
fix(bedrockagentcore): Memory no longer creates an unused execution role#38045

Open
vishwakt wants to merge 1 commit into
aws:mainfrom
vishwakt:fix/bedrockagentcore-memory-conditional-role

Conversation

@vishwakt
Contributor

Issue # (if applicable)

Fixes #38021.

Reason for this change

The Memory L2 construct always created an IAM execution role, even when no executionRole was provided and no memory strategies were configured. That auto-created role has a trust policy but zero permission policies, so it does nothing. In stacks with many memories this adds a large number of useless IAM roles, and the L1 CfnMemory deploys fine without MemoryExecutionRoleArn. pahud confirmed on the issue that making role creation conditional aligns with L1 behavior.

Description of changes

The execution role is now created only when the memory actually needs one:

  • an executionRole is provided, or
  • a customer-managed kmsKey is configured (the service assumes the role to use the key), or
  • one or more memory strategies are added, at construction or later via addMemoryStrategy(), which now creates the role on demand.

A memory with only short-term storage and no strategies creates no role, and MemoryExecutionRoleArn is omitted from the template. executionRole is undefined in that case, and grantPrincipal resolves to an UnknownPrincipal so grant calls are no-ops rather than failing.

Implementation notes:

  • executionRole and grantPrincipal are now getters over a private backing field so the role can be created lazily. This is API-compatible: jsii models a readonly property and a getter identically, and yarn compat passes.
  • memoryExecutionRoleArn is rendered lazily so it reflects a role created after construction.
  • Memories that already create a role (strategies, KMS, or an explicit role) keep the same role and the same logical ID, so there is no resource replacement for them.

On feature flags: the only behavior change is for a bare new Memory(...) with no strategies, KMS key, or execution role. On upgrade, the empty role is removed from the template. I did not gate this behind a feature flag because (1) the removed resource is an empty role with no policies that, as noted on the issue, serves no purpose, (2) aws-bedrockagentcore is a recently added module so the deployed footprint of bare memories is small, and (3) the maintainer endorsed making the behavior conditional in the constructor. I am happy to add a BugFix feature flag if reviewers would prefer to gate it.

Description of how you validated changes

Unit tests in aws-bedrockagentcore/test/agentcore/memory/memory.test.ts:

  • bare memory: no role, executionRole undefined, MemoryExecutionRoleArn absent, grantPrincipal is an UnknownPrincipal;
  • a strategy auto-creates exactly one role with the correct confused-deputy trust policy and wires MemoryExecutionRoleArn;
  • addMemoryStrategy() on a role-less memory creates the role on demand;
  • existing KMS and explicit-role behavior is unchanged.

All 150 memory unit tests pass. yarn build, yarn compat, and eslint are clean. No integration test exists for Memory, and this change is synth-only (no new CFN resource types or runtime behavior); an Exemption Request will be filed if the PR linter asks for one.

Checklist

Credit to @lokasandeep for the report and diagnosis, and to @pahud for confirming the approach. Happy to iterate based on review.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Memory unconditionally created an IAM execution role even when no
execution role was provided and no memory strategies were configured.
That role had a trust policy but zero permission policies, so it served
no purpose, and at scale (many memories in one stack) it added needless
IAM resources. The L1 CfnMemory works without MemoryExecutionRoleArn.

The role is now created only when it is actually needed: when the caller
provides one, when a customer managed KMS key is configured, or when one
or more memory strategies are added (including via addMemoryStrategy
after construction). A memory with only short-term storage and no
strategies no longer creates a role, and MemoryExecutionRoleArn is
omitted from the template. When there is no role, grantPrincipal resolves
to an UnknownPrincipal so grants are no-ops rather than failing.

Fixes aws#38021.
github-actions bot added the labels beginning-contributor ([Pilot] contributed between 0-2 PRs to the CDK), bug (This issue is a bug.), effort/medium (Medium work item, several days of effort) and p2 on May 30, 2026
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment


The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ An exemption request has been requested. Please wait for a maintainer's review.

@vishwakt vishwakt changed the title fix(bedrockagentcore): Memory no longer creates an unused execution role fix(bedrockagentcore): Memory no longer creates an unused execution role May 30, 2026
@vishwakt
Contributor Author

Exemption Request for the integration test requirement.

This is a synth-time change to the Memory L2 construct's role-creation logic in aws-bedrockagentcore/lib/memory/memory.ts. It makes the execution role conditional (created only when an execution role is provided, a KMS key is configured, or memory strategies are added) instead of always creating an empty role. There are no new CloudFormation resource types, no new resource properties, no custom resources, and no runtime behavior to exercise. The behavior is entirely in how the template is synthesized.

There is also no integration test for Memory in framework-integ today, so there is no existing snapshot to update and nothing for an integ test to meaningfully assert beyond what the unit tests already cover.

Coverage is by unit tests in aws-bedrockagentcore/test/agentcore/memory/memory.test.ts:

  • a bare memory creates no role, leaves executionRole undefined, omits MemoryExecutionRoleArn, and resolves grantPrincipal to an UnknownPrincipal;
  • a memory with a strategy auto-creates exactly one role with the correct confused-deputy trust policy and wires MemoryExecutionRoleArn;
  • addMemoryStrategy() on a role-less memory creates the role on demand;
  • existing KMS and explicit-role behavior is unchanged.

All 150 memory unit tests pass, and yarn build / yarn compat are clean. Happy to add an integration test if reviewers prefer, but the value would be low for a synth-only change with no deployable surface.
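A stand-alone TypeScript sketch of the conditional role pattern that both the PR description and the exemption request above describe. This is an added example, not code from the PR or from aws-cdk-lib: Role, UnknownPrincipal, Lazy and synth() are minimal stand-ins for the CDK classes, and the account id, ARN formats, service principal and the EncryptionKeyArn property name are constructed assumptions. It exercises the three triggers (explicit role, KMS key, strategies), on-demand creation from addMemoryStrategy(), lazy rendering of the ARN so a role created after construction still lands in the template, and no-op grants when there is no role.

```typescript
// Added example, not the PR's code: dependency-free stand-ins for the CDK
// pieces so the ordering behaviour can be run here. Everything below that
// names an account, ARN, service principal or CFN property is constructed.

let rolesCreated = 0;
function roleCount(): number { return rolesCreated; }

interface IPrincipal {
  readonly principalKind: 'role' | 'unknown';
  // Returns true only when a policy statement was actually attached.
  grant(action: string): boolean;
}

// Stand-in for iam.Role; the ARN shape and account id are placeholders.
class Role implements IPrincipal {
  readonly principalKind = 'role' as const;
  readonly statements: string[] = [];
  constructor(readonly logicalId: string, readonly trustedService: string) {
    rolesCreated += 1;
  }
  get roleArn(): string {
    return `arn:aws:iam::123456789012:role/${this.logicalId}`; // constructed
  }
  grant(action: string): boolean {
    this.statements.push(action);
    return true;
  }
}

// Stand-in for iam.UnknownPrincipal: grants are silently dropped, not errors.
class UnknownPrincipal implements IPrincipal {
  readonly principalKind = 'unknown' as const;
  grant(_action: string): boolean { return false; }
}

// Stand-in for core.Lazy: the producer runs at synth time, not at construction.
class Lazy<T> {
  constructor(private readonly produce: () => T) {}
  resolve(): T { return this.produce(); }
}

interface MemoryStrategy { readonly name: string }
interface KmsKey { readonly keyArn: string }
interface MemoryProps {
  readonly executionRole?: Role;
  readonly kmsKey?: KmsKey;
  readonly memoryStrategies?: MemoryStrategy[];
}

class Memory {
  // Private backing field; executionRole/grantPrincipal are getters over it.
  private _executionRole?: Role;
  private readonly strategies: MemoryStrategy[] = [];
  private readonly kmsKeyArn?: string;
  private readonly executionRoleArn: Lazy<string | undefined>;

  constructor(readonly id: string, props: MemoryProps = {}) {
    this._executionRole = props.executionRole;
    this.kmsKeyArn = props.kmsKey?.keyArn;
    // A customer-managed key needs a role the service can assume to use it.
    if (props.kmsKey !== undefined) this.ensureExecutionRole();
    // Rendered lazily so a role created after construction is still picked up.
    this.executionRoleArn = new Lazy(() => this._executionRole?.roleArn);
    for (const s of props.memoryStrategies ?? []) this.addMemoryStrategy(s);
  }

  get executionRole(): Role | undefined { return this._executionRole; }
  get grantPrincipal(): IPrincipal { return this._executionRole ?? new UnknownPrincipal(); }

  addMemoryStrategy(strategy: MemoryStrategy): void {
    this.strategies.push(strategy);
    this.ensureExecutionRole(); // created on demand, exactly once
  }

  private ensureExecutionRole(): Role {
    if (this._executionRole === undefined) {
      this._executionRole = new Role(`${this.id}ExecutionRole`, 'bedrock-agentcore.amazonaws.com'); // assumed principal
    }
    return this._executionRole;
  }

  // Resolves the lazy values into the CFN property bag, as synth would.
  synth(): Record<string, unknown> {
    const props: Record<string, unknown> = { MemoryStrategies: this.strategies.map(s => s.name) };
    const arn = this.executionRoleArn.resolve();
    if (arn !== undefined) props.MemoryExecutionRoleArn = arn; // omitted for a bare memory
    if (this.kmsKeyArn !== undefined) props.EncryptionKeyArn = this.kmsKeyArn; // assumed property name
    return props;
  }
}

const demo = new Memory('Demo');
console.log(JSON.stringify(demo.synth())); // {"MemoryStrategies":[]}
demo.addMemoryStrategy({ name: 'semantic' });
console.log(JSON.stringify(demo.synth())); // now also carries MemoryExecutionRoleArn
```

The eager-versus-lazy contrast is the part worth keeping in mind: an ARN read from executionRole at construction time is a snapshot and stays undefined, while the Lazy producer is evaluated only when synth() runs, which is why a strategy added later still wires MemoryExecutionRoleArn without replacing any existing role.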

aws-cdk-automation added the pr-linter/exemption-requested label (The contributor has requested an exemption to the PR Linter feedback.) on May 30, 2026


Development

Successfully merging this pull request may close these issues.

bedrockAgentcore/memory: Memory L2 Construct Unnecessarily Creates IAM Role
