
[Enhancement] aws_bedrockagentcore_agent_runtime/aws_bedrockagentcore_gateway: Add authorizer_configuration.custom_jwt_authorizer.custom_claim block#47049

Merged
ewbankkit merged 9 commits intohashicorp:mainfrom
tabito-hara:f-aws_bedrockagentcore_agent_runtime-add_custom_claim
Mar 23, 2026

Conversation

@tabito-hara
Contributor

@tabito-hara tabito-hara commented Mar 22, 2026

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Description

This PR adds the authorizer_configuration.custom_jwt_authorizer.custom_claim block to the aws_bedrockagentcore_agent_runtime and aws_bedrockagentcore_gateway resources.

Relations

Closes #47032

References

https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CustomJWTAuthorizerConfiguration.html

Output from Acceptance Testing

aws_bedrockagentcore_agent_runtime

The disappears test failed due to insufficient permissions, even though I was using an "Admin" role.
(According to the debug log, DeleteAgentRuntime appears to have been called even after it had already been executed.)

Since the latest main branch also exhibits the same error in my environment, this failure does not appear to be related to the changes in this PR.

$ AWS_BEDROCK_AGENTCORE_RUNTIME_IMAGE_V1_URI=123456789012.dkr.ecr.us-west-2.amazonaws.com/bedrockagentcore/agent:latest \
AWS_BEDROCK_AGENTCORE_RUNTIME_IMAGE_V2_URI=123456789012.dkr.ecr.us-west-2.amazonaws.com/bedrockagentcore/agent:test \
AWS_BEDROCK_AGENTCORE_RUNTIME_CODE_V1_S3_BUCKET=bedrock-agentcore-runtime \
AWS_BEDROCK_AGENTCORE_RUNTIME_CODE_V1_S3_KEY=strands_agent.zip \
AWS_BEDROCK_AGENTCORE_RUNTIME_CODE_V2_S3_BUCKET=bedrock-agentcore-runtime \
AWS_BEDROCK_AGENTCORE_RUNTIME_CODE_V2_S3_KEY=strands_agent_v2.zip \
make testacc TESTS='TestAccBedrockAgentCoreAgentRuntime_' PKG=bedrockagentcore
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-aws_bedrockagentcore_agent_runtime-add_custom_claim 🌿...
TF_ACC=1 go1.25.8 test ./internal/service/bedrockagentcore/... -v -count 1 -parallel 20 -run='TestAccBedrockAgentCoreAgentRuntime_'  -timeout 360m -vet=off
2026/03/23 00:26:16 Creating Terraform AWS Provider (SDKv2-style)...
2026/03/23 00:26:16 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccBedrockAgentCoreAgentRuntime_basic
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_basic
=== RUN   TestAccBedrockAgentCoreAgentRuntime_disappears
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_disappears
=== RUN   TestAccBedrockAgentCoreAgentRuntime_tags
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_tags
=== RUN   TestAccBedrockAgentCoreAgentRuntime_description
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_description
=== RUN   TestAccBedrockAgentCoreAgentRuntime_environmentVariables
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_environmentVariables
=== RUN   TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration
=== RUN   TestAccBedrockAgentCoreAgentRuntime_authorizerConfigurationCustomClaim
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_authorizerConfigurationCustomClaim
=== RUN   TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration
=== RUN   TestAccBedrockAgentCoreAgentRuntime_artifactContainer
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_artifactContainer
=== RUN   TestAccBedrockAgentCoreAgentRuntime_artifactCode
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_artifactCode
=== RUN   TestAccBedrockAgentCoreAgentRuntime_artifactTypeChanged
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_artifactTypeChanged
=== CONT  TestAccBedrockAgentCoreAgentRuntime_basic
=== CONT  TestAccBedrockAgentCoreAgentRuntime_authorizerConfigurationCustomClaim
=== CONT  TestAccBedrockAgentCoreAgentRuntime_artifactCode
=== CONT  TestAccBedrockAgentCoreAgentRuntime_artifactTypeChanged
=== CONT  TestAccBedrockAgentCoreAgentRuntime_description
=== CONT  TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration
=== CONT  TestAccBedrockAgentCoreAgentRuntime_environmentVariables
=== CONT  TestAccBedrockAgentCoreAgentRuntime_artifactContainer
=== CONT  TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration
=== CONT  TestAccBedrockAgentCoreAgentRuntime_tags
=== CONT  TestAccBedrockAgentCoreAgentRuntime_disappears
    agent_runtime_test.go:82: Error running post-test destroy, there may be dangling resources: exit status 1
        
