refactor(infra-cdk): migrate to L2 constructs and replace NestedStacks with Constructs#6

Open
adam-weber wants to merge 4 commits into awslabs:main from adam-weber:refactor/cdk-best-practices

@adam-weber

Summary

Refactors CDK infrastructure to follow best practices by using L2 constructs where available and simplifying the stack architecture.

Changes

L2 Constructs

  • Replace CfnResource for Memory with agentcore.Memory
  • Replace CfnGateway and CfnGatewayTarget with agentcore.Gateway and gateway.addLambdaTarget()
  • Remove unused aws-cdk-lib/aws-bedrockagentcore L1 import

NestedStacks -> Constructs

  • CognitoStack -> CognitoConstruct
  • AmplifyHostingStack -> AmplifyHostingConstruct
  • BackendStack -> BackendConstruct

CfnParameters -> config.yaml

  • Remove CfnParameter for AgentName and NetworkMode, move to config.yaml with typed AppConfig interface

Why

  • L2 constructs provide sensible defaults, automatic IAM permissions, and cleaner APIs. The alpha package is already used for Runtime, so this aligns with existing patterns.
  • NestedStacks add deployment complexity and cross-stack dependency overhead when all resources deploy together anyway. CDK docs recommend Constructs for composition.
  • CfnParameters bypass CDK's type safety, values are CloudFormation tokens at synthesis time, so TypeScript can't
    validate them. CDK docs recommend against them.
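
Moving these values into config.yaml only helps if the loader checks them, because a TypeScript interface is erased at compile time and a YAML parser returns untyped data. The following is an added example (not code from this PR or the awslabs project) of a synth-time check for the four keys in the config.yaml under review. `parseAppConfig`, the unknown-key rejection, the `agent_name` pattern and the choice to require `network_mode` explicitly are assumptions of the example.

```typescript
// Added example, not the PR's code: validate the parsed config.yaml at synth time.
type AppConfig = {
  pattern: "strands-single-agent" | "langgraph-single-agent";
  deployment_type: "docker" | "zip";
  agent_name: string;
  network_mode: "PUBLIC" | "PRIVATE";
};

// Allowed values copied from the comments in the config.yaml shown in this PR.
const ENUMS: ReadonlyArray<readonly [string, readonly string[]]> = [
  ["pattern", ["strands-single-agent", "langgraph-single-agent"]],
  ["deployment_type", ["docker", "zip"]],
  ["network_mode", ["PUBLIC", "PRIVATE"]],
];
// Assumption: a conservative naming rule for agent_name; adjust to the service's real limit.
const AGENT_NAME = /^[A-Za-z][A-Za-z0-9_]{0,47}$/;
const KNOWN_KEYS = ["pattern", "deployment_type", "agent_name", "network_mode"];

function parseAppConfig(input: unknown): AppConfig {
  if (typeof input !== "object" || input === null || Array.isArray(input)) {
    throw new Error("config.yaml: top level must be a mapping");
  }
  // "docker" is documented as the default deployment type; nothing else is defaulted.
  const raw: Record<string, unknown> = { deployment_type: "docker", ...(input as Record<string, unknown>) };
  const errors: string[] = [];
  for (const key of Object.keys(raw)) {
    // Unknown keys catch typos such as networkMode that would otherwise be ignored.
    if (KNOWN_KEYS.indexOf(key) === -1) errors.push(`unknown key: ${key}`);
  }
  for (const [key, allowed] of ENUMS) {
    const value = raw[key];
    // Exact, case-sensitive match: "private" is rejected, never mapped to a default.
    if (typeof value !== "string" || allowed.indexOf(value) === -1) {
      errors.push(`${key}: expected ${allowed.join(" | ")}, got ${JSON.stringify(value)}`);
    }
  }
  const name = raw["agent_name"];
  if (typeof name !== "string" || !AGENT_NAME.test(name)) {
    errors.push(`agent_name: invalid value ${JSON.stringify(name)}`);
  }
  if (errors.length > 0) throw new Error("config.yaml invalid:\n  " + errors.join("\n  "));
  return raw as unknown as AppConfig;
}

// Constructed sample: what a YAML parser would return for the file in this PR.
const sampleConfig = parseAppConfig({
  pattern: "strands-single-agent", deployment_type: "docker",
  agent_name: "StrandsAgent", network_mode: "PUBLIC",
});
```

Failing synthesis on a misspelled or missing `network_mode` keeps a typo from silently selecting the more exposed setting.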

pattern: strands-single-agent # Available patterns: strands-single-agent, langgraph-single-agent
deployment_type: docker # Available deployment types: docker (default), zip
agent_name: StrandsAgent
network_mode: PUBLIC # Available: PUBLIC, PRIVATE (PRIVATE requires VPC configuration)

What is the reason for making PUBLIC VPC instead of default Private?

@adam-weber (Author), Jan 22, 2026

@harshitkgupta PUBLIC is the current default with CfnParams on main.

@harshitkgupta

Please test deployment of current code and attach testing proof.

@adam-weber
Author

@harshitkgupta

Testing Proof

Code checks:

  • npx tsc --noEmit passes

Deployment:

  • Stack FAST-stack deployed successfully (UPDATE_COMPLETE)
  • All three Constructs (CognitoConstruct, BackendConstruct, AmplifyHostingConstruct) resources created
  • See attached cfn_output.txt

End-to-end test:

UI:

  • Frontend accessible and functional
[image: fast_ui]

@brianz
Contributor

brianz commented Jan 29, 2026

@adam-weber I'm looking at this again. I took an initial look last week, and I was able to deploy your changes which looked good. When I tried to deploy this today, I got this error:

This AWS::BedrockAgentCore::GatewayTarget resource is in a CREATE_FAILED state.

Resource handler returned message: "Gateway execution role lacks permission to invoke Lambda function arn:aws:lambda:us-west-2:790544710702:function:FAST-stack-FASTstackbackendSampleToolLambdaDB29514-8E6qvK5CAi7f. Update the permission and retry

Not sure if anything changed in the underlying L2 constructs between then and now.

Can you please destroy, do a fresh npm install and see if you can replicate this? I deployed from the main branch without issue.

@brianz brianz self-assigned this Jan 29, 2026
@adam-weber
Author

@brianz - this is a bug with CDK and a recent AgentCore service change. Tracking here: aws/aws-cdk#36826
