feat(bedrock-agentcore): use IUserPool and IUserPoolClient interfaces instead of string identifiers (#35860)

### Issue # (if applicable)

Closes #35854 .

### Reason for this change

Improve the Cognito authorizer configuration by accepting Cognito construct references instead of string identifiers, providing better type safety and integration with the CDK ecosystem. 
Additionally, add support for multi-clients.
### Description of changes

- Enhanced `RuntimeAuthorizerConfiguration.usingCognito()` to accept `IUserPool` and `IUserPoolClient` constructs instead of string parameters
- Added support for multiple Cognito clients through an array parameter

The implementation now provides better CDK integration and type safety by using construct references rather than raw string identifiers.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes
Add unit tests and integ test.


BREAKING CHANGE: The signature of `RuntimeAuthorizerConfiguration.usingCognito()` has changed to accept IUserPool and IUserPoolClient constructs instead of string parameters, and now supports multiple clients.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: mazyu36

packages/@aws-cdk/aws-bedrock-agentcore-alpha/README.md

@@ -303,6 +303,10 @@ IAM authentication is the default mode, when no authorizerConfiguration is set t
 To configure AWS Cognito User Pool authentication:
 
 ```typescript
+declare const userPool: cognito.UserPool;
+declare const userPoolClient: cognito.UserPoolClient;
+declare const anotherUserPoolClient: cognito.UserPoolClient;
+
 const repository = new ecr.Repository(this, "TestRepository", {
   repositoryName: "test-agent-runtime",
 });
@@ -312,9 +316,8 @@ const runtime = new agentcore.Runtime(this, "MyAgentRuntime", {
   runtimeName: "myAgent",
   agentRuntimeArtifact: agentRuntimeArtifact,
   authorizerConfiguration: agentcore.RuntimeAuthorizerConfiguration.usingCognito(
-    "us-west-2_ABC123",  // User Pool ID (required)
-    "client123",         // Client ID (required)
-    "us-west-2"         // Region (optional, defaults to stack region)
+    userPool, // User Pool (required)
+    [userPoolClient, anotherUserPoolClient], // User Pool Clients
   ),
 });
 ```

packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-authorizer-configuration.ts

@@ -11,9 +11,9 @@
  *  and limitations under the License.
  */
 
-import { Token } from 'aws-cdk-lib';
 import { CfnRuntime } from 'aws-cdk-lib/aws-bedrockagentcore';
 import { ValidationError } from './validation-helpers';
+import { IUserPool, IUserPoolClient } from 'aws-cdk-lib/aws-cognito';
 
 /**
  * Abstract base class for runtime authorizer configurations.
@@ -54,19 +54,17 @@ export abstract class RuntimeAuthorizerConfiguration {
    * Use AWS Cognito User Pool authentication.
    * Validates Cognito-issued JWT tokens.
    *
-   * @param userPoolId The Cognito User Pool ID (e.g., 'us-west-2_ABC123')
-   * @param clientId The Cognito App Client ID
-   * @param region Optional AWS region where the User Pool is located (defaults to stack region)
+   * @param userPool The Cognito User Pool
+   * @param userPoolClient The Cognito User Pool App Clients
    * @param allowedAudience Optional array of allowed audiences
    * @returns RuntimeAuthorizerConfiguration for Cognito authentication
    */
   public static usingCognito(
-    userPoolId: string,
-    clientId: string,
-    region?: string,
+    userPool: IUserPool,
+    userPoolClients: IUserPoolClient[],
     allowedAudience?: string[],
   ): RuntimeAuthorizerConfiguration {
-    return new CognitoAuthorizerConfiguration(userPoolId, clientId, region, allowedAudience);
+    return new CognitoAuthorizerConfiguration(userPool, userPoolClients, allowedAudience);
   }
 
   /**
@@ -134,25 +132,21 @@ class JwtAuthorizerConfiguration extends RuntimeAuthorizerConfiguration {
  */
 class CognitoAuthorizerConfiguration extends RuntimeAuthorizerConfiguration {
   constructor(
-    private readonly userPoolId: string,
-    private readonly clientId: string,
-    private readonly region?: string,
+    private readonly userPool: IUserPool,
+    private readonly userPoolClients: IUserPoolClient[],
     private readonly allowedAudience?: string[],
   ) {
     super();
   }
 
   public _render(): CfnRuntime.AuthorizerConfigurationProperty {
-    // If region is not provided, use a token that will be resolved to the stack region
-    // This will be resolved during synthesis
-    const region = this.region ?? Token.asString({ Ref: 'AWS::Region' });
-    const discoveryUrl = `https://cognito-idp.${region}.amazonaws.com/${this.userPoolId}/.well-known/openid-configuration`;
+    const discoveryUrl = `https://cognito-idp.${this.userPool.env.region}.amazonaws.com/${this.userPool.userPoolId}/.well-known/openid-configuration`;
 
     // Use JWT format for Cognito (CloudFormation expects JWT format)
     return {
       customJwtAuthorizer: {
         discoveryUrl: discoveryUrl,
-        allowedClients: [this.clientId],
+        allowedClients: this.userPoolClients.map(client => client.userPoolClientId),
         allowedAudience: this.allowedAudience,
       },
     };

packages/@aws-cdk/aws-bedrock-agentcore-alpha/rosetta/default.ts-fixture

@@ -4,6 +4,7 @@ import { Construct } from 'constructs';
 import { Stack } from 'aws-cdk-lib';
 import { Duration, RemovalPolicy, aws_s3_deployment } from 'aws-cdk-lib';
 import * as agentcore from '@aws-cdk/aws-bedrock-agentcore-alpha';
+import * as cognito from 'aws-cdk-lib/aws-cognito';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as sns from 'aws-cdk-lib/aws-sns';