        Error: deleting Bedrock AgentCore Agent Runtime
        
        ID: tf_acc_test_1551418766752101054-7g4ZBD8h14
        Cause: operation error Bedrock AgentCore Control: DeleteAgentRuntime, ,
        AccessDeniedException: User:
        arn:aws:sts::123456789012:assumed-role/xxxxx
        is not authorized to perform: bedrock-agentcore:DeleteAgentRuntime"
        
--- FAIL: TestAccBedrockAgentCoreAgentRuntime_disappears (66.30s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration (107.72s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_artifactCode (125.47s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_basic (356.98s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_tags (378.67s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration (417.74s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_environmentVariables (418.21s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_artifactContainer (419.59s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_description (419.75s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_authorizerConfigurationCustomClaim (449.92s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_artifactTypeChanged (761.98s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-aws/internal/service/bedrockagentcore   766.485s
FAIL
make: *** [testacc] Error 1

aws_bedrockagentcore_gateway

One test failed, but it appears not to be related to the fix in this PR.

$ make testacc TESTS='TestAccBedrockAgentCoreGateway_' PKG=bedrockagentcore 
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-aws_bedrockagentcore_agent_runtime-add_custom_claim 🌿...
TF_ACC=1 go1.25.8 test ./internal/service/bedrockagentcore/... -v -count 1 -parallel 20 -run='TestAccBedrockAgentCoreGateway_'  -timeout 360m -vet=off
2026/03/22 23:15:23 Creating Terraform AWS Provider (SDKv2-style)...
2026/03/22 23:15:23 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccBedrockAgentCoreGateway_basic
=== PAUSE TestAccBedrockAgentCoreGateway_basic
=== RUN   TestAccBedrockAgentCoreGateway_xrayDelivery
=== PAUSE TestAccBedrockAgentCoreGateway_xrayDelivery
=== RUN   TestAccBedrockAgentCoreGateway_disappears
=== PAUSE TestAccBedrockAgentCoreGateway_disappears
=== RUN   TestAccBedrockAgentCoreGateway_tags
=== PAUSE TestAccBedrockAgentCoreGateway_tags
=== RUN   TestAccBedrockAgentCoreGateway_interceptorConfigurations
=== PAUSE TestAccBedrockAgentCoreGateway_interceptorConfigurations
=== RUN   TestAccBedrockAgentCoreGateway_description
=== PAUSE TestAccBedrockAgentCoreGateway_description
=== RUN   TestAccBedrockAgentCoreGateway_IAMAuthorizer
=== PAUSE TestAccBedrockAgentCoreGateway_IAMAuthorizer
=== RUN   TestAccBedrockAgentCoreGateway_kmsKey
    gateway_test.go:367: KMS key returns HTTP 500
--- SKIP: TestAccBedrockAgentCoreGateway_kmsKey (0.00s)
=== RUN   TestAccBedrockAgentCoreGateway_protocolConfiguration
=== PAUSE TestAccBedrockAgentCoreGateway_protocolConfiguration
=== RUN   TestAccBedrockAgentCoreGateway_customJWTAuthorizer
=== PAUSE TestAccBedrockAgentCoreGateway_customJWTAuthorizer
=== RUN   TestAccBedrockAgentCoreGateway_customJWTAuthorizerCustomClaim
=== PAUSE TestAccBedrockAgentCoreGateway_customJWTAuthorizerCustomClaim
=== CONT  TestAccBedrockAgentCoreGateway_basic
=== CONT  TestAccBedrockAgentCoreGateway_description
=== CONT  TestAccBedrockAgentCoreGateway_customJWTAuthorizer
=== CONT  TestAccBedrockAgentCoreGateway_customJWTAuthorizerCustomClaim
=== CONT  TestAccBedrockAgentCoreGateway_tags
=== CONT  TestAccBedrockAgentCoreGateway_disappears
=== CONT  TestAccBedrockAgentCoreGateway_protocolConfiguration
=== CONT  TestAccBedrockAgentCoreGateway_IAMAuthorizer
=== CONT  TestAccBedrockAgentCoreGateway_xrayDelivery
=== CONT  TestAccBedrockAgentCoreGateway_interceptorConfigurations
=== NAME  TestAccBedrockAgentCoreGateway_xrayDelivery
    gateway_test.go:80: Step 1/1 error: Error running apply: exit status 1
        
