@anvil-cloud/sdk 0.0.12 → 0.0.14

package/aws/index.ts

@@ -20,6 +20,16 @@ export type SvelteKitSite = import("./svelteKitSite").SvelteKitSite;
 export const SvelteKitSite: typeof import("./svelteKitSite").SvelteKitSite = null as any;
 utilities.lazyLoad(exports, ["SvelteKitSite"], () => require("./svelteKitSite"));
 
+export { VpcArgs } from "./vpc";
+export type Vpc = import("./vpc").Vpc;
+export const Vpc: typeof import("./vpc").Vpc = null as any;
+utilities.lazyLoad(exports, ["Vpc"], () => require("./vpc"));
+
+export { VpcEndpointArgs } from "./vpcEndpoint";
+export type VpcEndpoint = import("./vpcEndpoint").VpcEndpoint;
+export const VpcEndpoint: typeof import("./vpcEndpoint").VpcEndpoint = null as any;
+utilities.lazyLoad(exports, ["VpcEndpoint"], () => require("./vpcEndpoint"));
+
 
 // Export enums:
 export * from "../types/enums/aws";
@@ -34,6 +44,10 @@ const _module = {
                 return new Lambda(name, <any>undefined, { urn })
             case "anvil:aws:SvelteKitSite":
                 return new SvelteKitSite(name, <any>undefined, { urn })
+            case "anvil:aws:Vpc":
+                return new Vpc(name, <any>undefined, { urn })
+            case "anvil:aws:VpcEndpoint":
+                return new VpcEndpoint(name, <any>undefined, { urn })
             default:
                 throw new Error(`unknown resource type ${type}`);
         }

package/aws/lambda.ts

@@ -44,6 +44,10 @@ export class Lambda extends pulumi.ComponentResource {
      * The ARN of the Lambda's IAM execution role.
      */
     declare public /*out*/ readonly roleArn: pulumi.Output<string>;
+    /**
+     * The ID of the dedicated security group created for this Lambda. Only populated when vpc is set. Use this to grant other resources access to this Lambda via the grant system.
+     */
+    declare public /*out*/ readonly securityGroupId: pulumi.Output<string | undefined>;
 
     /**
      * Create a Lambda resource with the given unique name, arguments, and options.
@@ -80,11 +84,13 @@ export class Lambda extends pulumi.ComponentResource {
             resourceInputs["functionName"] = undefined /*out*/;
             resourceInputs["functionUrl"] = undefined /*out*/;
             resourceInputs["roleArn"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
         } else {
             resourceInputs["arn"] = undefined /*out*/;
             resourceInputs["functionName"] = undefined /*out*/;
             resourceInputs["functionUrl"] = undefined /*out*/;
             resourceInputs["roleArn"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
         super(Lambda.__pulumiType, name, resourceInputs, opts, true /*remote*/);
@@ -169,7 +175,7 @@ export interface LambdaArgs {
      */
     url?: pulumi.Input<boolean>;
     /**
-     * VPC ID to place the Lambda in for access to private resources (RDS, ElastiCache, etc.).
+     * Places the Lambda inside a VPC for access to private resources such as RDS or ElastiCache. Anvil creates a dedicated security group with zero inbound and zero outbound rules. Nothing is reachable until explicitly granted via the grant system.
      */
-    vpc?: pulumi.Input<string>;
+    vpc?: pulumi.Input<inputs.aws.LambdaVpcArgsArgs>;
 }

