{ "Description": "agent-claw: serverless personal assistant on AgentCore", "Resources": { "SessionStore8C86EEFE": { "Type": "AWS::DynamoDB::Table", "Properties": { "AttributeDefinitions": [ { "AttributeName": "actor_id", "AttributeType": "S" } ], "BillingMode": "PAY_PER_REQUEST", "KeySchema": [ { "AttributeName": "actor_id", "KeyType": "HASH" } ], "TableName": "agent-claw-sessions", "TimeToLiveSpecification": { "AttributeName": "ttl", "Enabled": true } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "AgentClawStack/SessionStore/Resource" } }, "UsersTable9725E9C8": { "Type": "AWS::DynamoDB::Table", "Properties": { "AttributeDefinitions": [ { "AttributeName": "actor_id", "AttributeType": "S" } ], "BillingMode": "PAY_PER_REQUEST", "KeySchema": [ { "AttributeName": "actor_id", "KeyType": "HASH" } ], "TableName": "agent-claw-users" }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "AgentClawStack/UsersTable/Resource" } }, "MessageQueue7A3BF959": { "Type": "AWS::SQS::Queue", "Properties": { "ContentBasedDeduplication": false, "FifoQueue": true, "QueueName": "agent-claw-messages.fifo", "ReceiveMessageWaitTimeSeconds": 20, "VisibilityTimeout": 900 }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "AgentClawStack/MessageQueue/Resource" } }, "TgIngestServiceRoleB96980B6": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "AgentClawStack/TgIngest/ServiceRole/Resource" } }, "TgIngestServiceRoleDefaultPolicyCC51E135": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { 
"Action": [ "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MessageQueue7A3BF959", "Arn" ] } }, { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3" } ], "Version": "2012-10-17" }, "PolicyName": "TgIngestServiceRoleDefaultPolicyCC51E135", "Roles": [ { "Ref": "TgIngestServiceRoleB96980B6" } ] }, "Metadata": { "aws:cdk:path": "AgentClawStack/TgIngest/ServiceRole/DefaultPolicy/Resource" } }, "TgIngest4CB35C2F": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": "cdk-hnb659fds-assets-495395224548-us-east-1", "S3Key": "8da48fd743d1e2cb70d8d1935cee795b6f8cf02609db05e2b8f28449be9ef875.zip" }, "Environment": { "Variables": { "MESSAGE_QUEUE_URL": { "Ref": "MessageQueue7A3BF959" }, "TELEGRAM_BOT_TOKEN_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3", "TELEGRAM_WEBHOOK_SECRET": "" } }, "FunctionName": "agent-claw-tg-ingest", "Handler": "handler.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "TgIngestServiceRoleB96980B6", "Arn" ] }, "Runtime": "python3.12", "Timeout": 10 }, "DependsOn": [ "TgIngestServiceRoleDefaultPolicyCC51E135", "TgIngestServiceRoleB96980B6" ], "Metadata": { "aws:cdk:path": "AgentClawStack/TgIngest/Resource", "aws:asset:path": "asset.8da48fd743d1e2cb70d8d1935cee795b6f8cf02609db05e2b8f28449be9ef875", "aws:asset:is-bundled": false, "aws:asset:property": "Code" } }, "AgentRunnerServiceRole40CA0A00": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] 
} ] }, "Metadata": { "aws:cdk:path": "AgentClawStack/AgentRunner/ServiceRole/Resource" } }, "AgentRunnerServiceRoleDefaultPolicyA584A5CF": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "SessionStore8C86EEFE", "Arn" ] } ] }, { "Action": [ "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "SessionStore8C86EEFE", "Arn" ] } ] }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "UsersTable9725E9C8", "Arn" ] } ] }, { "Action": [ "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "UsersTable9725E9C8", "Arn" ] } ] }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::agent-claw-workspace-495395224548" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::agent-claw-workspace-495395224548/*" ] ] } ] }, { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3" }, { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/brave-api-key-uUSgzi" }, { "Action": [ "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", 
