feat: add bedrock agentcore observability support

[Geun-Oh]

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Description

Resolve #44742

Add aws_bedrockagentcore_agent_runtime.observability block which enables agentcore observability option by addeing runtime id as an env vars after creating new runtime.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~>6.17"
    }
  }
}

provider "aws" {
  region = "us-west-2"
}

resource "aws_bedrockagentcore_agent_runtime" "test" {
  
  agent_runtime_name = "example_agent_runtime_2"
  role_arn           = "role_arn"
  
  agent_runtime_artifact {
    container_configuration {
      container_uri = "container_uri"
    }
  }
  
  network_configuration {
    network_mode = "PUBLIC"
  }
  
  observability {
    enabled = true
  }
}

There are 2 types of updating features:

• Enable CloudWatch Transaction Search & Modifying destination of trace segments (xray UpdateTraceSegmentDestination): global setting (only activate once). This code checks and update if those options are unavailable.
• Changing environment variables with generated Runtime ID and redeploy: needed to each runtimes.

This code automatically enables cloudwatch transaction search. But it would takes a few minutes to be fully activated.
After then, we can check full traces & sessions of AgentCore Agent.

Relations

Closes #44742

References

https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability-configure.html

Output from Acceptance Testing

% make testacc PKG=bedrockagentcore TESTS='^TestAccBedrockAgentCoreAgentRuntime'
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 main 🌿...
TF_ACC=1 go1.24.8 test ./internal/service/bedrockagentcore/... -v -count 1 -parallel 20 -run='^TestAccBedrockAgentCoreAgentRuntime'  -timeout 360m -vet=off
2025/10/23 17:21:07 Creating Terraform AWS Provider (SDKv2-style)...
2025/10/23 17:21:07 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccBedrockAgentCoreAgentRuntimeEndpoint_basic
=== PAUSE TestAccBedrockAgentCoreAgentRuntimeEndpoint_basic
=== RUN   TestAccBedrockAgentCoreAgentRuntimeEndpoint_disappears
=== PAUSE TestAccBedrockAgentCoreAgentRuntimeEndpoint_disappears
=== RUN   TestAccBedrockAgentCoreAgentRuntimeEndpoint_update
=== PAUSE TestAccBedrockAgentCoreAgentRuntimeEndpoint_update
=== RUN   TestAccBedrockAgentCoreAgentRuntimeEndpoint_tags
=== PAUSE TestAccBedrockAgentCoreAgentRuntimeEndpoint_tags
=== RUN   TestAccBedrockAgentCoreAgentRuntime_basic
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_basic
=== RUN   TestAccBedrockAgentCoreAgentRuntime_disappears
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_disappears
=== RUN   TestAccBedrockAgentCoreAgentRuntime_tags
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_tags
=== RUN   TestAccBedrockAgentCoreAgentRuntime_description
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_description
=== RUN   TestAccBedrockAgentCoreAgentRuntime_environmentVariables
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_environmentVariables
=== RUN   TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration
=== RUN   TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration
=== RUN   TestAccBedrockAgentCoreAgentRuntime_artifact
=== PAUSE TestAccBedrockAgentCoreAgentRuntime_artifact
=== CONT  TestAccBedrockAgentCoreAgentRuntimeEndpoint_basic
=== CONT  TestAccBedrockAgentCoreAgentRuntime_tags
=== CONT  TestAccBedrockAgentCoreAgentRuntimeEndpoint_tags
=== CONT  TestAccBedrockAgentCoreAgentRuntime_artifact
=== CONT  TestAccBedrockAgentCoreAgentRuntime_environmentVariables
=== CONT  TestAccBedrockAgentCoreAgentRuntime_disappears
=== CONT  TestAccBedrockAgentCoreAgentRuntimeEndpoint_update
=== CONT  TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration
=== CONT  TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration
=== CONT  TestAccBedrockAgentCoreAgentRuntime_basic
=== CONT  TestAccBedrockAgentCoreAgentRuntime_description
=== CONT  TestAccBedrockAgentCoreAgentRuntimeEndpoint_disappears
--- PASS: TestAccBedrockAgentCoreAgentRuntime_disappears (72.54s)
--- PASS: TestAccBedrockAgentCoreAgentRuntimeEndpoint_disappears (78.02s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_basic (80.31s)
--- PASS: TestAccBedrockAgentCoreAgentRuntimeEndpoint_basic (86.83s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_description (108.19s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_artifact (113.92s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_environmentVariables (114.36s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_protocolConfiguration (114.85s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_authorizerConfiguration (116.02s)
--- PASS: TestAccBedrockAgentCoreAgentRuntimeEndpoint_update (118.53s)
--- PASS: TestAccBedrockAgentCoreAgentRuntime_tags (129.74s)
--- PASS: TestAccBedrockAgentCoreAgentRuntimeEndpoint_tags (136.87s)
PASS
ok  	[github.com/hashicorp/terraform-provider-aws/internal/service/bedrockagentcore](http://github.com/hashicorp/terraform-provider-aws/internal/service/bedrockagentcore)	143.835s

[github-actions]

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

• Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
• Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

[github-actions]

⚠️ Our automation has detected the following potential issues with your pull request

---

❌ Changelog Entry Required (Click to expand)

The proposed change requires a changelog entry. Please see the Changelog Process section of the contributing guide for information on the changelog generation process.

Tip: This check is not triggered for draft pull requests, since the pull request number is not known until the pull request is opened and is required to create a changelog entry. Opening a pull request first as a draft, adding the requisite changelog entry file, and then marking the pull request as ready for review will prevent future warnings.