feat(memory): add agentcore memory l2 construct

[krokoko]

Issue # (if applicable)

Related to aws/aws-cdk-rfcs#825

Reason for this change

Adding a new alpha package for Amazon Bedrock AgentCore and add support for memory.

Description of changes

• Create a new alpha package
• Add L2 constructs for memory
• Add documentation
• Add tests

Describe any new or updated permissions being added

Using permissions for agent core defined in https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html

Description of how you validated changes

Unit tests, integration tests, manual tests

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

Pull request has been modified.

[krokoko]

tagging the PR as "ready for review" since the RFC was approved

[Abogical]

Validation errors should be scoped to the resource it emits. (This should've been specified in the design guidelines, not sure why it isn't), see here.

Also, the entire validation helper file seem to be very general functions that can be used elsewhere, and is quite similar to the ones added by runtime. To avoid duplication, use what is available in core/lib. If it's not available
in core, you can add it there.

[krokoko]

Yes we use the same validation methods in every part of agentcore alpha package. Is this a blocker for you now ? I can create a follow up PR to harmonize these across the three primitives (memory, 1p tools, runtime)

[Abogical]

It's not a strong blocker, but I'd prefer the validation errors be scoped to the resource at least so the users can know where the error is coming from.

[krokoko]

scoped in ddae010
as discussed will open a PR later to harmonize across the different pieces of the alpha package

Pull request has been modified.

[Abogical]

I might be misunderstanding something here, but shouldn't these permissions be used in the grant methods?

[krokoko]

they are in the grantFullAccess method:

grantFullAccess(grantee: iam.IGrantable): iam.Grant {
    return this.grant(grantee, ...MemoryPerms.FULL_ACCESS_PERMS);
  }

Is that what you are referring to ?

[Abogical]

I can't find this grant method in the PR. Is it pushed to this PR?

[krokoko]

Yes in memory.ts, line 326

/**
   * Grant the given principal identity permissions to do every action on this memory.
   *
   * @param grantee - The IAM principal to grant full access permissions to
   * @default - Default grant configuration:
   * - actions: ['bedrock-agentcore:CreateEvent',
      'bedrock-agentcore:GetEvent',
      'bedrock-agentcore:DeleteEvent',
      'bedrock-agentcore:GetMemoryRecord',
      'bedrock-agentcore:RetrieveMemoryRecords',
      'bedrock-agentcore:ListMemoryRecords',
      'bedrock-agentcore:ListActors',
      'bedrock-agentcore:ListSessions',
      'bedrock-agentcore:CreateMemory',
      'bedrock-agentcore:GetMemory',
      'bedrock-agentcore:DeleteMemory',
      'bedrock-agentcore:UpdateMemory'] on this.memoryArn
   * @returns An IAM Grant object representing the granted permissions
   */
  grantFullAccess(grantee: iam.IGrantable): iam.Grant {
    return this.grant(grantee, ...MemoryPerms.FULL_ACCESS_PERMS);
  }

Pull request has been modified.

[krokoko]

@Abogical FYI

[Abogical]

LGTM, Thanks!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.