"sqs:GetQueueUrl", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "MessageQueue7A3BF959", "Arn" ] } }, { "Action": "bedrock-agentcore:InvokeAgentRuntime", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "AgentRunnerServiceRoleDefaultPolicyA584A5CF", "Roles": [ { "Ref": "AgentRunnerServiceRole40CA0A00" } ] }, "Metadata": { "aws:cdk:path": "AgentClawStack/AgentRunner/ServiceRole/DefaultPolicy/Resource" } }, "AgentRunnerBDE3FA56": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": "cdk-hnb659fds-assets-495395224548-us-east-1", "S3Key": "49f9e3ee598c0259165125872304200dbdffee263d76fca541a8630534d8f5c5.zip" }, "Environment": { "Variables": { "SESSION_TABLE_NAME": { "Ref": "SessionStore8C86EEFE" }, "WORKSPACE_BUCKET_NAME": "agent-claw-workspace-495395224548", "TELEGRAM_BOT_TOKEN_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3", "BRAVE_API_KEY_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/brave-api-key-uUSgzi", "RUNTIME_1_ARN": "arn:aws:bedrock-agentcore:us-east-1:495395224548:runtime/agentclaw_agent_claw_main-vTRGIEG6ON", "AWS_REGION_NAME": "us-east-1", "USERS_TABLE_NAME": { "Ref": "UsersTable9725E9C8" }, "WORKSPACE_MCP_URL": "https://25hugrzw4uwtueeg77jsmft6lq0wunmd.lambda-url.us-east-1.on.aws/mcp" } }, "FunctionName": "agent-claw-agent-runner", "Handler": "handler.handler", "MemorySize": 256, "Role": { "Fn::GetAtt": [ "AgentRunnerServiceRole40CA0A00", "Arn" ] }, "Runtime": "python3.12", "Timeout": 900 }, "DependsOn": [ "AgentRunnerServiceRoleDefaultPolicyA584A5CF", "AgentRunnerServiceRole40CA0A00" ], "Metadata": { "aws:cdk:path": "AgentClawStack/AgentRunner/Resource", "aws:asset:path": "asset.49f9e3ee598c0259165125872304200dbdffee263d76fca541a8630534d8f5c5", "aws:asset:is-bundled": false, "aws:asset:property": "Code" } }, 
"AgentRunnerSqsEventSourceAgentClawStackMessageQueue9AF4DF234671B32B": { "Type": "AWS::Lambda::EventSourceMapping", "Properties": { "BatchSize": 10, "Enabled": true, "EventSourceArn": { "Fn::GetAtt": [ "MessageQueue7A3BF959", "Arn" ] }, "FunctionName": { "Ref": "AgentRunnerBDE3FA56" } }, "Metadata": { "aws:cdk:path": "AgentClawStack/AgentRunner/SqsEventSource:AgentClawStackMessageQueue9AF4DF23/Resource" } }, "WebhookApi28122C53": { "Type": "AWS::ApiGatewayV2::Api", "Properties": { "Name": "agent-claw-webhook", "ProtocolType": "HTTP" }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/Resource" } }, "WebhookApiDefaultStageC0BC9CA5": { "Type": "AWS::ApiGatewayV2::Stage", "Properties": { "ApiId": { "Ref": "WebhookApi28122C53" }, "AutoDeploy": true, "StageName": "$default" }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/DefaultStage/Resource" } }, "WebhookApiPOSTtelegramTgIngestIntegration9EE5BB85": { "Type": "AWS::ApiGatewayV2::Integration", "Properties": { "ApiId": { "Ref": "WebhookApi28122C53" }, "IntegrationType": "AWS_PROXY", "IntegrationUri": { "Fn::GetAtt": [ "TgIngest4CB35C2F", "Arn" ] }, "PayloadFormatVersion": "2.0" }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/POST--telegram/TgIngestIntegration/Resource" } }, "WebhookApiPOSTtelegramTgIngestIntegrationPermissionFEBC2E3B": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "TgIngest4CB35C2F", "Arn" ] }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":execute-api:us-east-1:495395224548:", { "Ref": "WebhookApi28122C53" }, "/*/*/telegram" ] ] } }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/POST--telegram/TgIngestIntegration-Permission" } }, "WebhookApiPOSTtelegramF7127CFF": { "Type": "AWS::ApiGatewayV2::Route", "Properties": { "ApiId": { "Ref": "WebhookApi28122C53" }, "AuthorizationType": "NONE", "RouteKey": "POST /telegram", 
