@anvil-cloud/sdk 0.0.13 → 0.0.14

package/bin/aws/vpcEndpoint.d.ts

@@ -0,0 +1,49 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as enums from "../types/enums";
+/**
+ * An Anvil-managed AWS Interface VPC Endpoint. Creates one ENI per private subnet with private DNS enabled — standard AWS service hostnames resolve to ENI IPs inside the VPC automatically. Includes a dedicated security group with zero rules by default. Use grantEndpointAccess on compute resources to open the network path. IAM permissions are managed separately via grantPermissions.
+ */
+export declare class VpcEndpoint extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of VpcEndpoint.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is VpcEndpoint;
+    /**
+     * The first DNS name assigned to the endpoint, e.g. vpce-xxx.ssm.ap-southeast-2.vpce.amazonaws.com. With private DNS enabled, normal consumers use the standard AWS SDK hostname — this is exposed for debugging and multi-VPC architectures only.
+     */
+    readonly dnsName: pulumi.Output<string>;
+    /**
+     * The ID of the VPC endpoint, e.g. vpce-0abc1234567890abc. Use this to reference the endpoint in IAM condition keys such as aws:SourceVpce.
+     */
+    readonly endpointId: pulumi.Output<string>;
+    /**
+     * The ID of the dedicated security group attached to this endpoint. Zero rules by default. Ingress rules are added when compute resources call grantEndpointAccess.
+     */
+    readonly securityGroupId: pulumi.Output<string>;
+    /**
+     * Create a VpcEndpoint resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: VpcEndpointArgs, opts?: pulumi.ComponentResourceOptions);
+}
+/**
+ * The set of arguments for constructing a VpcEndpoint resource.
+ */
+export interface VpcEndpointArgs {
+    /**
+     * The IDs of the private subnets to attach the endpoint to. AWS places one ENI per subnet. Pass all private subnet IDs from your VPC — typically one per AZ.
+     */
+    privateSubnetIds: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The AWS service to route privately. The full com.amazonaws.{region}.{service} name is constructed at deploy time from the resolved region — you never write it manually.
+     */
+    service: pulumi.Input<enums.aws.AwsVpcEndpointService>;
+    /**
+     * The ID of the VPC to create the endpoint in. Accepts both Anvil-managed VPC IDs and imported VPC IDs.
+     */
+    vpcId: pulumi.Input<string>;
+}

package/bin/aws/vpcEndpoint.js

@@ -0,0 +1,61 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VpcEndpoint = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * An Anvil-managed AWS Interface VPC Endpoint. Creates one ENI per private subnet with private DNS enabled — standard AWS service hostnames resolve to ENI IPs inside the VPC automatically. Includes a dedicated security group with zero rules by default. Use grantEndpointAccess on compute resources to open the network path. IAM permissions are managed separately via grantPermissions.
+ */
+class VpcEndpoint extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of VpcEndpoint.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === VpcEndpoint.__pulumiType;
+    }
+    /**
+     * Create a VpcEndpoint resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.privateSubnetIds === undefined && !opts.urn) {
+                throw new Error("Missing required property 'privateSubnetIds'");
+            }
+            if (args?.service === undefined && !opts.urn) {
+                throw new Error("Missing required property 'service'");
+            }
+            if (args?.vpcId === undefined && !opts.urn) {
+                throw new Error("Missing required property 'vpcId'");
+            }
+            resourceInputs["privateSubnetIds"] = args?.privateSubnetIds;
+            resourceInputs["service"] = args?.service;
+            resourceInputs["vpcId"] = args?.vpcId;
+            resourceInputs["dnsName"] = undefined /*out*/;
+            resourceInputs["endpointId"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["dnsName"] = undefined /*out*/;
+            resourceInputs["endpointId"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(VpcEndpoint.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+exports.VpcEndpoint = VpcEndpoint;
+/** @internal */
+VpcEndpoint.__pulumiType = 'anvil:aws:VpcEndpoint';
+//# sourceMappingURL=vpcEndpoint.js.map

package/bin/aws/vpcEndpoint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vpcEndpoint.js","sourceRoot":"","sources":["../../aws/vpcEndpoint.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAE1C;;GAEG;AACH,MAAa,WAAY,SAAQ,MAAM,CAAC,iBAAiB;IAIrD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,WAAW,CAAC,YAAY,CAAC;IAC5D,CAAC;IAeD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAqB,EAAE,IAAsC;QACnF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,gBAAgB,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACnD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;aACnE;YACD,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,IAAI,IAAI,EAAE,KAAK,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACxC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;aACxD;YACD,cAAc,CAAC,kBAAkB,CAAC,GAAG,IAAI,EAAE,gBAAgB,CAAC;YAC5D,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC;YACtC,cAAc,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC9C,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACzD;aAAM;YACH,cAAc,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC9C,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACzD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACjF,CAAC;;AA7DL,kCA8DC;AA7DG,gBAAgB;AACO,wBAAY,GAAG,uBAAuB,CAAC"}

