feat(bootstrap): resource-action-map for synth-time validation

cdk/src/bootstrap/index.ts

@@ -19,3 +19,4 @@
 
 export { infrastructurePolicy, applicationPolicy, observabilityPolicy, allPolicies } from './policies';
 export { BOOTSTRAP_VERSION, computeBootstrapHash } from './version';
+export { getRequiredBootstrapPolicies } from './required-policies';

cdk/src/bootstrap/preflight/index.ts

@@ -0,0 +1,25 @@
+/**
+ *  MIT No Attribution
+ *
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy of
+ *  the Software without restriction, including without limitation the rights to
+ *  use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ *  the Software, and to permit persons to whom the Software is furnished to do so.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ *  SOFTWARE.
+ */
+
+export {
+  RESOURCE_ACTION_MAP,
+  getActionsForResource,
+  getAllMappedActions,
+} from './resource-action-map';
+export type { ResourceActions } from './resource-action-map';

cdk/src/bootstrap/required-policies.ts

@@ -0,0 +1,36 @@
+/**
+ *  MIT No Attribution
+ *
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy of
+ *  the Software without restriction, including without limitation the rights to
+ *  use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ *  the Software, and to permit persons to whom the Software is furnished to do so.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ *  SOFTWARE.
+ */
+
+const CORE_POLICIES = [
+  'infrastructure',
+  'application',
+  'observability',
+] as const;
+
+const COMPUTE_VARIANT_POLICIES: Record<string, string[]> = {
+  agentcore: ['compute-agentcore'],
+  ecs: ['compute-ecs'],
+};
+
+export function getRequiredBootstrapPolicies(computeType: string): string[] {
+  const base: string[] = [...CORE_POLICIES];
+  const variants = COMPUTE_VARIANT_POLICIES[computeType];
+  if (variants) base.push(...variants);
+  return base;
+}

cdk/src/stacks/agent.ts

@@ -23,8 +23,7 @@ import * as bedrock from '@aws-cdk/aws-bedrock-alpha';
 import * as agentcoremixins from '@aws-cdk/mixins-preview/aws-bedrockagentcore';
 import { ArnFormat, AspectPriority, Aspects, Stack, StackProps, RemovalPolicy, CfnOutput, CfnResource, Duration, Fn, Lazy } from 'aws-cdk-lib';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
-// ecr_assets import is only needed when the ECS block below is uncommented
-// import * as ecr_assets from 'aws-cdk-lib/aws-ecr-assets';
+import * as ecr_assets from 'aws-cdk-lib/aws-ecr-assets';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as logs from 'aws-cdk-lib/aws-logs';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
@@ -39,7 +38,7 @@ import { Blueprint } from '../constructs/blueprint';
 import { CedarWasmLayer } from '../constructs/cedar-wasm-layer';
 import { ConcurrencyReconciler } from '../constructs/concurrency-reconciler';
 import { DnsFirewall } from '../constructs/dns-firewall';
-// import { EcsAgentCluster } from '../constructs/ecs-agent-cluster';
+import { EcsAgentCluster } from '../constructs/ecs-agent-cluster';
 import { FanOutConsumer } from '../constructs/fanout-consumer';
 import { LinearIntegration } from '../constructs/linear-integration';
 import { PendingUploadCleanup } from '../constructs/pending-upload-cleanup';
@@ -537,26 +536,25 @@ export class AgentStack extends Stack {
       description: 'Name of the S3 bucket storing --trace trajectory artifacts (design §10.1)',
     });
 
-    // --- ECS Fargate compute backend (optional) ---
-    // To enable ECS as an alternative compute backend, uncomment the block below
-    // and the EcsAgentCluster import at the top of this file. Repos can then use
-    // compute_type: 'ecs' in their blueprint config to route tasks to ECS Fargate.
-    //
-    // const agentImageAsset = new ecr_assets.DockerImageAsset(this, 'AgentImage', {
-    //   directory: repoRoot,
-    //   file: 'agent/Dockerfile',
-    //   platform: ecr_assets.Platform.LINUX_ARM64,
-    // });
-    //
-    // const ecsCluster = new EcsAgentCluster(this, 'EcsAgentCluster', {
-    //   vpc: agentVpc.vpc,
-    //   agentImageAsset,
-    //   taskTable: taskTable.table,
-    //   taskEventsTable: taskEventsTable.table,
-    //   userConcurrencyTable: userConcurrencyTable.table,
-    //   githubTokenSecret,
-    //   memoryId: agentMemory.memory.memoryId,
-    // });
+    // --- ECS Fargate compute backend (enabled when compute_type=ecs) ---
+    const computeType = this.node.tryGetContext('compute_type') ?? 'agentcore';
+    if (computeType === 'ecs') {
+      const agentImageAsset = new ecr_assets.DockerImageAsset(this, 'AgentImage', {
+        directory: repoRoot,
+        file: 'agent/Dockerfile',
+        platform: ecr_assets.Platform.LINUX_ARM64,
+      });
+
+      new EcsAgentCluster(this, 'EcsAgentCluster', {
+        vpc: agentVpc.vpc,
+        agentImageAsset,
+        taskTable: taskTable.table,
+        taskEventsTable: taskEventsTable.table,
+        userConcurrencyTable: userConcurrencyTable.table,
+        githubTokenSecret,
+        memoryId: agentMemory.memory.memoryId,
+      });
+    }
 
     // --- Task Orchestrator (durable Lambda function) ---
     const orchestrator = new TaskOrchestrator(this, 'TaskOrchestrator', {

cdk/test/bootstrap/required-policies.test.ts

@@ -0,0 +1,49 @@
+/**
+ *  MIT No Attribution
+ *
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy of
+ *  the Software without restriction, including without limitation the rights to
+ *  use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ *  the Software, and to permit persons to whom the Software is furnished to do so.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ *  SOFTWARE.
+ */
+
+import { getRequiredBootstrapPolicies } from '../../src/bootstrap/required-policies';
+
+describe('getRequiredBootstrapPolicies', () => {
+  it('returns core policies plus compute-agentcore for agentcore type', () => {
+    const result = getRequiredBootstrapPolicies('agentcore');
+    expect(result).toEqual(['infrastructure', 'application', 'observability', 'compute-agentcore']);
+  });
+
+  it('returns core policies plus compute-ecs for ecs type', () => {
+    const result = getRequiredBootstrapPolicies('ecs');
+    expect(result).toEqual(['infrastructure', 'application', 'observability', 'compute-ecs']);
+    expect(result).not.toContain('compute-agentcore');
+  });
+
+  it('compute variants are independent choices', () => {
+    const agentcore = getRequiredBootstrapPolicies('agentcore');
+    const ecs = getRequiredBootstrapPolicies('ecs');
+    expect(agentcore).toContain('compute-agentcore');
+    expect(agentcore).not.toContain('compute-ecs');
+    expect(ecs).toContain('compute-ecs');
+    expect(ecs).not.toContain('compute-agentcore');
+  });
+
+  it('returns only core policies for unknown compute type', () => {
+    const result = getRequiredBootstrapPolicies('unknown');
+    expect(result).toEqual(['infrastructure', 'application', 'observability']);
+    expect(result).not.toContain('compute-ecs');
+    expect(result).not.toContain('compute-agentcore');
+  });
+});