feat(tf): Create AgentCore Memory

Create AgentCore Memory from Terraform and populate its ID into
Parameter Store, rather than requiring prerequisite setup.

Author: athewsey

infra/main.tf

@@ -7,9 +7,16 @@ module "container_image" {
   repository_name     = "langgraph-cx-agent"
 }
 
+# Agent Memory
+resource "aws_bedrockagentcore_memory" "agent_memory" {
+  name                  = "CxMemory"
+  event_expiry_duration = 30
+}
+
 # Bedrock Agent Role
 module "bedrock_role" {
   source                   = "./modules/agentcore-iam-role"
+  agent_memory_arn         = aws_bedrockagentcore_memory.agent_memory.arn
   container_repository_arn = module.container_image.ecr_repository_arn
   role_name                = var.bedrock_role_name
   knowledge_base_id        = module.kb_stack.knowledge_base_id
@@ -45,7 +52,7 @@ module "parameters" {
   guardrail_id      = module.guardrail.guardrail_id
   user_pool_id      = module.cognito.user_pool_id
   client_id         = module.cognito.user_pool_client_id
-  ac_stm_memory_id  = var.ac_stm_memory_id
+  ac_stm_memory_id  = aws_bedrockagentcore_memory.agent_memory.id
 
   depends_on = [
     module.kb_stack,

infra/modules/agentcore-iam-role/bedrock-agentcore-policy.tf

@@ -148,6 +148,35 @@ resource "aws_iam_policy" "agentcore_permissions" {
           "arn:aws:bedrock-agentcore:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:workload-identity-directory/default",
           "arn:aws:bedrock-agentcore:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:workload-identity-directory/default/workload-identity/*"
         ]
+      },
+      {
+        Sid    = "AccessMemory"
+        Effect = "Allow"
+        Action = [
+          "bedrock-agentcore:BatchCreateMemoryRecords",
+          "bedrock-agentcore:BatchDeleteMemoryRecords",
+          "bedrock-agentcore:BatchUpdateMemoryRecords",
+          "bedrock-agentcore:CreateEvent",
+          "bedrock-agentcore:DeleteEvent",
+          "bedrock-agentcore:DeleteMemoryRecord",
+          "bedrock-agentcore:GetEvent",
+          "bedrock-agentcore:GetMemory",
+          "bedrock-agentcore:GetMemoryRecord",
+          "bedrock-agentcore:ListActors",
+          "bedrock-agentcore:ListEvents",
+          "bedrock-agentcore:ListMemoryRecords",
+          "bedrock-agentcore:ListSessions",
+          "bedrock-agentcore:ListTagsForResource",
+          "bedrock-agentcore:RetrieveMemoryRecords",
+          "bedrock-agentcore:TagResource",
+        ]
+        Resource = (
+          var.agent_memory_arn == "" ?
+          [
+            "arn:aws:bedrock-agentcore:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:memory/*"
+          ] :
+          [var.agent_memory_arn]
+        )
       }
     ]
   })

infra/modules/agentcore-iam-role/variables.tf

@@ -19,4 +19,10 @@ variable "guardrail_id" {
   description = "Guardrail ID to restrict access to"
   type        = string
   default     = "*"
+}
+
+variable "agent_memory_arn" {
+  description = "ARN of specific AgentCore Memory to grant access (default: all)"
+  default     = ""
+  type        = string
 }

infra/modules/opensearch-serverless/versions.tf

@@ -6,7 +6,7 @@ terraform {
     }
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = ">= 5.0"
     }
     awscc = {
       source  = "hashicorp/awscc"

infra/terraform.tf

@@ -0,0 +1,15 @@
+terraform {
+  backend "s3" {
+    encrypt = true
+    key     = "sample-agentic-ai-foundation.tfstate"
+    # TODO: Can we enable use_lockfile = true ?
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      # v6.18 added support for Bedrock AgentCore Memory
+      version = ">= 6.18"
+    }
+  }
+}

infra/variables.tf

@@ -95,8 +95,3 @@ variable "tavily_api_key" {
   type        = string
   sensitive   = true
 }
-
-variable "ac_stm_memory_id" {
-  description = "ID of the AC STM resource"
-  type        = string
-}