        Error: creating CloudWatch Logs Delivery
        
          with aws_cloudwatch_log_delivery.test,
          on terraform_plugin_test.tf line 54, in resource "aws_cloudwatch_log_delivery" "test":
          54: resource "aws_cloudwatch_log_delivery" "test" {
        
        operation error CloudWatch Logs: CreateDelivery, https response error
        StatusCode: 400, RequestID: affb68e3-66cd-4b82-96ce-830fd01cbdd2,
        ValidationException: X-Ray Delivery Destination is supported with CloudWatch
        Logs as a Trace Segment Destination. Please enable the CloudWatch Logs
        destination for your traces using the UpdateTraceSegmentDestination API
        (https://docs.aws.amazon.com/xray/latest/api/API_UpdateTraceSegmentDestination.html)
--- FAIL: TestAccBedrockAgentCoreGateway_xrayDelivery (42.02s)
--- PASS: TestAccBedrockAgentCoreGateway_disappears (56.82s)
--- PASS: TestAccBedrockAgentCoreGateway_basic (65.67s)
--- PASS: TestAccBedrockAgentCoreGateway_interceptorConfigurations (80.04s)
--- PASS: TestAccBedrockAgentCoreGateway_protocolConfiguration (86.17s)
--- PASS: TestAccBedrockAgentCoreGateway_description (91.94s)
--- PASS: TestAccBedrockAgentCoreGateway_IAMAuthorizer (94.36s)
--- PASS: TestAccBedrockAgentCoreGateway_customJWTAuthorizer (95.82s)
--- PASS: TestAccBedrockAgentCoreGateway_tags (112.72s)
--- PASS: TestAccBedrockAgentCoreGateway_customJWTAuthorizerCustomClaim (124.92s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-aws/internal/service/bedrockagentcore   130.059s
FAIL
make: *** [testacc] Error 1

@github-actions

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions Bot added needs-triage Waiting for first response or review from a maintainer. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/bedrockagentcore Issues and PRs that pertain to the bedrockagentcore service. size/XL Managed by automation to categorize the size of a PR. labels Mar 22, 2026
@tabito-hara tabito-hara marked this pull request as ready for review March 22, 2026 15:50
@tabito-hara tabito-hara requested a review from a team as a code owner March 22, 2026 15:50
@dosubot dosubot Bot added the enhancement Requests to existing resources that expand the functionality or scope. label Mar 22, 2026
@ewbankkit ewbankkit self-assigned this Mar 23, 2026
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Mar 23, 2026
@github-actions github-actions Bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Mar 23, 2026

@ewbankkit ewbankkit left a comment


LGTM 🚀.