"Target": { "Fn::Join": [ "", [ "integrations/", { "Ref": "WebhookApiPOSTtelegramTgIngestIntegration9EE5BB85" } ] ] } }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/POST--telegram/Resource" } }, "WebhookApiGEToauthstartOAuthStartIntegrationA546443F": { "Type": "AWS::ApiGatewayV2::Integration", "Properties": { "ApiId": { "Ref": "WebhookApi28122C53" }, "IntegrationType": "AWS_PROXY", "IntegrationUri": { "Fn::GetAtt": [ "OAuthHandlerC97C2476", "Arn" ] }, "PayloadFormatVersion": "2.0" }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--start/OAuthStartIntegration/Resource" } }, "WebhookApiGEToauthstartOAuthStartIntegrationPermission38BAEF6D": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "OAuthHandlerC97C2476", "Arn" ] }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":execute-api:us-east-1:495395224548:", { "Ref": "WebhookApi28122C53" }, "/*/*/oauth/start" ] ] } }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--start/OAuthStartIntegration-Permission" } }, "WebhookApiGEToauthstart6DCA713A": { "Type": "AWS::ApiGatewayV2::Route", "Properties": { "ApiId": { "Ref": "WebhookApi28122C53" }, "AuthorizationType": "NONE", "RouteKey": "GET /oauth/start", "Target": { "Fn::Join": [ "", [ "integrations/", { "Ref": "WebhookApiGEToauthstartOAuthStartIntegrationA546443F" } ] ] } }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--start/Resource" } }, "WebhookApiGEToauthcallbackOAuthCallbackIntegrationCFBBEB09": { "Type": "AWS::ApiGatewayV2::Integration", "Properties": { "ApiId": { "Ref": "WebhookApi28122C53" }, "IntegrationType": "AWS_PROXY", "IntegrationUri": { "Fn::GetAtt": [ "OAuthHandlerC97C2476", "Arn" ] }, "PayloadFormatVersion": "2.0" }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--callback/OAuthCallbackIntegration/Resource" } }, 
"WebhookApiGEToauthcallbackOAuthCallbackIntegrationPermission6BA3A5AD": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "OAuthHandlerC97C2476", "Arn" ] }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":execute-api:us-east-1:495395224548:", { "Ref": "WebhookApi28122C53" }, "/*/*/oauth/callback" ] ] } }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--callback/OAuthCallbackIntegration-Permission" } }, "WebhookApiGEToauthcallbackFC1F6BCD": { "Type": "AWS::ApiGatewayV2::Route", "Properties": { "ApiId": { "Ref": "WebhookApi28122C53" }, "AuthorizationType": "NONE", "RouteKey": "GET /oauth/callback", "Target": { "Fn::Join": [ "", [ "integrations/", { "Ref": "WebhookApiGEToauthcallbackOAuthCallbackIntegrationCFBBEB09" } ] ] } }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--callback/Resource" } }, "WebhookApiANYworkspaceproxyWorkspaceMcpIntegration7377EE13": { "Type": "AWS::ApiGatewayV2::Integration", "Properties": { "ApiId": { "Ref": "WebhookApi28122C53" }, "IntegrationType": "AWS_PROXY", "IntegrationUri": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:us-east-1:495395224548:function:agent-claw-workspace-mcp" ] ] }, "PayloadFormatVersion": "2.0" }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/ANY--workspace--{proxy+}/WorkspaceMcpIntegration/Resource" } }, "WebhookApiANYworkspaceproxyWorkspaceMcpIntegrationPermission97613ADF": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:us-east-1:495395224548:function:agent-claw-workspace-mcp" ] ] }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":execute-api:us-east-1:495395224548:", { "Ref": "WebhookApi28122C53" }, 
