fix(bedrock-agentcore-alpha): add Lambda permission to fix IAM eventual consistency issue

[pahud]

Issue # (if applicable)

Closes #36826.

Reason for this change

The gateway.addLambdaTarget() method fails with "Gateway execution role lacks permission to invoke Lambda function" due to IAM eventual consistency. The BedrockAgentCore service recently added a dry run Lambda invocation during CreateGatewayTarget API that executes before IAM has propagated the identity-based policy.

Solution Diagram

┌─────────────────────────────────────────────────────────────────────────────┐
│                        BEFORE (BROKEN)                                      │
└─────────────────────────────────────────────────────────────────────────────┘

    IAM Policy (identity-based)     GatewayTarget Creation     Dry Run Check
           │                               │                        │
           ▼                               ▼                        ▼
    ┌─────────────┐                 ┌─────────────┐          ┌─────────────┐
    │ IAM Service │                 │ CFN Creates │          │ Lambda      │
    │ (eventual   │                 │ Target      │─────────▶│ Invoke      │
    │ consistency)│                 │             │          │ Check ❌    │
    └─────────────┘                 └─────────────┘          └─────────────┘
           │                                                        │
           │  ⏱️ Policy still propagating...                        │
           └────────────────────────────────────────────────────────┘
                                                    ERROR: "lacks permission"

┌─────────────────────────────────────────────────────────────────────────────┐
│                        AFTER (FIXED)                                        │
└─────────────────────────────────────────────────────────────────────────────┘

    Lambda::Permission              GatewayTarget Creation     Dry Run Check
    (resource-based)                (DependsOn Permission)
           │                               │                        │
           ▼                               ▼                        ▼
    ┌─────────────┐                 ┌─────────────┐          ┌─────────────┐
    │ Lambda      │                 │ CFN Creates │          │ Lambda      │
    │ Service     │─────────────────│ Target      │─────────▶│ Invoke      │
    │ (sync ✅)   │  Permission     │ (after perm)│          │ Check ✅    │
    └─────────────┘  EXISTS         └─────────────┘          └─────────────┘

Description of changes

Added resource-based Lambda permission to bypass IAM eventual consistency issues:

• target-configuration.ts: Added CfnPermission creation in LambdaTargetConfiguration.bind() with bedrock-agentcore.amazonaws.com service principal
• target.ts: Added node.addDependency() on the permission in GatewayTarget constructor to ensure CloudFormation creates the permission before the target
• gateway.test.ts: Added 7 new unit tests to verify permission creation and dependency ordering

This fix follows the established pattern from @aws-cdk/aws-bedrock-alpha (agent.ts) which uses the same approach for Bedrock agent Lambda permissions.

Describe any new or updated permissions being added

• IAM permissions: No new IAM permissions required
• Resource access: Adds AWS::Lambda::Permission resource-based policy allowing bedrock-agentcore.amazonaws.com to invoke the Lambda function with sourceArn scoped to the specific gateway

Description of how you validated changes

• Unit tests: Added 7 new tests verifying:
  • AWS::Lambda::Permission resource is created for Lambda targets
  • Permission has correct principal (bedrock-agentcore.amazonaws.com) and sourceArn
  • GatewayTarget has DependsOn on the permission
  • Non-Lambda targets (OpenAPI, Smithy, MCP Server) do NOT create Lambda permission
  • Multiple Lambda targets create separate permissions
  • addLambdaTarget() method creates permission correctly
• Integration tests: Existing integration test (integ.target.ts) validates end-to-end deployment

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	168 ran	168 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	168 ran	168 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates