#!/usr/bin/env bash
# =============================================================================
# deploy.sh — Build, push to ECR, create IAM role, register AgentCore endpoint
# Usage:
# export POSTGRES_SECRET_ARN=arn:aws:secretsmanager:us-east-1:ACCOUNT:secret:NAME
# ./deploy.sh
# =============================================================================
# Strict mode: stop on a failing command, on use of an unset variable, and
# when any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail

# Deployment target.
REGION='us-east-1'

# Names of the resources this script creates or reuses.
ECR_REPO_NAME='cloudquery-mcp'
AGENTCORE_ENDPOINT_NAME='cloudquery-mcp'
IAM_ROLE_NAME='AgentCoreCloudQueryMCPRole'

# Pinned CloudQuery MCP version; passed to the Docker build as a build arg and
# used as the image tag.
CQ_MCP_VERSION='1.8.1'
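# Required input: ARN of the Secrets Manager secret holding the PostgreSQL
# connection details. Only the ARN is handled here, never the secret value.
: "${POSTGRES_SECRET_ARN:?ERROR: export POSTGRES_SECRET_ARN before running}"

# Fail fast on anything that is not shaped like a Secrets Manager secret ARN.
# Without this check a malformed value yields an empty or wrong secret name,
# which would then be substituted into the IAM permissions policy.
secret_arn_re='^arn:[^:]+:secretsmanager:[^:]+:[0-9]{12}:secret:([^:]+)'
if [[ ! "${POSTGRES_SECRET_ARN}" =~ ${secret_arn_re} ]]; then
  echo "ERROR: POSTGRES_SECRET_ARN does not look like a Secrets Manager secret ARN" >&2
  exit 1
fi
# Seventh colon-separated field of the ARN: "<secret-name>-<suffix>".
POSTGRES_SECRET_NAME="${BASH_REMATCH[1]}"

# Account of the credentials in use; every resource below is created there.
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
ECR_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com"
ECR_IMAGE_URI="${ECR_REGISTRY}/${ECR_REPO_NAME}:${CQ_MCP_VERSION}"

# Drop the trailing "-<alphanumeric>" suffix to recover the secret's name.
# NOTE(review): this assumes a full ARN; a suffix-less ARN whose name contains
# a hyphen would lose its last segment. Confirm callers always pass full ARNs.
if [[ "${POSTGRES_SECRET_NAME}" =~ ^(.*)-[A-Za-z0-9]*$ ]]; then
  POSTGRES_SECRET_NAME="${BASH_REMATCH[1]}"
fi
if [[ -z "${POSTGRES_SECRET_NAME}" ]]; then
  echo "ERROR: could not derive a secret name from POSTGRES_SECRET_ARN" >&2
  exit 1
fi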
# Startup banner: show which account, region and image this run targets so a
# wrong profile or region is visible before anything is created.
printf '%s\n' \
  "======================================================================" \
  " CloudQuery MCP → Bedrock AgentCore Deployment" \
  " Account : ${AWS_ACCOUNT_ID} | Region: ${REGION}" \
  " Image : ${ECR_IMAGE_URI}" \
  "======================================================================"
# 1. ECR repo
# Reuse the repository when describe-repositories succeeds; otherwise create
# it with scan-on-push and AES256 encryption enabled. Any describe failure
# (not only "not found") leads to the create call, whose own error is shown.
# NOTE(review): no --image-tag-mutability is passed, so the repository keeps
# the service default; confirm whether version tags should be overwritable.
echo "[1/5] Ensuring ECR repository..."
if ! aws ecr describe-repositories \
  --region "${REGION}" \
  --repository-names "${ECR_REPO_NAME}" \
  --output text >/dev/null 2>&1; then
  aws ecr create-repository \
    --region "${REGION}" \
    --repository-name "${ECR_REPO_NAME}" \
    --image-scanning-configuration scanOnPush=true \
    --encryption-configuration encryptionType=AES256 \
    --output text >/dev/null
fi
echo " ✓ ${ECR_REGISTRY}/${ECR_REPO_NAME}"
# 2. Build
# Build a linux/amd64 image from the current directory, pinning the CloudQuery
# MCP version through a build arg, and load it into the local image store under
# the ECR tag so it can be pushed in the next step.
echo "[2/5] Building Docker image..."
build_args=(
  --platform linux/amd64
  --build-arg "CQ_MCP_VERSION=${CQ_MCP_VERSION}"
  --tag "${ECR_IMAGE_URI}"
  --load
)
docker buildx build "${build_args[@]}" .
echo " ✓ Image built"
# 3. Push
# The registry password is piped straight into `docker login` on stdin, so it
# never appears in the process arguments or in a shell variable.
printf '%s\n' "[3/5] Pushing to ECR..."
aws ecr get-login-password --region "${REGION}" |
  docker login --password-stdin --username AWS "${ECR_REGISTRY}"
docker push "${ECR_IMAGE_URI}"
printf '%s\n' " ✓ Image pushed"
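# 4. IAM role
# Renders the trust and permissions policies from iam/execution-role.json,
# then creates the execution role (or reuses it) and attaches the inline
# permissions policy.
echo "[4/5] Creating IAM execution role..."

# Least privilege: without KMS_KEY_ID the ${KMS_KEY_ID} placeholder in the
# permissions policy is filled with '*'. Make that visible to the operator.
if [[ -z "${KMS_KEY_ID:-}" ]]; then
  echo " ! KMS_KEY_ID is not set; the permissions policy will use '*' for the KMS key. Export KMS_KEY_ID to scope it to one key." >&2
fi

# The values are handed to Python as environment variables, so the assignments
# must come BEFORE the command. Written after it they are plain argv entries,
# os.environ never sees them and the lookup raises KeyError unless the caller
# happened to export the variables. The Python source is single-quoted so the
# ${...} placeholders reach Python literally.
TRUST=$(
  AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID}" python3 -c '
import json, os, sys
doc = json.load(sys.stdin)
rendered = json.dumps(doc["trust_policy"])
print(rendered.replace("${AWS_ACCOUNT_ID}", os.environ["AWS_ACCOUNT_ID"]))
' < iam/execution-role.json
)
PERMS=$(
  AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID}" \
  POSTGRES_SECRET_NAME="${POSTGRES_SECRET_NAME}" \
  KMS_KEY_ID="${KMS_KEY_ID:-*}" \
  python3 -c '
import json, os, sys
doc = json.load(sys.stdin)
rendered = json.dumps(doc["permissions_policy"])
rendered = rendered.replace("${AWS_ACCOUNT_ID}", os.environ["AWS_ACCOUNT_ID"])
rendered = rendered.replace("${POSTGRES_SECRET_NAME}", os.environ["POSTGRES_SECRET_NAME"])
rendered = rendered.replace("${KMS_KEY_ID}", os.environ.get("KMS_KEY_ID", "*"))
print(rendered)
' < iam/execution-role.json
)

# Reuse the role when it already exists, but bring its trust policy in line
# with the rendered one: a pre-existing role of this name could otherwise keep
# a broader set of principals allowed to assume it. When the role is missing,
# create it with stderr left visible so a denied or malformed request is not
# mistaken for "already exists".
if ROLE_ARN=$(aws iam get-role --role-name "${IAM_ROLE_NAME}" \
  --query Role.Arn --output text 2>/dev/null); then
  aws iam update-assume-role-policy \
    --role-name "${IAM_ROLE_NAME}" \
    --policy-document "${TRUST}"
else
  ROLE_ARN=$(aws iam create-role \
    --role-name "${IAM_ROLE_NAME}" \
    --assume-role-policy-document "${TRUST}" \
    --query Role.Arn --output text)
fi

# put-role-policy adds or overwrites the inline policy, so re-runs converge.
aws iam put-role-policy \
  --role-name "${IAM_ROLE_NAME}" \
  --policy-name "CloudQueryMCPPermissions" \
  --policy-document "${PERMS}"
echo " ✓ ${ROLE_ARN}"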
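# 5a. Create AgentCore Runtime
# Registers the pushed image as an MCP-protocol runtime that runs under the
# execution role. The container receives the secret's ARN only, not the
# database credentials themselves.
#
# Review points for whoever operates this:
#  - networkMode is PUBLIC and no --authorizer-configuration is passed, so
#    inbound access control is whatever the service applies by default.
#    NOTE(review): confirm that default is acceptable for a server that can
#    query the PostgreSQL data.
#  - NOTE(review): AGENTCORE_ENDPOINT_NAME contains a hyphen; confirm it meets
#    the service's runtime-name constraints.
#  - This call is not idempotent in the way steps 1 and 4 are: a second run
#    with the same name is expected to fail here.
echo "[5a/5] Creating AgentCore Runtime..."
RUNTIME_ID=$(aws bedrock-agentcore-control create-agent-runtime \
  --agent-runtime-name "${AGENTCORE_ENDPOINT_NAME}" \
  --description "CloudQuery MCP Server - PostgreSQL mode" \
  --role-arn "${ROLE_ARN}" \
  --agent-runtime-artifact "{
    \"containerConfiguration\": {
      \"containerUri\": \"${ECR_IMAGE_URI}\"
    }
  }" \
  --network-configuration "{
    \"networkMode\": \"PUBLIC\"
  }" \
  --protocol-configuration "{
    \"serverProtocol\": \"MCP\"
  }" \
  --environment-variables "{
    \"AWS_REGION\": \"${REGION}\",
    \"HTTP_ADDRESS\": \":8080\",
    \"CQAPI_LOG_LEVEL\": \"info\",
    \"POSTGRES_SECRET_ARN\": \"${POSTGRES_SECRET_ARN}\"
  }" \
  --region "${REGION}" \
  --query agentRuntimeId \
  --output text)

# With --output text a missing field is printed as the literal "None"; stop
# here rather than passing that on as a runtime id.
if [[ -z "${RUNTIME_ID}" || "${RUNTIME_ID}" == "None" ]]; then
  echo "ERROR: create-agent-runtime returned no agentRuntimeId" >&2
  exit 1
fi
echo " ✓ Runtime ID: ${RUNTIME_ID}"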
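# 5b. Create AgentCore Runtime Endpoint
# Creates an endpoint named "default" for the runtime and stores the response's
# liveVersion field in ENDPOINT_URL, which the next step writes into the
# developer configs as "<value>/mcp".
# NOTE(review): `liveVersion` reads like a version identifier rather than a
# URL. Confirm which response field, or which constructed URL, developers are
# meant to connect to.
echo "[5b/5] Creating AgentCore Runtime Endpoint..."
ENDPOINT_URL=$(aws bedrock-agentcore-control create-agent-runtime-endpoint \
  --agent-runtime-id "${RUNTIME_ID}" \
  --name "default" \
  --region "${REGION}" \
  --query "liveVersion" \
  --output text)

# Do not abort (the endpoint already exists at this point), but make it obvious
# when the value about to be written into the client configs is not a URL.
# With --output text a missing field shows up as the literal "None".
if [[ "${ENDPOINT_URL}" != https://* ]]; then
  echo " ! WARNING: '${ENDPOINT_URL}' (liveVersion) is not an https:// URL; the developer configs written next will not be usable until the real endpoint URL is substituted" >&2
fi
echo " ✓ Endpoint URL: ${ENDPOINT_URL}"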
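# Write resolved developer configs
# Generates the Claude Desktop, Cursor and VS Code MCP client configs that
# point mcp-remote at "<ENDPOINT_URL>/mcp".
#
# The values are passed to Python through the environment and the heredoc
# delimiter is quoted, so the shell never splices them into Python source
# code: a quote or newline in a value stays data instead of becoming code.
# With the quoted delimiter the VS Code "${input:aws-profile}" placeholder is
# written literally, with no backslash escape.
ENDPOINT_URL="${ENDPOINT_URL}" REGION="${REGION}" python3 - <<'PYEOF'
import json, os

ep = os.environ["ENDPOINT_URL"] + "/mcp"
region = os.environ["REGION"]
remote_args = ["mcp-remote", ep, "--header", f"x-aws-region:{region}"]

claude = {"mcpServers": {"cloudquery": {"command": "npx", "args": list(remote_args)}}}
cursor = {"name": "cloudquery", "command": "npx", "args": list(remote_args)}
vscode = {
    "inputs": [{"type": "promptString", "id": "aws-profile", "description": "AWS profile (blank = default)", "password": False}],
    "servers": {"CloudQuery": {"type": "stdio", "command": "npx", "args": list(remote_args), "env": {"AWS_PROFILE": "${input:aws-profile}"}}},
}

# Create the output directory on a fresh checkout instead of failing in open().
os.makedirs("developer-configs", exist_ok=True)
for name, data in [("developer-configs/claude_desktop_config.json", claude),
                   ("developer-configs/cursor_mcp.json", cursor),
                   ("developer-configs/vscode_mcp.json", vscode)]:
    with open(name, "w") as f:
        json.dump(data, f, indent=2)
print("Developer configs written.")
PYEOF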
# Closing summary: where the MCP endpoint lives and what developers need
# installed to use the generated configs.
printf '\n'
printf '%s\n' \
  "======================================================================" \
  " DONE — MCP endpoint: ${ENDPOINT_URL}/mcp" \
  " Developer configs updated in developer-configs/" \
  " Developers need: npm install -g mcp-remote" \
  "======================================================================"