feat: use higher level agentcore cdk constructs and terraform resources

docs/src/content/docs/en/get_started/tutorials/dungeon-game/1.mdx

@@ -385,8 +385,6 @@ The `py#strands-agent` generates these files:
         - Dockerfile defines the docker image for deployment to AgentCore Runtime
   - common/constructs/
     - src
-      - core/agent-core/
-        - runtime.ts generic construct for deploying to AgentCore Runtime
       - app/agents/story-agent/
         - story-agent.ts construct for deploying your Story agent to AgentCore Runtime
 </FileTree>
@@ -454,51 +452,55 @@ This is the entrypoint for the agent, configured using the [Amazon Bedrock Agent
 ```ts
 // common/constructs/src/app/agents/story-agent.ts
 import { Lazy, Names } from 'aws-cdk-lib';
-import { DockerImageAsset, Platform } from 'aws-cdk-lib/aws-ecr-assets';
+import { Platform } from 'aws-cdk-lib/aws-ecr-assets';
 import { Construct } from 'constructs';
 import { execSync } from 'child_process';
 import * as path from 'path';
 import * as url from 'url';
 import {
-  AgentCoreRuntime,
-  AgentCoreRuntimeProps,
-} from '../../../core/agent-core/runtime.js';
+  AgentRuntimeArtifact,
+  ProtocolType,
+  Runtime,
+  RuntimeProps,
+} from '@aws-cdk/aws-bedrock-agentcore-alpha';
 
 export type StoryAgentProps = Omit<
-  AgentCoreRuntimeProps,
-  'runtimeName' | 'serverProtocol' | 'containerUri'
+  RuntimeProps,
+  'runtimeName' | 'protocolConfiguration' | 'agentRuntimeArtifact'
 >;
 
 export class StoryAgent extends Construct {
-  public readonly dockerImage: DockerImageAsset;
-  public readonly agentCoreRuntime: AgentCoreRuntime;
+  public readonly dockerImage: AgentRuntimeArtifact;
+  public readonly agentCoreRuntime: Runtime;
 
   constructor(scope: Construct, id: string, props?: StoryAgentProps) {
     super(scope, id);
 
-    this.dockerImage = new DockerImageAsset(this, 'DockerImage', {
-      platform: Platform.LINUX_ARM64,
-      directory: path.dirname(url.fileURLToPath(new URL(import.meta.url))),
-      extraHash: execSync(
-        `docker inspect dungeon-adventure-story-agent:latest --format '{{.Id}}'`,
-        { encoding: 'utf-8' },
-      ).trim(),
-    });
+    this.dockerImage = AgentRuntimeArtifact.fromAsset(
+      path.dirname(url.fileURLToPath(new URL(import.meta.url))),
+      {
+        platform: Platform.LINUX_ARM64,
+        extraHash: execSync(
+          `docker inspect dungeon-adventure-story-agent:latest --format '{{.Id}}'`,
+          { encoding: 'utf-8' },
+        ).trim(),
+      },
+    );
 
-    this.agentCoreRuntime = new AgentCoreRuntime(this, 'StoryAgent', {
+    this.agentCoreRuntime = new Runtime(this, 'StoryAgent', {
       runtimeName: Lazy.string({
         produce: () =>
           Names.uniqueResourceName(this.agentCoreRuntime, { maxLength: 40 }),
       }),
-      serverProtocol: 'HTTP',
-      containerUri: this.dockerImage.imageUri,
+      protocolConfiguration: ProtocolType.HTTP,
+      agentRuntimeArtifact: this.dockerImage,
       ...props,
     });
   }
 }
 ```
 
-This configures a CDK `DockerImageAsset` which uploads your agent Docker image to ECR, and hosts it using AgentCore Runtime.
+This configures a CDK `AgentRuntimeArtifact` which uploads your agent Docker image to ECR, and hosts it using AgentCore Runtime.
 