package/aws/vpc.ts

@@ -0,0 +1,159 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
+import * as utilities from "../utilities";
+
+export class Vpc extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:Vpc';
+
+    /**
+     * Returns true if the given object is an instance of Vpc.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Vpc {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Vpc.__pulumiType;
+    }
+
+    /**
+     * The resolved Availability Zone names, e.g. ['ap-southeast-2a']. Consumed by RDS Multi-AZ, ECS spread, and other downstream components.
+     */
+    declare public readonly availabilityZones: pulumi.Output<string[]>;
+    /**
+     * The EC2 instance ID of the bastion host. Use with: aws ssm start-session --target <bastionInstanceId>. Only populated when bastion is enabled.
+     */
+    declare public /*out*/ readonly bastionInstanceId: pulumi.Output<string | undefined>;
+    /**
+     * The security group ID of the bastion host. Use to grant the bastion access to private resources, e.g. db.grant(network.bastion, { access: 'readWrite' }). Only populated when bastion is enabled.
+     */
+    declare public /*out*/ readonly bastionSecurityGroupId: pulumi.Output<string | undefined>;
+    /**
+     * The ID of the VPC default security group. All rules removed — not used by Anvil components.
+     */
+    declare public /*out*/ readonly defaultSecurityGroupId: pulumi.Output<string>;
+    /**
+     * The IDs of the private subnets, one per AZ. Used by Lambda, ECS tasks, EC2, and RDS.
+     */
+    declare public /*out*/ readonly privateSubnetIds: pulumi.Output<string[]>;
+    /**
+     * The IDs of the public subnets, one per AZ. Used by load balancers, NAT Gateways, and the bastion host.
+     */
+    declare public /*out*/ readonly publicSubnetIds: pulumi.Output<string[]>;
+    /**
+     * The ID of the VPC.
+     */
+    declare public /*out*/ readonly vpcId: pulumi.Output<string>;
+
+    /**
+     * Create a Vpc resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: VpcArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["availabilityZones"] = args?.availabilityZones;
+            resourceInputs["bastion"] = args?.bastion;
+            resourceInputs["cidr"] = args?.cidr;
+            resourceInputs["flowLogs"] = args?.flowLogs;
+            resourceInputs["nat"] = args?.nat;
+            resourceInputs["bastionInstanceId"] = undefined /*out*/;
+            resourceInputs["bastionSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["defaultSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["privateSubnetIds"] = undefined /*out*/;
+            resourceInputs["publicSubnetIds"] = undefined /*out*/;
+            resourceInputs["vpcId"] = undefined /*out*/;
+        } else {
+            resourceInputs["availabilityZones"] = undefined /*out*/;
+            resourceInputs["bastionInstanceId"] = undefined /*out*/;
+            resourceInputs["bastionSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["defaultSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["privateSubnetIds"] = undefined /*out*/;
+            resourceInputs["publicSubnetIds"] = undefined /*out*/;
+            resourceInputs["vpcId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Vpc.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+    /**
+     * Imports an existing Vpc into Anvil without managing or modifying it.
+     * Returns an identical output shape to `new Vpc()`.
+     *
+     * Flow logs, NAT, and bastion are not available on an imported VPC.
+     *
+     * If subnet IDs are omitted, Anvil auto-discovers them by inspecting
+     * route tables. Provide IDs explicitly if auto-discovery fails.
+     *
+     * @example
+     * const network = Vpc.fromId("existing", {
+     *   vpcId: "vpc-0abc123def456",
+     * });
+     */
+    static fromId(
+      name: string,
+      args: {
+        vpcId: string;
+        privateSubnetIds?: string[];
+        publicSubnetIds?: string[];
+      },
+      opts?: pulumi.ComponentResourceOptions
+    ): Vpc {
+      return new Vpc(name, args as any, {
+        ...opts,
+        id: args.vpcId,
+      });
+    }
+
+}
+
+/**
+ * The set of arguments for constructing a Vpc resource.
+ */
+export interface VpcArgs {
+    /**
+     * Number of Availability Zones to deploy subnets into. Valid values: 1, 2, 3. Defaults to 1. Inherits from App.defaults.availability — 'high' maps to 3, 'low' maps to 1.
+     */
+    availabilityZones?: pulumi.Input<number>;
+    /**
+     * Optional SSM bastion host for private network access. No SSH, no port 22 — access via AWS SSM Session Manager only. Use to connect to RDS, ElastiCache, and other private resources locally.
+     */
+    bastion?: pulumi.Input<boolean | inputs.aws.VpcBastionArgsArgs>;
+    /**
+     * The IPv4 CIDR block for the VPC. Default: '10.0.0.0/16'. Public subnets carved from offset 0 (/24 each), private subnets from offset 10 (/24 each).
+     */
+    cidr?: pulumi.Input<string>;
+    /**
+     * Optional VPC Flow Log configuration. Opt-in only. Either or both destinations can be enabled simultaneously. CloudWatch for active debugging, S3 for long-term compliance retention.
+     */
+    flowLogs?: pulumi.Input<inputs.aws.VpcFlowLogsArgsArgs>;
+    /**
+     * Optional NAT configuration for outbound internet access from private subnets. Omit for a fully private VPC.
+     */
+    nat?: pulumi.Input<inputs.aws.VpcNatArgsArgs>;
+}
+
+/**
+ * Normalises the `bastion` shorthand so the Pulumi provider
+ * always receives an object, never a raw boolean.
+ *
+ *   bastion: true          // enable with all defaults
+ *   bastion: {}            // identical to true
+ *   bastion: { ... }       // enable with custom config
+ */
+export function normaliseBastion(
+  val: boolean | inputs.aws.VpcBastionArgsArgs | undefined
+): inputs.aws.VpcBastionArgsArgs | undefined {
+  if (val === undefined || val === false) return undefined;
+  if (val === true) return {};
+  return val;
+}

