy document for granting control plane admin permissions |
| memory_delete_permissions | Combined IAM permissions for deleting from both Short-Term Memory (STM) and Long-Term Memory (LTM) |
| memory_delete_policy | Policy document for granting delete permissions to both STM and LTM |
| memory_full_access_permissions | Full access IAM permissions for all memory operations |
| memory_full_access_policy | Policy document for granting full access to all memory operations |
| memory_kms_policy_arn | ARN of the KMS policy for memory encryption (only available when KMS is provided) |
| memory_ltm_delete_permissions | IAM permissions for deleting from Long-Term Memory (LTM) |
| memory_ltm_delete_policy | Policy document for granting LTM delete permissions only |
| memory_ltm_read_permissions | IAM permissions for reading from Long-Term Memory (LTM) |
| memory_ltm_read_policy | Policy document for granting LTM read permissions only |
| memory_read_permissions | Combined IAM permissions for reading from both Short-Term Memory (STM) and Long-Term Memory (LTM) |
| memory_read_policy | Policy document for granting read permissions to both STM and LTM |
| memory_role_arn | ARN of the IAM role created for the Bedrock AgentCore Memory |
| memory_role_name | Name of the IAM role created for the Bedrock AgentCore Memory |
| memory_stm_delete_permissions | IAM permissions for deleting from Short-Term Memory (STM) |
| memory_stm_delete_policy | Policy document for granting STM delete permissions only |
| memory_stm_read_permissions | IAM permissions for reading from Short-Term Memory (STM) |
| memory_stm_read_policy | Policy document for granting STM read permissions only |
| memory_stm_write_permissions | IAM permissions for writing to Short-Term Memory (STM) |
| memory_stm_write_policy | Policy document for granting Short-Term Memory (STM) write permissions |
| runtime_role_arn | ARN of the IAM role created for the Bedrock AgentCore Runtime |
| runtime_role_name | Name of the IAM role created for the Bedrock AgentCore Runtime |
| user_pool_arn | ARN of the Cognito User Pool created as JWT authentication fallback |
| user_pool_client_id | ID of the Cognito User Pool Client |
| user_pool_endpoint | Endpoint of the Cognito User Pool created as JWT authentication fallback |
| user_pool_id | ID of the Cognito User Pool created as JWT authentication fallback |
| using_cognito_fallback | Whether the module is using a Cognito User Pool as fallback for JWT authentication |