"/*/*/workspace/{proxy+}" ] ] } }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/ANY--workspace--{proxy+}/WorkspaceMcpIntegration-Permission" } }, "WebhookApiANYworkspaceproxy4455BE19": { "Type": "AWS::ApiGatewayV2::Route", "Properties": { "ApiId": { "Ref": "WebhookApi28122C53" }, "AuthorizationType": "NONE", "RouteKey": "ANY /workspace/{proxy+}", "Target": { "Fn::Join": [ "", [ "integrations/", { "Ref": "WebhookApiANYworkspaceproxyWorkspaceMcpIntegration7377EE13" } ] ] } }, "Metadata": { "aws:cdk:path": "AgentClawStack/WebhookApi/ANY--workspace--{proxy+}/Resource" } }, "Runtime1RoleA7A82078": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "bedrock-agentcore.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": "Execution role for agent-claw Runtime 1 (main assistant)" }, "Metadata": { "aws:cdk:path": "AgentClawStack/Runtime1Role/Resource" } }, "Runtime1RoleDefaultPolicy1A3D5ACF": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::agent-claw-workspace-495395224548" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::agent-claw-workspace-495395224548/*" ] ] } ] }, { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3" }, { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/brave-api-key-uUSgzi" }, { "Action": [ "dynamodb:BatchGetItem", 
"dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "UsersTable9725E9C8", "Arn" ] } ] }, { "Action": [ "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "UsersTable9725E9C8", "Arn" ] } ] }, { "Action": [ "bedrock-agentcore:CreateEvent", "bedrock-agentcore:ListEvents", "bedrock-agentcore:RetrieveMemoryRecords" ], "Effect": "Allow", "Resource": "*" }, { "Action": "lambda:InvokeFunctionUrl", "Condition": { "StringEquals": { "lambda:FunctionUrlAuthType": "AWS_IAM" } }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:us-east-1:495395224548:function:agent-claw-workspace-mcp" ] ] }, "Sid": "WorkspaceMcpInvoke" }, { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-??????" 
] ] } }, { "Action": "secretsmanager:GetSecretValue", "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-credentials/*", "Sid": "PerUserGoogleCredentialsReadRuntime" }, { "Action": [ "events:PutRule", "events:PutTargets", "events:ListRules", "events:ListTargetsByRule", "events:RemoveTargets", "events:DeleteRule" ], "Effect": "Allow", "Resource": "arn:aws:events:us-east-1:*:rule/agent-claw-reminder-*", "Sid": "EventBridgeScheduler" }, { "Action": [ "lambda:AddPermission", "lambda:RemovePermission" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SchedulerCFE73206", "Arn" ] }, "Sid": "SchedulerLambdaPermission" } ], "Version": "2012-10-17" }, "PolicyName": "Runtime1RoleDefaultPolicy1A3D5ACF", "Roles": [ { "Ref": "Runtime1RoleA7A82078" } ] }, "Metadata": { "aws:cdk:path": "AgentClawStack/Runtime1Role/DefaultPolicy/Resource" } }, "WorkspaceMcpRolePolicy5B8B0072": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-??????" 
] ] } }, { "Action": "secretsmanager:GetSecretValue", "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-credentials/*", "Sid": "PerUserGoogleCredentialsRead" } ], "Version": "2012-10-17" }, "PolicyName": "WorkspaceMcpRolePolicy5B8B0072", "Roles": [ "agent-claw-workspace-mcp-role" ] }, "Metadata": { "aws:cdk:path": "AgentClawStack/WorkspaceMcpRole/Policy/Resource" } }, "OAuthHandlerServiceRole9CDCCF9E": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "AgentClawStack/OAuthHandler/ServiceRole/Resource" } }, "OAuthHandlerServiceRoleDefaultPolicy69D90416": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-??????" 