package/aws/vpcEndpoint.ts

@@ -0,0 +1,93 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
+import * as utilities from "../utilities";
+
+/**
+ * An Anvil-managed AWS Interface VPC Endpoint. Creates one ENI per private subnet with private DNS enabled — standard AWS service hostnames resolve to ENI IPs inside the VPC automatically. Includes a dedicated security group with zero rules by default. Use grantEndpointAccess on compute resources to open the network path. IAM permissions are managed separately via grantPermissions.
+ */
+export class VpcEndpoint extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:VpcEndpoint';
+
+    /**
+     * Returns true if the given object is an instance of VpcEndpoint.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is VpcEndpoint {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === VpcEndpoint.__pulumiType;
+    }
+
+    /**
+     * The first DNS name assigned to the endpoint, e.g. vpce-xxx.ssm.ap-southeast-2.vpce.amazonaws.com. With private DNS enabled, normal consumers use the standard AWS SDK hostname — this is exposed for debugging and multi-VPC architectures only.
+     */
+    declare public /*out*/ readonly dnsName: pulumi.Output<string>;
+    /**
+     * The ID of the VPC endpoint, e.g. vpce-0abc1234567890abc. Use this to reference the endpoint in IAM condition keys such as aws:SourceVpce.
+     */
+    declare public /*out*/ readonly endpointId: pulumi.Output<string>;
+    /**
+     * The ID of the dedicated security group attached to this endpoint. Zero rules by default. Ingress rules are added when compute resources call grantEndpointAccess.
+     */
+    declare public /*out*/ readonly securityGroupId: pulumi.Output<string>;
+
+    /**
+     * Create a VpcEndpoint resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: VpcEndpointArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.privateSubnetIds === undefined && !opts.urn) {
+                throw new Error("Missing required property 'privateSubnetIds'");
+            }
+            if (args?.service === undefined && !opts.urn) {
+                throw new Error("Missing required property 'service'");
+            }
+            if (args?.vpcId === undefined && !opts.urn) {
+                throw new Error("Missing required property 'vpcId'");
+            }
+            resourceInputs["privateSubnetIds"] = args?.privateSubnetIds;
+            resourceInputs["service"] = args?.service;
+            resourceInputs["vpcId"] = args?.vpcId;
+            resourceInputs["dnsName"] = undefined /*out*/;
+            resourceInputs["endpointId"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
+        } else {
+            resourceInputs["dnsName"] = undefined /*out*/;
+            resourceInputs["endpointId"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(VpcEndpoint.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+
+/**
+ * The set of arguments for constructing a VpcEndpoint resource.
+ */
+export interface VpcEndpointArgs {
+    /**
+     * The IDs of the private subnets to attach the endpoint to. AWS places one ENI per subnet. Pass all private subnet IDs from your VPC — typically one per AZ.
+     */
+    privateSubnetIds: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The AWS service to route privately. The full com.amazonaws.{region}.{service} name is constructed at deploy time from the resolved region — you never write it manually.
+     */
+    service: pulumi.Input<enums.aws.AwsVpcEndpointService>;
+    /**
+     * The ID of the VPC to create the endpoint in. Accepts both Anvil-managed VPC IDs and imported VPC IDs.
+     */
+    vpcId: pulumi.Input<string>;
+}

package/bin/aws/index.d.ts

@@ -7,4 +7,10 @@ export declare const Lambda: typeof import("./lambda").Lambda;
 export { SvelteKitSiteArgs } from "./svelteKitSite";
 export type SvelteKitSite = import("./svelteKitSite").SvelteKitSite;
 export declare const SvelteKitSite: typeof import("./svelteKitSite").SvelteKitSite;
+export { VpcArgs } from "./vpc";
+export type Vpc = import("./vpc").Vpc;
+export declare const Vpc: typeof import("./vpc").Vpc;
+export { VpcEndpointArgs } from "./vpcEndpoint";
+export type VpcEndpoint = import("./vpcEndpoint").VpcEndpoint;
+export declare const VpcEndpoint: typeof import("./vpcEndpoint").VpcEndpoint;
 export * from "../types/enums/aws";