package/bin/grants.d.ts

@@ -4,22 +4,12 @@ import * as pulumi from '@pulumi/pulumi';
  * Compute resources (Lambda, SvelteKitSite, etc.) satisfy this interface.
  */
 export interface GrantTarget {
-    /**
-     * The logical resource name passed to the constructor.
-     */
     grantName(): string;
-    /**
-     * The ARN of the IAM execution role attached to this compute resource.
-     */
     grantRoleArn(): pulumi.Output<string>;
 }
 /**
  * Optional metadata for grant methods.
  */
 export interface GrantOptions {
-    /**
-     * Documents why this grant is needed.
-     * Stored as a tag on the generated IAM policy resource for audit purposes.
-     */
     justification?: string;
 }

package/bin/grants.js

@@ -12,8 +12,6 @@ const aws = require("@pulumi/aws");
  * Creates a scoped IAM RolePolicy granting the specified actions on the
  * specified resource ARNs to the target's execution role.
  *
- * This is the core engine that all resource-specific grant methods delegate to.
- *
  * @internal
  */
 function createGrant(parent, name, target, actions, resourceArns, opts) {
@@ -27,13 +25,10 @@ function createGrant(parent, name, target, actions, resourceArns, opts) {
             },
         ],
     }));
-    // Extract role name from ARN (everything after the last "/")
     const roleName = target.grantRoleArn().apply((arn) => {
         const idx = arn.lastIndexOf('/');
         return idx >= 0 ? arn.substring(idx + 1) : arn;
     });
-    // Justification is stored in the resource name suffix for audit trail.
-    // Future: compliance audit trail (Pro tier) will capture this metadata separately.
     const policyName = opts?.justification
         ? `${name}-${sanitize(opts.justification)}`
         : name;
@@ -43,7 +38,7 @@ function createGrant(parent, name, target, actions, resourceArns, opts) {
     }, { parent });
 }
 exports.createGrant = createGrant;
-/** @internal Sanitize a string for use in resource names. */
+/** @internal */
 function sanitize(s) {
     return s
         .toLowerCase()
@@ -52,10 +47,6 @@ function sanitize(s) {
 }
 /**
  * Builds the list of ARNs for a grant based on a base ARN and optional path scoping.
- *
- * - No paths: grants access to the entire resource (baseArn + baseArn/*)
- * - With paths: grants access to baseArn (for list operations) + each scoped path
- *
  * @internal
  */
 function buildResourceArns(baseArn, paths) {