] ] } }, { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3" }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "UsersTable9725E9C8", "Arn" ] } ] }, { "Action": [ "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "UsersTable9725E9C8", "Arn" ] } ] }, { "Action": "secretsmanager:GetSecretValue", "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-subXHl", "Sid": "GoogleOAuthClientSecretExact" }, { "Action": [ "secretsmanager:CreateSecret", "secretsmanager:PutSecretValue", "secretsmanager:GetSecretValue" ], "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-credentials/*", "Sid": "PerUserGoogleCredentialsWrite" } ], "Version": "2012-10-17" }, "PolicyName": "OAuthHandlerServiceRoleDefaultPolicy69D90416", "Roles": [ { "Ref": "OAuthHandlerServiceRole9CDCCF9E" } ] }, "Metadata": { "aws:cdk:path": "AgentClawStack/OAuthHandler/ServiceRole/DefaultPolicy/Resource" } }, "OAuthHandlerC97C2476": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": "cdk-hnb659fds-assets-495395224548-us-east-1", "S3Key": "b45b92872bd4af9d3688817f862e6574ff6b4903e68b140bcee6fe0b2678c645.zip" }, "Environment": { "Variables": { "GOOGLE_OAUTH_CLIENT_SECRET_ARN": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client" ] ] }, "USERS_TABLE_NAME": { "Ref": "UsersTable9725E9C8" }, "TELEGRAM_BOT_TOKEN_SECRET_ARN": 
"arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3", "OAUTH_REDIRECT_URI": { "Fn::Join": [ "", [ "https://", { "Ref": "WebhookApi28122C53" }, ".execute-api.us-east-1.", { "Ref": "AWS::URLSuffix" }, "/oauth/callback" ] ] } } }, "FunctionName": "agent-claw-oauth-handler", "Handler": "handler.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "OAuthHandlerServiceRole9CDCCF9E", "Arn" ] }, "Runtime": "python3.12", "Timeout": 30 }, "DependsOn": [ "OAuthHandlerServiceRoleDefaultPolicy69D90416", "OAuthHandlerServiceRole9CDCCF9E" ], "Metadata": { "aws:cdk:path": "AgentClawStack/OAuthHandler/Resource", "aws:asset:path": "asset.b45b92872bd4af9d3688817f862e6574ff6b4903e68b140bcee6fe0b2678c645", "aws:asset:is-bundled": false, "aws:asset:property": "Code" } }, "SchedulerServiceRole62CDA70C": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "AgentClawStack/Scheduler/ServiceRole/Resource" } }, "SchedulerServiceRoleDefaultPolicyFA0D8235": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3" }, { "Action": [ "events:RemoveTargets", "events:DeleteRule" ], "Effect": "Allow", "Resource": "arn:aws:events:us-east-1:495395224548:rule/agent-claw-reminder-*" } ], "Version": "2012-10-17" }, "PolicyName": "SchedulerServiceRoleDefaultPolicyFA0D8235", "Roles": [ { "Ref": "SchedulerServiceRole62CDA70C" } ] }, "Metadata": { "aws:cdk:path": 
"AgentClawStack/Scheduler/ServiceRole/DefaultPolicy/Resource" } }, "SchedulerCFE73206": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": "cdk-hnb659fds-assets-495395224548-us-east-1", "S3Key": "8e7324457a5952eb51f04a34fbc5ba853252e7157d8d8958ac5fda92e72edb1f.zip" }, "Environment": { "Variables": { "TELEGRAM_BOT_TOKEN_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3" } }, "FunctionName": "agent-claw-scheduler", "Handler": "handler.