feat(config-bundle): add --kms-key for customer-managed encryption#1642
feat(config-bundle): add --kms-key for customer-managed encryption#1642jariy17 wants to merge 2 commits into
Conversation
Surface CMK support for configuration bundles: a --kms-key flag and an optional wizard step set kmsKeyArn in agentcore.json, validated by the shared KmsKeyArnSchema and passed through to the create API and the L3 ConfigurationBundle resource (KmsKeyArn). Requires the matching change in @aws/agentcore-cdk.
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
github-actions
Bot
added
the
agentcore-harness-reviewing
Package TarballHow to installgh release download pr-1642-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.21.0.tgz |
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
Coverage Report
|
agentcore-cli-automation
left a comment
agentcore-cli-automation
left a comment
There was a problem hiding this comment.
Nice, focused change overall — wizard step plumbing, validation reuse, and API/test coverage all line up. A couple of items worth addressing before merge:
-
Missing telemetry for the new feature. Per
src/cli/telemetry/README.md, new features should be instrumented.add.config-bundleis currently absent fromCOMMAND_SCHEMASinsrc/cli/telemetry/schemas/command-run.ts(noteremove.config-bundleis already there), and this PR adds a meaningful new attribute (CMK usage) that we'd want visibility on. Recommend adding anadd.config-bundleentry with at leasthas_kms_key: z.boolean()(and maybecomponent_count: Count) and wiring it through the CLI handler withrunCliCommand/withCommandRunTelemetry. See inline comment for specifics. -
Inconsistent up-front validation for
--kms-key.EvaluatorPrimitivevalidates the same ARN format up-front with a clear, flag-named error (--kms-key-arn must be a valid KMS key ARN ...). This PR relies on the Zod schema atwriteProjectSpectime, so a bad ARN surfaces as a generic schema validation error. The integ test only assertsjson.errorexists, so it doesn't catch the worse message. Either add an up-frontisValidKmsKeyArncheck in the action handler (matching the evaluator pattern), or accept the trade-off but assert the resulting error message in the integ test so we know what users see. -
Cross-repo release ordering. The PR description correctly calls out the dependency on aws/agentcore-l3-cdk-constructs#294. Worth confirming explicitly in this PR's status checks: if
@aws/agentcore-cdkisn't published withKmsKeyArnsupport and bundled into this CLI's tarball (bundled-agentcore-cdk.tgzinCDKRenderer) before this lands, the--kms-keyflag will silently no-op at deploy time. Not a code change request — just flagging that the bundled CDK version needs to roll forward as part of merging this.
A couple of smaller notes inline.
| components, | ||
| branchName: cliOptions.branch, | ||
| commitMessage: cliOptions.commitMessage, | ||
| kmsKeyArn: cliOptions.kmsKey, |
There was a problem hiding this comment.
Inconsistent up-front validation + missing telemetry on this handler.
(1) EvaluatorPrimitive.ts:298 validates kmsKeyArn with isValidKmsKeyArn right before calling this.add(...) and fails with a clear, flag-named message. Here, an invalid ARN falls through to writeProjectSpec's Zod validation, producing a generic schema error. The integ test (integ-tests/add-remove-config-bundle.test.ts:243) only asserts json.error is defined, so the worse message wouldn't be caught. Either:
- Mirror
EvaluatorPrimitiveand add an explicitisValidKmsKeyArncheck just before thisthis.add({...})call that callsfail('--kms-key must be a valid KMS key ARN ...'). - Or keep relying on the Zod schema, but tighten the integ test to assert the actual error message users see.
(2) Missing telemetry instrumentation. Per src/cli/telemetry/README.md, new features should be instrumented. add.config-bundle isn't in COMMAND_SCHEMAS (src/cli/telemetry/schemas/command-run.ts) at all today, and this PR is a natural opportunity to add it since we now have an interesting attribute to track (CMK adoption). Suggested:
// command-run.ts
const AddConfigBundleAttrs = safeSchema({
has_kms_key: z.boolean(),
component_count: Count,
});
// ...