package/bin/aws/index.js

@@ -16,7 +16,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SvelteKitSite = exports.Lambda = exports.Bucket = void 0;
+exports.VpcEndpoint = exports.Vpc = exports.SvelteKitSite = exports.Lambda = exports.Bucket = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("../utilities");
 exports.Bucket = null;
@@ -25,6 +25,10 @@ exports.Lambda = null;
 utilities.lazyLoad(exports, ["Lambda"], () => require("./lambda"));
 exports.SvelteKitSite = null;
 utilities.lazyLoad(exports, ["SvelteKitSite"], () => require("./svelteKitSite"));
+exports.Vpc = null;
+utilities.lazyLoad(exports, ["Vpc"], () => require("./vpc"));
+exports.VpcEndpoint = null;
+utilities.lazyLoad(exports, ["VpcEndpoint"], () => require("./vpcEndpoint"));
 // Export enums:
 __exportStar(require("../types/enums/aws"), exports);
 const _module = {
@@ -37,6 +41,10 @@ const _module = {
                 return new exports.Lambda(name, undefined, { urn });
             case "anvil:aws:SvelteKitSite":
                 return new exports.SvelteKitSite(name, undefined, { urn });
+            case "anvil:aws:Vpc":
+                return new exports.Vpc(name, undefined, { urn });
+            case "anvil:aws:VpcEndpoint":
+                return new exports.VpcEndpoint(name, undefined, { urn });
             default:
                 throw new Error(`unknown resource type ${type}`);
         }

package/bin/aws/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../aws/index.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;;;;;;;;;;;;;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAK7B,QAAA,MAAM,GAAqC,IAAW,CAAC;AACpE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAItD,QAAA,MAAM,GAAqC,IAAW,CAAC;AACpE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAItD,QAAA,aAAa,GAAmD,IAAW,CAAC;AACzF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;AAGjF,gBAAgB;AAChB,qDAAmC;AAEnC,MAAM,OAAO,GAAG;IACZ,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE;IAC/B,SAAS,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,GAAW,EAAmB,EAAE;QACpE,QAAQ,IAAI,EAAE;YACV,KAAK,kBAAkB;gBACnB,OAAO,IAAI,cAAM,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpD,KAAK,kBAAkB;gBACnB,OAAO,IAAI,cAAM,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpD,KAAK,yBAAyB;gBAC1B,OAAO,IAAI,qBAAa,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAC3D;gBACI,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;SACxD;IACL,CAAC;CACJ,CAAC;AACF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../aws/index.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;;;;;;;;;;;;;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAK7B,QAAA,MAAM,GAAqC,IAAW,CAAC;AACpE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAItD,QAAA,MAAM,GAAqC,IAAW,CAAC;AACpE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAItD,QAAA,aAAa,GAAmD,IAAW,CAAC;AACzF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;AAIpE,QAAA,GAAG,GAA+B,IAAW,CAAC;AAC3D,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;AAIhD,QAAA,WAAW,GAA+C,IAAW,CAAC;AACnF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC;AAG7E,gBAAgB;AAChB,qDAAmC;AAEnC,MAAM,OAAO,GAAG;IACZ,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE;IAC/B,SAAS,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,GAAW,EAAmB,EAAE;QACpE,QAAQ,IAAI,EAAE;YACV,KAAK,kBAAkB;gBACnB,OAAO,IAAI,cAAM,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpD,KAAK,kBAAkB;gBACnB,OAAO,IAAI,cAAM,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpD,KAAK,yBAAyB;gBAC1B,OAAO,IAAI,qBAAa,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAC3D,KAAK,eAAe;gBAChB,OAAO,IAAI,WAAG,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACjD,KAAK,uBAAuB;gBACxB,OAAO,IAAI,mBAAW,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACzD;gBACI,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;SACxD;IACL,CAAC;CACJ,CAAC;AACF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA"}

