Updated cedar policy to use templates

ashakirin · ashakirin · commit 23fafb91533f · 2026-03-04T10:51:25.000+01:00
diff --git a/apps/java-spring-ai-agents/scripts/policy/deny-tools-policy.cedar b/apps/java-spring-ai-agents/scripts/policy/deny-tools-policy.cedar
@@ -1,17 +1,26 @@
-# Cedar policy: Permit all tools EXCEPT cancelTrip and deleteExpense for user alice
+# Cedar policy: Permit all tools EXCEPT searchFlights for user alice
 #
 # Uses 'unless' clause to deny specific tools while permitting all others.
 # This approach works around AgentCore's "Overly Restrictive" safety check
 # that rejects standalone 'forbid' policies.
+#
+# NOTE: This is a template. Actual policy is generated by 02-create-policy.py
+# using values from .env (GATEWAY_ID, TARGET_NAME)
 
 permit(
   principal is AgentCore::OAuthUser,
   action,
-  resource == AgentCore::Gateway::"arn:aws:bedrock-agentcore:us-east-1:724772082315:gateway/policy-demo-gateway-wwh6rjluyl"
+  resource == AgentCore::Gateway::"arn:aws:bedrock-agentcore:${REGION}:${ACCOUNT_ID}:gateway/${GATEWAY_ID}"
 ) when {
   principal.hasTag("username") &&
   principal.getTag("username") == "alice"
 } unless {
-  action == AgentCore::Action::"backoffice___cancelTrip" ||
-  action == AgentCore::Action::"backoffice___deleteExpense"
+  action == AgentCore::Action::"${TARGET_NAME}___cancelTrip" ||
+  action == AgentCore::Action::"${TARGET_NAME}___deleteExpense"
 };
+
+# To deny multiple tools, use OR:
+# } unless {
+#   action == AgentCore::Action::"${TARGET_NAME}___searchFlights" ||
+#   action == AgentCore::Action::"${TARGET_NAME}___anotherTool"
+# };
