import { RemovalPolicy } from 'aws-cdk-lib';
import { PolicyStatement, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
import { Key } from 'aws-cdk-lib/aws-kms';
import { Architecture, IFunction, ILayerVersion, LayerVersion } from 'aws-cdk-lib/aws-lambda';
import { Asset } from 'aws-cdk-lib/aws-s3-assets';
import { Construct } from 'constructs';
import { LogGroupDataProtectionProps, ObservableProps } from '../../utilities';
import { BedrockModelProps } from '../bedrock';
import { Network } from '../foundation';
import { InvokeType } from './invoke-type';
import { IKnowledgeBase, KnowledgeBaseRuntimeConfig } from './knowledge-base';
export { InvokeType };

/**
 * Location of one agent tool asset.
 *
 * NOTE(review): the field meanings below are inferred from the field names and
 * from BaseAgent's "S3 asset management" description. This declaration file
 * does not show how the values are produced or consumed; confirm against the
 * implementation.
 */
export interface AgentToolsLocationDefinition {
    /** Name of the bucket that holds the tool asset. */
    readonly bucketName: string;
    /** Object key of the tool asset inside the bucket. */
    readonly key: string;
    /** Presumably true when the asset is a single file; verify against the implementation. */
    readonly isFile: boolean;
    /** Presumably true when the asset is packaged as a zip archive; verify against the implementation. */
    readonly isZipArchive: boolean;
}

/**
 * Parameters that influence the behavior of the agent
 */
export interface AgentDefinitionProps {
    /**
     * Configuration for the Bedrock Model to be used
     */
    readonly bedrockModel: BedrockModelProps;
    /**
     * The system prompt of the agent, supplied as an S3 asset.
     *
     * The prompt is stored as a deployment asset, so keep credentials and
     * other secrets out of it.
     */
    readonly systemPrompt: Asset;
    /**
     * List of tools defined in python files. These tools would automatically
     * be loaded by the agent. You can also use this to incorporate other specialized
     * agents as tools.
     *
     * NOTE(review): because the files are loaded automatically, they are
     * presumably executed inside the agent with the permissions of the agent's
     * IAM role. Review tool sources the same way as any other deployed code.
     */
    readonly tools?: Asset[];
    /**
     * Any dependencies needed by the provided tools
     *
     * A layer's contents are loaded into the function that uses it, so only
     * attach layers whose origin and contents are known.
     */
    readonly lambdaLayers?: LayerVersion[];
    /**
     * If tools need additional IAM permissions, these statements
     * would be attached to the Agent's IAM role
     *
     * Every statement widens what the agent role can do. Scope each one to the
     * specific actions and resource ARNs a tool needs rather than wildcards.
     */
    readonly additionalPolicyStatementsForTools?: PolicyStatement[];
    /**
     * Knowledge bases available to the agent for Retrieval-Augmented Generation (RAG).
     *
     * When configured, the agent will have access to a built-in retrieval tool
     * that can query these knowledge bases. The agent's system prompt will be
     * automatically augmented with information about available knowledge bases.
     *
     * Each knowledge base must implement the IKnowledgeBase interface, which
     * handles IAM permission generation and runtime configuration.
     *
     * @default - No knowledge bases configured
     */
    readonly knowledgeBases?: IKnowledgeBase[];
    /**
     * Additional IAM policy statements for knowledge base access.
     *
     * Use this when knowledge bases require permissions beyond what is
     * automatically generated by the IKnowledgeBase implementations.
     * These statements will be added to the agent's IAM role in addition
     * to the auto-generated permissions.
     *
     * As with tool permissions, keep these statements limited to the actions
     * and resources the knowledge bases actually require.
     *
     * @default - Only auto-generated permissions from knowledge bases
     */
    readonly additionalPolicyStatementsForKnowledgeBases?: PolicyStatement[];
}

/**
 * Construction properties shared by all agent types.
 *
 * Extends ObservableProps, which is declared in '../../utilities' and not
 * visible in this file.
 */
export interface BaseAgentProps extends ObservableProps {
    /**
     * Name of the agent
     */
    readonly agentName: string;
    /**
     * The IAM service principal for the agent role's trust policy.
     *
     * This is typically set by the hosting adapter (e.g., `lambda.amazonaws.com`
     * for Lambda hosting, `bedrock-agentcore.amazonaws.com` for AgentCore).
     *
     * The trust policy decides which service may assume the agent role, so
     * this should name only the service that actually hosts the agent.
     *
     * @default ServicePrincipal('lambda.amazonaws.com')
     */
    readonly servicePrincipal?: ServicePrincipal;
    /**
     * Agent related parameters
     */
    readonly agentDefinition: AgentDefinitionProps;
    /**
     * Enable observability for the agent
     *
     * When enabled, configures both Lambda Powertools and AWS Bedrock AgentCore observability:
     * - **Lambda Powertools**: Provides function-level observability including structured logging,
     *   distributed tracing with X-Ray, and custom metrics
     * - **AgentCore Observability**: Provides agent-specific observability including agent invocations,
     *   reasoning steps, tool usage, token consumption, and agent latency
     *
     * Both systems publish to Amazon CloudWatch and use the same service name and namespace
     * for correlation. This provides complete visibility at both function and agent levels.
     *
     * **Environment Variables Set** (AgentCore):
     * - `AGENT_OBSERVABILITY_ENABLED`: Enables AgentCore observability
     * - `OTEL_RESOURCE_ATTRIBUTES`: Service identification for OpenTelemetry
     * - `OTEL_EXPORTER_OTLP_LOGS_HEADERS`: Agent identification headers
     * - `AWS_LAMBDA_EXEC_WRAPPER`: ADOT wrapper for automatic instrumentation
     *
     * **IAM Permissions Granted** (AgentCore):
     * - CloudWatch Logs: `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`
     * - X-Ray: `xray:PutTraceSegments`, `xray:PutTelemetryRecords`
     *
     * **Additional Requirements**:
     * - BatchAgent automatically adds ADOT (AWS Distro for OpenTelemetry) Lambda Layer
     *
     * NOTE(review): reasoning steps and tool usage may carry prompt or document
     * content into CloudWatch. Presumably the log group data protection
     * settings on the agent apply to these logs; confirm before enabling this
     * on workloads that handle sensitive data.
     *
     * @see https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability-configure.html
     * @default false
     */
    readonly enableObservability?: boolean;
    /**
     * If the Agent would be running inside a VPC
     *
     * @default Agent would not be in a VPC
     */
    readonly network?: Network;
    /**
     * Encryption key to encrypt agent environment variables
     *
     * @default new KMS Key would be created
     */
    readonly encryptionKey?: Key;
    /**
     * Removal policy for resources created by this
     * construct
     *
     * NOTE(review): if this policy also governs the KMS key created when
     * `encryptionKey` is omitted, the DESTROY default would remove that key
     * together with the stack. Confirm in the implementation, and set an
     * explicit policy for environments where data must outlive the stack.
     *
     * @default RemovalPolicy.DESTROY
     */
    readonly removalPolicy?: RemovalPolicy;
    /**
     * The architecture used by the Lambda function where the
     * agent is hosted
     *
     * @default Architecture.ARM_64
     */
    readonly agentArchitecture?: Architecture;
}

/**
 * Base class for all agent types in the framework
 *
 * Provides common infrastructure for AI agents including:
 * - IAM role and permissions management
 * - Encryption key for environment variables
 * - Tool integration and S3 asset management
 * - Knowledge base integration for RAG (Retrieval-Augmented Generation)
 * - Observability configuration (Lambda Powertools + AgentCore)
 *
 * Subclasses must implement the agent-specific Lambda function creation.