 You may notice an extra `Dockerfile`, that references the Docker image from the `story` project, allowing us to co-locate the Dockerfile and agent source code.
 

docs/src/content/docs/en/guides/py-strands-agent.mdx

@@ -76,9 +76,6 @@ For deploying your Strands Agent, the following files are generated:
         - \<project-name>
           - \<project-name>.ts CDK construct for deploying your agent
           - Dockerfile Passthrough docker file used by the CDK construct
-    - core
-      - agent-core
-        - runtime.ts Generic CDK construct for deploying to Bedrock AgentCore Runtime
 </FileTree>
 </Fragment>
 <Fragment slot="terraform">
@@ -217,8 +214,8 @@ export class ExampleStack extends Stack {
     const mcpServer = new MyProjectMcpServer(this, 'MyProjectMcpServer');
 
     const agent = new MyProjectAgent(this, 'MyProjectAgent', {
-      environment: {
-        MCP_AGENTCORE_RUNTIME_ARN: mcpServer.agentCoreRuntime.arn,
+      environmentVariables: {
+        MCP_AGENTCORE_RUNTIME_ARN: mcpServer.agentCoreRuntime.agentRuntimeArn,
       },
     });
 
@@ -352,7 +349,7 @@ If you selected `BedrockAgentCoreRuntime` for `computeType`, the relevant CDK or
 
 <Infrastructure>
 <Fragment slot="cdk">
-A CDK construct is generated for your, named based on the `name` you chose when running the generator, or `<ProjectName>Agent` by default.
+A CDK construct is generated for your agent, named based on the `name` you chose when running the generator, or `<ProjectName>Agent` by default.
 
 You can use this CDK construct in a CDK application:
 
@@ -365,7 +362,7 @@ export class ExampleStack extends Stack {
     const agent = new MyProjectAgent(this, 'MyProjectAgent');
 
     // Grant permissions to invoke the relevant models in bedrock
-    agent.agentCoreRuntime.role.addToPolicy(
+    agent.agentCoreRuntime.addToRolePolicy(
       new PolicyStatement({
         actions: [
           'bedrock:InvokeModel',
@@ -378,6 +375,10 @@ export class ExampleStack extends Stack {
   }
 }
 ```
+
+:::note
+This construct uses the [`@aws-cdk/aws-bedrock-agentcore-alpha` module](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-bedrock-agentcore-alpha-readme.html).
+:::
 </Fragment>
 <Fragment slot="terraform">
 A Terraform module is generated for you, named based on the `name` you chose when running the generator, or `<ProjectName>-agent` by default.
@@ -502,10 +503,11 @@ The below demonstrates how to configure Cognito authentication for your agent.
 
 <Infrastructure>
 <Fragment slot="cdk">
-To configure JWT authentication, you can pass the `authorizerConfiguration` property to your agent construct. Here is an example which configures a Cognito user pool and client to secure the agent:
+To configure JWT authentication using Cognito, use the `RuntimeAuthorizerConfiguration.usingCognito()` factory method:
 
-```ts {13-18}
+```ts {13-16}
 import { MyProjectAgent } from ':my-scope/common-constructs';
+import { RuntimeAuthorizerConfiguration } from '@aws-cdk/aws-bedrock-agentcore-alpha';
 
 export class ExampleStack extends Stack {
   constructor(scope: Construct, id: string) {
@@ -517,27 +519,44 @@ export class ExampleStack extends Stack {
     });
 
     new MyProjectAgent(this, 'MyProjectAgent', {
-      authorizerConfiguration: {
-        customJwtAuthorizer: {
-          discoveryUrl: `https://cognito-idp.${Stack.of(userPool).region}.amazonaws.com/${userPool.userPoolId}/.well-known/openid-configuration`,
-          allowedClients: [client.userPoolClientId],
-        },
-      },
+      authorizerConfiguration: RuntimeAuthorizerConfiguration.usingCognito(
+        userPool,
+        [client],
+      ),
+    });
+  }
+}
+```
+
+Alternatively, for custom JWT authentication with your own OIDC provider, use `RuntimeAuthorizerConfiguration.usingJWT()`:
+
+```ts {6-10}
+import { MyProjectAgent } from ':my-scope/common-constructs';
+import { RuntimeAuthorizerConfiguration } from '@aws-cdk/aws-bedrock-agentcore-alpha';
+
+export class ExampleStack extends Stack {
+  constructor(scope: Construct, id: string) {
+    new MyProjectAgent(this, 'MyProjectAgent', {
+      authorizerConfiguration: RuntimeAuthorizerConfiguration.usingJWT(
+        'https://example.com/.well-known/openid-configuration',
+        ['client1', 'client2'], // Allowed Client IDs (optional)
+        ['audience1'],          // Allowed Audiences (optional)
+      ),
     });
   }
 }
 ```
 </Fragment>
 <Fragment slot="terraform">
-To configure JWT authentication, you can edit your agent module to configure the `customJWTAuthorizer` variable as follows:
+To configure JWT authentication, you can edit your agent module to configure the `authorizer_configuration` variable as follows:
 