package/bin/aws/lambda.d.ts

@@ -24,6 +24,10 @@ export declare class Lambda extends pulumi.ComponentResource {
      * The ARN of the Lambda's IAM execution role.
      */
     readonly roleArn: pulumi.Output<string>;
+    /**
+     * The ID of the dedicated security group created for this Lambda. Only populated when vpc is set. Use this to grant other resources access to this Lambda via the grant system.
+     */
+    readonly securityGroupId: pulumi.Output<string | undefined>;
     /**
      * Create a Lambda resource with the given unique name, arguments, and options.
      *
@@ -101,7 +105,7 @@ export interface LambdaArgs {
      */
     url?: pulumi.Input<boolean>;
     /**
-     * VPC ID to place the Lambda in for access to private resources (RDS, ElastiCache, etc.).
+     * Places the Lambda inside a VPC for access to private resources such as RDS or ElastiCache. Anvil creates a dedicated security group with zero inbound and zero outbound rules. Nothing is reachable until explicitly granted via the grant system.
      */
-    vpc?: pulumi.Input<string>;
+    vpc?: pulumi.Input<inputs.aws.LambdaVpcArgsArgs>;
 }

package/bin/aws/lambda.js

@@ -52,12 +52,14 @@ class Lambda extends pulumi.ComponentResource {
             resourceInputs["functionName"] = undefined /*out*/;
             resourceInputs["functionUrl"] = undefined /*out*/;
             resourceInputs["roleArn"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
         }
         else {
             resourceInputs["arn"] = undefined /*out*/;
             resourceInputs["functionName"] = undefined /*out*/;
             resourceInputs["functionUrl"] = undefined /*out*/;
             resourceInputs["roleArn"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
         super(Lambda.__pulumiType, name, resourceInputs, opts, true /*remote*/);

package/bin/aws/lambda.js.map

@@ -1 +1 @@
-{"version":3,"file":"lambda.js","sourceRoot":"","sources":["../../aws/lambda.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAG1C,oCAAoC;AAEpC,MAAa,MAAO,SAAQ,MAAM,CAAC,iBAAiB;IAOhD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,MAAM,CAAC,YAAY,CAAC;IACvD,CAAC;IAmBD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAgB,EAAE,IAAsC;QAC9E,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,cAAc,CAAC,cAAc,CAAC,GAAG,IAAI,EAAE,YAAY,CAAC;YACpD,cAAc,CAAC,YAAY,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC;YAChD,cAAc,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC;YACtC,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,EAAE,WAAW,CAAC;YAClD,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,cAAc,CAAC,GAAG,IAAI,EAAE,YAAY,CAAC;YACpD,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,EAAE,WAAW,CAAC;YAClD,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;YAClC,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;YAClC,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACnD,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACjD;aAAM;YACH,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACnD,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACjD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACxE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,MAA0B,EAAE,IAA0B;QACrE,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC;QAC3D,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC3D,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,uBAAuB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAClF,CAAC;IACD,kEAAkE;IAC3D,SAAS;QACZ,OAAO,IAAI,CAAC,MAAM,CAAC;IACvB,CAAC;IAED,mEAAmE;IAC5D,YAAY;QACf,OAAO,IAAI,CAAC,OAAO,CAAC;IACxB,CAAC;;AArGL,wBAuGC;AAtGG,gBAAgB;AACO,mBAAY,GAAG,kBAAkB,CAAC"}
+{"version":3,"file":"lambda.js","sourceRoot":"","sources":["../../aws/lambda.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAG1C,oCAAoC;AAEpC,MAAa,MAAO,SAAQ,MAAM,CAAC,iBAAiB;IAOhD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,MAAM,CAAC,YAAY,CAAC;IACvD,CAAC;IAuBD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAgB,EAAE,IAAsC;QAC9E,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,cAAc,CAAC,cAAc,CAAC,GAAG,IAAI,EAAE,YAAY,CAAC;YACpD,cAAc,CAAC,YAAY,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC;YAChD,cAAc,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC;YACtC,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,EAAE,WAAW,CAAC;YAClD,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,cAAc,CAAC,GAAG,IAAI,EAAE,YAAY,CAAC;YACpD,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,EAAE,WAAW,CAAC;YAClD,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;YAClC,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;YAClC,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACnD,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC9C,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACzD;aAAM;YACH,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACnD,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC9C,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACzD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACxE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,MAA0B,EAAE,IAA0B;QACrE,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC;QAC3D,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC3D,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,uBAAuB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAClF,CAAC;IACD,kEAAkE;IAC3D,SAAS;QACZ,OAAO,IAAI,CAAC,MAAM,CAAC;IACvB,CAAC;IAED,mEAAmE;IAC5D,YAAY;QACf,OAAO,IAAI,CAAC,OAAO,CAAC;IACxB,CAAC;;AA3GL,wBA6GC;AA5GG,gBAAgB;AACO,mBAAY,GAAG,kBAAkB,CAAC"}