package/bin/grants.js.map

@@ -1 +1 @@
-{"version":3,"file":"grants.js","sourceRoot":"","sources":["../grants.ts"],"names":[],"mappings":";AAAA,uBAAuB;AACvB,4EAA4E;AAC5E,EAAE;AACF,uEAAuE;AACvE,+EAA+E;;;AAE/E,yCAAyC;AACzC,mCAAmC;AA6BnC;;;;;;;GAOG;AACH,SAAgB,WAAW,CACzB,MAAuB,EACvB,IAAY,EACZ,MAAmB,EACnB,OAAiB,EACjB,YAAqC,EACrC,IAAmB;IAEnB,MAAM,cAAc,GAAG,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAC7D,IAAI,CAAC,SAAS,CAAC;QACb,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT;gBACE,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,IAAI;aACf;SACF;KACF,CAAC,CACH,CAAC;IAEF,6DAA6D;IAC7D,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnD,MAAM,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACjC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,uEAAuE;IACvE,mFAAmF;IACnF,MAAM,UAAU,GAAG,IAAI,EAAE,aAAa;QACpC,CAAC,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE;QAC3C,CAAC,CAAC,IAAI,CAAC;IAET,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CACpB,UAAU,EACV;QACE,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,cAAc;KACvB,EACD,EAAE,MAAM,EAAE,CACX,CAAC;AACJ,CAAC;AAzCD,kCAyCC;AAED,6DAA6D;AAC7D,SAAS,QAAQ,CAAC,CAAS;IACzB,OAAO,CAAC;SACL,WAAW,EAAE;SACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAC/B,OAA8B,EAC9B,KAAgB;IAEhB,MAAM,IAAI,GAA4B,CAAC,OAAO,CAAC,CAAC;IAEhD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;QAChC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAA,GAAG,OAAO,IAAI,CAAC,CAAC;KAC7C;SAAM;QACL,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE;YACrB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAA,GAAG,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;SAChD;KACF;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAfD,8CAeC"}
+{"version":3,"file":"grants.js","sourceRoot":"","sources":["../grants.ts"],"names":[],"mappings":";AAAA,uBAAuB;AACvB,4EAA4E;AAC5E,EAAE;AACF,uEAAuE;AACvE,+EAA+E;;;AAE/E,yCAAyC;AACzC,mCAAmC;AAkBnC;;;;;GAKG;AACH,SAAgB,WAAW,CACzB,MAAuB,EACvB,IAAY,EACZ,MAAmB,EACnB,OAAiB,EACjB,YAAqC,EACrC,IAAmB;IAEnB,MAAM,cAAc,GAAG,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAC7D,IAAI,CAAC,SAAS,CAAC;QACb,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT;gBACE,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,IAAI;aACf;SACF;KACF,CAAC,CACH,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnD,MAAM,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACjC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,IAAI,EAAE,aAAa;QACpC,CAAC,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE;QAC3C,CAAC,CAAC,IAAI,CAAC;IAET,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CACpB,UAAU,EACV;QACE,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,cAAc;KACvB,EACD,EAAE,MAAM,EAAE,CACX,CAAC;AACJ,CAAC;AAtCD,kCAsCC;AAED,gBAAgB;AAChB,SAAS,QAAQ,CAAC,CAAS;IACzB,OAAO,CAAC;SACL,WAAW,EAAE;SACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAC/B,OAA8B,EAC9B,KAAgB;IAEhB,MAAM,IAAI,GAA4B,CAAC,OAAO,CAAC,CAAC;IAEhD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;QAChC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAA,GAAG,OAAO,IAAI,CAAC,CAAC;KAC7C;SAAM;QACL,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE;YACrB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAA,GAAG,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;SAChD;KACF;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAfD,8CAeC"}

package/bin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anvil-cloud/sdk",
-  "version": "0.0.13",
+  "version": "0.0.14",
   "scripts": {
     "build": "tsc && cp package.json bin/"
   },

package/bin/types/enums/aws/index.d.ts

@@ -1,3 +1,61 @@
+export declare const AwsVpcEndpointService: {
+    /**
+     * AWS Systems Manager. Required alongside ssmmessages and ec2messages for full SSM functionality including Session Manager and Run Command.
+     */
+    readonly Ssm: "ssm";
+    /**
+     * SSM Session Manager messaging. Required alongside ssm and ec2messages.
+     */
+    readonly Ssmmessages: "ssmmessages";
+    /**
+     * SSM Run Command messaging. Required alongside ssm and ssmmessages.
+     */
+    readonly Ec2messages: "ec2messages";
+    /**
+     * AWS Secrets Manager. Allows compute resources to call GetSecretValue and other Secrets Manager APIs without traversing the public internet.
+     */
+    readonly Secretsmanager: "secretsmanager";
+    /**
+     * ECR control plane — authentication, image manifests, and repository metadata. Required alongside ecr.dkr for private image pulls.
+     */
+    readonly Ecr_api: "ecr.api";
+    /**
+     * ECR data plane — image layer pulls. Required alongside ecr.api for private image pulls.
+     */
+    readonly Ecr_dkr: "ecr.dkr";
+    /**
+     * Amazon Simple Queue Service. Covers all SQS operations including SendMessage, ReceiveMessage, and DeleteMessage — all are client-initiated HTTPS, one endpoint covers all operations.
+     */
+    readonly Sqs: "sqs";
+    /**
+     * Amazon Simple Notification Service. Allows compute resources to publish to SNS topics without traversing the public internet.
+     */
+    readonly Sns: "sns";
+    /**
+     * AWS Lambda invoke. Allows private invocation of Lambda functions from within the VPC.
+     */
+    readonly Lambda: "lambda";
+    /**
+     * Amazon CloudWatch Logs. Required for compute resources in private subnets to ship logs to CloudWatch without a NAT Gateway.
+     */
+    readonly Logs: "logs";
+    /**
+     * Amazon CloudWatch Metrics. Required for compute resources in private subnets to publish custom metrics without a NAT Gateway.
+     */
+    readonly Monitoring: "monitoring";
+    /**
+     * AWS Key Management Service. Required for compute resources that perform envelope encryption, use KMS-managed secrets, or interact with services that call KMS on their behalf.
+     */
+    readonly Kms: "kms";
+    /**
+     * AWS Security Token Service. Required for IAM role assumption and temporary credential generation within private subnets.
+     */
+    readonly Sts: "sts";
+};
+/**
+ * The AWS service to route privately via an Interface VPC Endpoint. Each value maps to the com.amazonaws.{region}.{suffix} endpoint service name.
+ */
+export type AwsVpcEndpointService = (typeof AwsVpcEndpointService)[keyof typeof AwsVpcEndpointService];
 export declare const LambdaArchitecture: {
     /**
      * Graviton — 20% cheaper, better performance. Default.
@@ -51,3 +109,21 @@ export declare const LambdaRuntime: {
     readonly Nodejs22_x: "nodejs22.x";
 };
 export type LambdaRuntime = (typeof LambdaRuntime)[keyof typeof LambdaRuntime];
+export declare const S3FlowLogLifecycle: {
+    /**
+     * Auto-tiered: Standard (0-30d) → Standard-IA (30-90d) → Glacier Instant Retrieval (90d+). Suitable for compliance retention at minimal long-term cost.
+     */
+    readonly Standard: "standard";
+};
+export type S3FlowLogLifecycle = (typeof S3FlowLogLifecycle)[keyof typeof S3FlowLogLifecycle];
+export declare const VpcNatType: {
+    /**
+     * AWS managed NAT Gateway. One per AZ for true HA. ~$32/month per AZ plus $0.045/GB data processed.
+     */
+    readonly Gateway: "gateway";
+    /**
+     * fck-nat EC2 instance. Single instance regardless of AZ count. ~$4-6/month for t4g.small. Accepted single point of failure tradeoff for cost savings.
+     */
+    readonly Fck_nat: "fck-nat";
+};
+export type VpcNatType = (typeof VpcNatType)[keyof typeof VpcNatType];

