Merge pull request #8 from aws-ia/feat/updates

feat: AgentCore Gateway

Author: alexa-perlov

.header.md

@@ -4,13 +4,14 @@ The [Amazon Bedrock AgentCore](https://aws.amazon.com/bedrock/agentcore/) Terraf
 
 ## Overview
 
-The module provides support for Amazon Bedrock AgentCore Runtime and Runtime Endpoints. This allows you to deploy custom container-based runtimes for your Bedrock agents. You can extend agent capabilities with custom code that runs in your own container, giving you full control over the agent's behavior and integration capabilities.
+The module provides support for Amazon Bedrock AgentCore Runtime, Runtime Endpoints, and Gateways. This allows you to deploy custom container-based runtimes for your Bedrock agents and create gateways, which serve as integration points between agents and external services.
 
 This module simplifies the process of:
 
 - Creating and configuring Bedrock AgentCore Runtimes
 - Setting up AgentCore Runtime Endpoints
-- Managing IAM permissions for your runtimes
+- Creating and managing AgentCore Gateways
+- Managing IAM permissions for your runtimes and gateways
 - Configuring network access and security settings
 
 ## Features
@@ -21,10 +22,16 @@ This module simplifies the process of:
 - **Environment Variables**: Pass configuration to your runtime container
 - **JWT Authorization**: Optional JWT authorizer configuration for secure access
 - **Endpoint Management**: Create and manage runtime endpoints for client access
+- **Gateway Support**: Create and manage AgentCore Gateways for model context communication
+- **Protocol Configuration**: Configure MCP protocol settings for gateways
+- **Gateway Security**: Implement JWT authorization and KMS encryption for gateways
+- **Granular Permissions**: Control gateway create, read, update, and delete permissions
+- **OAuth2 Outbound Authorization**: Configure OAuth client for gateway outbound authorization
+- **API Key Outbound Authorization**: Configure API key for gateway outbound authorization
 
 ## Usage
 
-### Basic Runtime and Endpoint
+### AgentCore Runtime and Endpoint
 
 ```hcl
 module "agentcore" {
@@ -49,7 +56,7 @@ module "agentcore" {
 }
 ```
 
-### With JWT Authorization
+#### With JWT Authorization
 
 ```hcl
 module "agentcore" {
@@ -75,7 +82,7 @@ module "agentcore" {
 }
 ```
 
-### With Custom IAM Role
+#### With Custom IAM Role
 
 ```hcl
 module "agentcore" {
@@ -94,13 +101,82 @@ module "agentcore" {
 }
 ```
 
+### AgentCore Gateway
+
+Create and configure an MCP gateway:
+
+```hcl
+module "agentcore" {
+  source  = "aws-ia/agentcore/aws"
+  version = "0.0.1"
+
+  # Enable Agent Core Gateway
+  create_gateway = true
+  gateway_name = "MyMCPGateway"
+  gateway_description = "Gateway for Model Context Protocol connections"
+
+  # Configure the gateway protocol (MCP)
+  gateway_protocol_type = "MCP"
+  gateway_protocol_configuration = {
+    mcp = {
+      instructions = "Custom instructions for MCP tools and resources"
+      search_type = "DEFAULT"
+      supported_versions = ["1.0.0"]
+    }
+  }
+
+  # Optional JWT authorization
+  gateway_authorizer_type = "CUSTOM_JWT"
+  gateway_authorizer_configuration = {
+    custom_jwt_authorizer = {
+      discovery_url = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example/.well-known/jwks.json"
+      allowed_audience = ["client-id-1", "client-id-2"]
+    }
+  }
+
+  # Optional KMS encryption
+  gateway_kms_key_arn = "<INSERT_KEY_HERE>"
+
+  # Manage gateway permissions
+  gateway_allow_create_permissions = true
+  gateway_allow_update_delete_permissions = true
+}
+```
+
+### Automatic Cognito User Pool Creation
+
+The module can automatically create a Cognito User Pool to handle JWT authentication when no JWT auth information is provided:
+
+```hcl
+module "agentcore" {
+  source  = "aws-ia/agentcore/aws"
+  version = "0.0.1"
+
+  # Enable Agent Core Gateway
+  create_gateway = true
+  gateway_name = "GatewayWithAutoCognito"
+  gateway_authorizer_type = "CUSTOM_JWT"
+  # No gateway_authorizer_configuration - a Cognito User Pool will be created automatically
+
+}
+```
+
+In this scenario, the module will:
+
+1. Create a Cognito User Pool
+2. Configure a domain for the User Pool
+3. Set up a User Pool client with the necessary OAuth configuration
+4. Configure the gateway's JWT authorizer to use the User Pool
+
 ## Architecture
 
 The module creates the following resources:
 
 1. **Agent Core Runtime**: A container-based runtime environment for your Bedrock agent
 2. **IAM Role and Policy**: Permissions for the runtime to access AWS services
 3. **Agent Core Runtime Endpoint**: An endpoint for client applications to interact with the runtime
+4. **Agent Core Gateway**: A gateway for Model Context Protocol (MCP) connections
+5. **Gateway IAM Role and Policy**: Permissions for the gateway to access AWS services
 
 The IAM role includes permissions for:
 
@@ -182,4 +258,10 @@ runtime_endpoint_tags = {
   Project     = "ai-assistants"
   Owner       = "data-science-team"
 }
+
+gateway_tags = {
+  Environment = "production"
+  Project     = "ai-assistants"
+  Owner       = "data-science-team"
+}
 ```