feat: added endpoint_url to amazon bedrock

[roeybc]

Added support to endpoint_url when calling amazon bedrock. This is needed to support private endpoints behind VPCs on aws.

[vercel]

@roeybc is attempting to deploy a commit to the Boundary Team on Vercel.

A member of the Team first needs to authorize it.

[entelligence-ai-pr-reviews]

🔒 Entelligence AI Vulnerability Scanner

✅ No security vulnerabilities found!

Your code passed our comprehensive security analysis.

---

[entelligence-ai-pr-reviews]

correctness: endpoint_url is resolved and passed as Some(url) even if the resolved string is empty, which may cause downstream consumers to receive an invalid endpoint.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In engine/baml-lib/llm-client/src/clients/aws_bedrock.rs, lines 377-382, the code currently checks if the resolved endpoint_url is empty using `is_empty()`, but this will not catch strings that are only whitespace. Update the check to use `url.trim().is_empty()` to ensure that whitespace-only endpoint URLs are also treated as None.

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	let url = endpoint_url.resolve(ctx)?;
	if url.is_empty() {
	None
	} else {
	Some(url)
	}
	let url = endpoint_url.resolve(ctx)?;
	if url.trim().is_empty() {
	None
	} else {
	Some(url)
	}

[entelligence-ai-pr-reviews]

correctness: bedrock_config.endpoint_url(endpoint_url) does not validate that endpoint_url is a valid URL, so passing an invalid value may cause runtime errors or panics when building the client.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In engine/baml-runtime/src/internal/llm_client/primitive/aws/aws_client.rs, lines 607-609, the code sets the endpoint_url for the Bedrock client without validating that the provided string is a valid URL. This can cause runtime panics or errors if an invalid URL is passed. Please update this block to parse and validate the endpoint_url using http::Uri::parse, and return an error if the URL is invalid, before setting it on the config builder.

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	if let Some(endpoint_url) = self.properties.endpoint_url.as_ref() {
	bedrock_config = bedrock_config.endpoint_url(endpoint_url);
	}
	if let Some(endpoint_url) = self.properties.endpoint_url.as_ref() {
	if let Err(e) = endpoint_url.parse::<http::Uri>() {
	return Err(anyhow::anyhow!("Invalid endpoint_url: {}", e));
	}
	bedrock_config = bedrock_config.endpoint_url(endpoint_url);
	}

[codecov]

Codecov Report

❌ Patch coverage is 0% with 28 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...ine/baml-lib/llm-client/src/clients/aws_bedrock.rs	0.00%	23 Missing ⚠️
...rc/internal/llm_client/primitive/aws/aws_client.rs	0.00%	5 Missing ⚠️

📢 Thoughts on this report? Let us know!

[sxlijin]

Ugh, my github setup is being stupid... I'm having trouble pushing https://github.com/BoundaryML/baml/commits/feature/endpoint_url_amazon_bedrock/ into your branch.

I have to run right now, but if you merge the integ-test changes I can merge this tomorrow! If you don't I'll still try tomorrow, just not sure why my github auth is being wonky.

[roeybc]

Done :D