% AWS_BEDROCK_AGENTCORE_RUNTIME_IMAGE_V1_URI=123456789012.dkr.ecr.us-west-2.amazonaws.com/bedrockagentcore_v1:latest AWS_BEDROCK_AGENTCORE_RUNTIME_IMAGE_V2_URI=123456789012.dkr.ecr.us-west-2.amazonaws.com/bedrockagentcore_v2:latest make testacc TESTARGS='-run=TestAccBedrockAgentCoreAgentRuntime_' PKG=bedrockagentcore ACCTEST_PARALLELISM=4
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 HEAD 🌿...
TF_ACC=1 go1.25.8 test ./internal/service/bedrockagentcore/... -v -count 1 -parallel 4  -run=TestAccBedrockAgentCoreAgentRuntime_ -timeout 360m -vet=off
2026/03/23 08:20:00 Creating Terraform AWS Provider (SDKv2-style)...
2026/03/23 08:20:00 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccBedrockAgentCoreAgentRuntime_basic
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_basic
=== RUN   TestAccBedrockAgentCoreAgentRuntime_disappears
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_disappears
=== RUN   TestAccBedrockAgentCoreAgentRuntime_tags
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_tags
=== RUN   TestAccBedrockAgentCoreAgentRuntime_description
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_description
=== RUN   TestAccBedrockAgentCoreAgentRuntime_environmentVariables
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_environmentVariables
=== RUN   TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration
=== RUN   TestAccBedrockAgentCoreAgentRuntime_authorizerConfigurationCustomClaim
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_authorizerConfigurationCustomClaim
=== RUN   TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration
=== RUN   TestAccBedrockAgentCoreAgentRuntime_artifactContainer
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_artifactContainer
=== RUN   TestAccBedrockAgentCoreAgentRuntime_artifactCode
    agent_runtime_test.go:771: skipping test; environment variable AWS_BEDROCK_AGENTCORE_RUNTIME_CODE_V1_S3_BUCKET must be set
--- SKIP: TestAccBedrockAgentCoreAgentRuntime_artifactCode (0.00s)
=== RUN   TestAccBedrockAgentCoreAgentRuntime_artifactTypeChanged
    agent_runtime_test.go:878: skipping test; environment variable AWS_BEDROCK_AGENTCORE_RUNTIME_CODE_V1_S3_BUCKET must be set
--- SKIP: TestAccBedrockAgentCoreAgentRuntime_artifactTypeChanged (0.00s)
=== CONT  TestAccBedrockAgentCoreAgentRuntime_basic
=== CONT  TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration
=== CONT  TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration
=== CONT  TestAccBedrockAgentCoreAgentRuntime_artifactContainer
--- PASS: TestAccBedrockAgentCoreAgentRuntime_basic (45.01s)
=== CONT  TestAccBedrockAgentCoreAgentRuntime_authorizerConfigurationCustomClaim
--- PASS: TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration (57.83s)
=== CONT  TestAccBedrockAgentCoreAgentRuntime_description
--- PASS: TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration (60.70s)
=== CONT  TestAccBedrockAgentCoreAgentRuntime_environmentVariables
--- PASS: TestAccBedrockAgentCoreAgentRuntime_artifactContainer (61.15s)
=== CONT  TestAccBedrockAgentCoreAgentRuntime_tags
--- PASS: TestAccBedrockAgentCoreAgentRuntime_description (59.67s)
=== CONT  TestAccBedrockAgentCoreAgentRuntime_disappears
--- PASS: TestAccBedrockAgentCoreAgentRuntime_environmentVariables (59.60s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_authorizerConfigurationCustomClaim (76.83s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_tags (63.72s)
=== NAME  TestAccBedrockAgentCoreAgentRuntime_disappears
    agent_runtime_test.go:82: Error running post-test destroy, there may be dangling resources: exit status 1

        Error: deleting Bedrock AgentCore Agent Runtime

        ID: tf_acc_test_2206906550655035379-DBh5VXGHlw
        Cause: operation error Bedrock AgentCore Control: DeleteAgentRuntime, ,
        AccessDeniedException: User: arn:aws:iam::123456789012:user/kit is not
        authorized to perform: bedrock-agentcore:DeleteAgentRuntime"

--- FAIL: TestAccBedrockAgentCoreAgentRuntime_disappears (28.39s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-aws/internal/service/bedrockagentcore   151.367s
FAIL
make: *** [testacc] Error 1

@ewbankkit

@tabito-hara Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit 1e52bf5 into hashicorp:main Mar 23, 2026
58 checks passed
@github-actions

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions Bot added this to the v6.38.0 milestone Mar 23, 2026
@github-actions github-actions Bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Mar 25, 2026
@github-actions

This functionality has been released in v6.38.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

evan-cohen added a commit to evan-cohen/terraform-provider-aws that referenced this pull request Apr 15, 2026
This bug fix was previously included as part of this PR, but has been introduced in hashicorp#47049 in the interim.
@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Apr 25, 2026

Labels

documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. service/bedrockagentcore Issues and PRs that pertain to the bedrockagentcore service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.

Development

Successfully merging this pull request may close these issues.

r/aws_bedrockagentcore_agent_runtime: Support custom_claims for custom JWT authorizer