-```terraform {18-21}
+```terraform {18-23}
 # packages/common/terraform/src/app/agents/my-project-agent/my-project-agent.tf
 
 data "aws_region" "current" {}
 
 locals {
-  aws_region = data.aws_region.current.name
+  aws_region = data.aws_region.current.id
 
   # Replace with your user pool and client ids or expose as variables
   user_pool_id = "xxx"
@@ -549,9 +568,11 @@ module "agent_core_runtime" {
   agent_runtime_name = "MyProjectAgent"
   docker_image_tag = "my-scope-my-project-agent:latest"
   server_protocol = "HTTP"
-  customJWTAuthorizer = {
-    discoveryUrl = "https://cognito-idp.${local.aws_region}.amazonaws.com/${local.user_pool_id}/.well-known/openid-configuration",
-    allowedClients = local.user_pool_client_ids
+  authorizer_configuration = {
+    custom_jwt_authorizer = {
+      discovery_url = "https://cognito-idp.${local.aws_region}.amazonaws.com/${local.user_pool_id}/.well-known/openid-configuration"
+      allowed_clients = local.user_pool_client_ids
+    }
   }
   env = var.env
   additional_iam_policy_statements = var.additional_iam_policy_statements

docs/src/content/docs/en/snippets/mcp/bedrock-deployment.mdx

@@ -10,7 +10,7 @@ If you selected `BedrockAgentCoreRuntime` for `computeType`, the relevant CDK or
 
 <Infrastructure>
 <Fragment slot="cdk">
-A CDK construct is generated for your, named based on the `name` you chose when running the generator, or `<ProjectName>McpServer` by default.
+A CDK construct is generated for your MCP Server, named based on the `name` you chose when running the generator, or `<ProjectName>McpServer` by default.
 
 You can use this CDK construct in a CDK application:
 
@@ -24,6 +24,10 @@ export class ExampleStack extends Stack {
   }
 }
 ```
+
+:::note
+This construct uses the [`@aws-cdk/aws-bedrock-agentcore-alpha` module](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-bedrock-agentcore-alpha-readme.html).
+:::
 </Fragment>
 <Fragment slot="terraform">
 A Terraform module is generated for you, named based on the `name` you chose when running the generator, or `<ProjectName>-mcp-server` by default.
@@ -113,10 +117,11 @@ The below demonstrates how to configure Cognito authentication for your agent.
 
 <Infrastructure>
 <Fragment slot="cdk">
-To configure JWT authentication, you can pass the `authorizerConfiguration` property to your MCP server construct. Here is an example which configures a Cognito user pool and client to secure the MCP server:
+To configure JWT authentication using Cognito, use the `RuntimeAuthorizerConfiguration.usingCognito()` factory method:
 