package/bin/types/enums/aws/index.js

@@ -2,7 +2,61 @@
 // *** WARNING: this file was generated by pulumi-language-nodejs. ***
 // *** Do not edit by hand unless you're certain you know what you are doing! ***
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.LambdaRuntime = exports.LambdaLogRetention = exports.LambdaArchitecture = void 0;
+exports.VpcNatType = exports.S3FlowLogLifecycle = exports.LambdaRuntime = exports.LambdaLogRetention = exports.LambdaArchitecture = exports.AwsVpcEndpointService = void 0;
+exports.AwsVpcEndpointService = {
+    /**
+     * AWS Systems Manager. Required alongside ssmmessages and ec2messages for full SSM functionality including Session Manager and Run Command.
+     */
+    Ssm: "ssm",
+    /**
+     * SSM Session Manager messaging. Required alongside ssm and ec2messages.
+     */
+    Ssmmessages: "ssmmessages",
+    /**
+     * SSM Run Command messaging. Required alongside ssm and ssmmessages.
+     */
+    Ec2messages: "ec2messages",
+    /**
+     * AWS Secrets Manager. Allows compute resources to call GetSecretValue and other Secrets Manager APIs without traversing the public internet.
+     */
+    Secretsmanager: "secretsmanager",
+    /**
+     * ECR control plane — authentication, image manifests, and repository metadata. Required alongside ecr.dkr for private image pulls.
+     */
+    Ecr_api: "ecr.api",
+    /**
+     * ECR data plane — image layer pulls. Required alongside ecr.api for private image pulls.
+     */
+    Ecr_dkr: "ecr.dkr",
+    /**
+     * Amazon Simple Queue Service. Covers all SQS operations including SendMessage, ReceiveMessage, and DeleteMessage — all are client-initiated HTTPS, one endpoint covers all operations.
+     */
+    Sqs: "sqs",
+    /**
+     * Amazon Simple Notification Service. Allows compute resources to publish to SNS topics without traversing the public internet.
+     */
+    Sns: "sns",
+    /**
+     * AWS Lambda invoke. Allows private invocation of Lambda functions from within the VPC.
+     */
+    Lambda: "lambda",
+    /**
+     * Amazon CloudWatch Logs. Required for compute resources in private subnets to ship logs to CloudWatch without a NAT Gateway.
+     */
+    Logs: "logs",
+    /**
+     * Amazon CloudWatch Metrics. Required for compute resources in private subnets to publish custom metrics without a NAT Gateway.
+     */
+    Monitoring: "monitoring",
+    /**
+     * AWS Key Management Service. Required for compute resources that perform envelope encryption, use KMS-managed secrets, or interact with services that call KMS on their behalf.
+     */
+    Kms: "kms",
+    /**
+     * AWS Security Token Service. Required for IAM role assumption and temporary credential generation within private subnets.
+     */
+    Sts: "sts",
+};
 exports.LambdaArchitecture = {
     /**
      * Graviton — 20% cheaper, better performance. Default.
@@ -53,4 +107,20 @@ exports.LambdaRuntime = {
      */
     Nodejs22_x: "nodejs22.x",
 };
+exports.S3FlowLogLifecycle = {
+    /**
+     * Auto-tiered: Standard (0-30d) → Standard-IA (30-90d) → Glacier Instant Retrieval (90d+). Suitable for compliance retention at minimal long-term cost.
+     */
+    Standard: "standard",
+};
+exports.VpcNatType = {
+    /**
+     * AWS managed NAT Gateway. One per AZ for true HA. ~$32/month per AZ plus $0.045/GB data processed.
+     */
+    Gateway: "gateway",
+    /**
+     * fck-nat EC2 instance. Single instance regardless of AZ count. ~$4-6/month for t4g.small. Accepted single point of failure tradeoff for cost savings.
+     */
+    Fck_nat: "fck-nat",
+};
 //# sourceMappingURL=index.js.map