package/bin/aws/vpc.d.ts

@@ -0,0 +1,98 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+export declare class Vpc extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of Vpc.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is Vpc;
+    /**
+     * The resolved Availability Zone names, e.g. ['ap-southeast-2a']. Consumed by RDS Multi-AZ, ECS spread, and other downstream components.
+     */
+    readonly availabilityZones: pulumi.Output<string[]>;
+    /**
+     * The EC2 instance ID of the bastion host. Use with: aws ssm start-session --target <bastionInstanceId>. Only populated when bastion is enabled.
+     */
+    readonly bastionInstanceId: pulumi.Output<string | undefined>;
+    /**
+     * The security group ID of the bastion host. Use to grant the bastion access to private resources, e.g. db.grant(network.bastion, { access: 'readWrite' }). Only populated when bastion is enabled.
+     */
+    readonly bastionSecurityGroupId: pulumi.Output<string | undefined>;
+    /**
+     * The ID of the VPC default security group. All rules removed — not used by Anvil components.
+     */
+    readonly defaultSecurityGroupId: pulumi.Output<string>;
+    /**
+     * The IDs of the private subnets, one per AZ. Used by Lambda, ECS tasks, EC2, and RDS.
+     */
+    readonly privateSubnetIds: pulumi.Output<string[]>;
+    /**
+     * The IDs of the public subnets, one per AZ. Used by load balancers, NAT Gateways, and the bastion host.
+     */
+    readonly publicSubnetIds: pulumi.Output<string[]>;
+    /**
+     * The ID of the VPC.
+     */
+    readonly vpcId: pulumi.Output<string>;
+    /**
+     * Create a Vpc resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: VpcArgs, opts?: pulumi.ComponentResourceOptions);
+    /**
+     * Imports an existing Vpc into Anvil without managing or modifying it.
+     * Returns an identical output shape to `new Vpc()`.
+     *
+     * Flow logs, NAT, and bastion are not available on an imported VPC.
+     *
+     * If subnet IDs are omitted, Anvil auto-discovers them by inspecting
+     * route tables. Provide IDs explicitly if auto-discovery fails.
+     *
+     * @example
+     * const network = Vpc.fromId("existing", {
+     *   vpcId: "vpc-0abc123def456",
+     * });
+     */
+    static fromId(name: string, args: {
+        vpcId: string;
+        privateSubnetIds?: string[];
+        publicSubnetIds?: string[];
+    }, opts?: pulumi.ComponentResourceOptions): Vpc;
+}
+/**
+ * The set of arguments for constructing a Vpc resource.
+ */
+export interface VpcArgs {
+    /**
+     * Number of Availability Zones to deploy subnets into. Valid values: 1, 2, 3. Defaults to 1. Inherits from App.defaults.availability — 'high' maps to 3, 'low' maps to 1.
+     */
+    availabilityZones?: pulumi.Input<number>;
+    /**
+     * Optional SSM bastion host for private network access. No SSH, no port 22 — access via AWS SSM Session Manager only. Use to connect to RDS, ElastiCache, and other private resources locally.
+     */
+    bastion?: pulumi.Input<boolean | inputs.aws.VpcBastionArgsArgs>;
+    /**
+     * The IPv4 CIDR block for the VPC. Default: '10.0.0.0/16'. Public subnets carved from offset 0 (/24 each), private subnets from offset 10 (/24 each).
+     */
+    cidr?: pulumi.Input<string>;
+    /**
+     * Optional VPC Flow Log configuration. Opt-in only. Either or both destinations can be enabled simultaneously. CloudWatch for active debugging, S3 for long-term compliance retention.
+     */
+    flowLogs?: pulumi.Input<inputs.aws.VpcFlowLogsArgsArgs>;
+    /**
+     * Optional NAT configuration for outbound internet access from private subnets. Omit for a fully private VPC.
+     */
+    nat?: pulumi.Input<inputs.aws.VpcNatArgsArgs>;
+}
+/**
+ * Normalises the `bastion` shorthand so the Pulumi provider
+ * always receives an object, never a raw boolean.
+ *
+ *   bastion: true          // enable with all defaults
+ *   bastion: {}            // identical to true
+ *   bastion: { ... }       // enable with custom config
+ */
+export declare function normaliseBastion(val: boolean | inputs.aws.VpcBastionArgsArgs | undefined): inputs.aws.VpcBastionArgsArgs | undefined;

