fix(bedrock-agentcore-alpha): fix unexpected validation error when properties are Token (#35978)

### Issue # (if applicable)

N/A

### Reason for this change

Some Validation logics were throwing unexpected errors when properties are defined as CDK `Token` types. 
`string` or `number` may be `Token`.

### Description of changes

- Added `Token` type checking before property validation
- Added test cases for `Token` properties to verify not throwing errors.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes
Added unit tests to verify `Token` properties bypass validation


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: mazyu36

packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/memory/memory.ts

@@ -11,7 +11,7 @@
  *  and limitations under the License.
  */
 
-import { Arn, ArnFormat, Duration, IResource, Lazy, Resource } from 'aws-cdk-lib';
+import { Arn, ArnFormat, Duration, IResource, Lazy, Resource, Token } from 'aws-cdk-lib';
 import { IConstruct, Construct } from 'constructs';
 import * as bedrockagentcore from 'aws-cdk-lib/aws-bedrockagentcore';
 import { CfnMemory, CfnMemoryProps } from 'aws-cdk-lib/aws-bedrockagentcore';
@@ -828,6 +828,10 @@ export class Memory extends MemoryBase {
   private _validateMemoryExpirationDays = (expirationDays: number): string[] => {
     let errors: string[] = [];
 
+    if (Token.isUnresolved(expirationDays)) {
+      return errors;
+    }
+
     if (expirationDays < MEMORY_EXPIRATION_DAYS_MIN || expirationDays > MEMORY_EXPIRATION_DAYS_MAX) {
       errors.push(`Memory expiration days must be between ${MEMORY_EXPIRATION_DAYS_MIN} and ${MEMORY_EXPIRATION_DAYS_MAX}`);
     }

packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-authorizer-configuration.ts

@@ -13,6 +13,7 @@
 
 import { CfnRuntime } from 'aws-cdk-lib/aws-bedrockagentcore';
 import { ValidationError } from './validation-helpers';
+import { Token } from 'aws-cdk-lib';
 import { IUserPool, IUserPoolClient } from 'aws-cdk-lib/aws-cognito';
 
 /**
@@ -44,7 +45,7 @@ export abstract class RuntimeAuthorizerConfiguration {
     allowedClients?: string[],
     allowedAudience?: string[],
   ): RuntimeAuthorizerConfiguration {
-    if (!discoveryUrl.endsWith('/.well-known/openid-configuration')) {
+    if (!Token.isUnresolved(discoveryUrl) && !discoveryUrl.endsWith('/.well-known/openid-configuration')) {
       throw new ValidationError('JWT discovery URL must end with /.well-known/openid-configuration');
     }
     return new JwtAuthorizerConfiguration(discoveryUrl, allowedClients, allowedAudience);
@@ -81,7 +82,7 @@ export abstract class RuntimeAuthorizerConfiguration {
     clientId: string,
     allowedAudience?: string[],
   ): RuntimeAuthorizerConfiguration {
-    if (!discoveryUrl.endsWith('/.well-known/openid-configuration')) {
+    if (!Token.isUnresolved(discoveryUrl) && !discoveryUrl.endsWith('/.well-known/openid-configuration')) {
       throw new ValidationError('OAuth discovery URL must end with /.well-known/openid-configuration');
     }
     return new OAuthAuthorizerConfiguration(discoveryUrl, clientId, allowedAudience);

packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/memory/memory.test.ts

@@ -471,6 +471,21 @@ describe('Memory expiration duration validation tests', () => {
       });
     }).not.toThrow();
   });
+
+  test('does not fail validation if expirationDuration is a late-bound value', () => {
+    // WHEN
+    const expirationDuration = new cdk.CfnParameter(stack, 'ExpirationDuration', {
+      default: 30,
+      type: 'Number',
+    });
+
+    expect(() => {
+      new Memory(stack, 'memory-late-bound', {
+        memoryName: 'memory_late_bound',
+        expirationDuration: Duration.days(expirationDuration.valueAsNumber),
+      });
+    }).not.toThrow();
+  });
 });
 
 describe('Memory with custom strategies tests', () => {

packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts

@@ -1154,6 +1154,35 @@ describe('Runtime authentication configuration error cases', () => {
     app.synth();
     expect(runtime.agentRuntimeName).toBe('test_runtime');
   });
+
+  test('does not fail validation if JWT discovery URL is a late-bound value', () => {
+    // WHEN
+    const discoveryUrlParam = new cdk.CfnParameter(stack, 'JWTDiscoveryUrl', {
+      default: 'https://example.com/.well-known/openid-configuration',
+      type: 'String',
+    });
+
+    // THEN
+    expect(() => {
+      RuntimeAuthorizerConfiguration.usingJWT(discoveryUrlParam.valueAsString);
+    }).not.toThrow();
+  });
+
+  test('does not fail validation if OAuth discovery URL is a late-bound value', () => {
+    // WHEN
+    const discoveryUrlParam = new cdk.CfnParameter(stack, 'OAuthDiscoveryUrl', {
+      default: 'https://oauth-provider.com/.well-known/openid-configuration',
+      type: 'String',
+    });
+
+    // THEN
+    expect(() => {
+      RuntimeAuthorizerConfiguration.usingOAuth(
+        discoveryUrlParam.valueAsString,
+        'oauth-client-123',
+      );
+    }).not.toThrow();
+  });
 });
 
 describe('RuntimeNetworkConfiguration tests', () => {