 ```ts {14-17}
 import { MyProjectMcpServer } from ':my-scope/common-constructs';
+import { RuntimeAuthorizerConfiguration } from '@aws-cdk/aws-bedrock-agentcore-alpha';
 
 export class ExampleStack extends Stack {
   constructor(scope: Construct, id: string) {
@@ -128,27 +133,44 @@ export class ExampleStack extends Stack {
     });
 
     new MyProjectMcpServer(this, 'MyProjectMcpServer', {
-      authorizerConfiguration: {
-        customJwtAuthorizer: {
-          discoveryUrl: `https://cognito-idp.${Stack.of(userPool).region}.amazonaws.com/${userPool.userPoolId}/.well-known/openid-configuration`,
-          allowedClients: [client.userPoolClientId],
-        },
-      },
+      authorizerConfiguration: RuntimeAuthorizerConfiguration.usingCognito(
+        userPool,
+        [client],
+      ),
+    });
+  }
+}
+```
+
+Alternatively, for custom JWT authentication with your own OIDC provider, use `RuntimeAuthorizerConfiguration.usingJWT()`:
+
+```ts {6-10}
+import { MyProjectMcpServer } from ':my-scope/common-constructs';
+import { RuntimeAuthorizerConfiguration } from '@aws-cdk/aws-bedrock-agentcore-alpha';
+
+export class ExampleStack extends Stack {
+  constructor(scope: Construct, id: string) {
+    new MyProjectMcpServer(this, 'MyProjectMcpServer', {
+      authorizerConfiguration: RuntimeAuthorizerConfiguration.usingJWT(
+        'https://example.com/.well-known/openid-configuration',
+        ['client1', 'client2'], // Allowed Client IDs (optional)
+        ['audience1'],          // Allowed Audiences (optional)
+      ),
     });
   }
 }
 ```
 </Fragment>
 <Fragment slot="terraform">
-To configure JWT authentication, you can edit your MCP Server module to configure the `customJWTAuthorizer` variable as follows:
+To configure JWT authentication, you can edit your MCP Server module to configure the `authorizer_configuration` variable as follows:
 
-```terraform {18-21}
+```terraform {18-23}
 # packages/common/terraform/src/app/mcp-servers/my-project-mcp-server/my-project-mcp-server.tf
 
 data "aws_region" "current" {}
 
 locals {
-  aws_region = data.aws_region.current.name
+  aws_region = data.aws_region.current.id
 
   # Replace with your user pool and client ids or expose as variables
   user_pool_id = "xxx"
@@ -158,11 +180,13 @@ locals {
 module "agent_core_runtime" {
   source = "../../../core/agent-core"
   agent_runtime_name = "MyProjectMcpServer"
-  docker_image_tag = "my-scope-my-project-agent:latest"
+  docker_image_tag = "my-scope-my-project-mcp-server:latest"
   server_protocol = "MCP"
-  customJWTAuthorizer = {
-    discoveryUrl = "https://cognito-idp.${local.aws_region}.amazonaws.com/${local.user_pool_id}/.well-known/openid-configuration",
-    allowedClients = local.user_pool_client_ids
+  authorizer_configuration = {
+    custom_jwt_authorizer = {
+      discovery_url = "https://cognito-idp.${local.aws_region}.amazonaws.com/${local.user_pool_id}/.well-known/openid-configuration"
+      allowed_clients = local.user_pool_client_ids
+    }
   }
   env = var.env
   additional_iam_policy_statements = var.additional_iam_policy_statements

docs/src/content/docs/en/snippets/mcp/shared-constructs.mdx

@@ -15,9 +15,6 @@ For deploying your MCP Server, the following files are generated:
         - \<project-name>
           - \<project-name>.ts CDK construct for deploying your MCP Server
           - Dockerfile Passthrough docker file used by the CDK construct
-    - core
-      - agent-core
-        - runtime.ts Generic CDK construct for deploying to Bedrock AgentCore Runtime
 </FileTree>
 </Fragment>
 <Fragment slot="terraform">