package/bin/aws/vpc.js

@@ -0,0 +1,94 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normaliseBastion = exports.Vpc = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+class Vpc extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of Vpc.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Vpc.__pulumiType;
+    }
+    /**
+     * Create a Vpc resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["availabilityZones"] = args?.availabilityZones;
+            resourceInputs["bastion"] = args?.bastion;
+            resourceInputs["cidr"] = args?.cidr;
+            resourceInputs["flowLogs"] = args?.flowLogs;
+            resourceInputs["nat"] = args?.nat;
+            resourceInputs["bastionInstanceId"] = undefined /*out*/;
+            resourceInputs["bastionSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["defaultSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["privateSubnetIds"] = undefined /*out*/;
+            resourceInputs["publicSubnetIds"] = undefined /*out*/;
+            resourceInputs["vpcId"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["availabilityZones"] = undefined /*out*/;
+            resourceInputs["bastionInstanceId"] = undefined /*out*/;
+            resourceInputs["bastionSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["defaultSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["privateSubnetIds"] = undefined /*out*/;
+            resourceInputs["publicSubnetIds"] = undefined /*out*/;
+            resourceInputs["vpcId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Vpc.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+    /**
+     * Imports an existing Vpc into Anvil without managing or modifying it.
+     * Returns an identical output shape to `new Vpc()`.
+     *
+     * Flow logs, NAT, and bastion are not available on an imported VPC.
+     *
+     * If subnet IDs are omitted, Anvil auto-discovers them by inspecting
+     * route tables. Provide IDs explicitly if auto-discovery fails.
+     *
+     * @example
+     * const network = Vpc.fromId("existing", {
+     *   vpcId: "vpc-0abc123def456",
+     * });
+     */
+    static fromId(name, args, opts) {
+        return new Vpc(name, args, {
+            ...opts,
+            id: args.vpcId,
+        });
+    }
+}
+exports.Vpc = Vpc;
+/** @internal */
+Vpc.__pulumiType = 'anvil:aws:Vpc';
+/**
+ * Normalises the `bastion` shorthand so the Pulumi provider
+ * always receives an object, never a raw boolean.
+ *
+ *   bastion: true          // enable with all defaults
+ *   bastion: {}            // identical to true
+ *   bastion: { ... }       // enable with custom config
+ */
+function normaliseBastion(val) {
+    if (val === undefined || val === false)
+        return undefined;
+    if (val === true)
+        return {};
+    return val;
+}
+exports.normaliseBastion = normaliseBastion;
+//# sourceMappingURL=vpc.js.map

package/bin/aws/vpc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vpc.js","sourceRoot":"","sources":["../../aws/vpc.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAE1C,MAAa,GAAI,SAAQ,MAAM,CAAC,iBAAiB;IAI7C;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,GAAG,CAAC,YAAY,CAAC;IACpD,CAAC;IA+BD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAc,EAAE,IAAsC;QAC5E,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,EAAE,iBAAiB,CAAC;YAC9D,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;YAClC,cAAc,CAAC,mBAAmB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACxD,cAAc,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC7D,cAAc,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC7D,cAAc,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACvD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACtD,cAAc,CAAC,OAAO,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC/C;aAAM;YACH,cAAc,CAAC,mBAAmB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACxD,cAAc,CAAC,mBAAmB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACxD,cAAc,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC7D,cAAc,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC7D,cAAc,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACvD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACtD,cAAc,CAAC,OAAO,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC/C;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACzE,CAAC;IACD;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,MAAM,CACX,IAAY,EACZ,IAIC,EACD,IAAsC;QAEtC,OAAO,IAAI,GAAG,CAAC,IAAI,EAAE,IAAW,EAAE;YAChC,GAAG,IAAI;YACP,EAAE,EAAE,IAAI,CAAC,KAAK;SACf,CAAC,CAAC;IACL,CAAC;;AAzGL,kBA2GC;AA1GG,gBAAgB;AACO,gBAAY,GAAG,eAAe,CAAC;AAqI1D;;;;;;;GAOG;AACH,SAAgB,gBAAgB,CAC9B,GAAwD;IAExD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,SAAS,CAAC;IACzD,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAC5B,OAAO,GAAG,CAAC;AACb,CAAC;AAND,4CAMC"}