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "SchedulerServiceRole62CDA70C", "Arn" ] }, "Runtime": "python3.12", "Timeout": 30 }, "DependsOn": [ "SchedulerServiceRoleDefaultPolicyFA0D8235", "SchedulerServiceRole62CDA70C" ], "Metadata": { "aws:cdk:path": "AgentClawStack/Scheduler/Resource", "aws:asset:path": "asset.8e7324457a5952eb51f04a34fbc5ba853252e7157d8d8958ac5fda92e72edb1f", "aws:asset:is-bundled": false, "aws:asset:property": "Code" } }, "SchedulerEventBridgeInvoke72A0529A": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "SchedulerCFE73206", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": "arn:aws:events:us-east-1:495395224548:rule/agent-claw-reminder-*" }, "Metadata": { "aws:cdk:path": "AgentClawStack/Scheduler/EventBridgeInvoke" } }, "CDKMetadata": { "Type": "AWS::CDK::Metadata", "Properties": { "Analytics": "v2:deflate64:H4sIAAAAAAAA/22PwU7DMAyGn2X31IxuPMCGQHBAjI775KZela1NSu1sqqK8O0rKOCBO/+ff+WO7hPKhhOUCr1zo5lx0poawF9RnVRE7P2pSeOVD4BVsvT6TbJFJNZPF3jU1hE+sO1KPR5shKv5iCB+efDYzRNVhXzcI4dlbLcbZ1PrlpwtZ2edRbzgMxrap/b+7o7E3zCl2y6d9ojLYQ6jcvErWneuMnnIoU1S8OiAzCcMmicLBtCh0xelSQngRGTaDSYEkqdwLtvnDGZJVOS8zvVqhdsTbOX/K/C5GlSel+M8B714GL1FZ1xCc+O5SruF+DcvFiY0pRm/F9ATVrN8RDS1cnQEAAA==" }, "Metadata": { "aws:cdk:path": "AgentClawStack/CDKMetadata/Default" } } }, "Outputs": { "WorkspaceMcpFunctionUrl": { "Description": "workspace-mcp Lambda Function URL (MCP endpoint for 
Gmail/Calendar)", "Value": "https://25hugrzw4uwtueeg77jsmft6lq0wunmd.lambda-url.us-east-1.on.aws" }, "OAuthStartUrl": { "Description": "Google OAuth start URL — set as OAUTH_START_URL in agentcore.json", "Value": { "Fn::Join": [ "", [ "https://", { "Ref": "WebhookApi28122C53" }, ".execute-api.us-east-1.", { "Ref": "AWS::URLSuffix" }, "/oauth/start" ] ] } }, "OAuthRedirectUri": { "Description": "Google OAuth redirect URI — register in Google Cloud Console", "Value": { "Fn::Join": [ "", [ "https://", { "Ref": "WebhookApi28122C53" }, ".execute-api.us-east-1.", { "Ref": "AWS::URLSuffix" }, "/oauth/callback" ] ] } }, "WebhookUrl": { "Description": "Register this URL with Telegram BotFather as the webhook endpoint. Note: the POST /telegram route has AuthorizationType NONE and TELEGRAM_WEBHOOK_SECRET is empty in this template, so set a non-empty secret first; confirm the ingest handler rejects requests that do not carry it.", "Value": { "Fn::Join": [ "", [ "https://", { "Ref": "WebhookApi28122C53" }, ".execute-api.us-east-1.", { "Ref": "AWS::URLSuffix" }, "/telegram" ] ] } }, "WorkspaceBucketName": { "Description": "S3 bucket containing agent workspace files", "Value": "agent-claw-workspace-495395224548" }, "SessionTableName": { "Description": "DynamoDB table for session mapping", "Value": { "Ref": "SessionStore8C86EEFE" } }, "UsersTableName": { "Description": "DynamoDB user registry table", "Value": { "Ref": "UsersTable9725E9C8" } }, "MessageQueueUrl": { "Description": "SQS FIFO queue for incoming messages", "Value": { "Ref": "MessageQueue7A3BF959" } }, "Runtime1RoleArn": { "Description": "IAM execution role ARN for AgentCore Runtime 1", "Value": { "Fn::GetAtt": [ "Runtime1RoleA7A82078", "Arn" ] } }, "SchedulerLambdaArn": { "Description": "Scheduler Lambda ARN — set as SCHEDULER_LAMBDA_ARN in agentcore.json", "Value": { "Fn::GetAtt": [ "SchedulerCFE73206", "Arn" ] } } }, "Parameters": { "BootstrapVersion": { "Type": "AWS::SSM::Parameter::Value", "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip]" } }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5" ], { "Ref": "BootstrapVersion" } ] } ] }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." } ] } } }