 *
 * **Observability**: When `enableObservability: true`, BaseAgent configures both
 * Lambda Powertools (function-level) and AWS Bedrock AgentCore (agent-level)
 * observability. Both systems work together to provide complete visibility:
 * - Lambda Powertools captures function execution, logs, and custom metrics
 * - AgentCore captures agent reasoning, tool usage, and token consumption
 * - Both publish to CloudWatch with correlated service names for unified monitoring
 *
 * The observability integration includes:
 * - Automatic IAM permission grants for CloudWatch Logs and X-Ray
 * - Environment variable configuration for OpenTelemetry
 * - ADOT Lambda Layer attachment (handled by concrete implementations)
 *
 * @see https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability-configure.html
 */
export declare abstract class BaseAgent extends Construct {
    /**
     * The Lambda function for the agent (when using Lambda hosting).
     * May be undefined for non-Lambda hosting backends (e.g. AgentCore Runtime).
     */
    abstract readonly agentFunction?: IFunction;
    /**
     * Bedrock model configuration of the agent.
     *
     * NOTE(review): presumably copied from `props.agentDefinition.bedrockModel`;
     * it is optional here although the prop is required. Confirm when it can
     * be undefined.
     */
    readonly bedrockModel?: BedrockModelProps;
    /**
     * IAM role of the agent. Per the props documentation, its trust policy uses
     * `servicePrincipal`, and the additional tool and knowledge base policy
     * statements are attached to it.
     */
    readonly agentRole: Role;
    /**
     * KMS key for encrypting agent environment variables. Per the props
     * documentation this is `props.encryptionKey` when given, otherwise a
     * newly created key.
     */
    readonly encryptionKey: Key;
    /** log group data protection configuration */
    protected readonly logGroupDataProtection: LogGroupDataProtectionProps;
    /**
     * Locations of the agent's tool assets.
     *
     * NOTE(review): presumably one entry per asset in `agentDefinition.tools`,
     * plus the knowledge base tool asset when present; confirm against the
     * implementation.
     */
    protected readonly agentToolsLocationDefinitions: AgentToolsLocationDefinition[];
    /**
     * Knowledge base configurations for runtime use.
     *
     * This array contains the exported configurations from all configured
     * knowledge bases. Subclasses use this to set the KNOWLEDGE_BASES_CONFIG
     * environment variable on the agent Lambda function.
     *
     * Since the configurations end up in an environment variable, they should
     * hold identifiers and settings only, not credentials.
     */
    protected readonly knowledgeBaseConfigs: KnowledgeBaseRuntimeConfig[];
    /**
     * Asset containing the knowledge base retrieval tool.
     *
     * This is automatically created when knowledge bases are configured.
     * The asset is added to the agent's tools and granted read access.
     */
    protected readonly knowledgeBaseToolAsset?: Asset;
    /**
     * Lambda layers required by knowledge base retrieval tools.
     *
     * This array contains Lambda layers from all configured knowledge bases.
     * Subclasses should add these layers to the agent Lambda function to
     * ensure retrieval tools have access to required dependencies.
     */
    protected readonly knowledgeBaseLayers: LayerVersion[];
    /**
     * Declares the shared agent infrastructure described on the class.
     *
     * @param scope - Parent construct
     * @param id - Construct identifier within the scope
     * @param props - Agent configuration, see BaseAgentProps
     */
    constructor(scope: Construct, id: string, props: BaseAgentProps);
    /**
     * Creates the AWS Distro for OpenTelemetry (ADOT) Lambda Layer.
     *
     * The ADOT layer provides automatic instrumentation for observability.
     * Layer versions vary by region - some regions have newer versions with
     * better Python 3.13 support. If you encounter compatibility issues,
     * the layer ARNs can be found at:
     * https://aws-otel.github.io/docs/getting-started/lambda#adot-lambda-layer-arns
     *
     * NOTE(review): the layer is code that runs inside the agent function.
     * Presumably the implementation references fixed, versioned layer ARNs per
     * region; confirm that, and review the ARN whenever the version is bumped.
     *
     * @returns The ADOT Lambda Layer for the current region
     * @throws Error if the region is not supported
     */
    protected createADOTLayer(): ILayerVersion;
}