mirror of synced 2026-05-22 22:53:35 +00:00
amazon-bedrock-agentcore-sa…/04-infrastructure-as-code/cdk/python/basic-runtime
Jerad 8bb4db3009 feat(cdk): reorganize CDK samples into python/ and typescript/ folders and add TypeScript CDK sample (#923)
* feat(cdk): reorganize CDK samples into python/ and typescript/ folders

- Move existing Python CDK samples to cdk/python/
- Add TypeScript CDK samples folder with knowledge-base-rag-agent
- Update cdk/README.md with language comparison table
- Update parent README with new paths and TypeScript mention
- Add cdk/python/README.md for Python-specific guidance

🤖 Assisted by Amazon Q Developer

* docs: add Jerad Engebreth to CONTRIBUTORS.md

🤖 Assisted by Amazon Q Developer

* fix(cdk/typescript): document known vulnerabilities and fix npm workspaces build

- Add Known Dependency Vulnerabilities section to README documenting
  upstream issues in aws-amplify (fast-xml-parser, lodash)
- Add build/test scripts to Lambda layer package.json to fix npm
  workspaces build command

🤖 Assisted by Amazon Q Developer

* fix(security): add HEALTHCHECK and non-root USER to Dockerfile

- Add HEALTHCHECK instruction for container orchestration
- Create non-root appuser for security best practices
- Addresses CKV_DOCKER_2, CKV_DOCKER_3 security findings

* fix(security): address CodeQL findings for insecure randomness and HTML sanitization

- Replace Math.random() with crypto.randomBytes() for session ID generation
- Use iterative sanitization loop to handle nested/obfuscated HTML tags
- Addresses CodeQL insecure randomness and incomplete sanitization findings

* fix(security): improve HTML sanitization to address CodeQL findings

- Handle closing tags with spaces like </script >
- Add data: and vbscript: URL scheme blocking
- Use tag-based approach instead of content-matching regex
- Add more dangerous tags (form, input, button, etc.)

* remove unused import

* fix(lint): fix import ordering and remove extra blank lines

- Sort imports alphabetically (logging before os)
- Remove extra blank line in knowledge_base.py
- Consistent import grouping (stdlib, then third-party)

* fix(security): use HTML entity encoding instead of regex-based sanitization

- Replace regex-based tag stripping with HTML entity encoding
- Encode all special characters (&, <, >, ", ', /, `, =)
- This approach is CodeQL-compliant and more secure
- Regex-based HTML filtering is inherently flawed

* fix(lint): add __all__ to fix F401 unused import warnings

- Add __all__ exports to infra_utils/__init__.py files
- Explicitly declares AgentCoreRole as public API

* style: apply ruff formatting to all Python files in 04-infrastructure-as-code

- Format 32 Python files with ruff
- Includes CDK Python samples, Terraform samples, and TypeScript agent code

* refactor: rename project from bedrock-agentcore-template to knowledge-base-rag-agent

- Update package.json names for root and infrastructure packages
- Update README and docs with new project name and paths
- Update CloudWatch, SNS, KMS, and Cognito resource names
- Regenerate package-lock.json with new package names

* refactor: complete project rename to knowledge-base-rag-agent

- Update README title and all documentation headers
- Update TypeScript stack descriptions and resource names
- Update Python agent module docstrings
- Update Dockerfile header comment
- Update Lambda function package description
- Rename runtime to knowledge_base_rag_agent
- Rename memory to knowledge_base_rag_agent_memory
- Rename API to Knowledge Base RAG Agent API
- Update Secrets Manager secret name

* fix: correct Docker references and fix Lambda bundling

- Update README and docs to clarify Docker is for AgentCore Runtime container, not Lambda bundling
- Add @aws-lambda-powertools/logger dependency for Lambda function
- Add esbuild as dev dependency for NodejsFunction bundling
- Fix S3 bucket deployment to use single deployment with auto content-type detection
- Deploy config.json separately with prune:false to preserve other files

---------

Co-authored-by: Jerad Engebreth <awsjerad@amazon.com>
2026-02-05 10:32:37 -06:00

Basic AgentCore Runtime - CDK

This CDK stack deploys a basic Amazon Bedrock AgentCore Runtime with a simple Strands agent. This is the simplest possible AgentCore deployment, perfect for getting started and understanding the core concepts without additional complexity.

Overview

This CDK stack creates a minimal AgentCore deployment that includes:

  • AgentCore Runtime: Hosts a simple Strands agent
  • ECR Repository: Stores the Docker container image
  • IAM Roles: Provides necessary permissions
  • CodeBuild Project: Automatically builds the ARM64 Docker image
  • Lambda Functions: Custom resources for automation

This makes it ideal for:

  • Learning AgentCore basics
  • Quick prototyping
  • Understanding the core deployment pattern
  • Building a foundation before adding complexity

Architecture

Basic AgentCore Runtime Architecture

The architecture consists of:

  • User: Sends questions to the agent and receives responses
  • AWS CodeBuild: Builds the ARM64 Docker container image with the agent code
  • Amazon ECR Repository: Stores the container image
  • AgentCore Runtime: Hosts the Basic Agent container
    • Basic Agent: Simple Strands agent that processes user queries
    • Invokes Amazon Bedrock LLMs to generate responses
  • IAM Roles:
    • IAM role for CodeBuild (builds and pushes images)
    • IAM role for Agent Execution (runtime permissions)

Prerequisites

AWS Account Setup

  1. AWS Account: You need an active AWS account with appropriate permissions

  2. AWS CLI: Install and configure AWS CLI with your credentials

    aws configure
    
  3. Python 3.10+ and AWS CDK v2 installed

    # Install CDK
    npm install -g aws-cdk
    
    # Verify installation
    cdk --version
    
  4. CDK version 2.220.0 or later (for BedrockAgentCore support)

  5. Bedrock Model Access: Enable access to Amazon Bedrock models in your AWS region

  6. Required Permissions: Your AWS user/role needs permissions for:

    • CloudFormation stack operations
    • ECR repository management
    • IAM role creation
    • Lambda function creation
    • CodeBuild project creation
    • BedrockAgentCore resource creation

Deployment

CDK vs CloudFormation

This is the CDK version of the basic AgentCore runtime. If you prefer CloudFormation, see the CloudFormation version.

# Install dependencies
pip install -r requirements.txt

# Bootstrap CDK (first time only)
cdk bootstrap

# Deploy
cdk deploy

Option 2: Step by Step

# 1. Create and activate Python virtual environment
python3 -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate

# 2. Install Python dependencies
pip install -r requirements.txt

# 3. Bootstrap CDK in your account/region (first time only)
cdk bootstrap

# 4. Synthesize the CloudFormation template (optional)
cdk synth

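# 5. Deploy the stack
# (--require-approval never skips CDK's confirmation prompt for IAM and
#  security-group changes; review the cdk synth / cdk diff output first)
cdk deploy --require-approval never

# 6. List the stacks in the app (stack outputs are printed at the end of cdk deploy)
cdk list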
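
A pre-deploy check for the `cdk synth` and `cdk deploy --require-approval never` steps above, as an added example that is not part of the original README or the project's code: it walks a synthesized template and flags IAM statements that allow wildcard actions or `iam:PassRole` on `Resource: "*"`, the kind of change the skipped approval prompt would otherwise surface. The embedded template, its logical IDs and the function names are constructed for illustration; real output is written to `cdk.out/<StackName>.template.json`.

```python
import json
import sys

# Constructed sample standing in for cdk.out/<StackName>.template.json.
# Logical IDs and statements are made up; they are not this stack's real policies.
SAMPLE_TEMPLATE = {"Resources": {
    "BuildRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "build", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["ecr:PutImage", "ecr:*"], "Resource": "*"}]}}]}},
    "ExecPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "bedrock:InvokeModel",
         "Resource": {"Fn::Sub": "arn:aws:bedrock:${AWS::Region}::foundation-model/*"}}]}}},
    "Repo": {"Type": "AWS::ECR::Repository", "Properties": {}},
}}

def _as_list(value):
    # CloudFormation allows a single item or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def iter_statements(template):
    """Yield (logical_id, statement) for identity policies; trust policies are not scanned."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        elif res.get("Type") in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs = [props.get("PolicyDocument", {})]
        else:
            continue
        for doc in docs:
            for stmt in _as_list(doc.get("Statement", [])):
                yield logical_id, stmt

def review_iam(template):
    """Return (logical_id, action, reason) for each over-broad Allow statement."""
    findings = []
    for logical_id, stmt in iter_statements(template):
        if stmt.get("Effect") != "Allow":
            continue
        star_resource = "*" in _as_list(stmt.get("Resource", []))
        for action in (a for a in _as_list(stmt.get("Action", [])) if isinstance(a, str)):
            if action == "*" or action.endswith(":*"):
                findings.append((logical_id, action, "wildcard action"))
            elif action.lower() == "iam:passrole" and star_resource:
                findings.append((logical_id, action, "PassRole on Resource *"))
    return findings

if __name__ == "__main__":
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    print("\n".join(f"{lid}: {act} ({why})" for lid, act, why in review_iam(tpl)) or "no findings")
```

Run it with the template path as the only argument after `cdk synth`; with no argument it checks the constructed sample.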

Deployment Time

  • Expected Duration: 8-12 minutes
  • Main Steps:
    • Stack creation: ~2 minutes
    • Docker image build (CodeBuild): ~5-8 minutes
    • Runtime provisioning: ~1-2 minutes

Testing

Using AWS CLI

# Get the Runtime ARN from CDK outputs
RUNTIME_ARN=$(aws cloudformation describe-stacks \
  --stack-name BasicAgentDemo \
  --region us-east-1 \
  --query 'Stacks[0].Outputs[?OutputKey==`AgentRuntimeArn`].OutputValue' \
  --output text)

# Invoke the agent
aws bedrock-agentcore invoke-agent-runtime \
  --agent-runtime-arn "$RUNTIME_ARN" \
  --qualifier DEFAULT \
  --payload "$(printf '%s' '{"prompt": "Hello, how are you?"}' | base64)" \
  response.json

# View the response
cat response.json

Using AWS Console

  1. Navigate to Bedrock AgentCore Console
  2. Go to "Runtimes" in the left navigation
  3. Find your runtime (name starts with BasicAgentDemo_)
  4. Click on the runtime name
  5. Click the "Test" button
  6. Enter test payload:
    {
      "prompt": "Hello, how are you?"
    }
    
  7. Click "Invoke"

Sample Queries

Try these queries to test your basic agent:

  1. Simple Greeting:

    {"prompt": "Hello, how are you?"}
    
  2. Question Answering:

    {"prompt": "What is the capital of France?"}
    
  3. Creative Writing:

    {"prompt": "Write a short poem about clouds"}
    
  4. Problem Solving:

    {"prompt": "How do I bake a chocolate cake?"}
    

Cleanup

cdk destroy

Using AWS CLI

aws cloudformation delete-stack \
  --stack-name BasicAgentDemo \
  --region us-east-1

# Wait for deletion to complete
aws cloudformation wait stack-delete-complete \
  --stack-name BasicAgentDemo \
  --region us-east-1

Using AWS Console

  1. Navigate to CloudFormation Console
  2. Select the BasicAgentDemo stack
  3. Click "Delete"
  4. Confirm deletion

Cost Estimate

Monthly Cost Breakdown (us-east-1)

Service               Usage                         Monthly Cost
AgentCore Runtime     1 runtime, minimal usage      ~$5-10
ECR Repository        1 repository, <1GB storage    ~$0.10
CodeBuild             Occasional builds             ~$1-2
Lambda                Custom resource executions    ~$0.01
CloudWatch Logs       Agent logs                    ~$0.50
Bedrock Model Usage   Pay per token                 Variable*

Estimated Total: ~$7-13/month (excluding Bedrock model usage)

*Bedrock costs depend on your usage patterns and chosen models. See Bedrock Pricing for details.

Cost Optimization Tips

  • Delete when not in use: Use cdk destroy to remove all resources
  • Monitor usage: Set up CloudWatch billing alarms
  • Choose efficient models: Select appropriate Bedrock models for your use case

Troubleshooting

CDK Bootstrap Required

If you see bootstrap errors:

cdk bootstrap aws://ACCOUNT-NUMBER/REGION

Permission Issues

Ensure your IAM user/role has:

  • CDKToolkit permissions or equivalent
  • Permissions to create all resources in the stack
  • iam:PassRole for service roles

Python Dependencies

Install dependencies in the project directory:

pip install -r requirements.txt

Build Failures

Check CodeBuild logs in the AWS Console:

  1. Go to CodeBuild console
  2. Find the build project (name contains "basic-agent-build")
  3. Check build history and logs

Runtime Issues

If the runtime fails to start:

  1. Check CloudWatch logs for the runtime
  2. Verify the Docker image was built successfully
  3. Ensure IAM permissions are correct

🤝 Contributing

We welcome contributions! Please see our Contributing Guide for details.

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.