'add.config-bundle': AddConfigBundleAttrs,Then wrap this non-interactive handler in runCliCommand('add.config-bundle', !!cliOptions.json, async () => { ...; return { has_kms_key: !!cliOptions.kmsKey, component_count: Object.keys(components).length }; }).
| /** Optional commit message for this version. */ | ||
| commitMessage: z.string().max(500).optional(), | ||
| /** Optional KMS key ARN for customer-managed encryption of the bundle. */ | ||
| kmsKeyArn: KmsKeyArnSchema.optional(), |
There was a problem hiding this comment.
Reusing KmsKeyArnSchema from ./evaluator is fine, but that schema's JSDoc in evaluator.ts:128-130 explicitly says it's the pattern accepted by the AgentCore Evaluation service, and notes alias ARNs are unsupported for evaluator encryption. Since this is now shared across services (evaluator + config bundle), please either:
- Move
KmsKeyArnSchema/KMS_KEY_ARN_PATTERN/isValidKmsKeyArnto a shared/generic location with a service-agnostic docstring, or - At minimum, update the JSDoc on
KmsKeyArnSchemainevaluator.tsto reflect that it's the general KMS key-ARN pattern used across multiple AgentCore resources, and confirm the Configuration Bundle service has the same alias-ARN constraint as the Evaluator service (so users aren't getting a needlessly stricter check than the service requires).
|
|
||
| const setCommitMessage = useCallback((commitMessage: string) => { | ||
| setConfig(c => ({ ...c, commitMessage })); | ||
| setStep('kmsKey'); |
There was a problem hiding this comment.
Minor UX note (non-blocking): the wizard now unconditionally shows the KMS step to every user creating a config bundle, even though CMK is an advanced/opt-in feature. Given the prompt explicitly says "press Enter to skip", this is probably acceptable, but consider whether this should be gated behind a yes/no question ("Encrypt with a customer-managed KMS key?") so the common path doesn't grow an extra prompt. Feel free to ignore if this was a deliberate design choice.
github-actions
Bot
removed
the
agentcore-harness-reviewing
Match the evaluator pattern: fail fast with a clear --kms-key message in non-interactive mode before attempting the add, rather than only surfacing the error at schema-write time.
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
2 participants
Summary
Adds (CMK) encryption for AgentCore configuration bundles. A new
--kms-key <arn>flag and an optional wizard step setkmsKeyArninagentcore.json, validated by the sharedKmsKeyArnSchema. The value flows through the create control-plane API and the L3ConfigurationBundleconstruct (asKmsKeyArn).CFN property name (
KmsKeyArn) verified against the official AWS CloudFormation resource reference forAWS::BedrockAgentCore::ConfigurationBundle.Important
Depends on aws/agentcore-l3-cdk-constructs#294 — merge and release
@aws/agentcore-cdkfirst so the vended CDK project emitsKmsKeyArn.Changes
src/schema/schemas/primitives/config-bundle.ts—kmsKeyArn(reusesKmsKeyArnSchema)src/cli/aws/agentcore-config-bundles.ts— option + create request bodysrc/cli/primitives/ConfigBundlePrimitive.ts—--kms-keyflag, threaded throughadd()src/cli/tui/screens/config-bundle/*,src/cli/tui/hooks/useCreateConfigBundle.ts— optional wizard stepschemas/agentcore.schema.v1.json— regeneratedTests
createConfigurationBundleincludes/omitskmsKeyArnin request bodyadd-remove-config-bundle.test.ts):--kms-keypersisted in full-options add; invalid KMS ARN rejectedManual verification
agentcore add config-bundle --kms-key <arn>writeskmsKeyArntoagentcore.json; an invalid ARN is rejected at write-time; omitting the flag writes no field; synthesizing the bundle producesKmsKeyArnon the CFN resource.