package/bin/types/enums/aws/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../types/enums/aws/index.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAGpE,QAAA,kBAAkB,GAAG;IAC9B;;OAEG;IACH,KAAK,EAAE,OAAO;IACd;;OAEG;IACH,MAAM,EAAE,QAAQ;CACV,CAAC;AAIE,QAAA,kBAAkB,GAAG;IAC9B;;OAEG;IACH,qBAAqB,EAAE,IAAI;IAC3B;;OAEG;IACH,sBAAsB,EAAE,KAAK;IAC7B;;OAEG;IACH,sBAAsB,EAAE,KAAK;IAC7B;;OAEG;IACH,qBAAqB,EAAE,IAAI;IAC3B;;OAEG;IACH,qBAAqB,EAAE,IAAI;IAC3B;;OAEG;IACH,qBAAqB,EAAE,IAAI;IAC3B;;OAEG;IACH,qBAAqB,EAAE,IAAI;CACrB,CAAC;AAIE,QAAA,aAAa,GAAG;IACzB;;OAEG;IACH,UAAU,EAAE,YAAY;IACxB;;OAEG;IACH,UAAU,EAAE,YAAY;CAClB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../types/enums/aws/index.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAGpE,QAAA,qBAAqB,GAAG;IACjC;;OAEG;IACH,GAAG,EAAE,KAAK;IACV;;OAEG;IACH,WAAW,EAAE,aAAa;IAC1B;;OAEG;IACH,WAAW,EAAE,aAAa;IAC1B;;OAEG;IACH,cAAc,EAAE,gBAAgB;IAChC;;OAEG;IACH,OAAO,EAAE,SAAS;IAClB;;OAEG;IACH,OAAO,EAAE,SAAS;IAClB;;OAEG;IACH,GAAG,EAAE,KAAK;IACV;;OAEG;IACH,GAAG,EAAE,KAAK;IACV;;OAEG;IACH,MAAM,EAAE,QAAQ;IAChB;;OAEG;IACH,IAAI,EAAE,MAAM;IACZ;;OAEG;IACH,UAAU,EAAE,YAAY;IACxB;;OAEG;IACH,GAAG,EAAE,KAAK;IACV;;OAEG;IACH,GAAG,EAAE,KAAK;CACJ,CAAC;AAOE,QAAA,kBAAkB,GAAG;IAC9B;;OAEG;IACH,KAAK,EAAE,OAAO;IACd;;OAEG;IACH,MAAM,EAAE,QAAQ;CACV,CAAC;AAIE,QAAA,kBAAkB,GAAG;IAC9B;;OAEG;IACH,qBAAqB,EAAE,IAAI;IAC3B;;OAEG;IACH,sBAAsB,EAAE,KAAK;IAC7B;;OAEG;IACH,sBAAsB,EAAE,KAAK;IAC7B;;OAEG;IACH,qBAAqB,EAAE,IAAI;IAC3B;;OAEG;IACH,qBAAqB,EAAE,IAAI;IAC3B;;OAEG;IACH,qBAAqB,EAAE,IAAI;IAC3B;;OAEG;IACH,qBAAqB,EAAE,IAAI;CACrB,CAAC;AAIE,QAAA,aAAa,GAAG;IACzB;;OAEG;IACH,UAAU,EAAE,YAAY;IACxB;;OAEG;IACH,UAAU,EAAE,YAAY;CAClB,CAAC;AAIE,QAAA,kBAAkB,GAAG;IAC9B;;OAEG;IACH,QAAQ,EAAE,UAAU;CACd,CAAC;AAIE,QAAA,UAAU,GAAG;IACtB;;OAEG;IACH,OAAO,EAAE,SAAS;IAClB;;OAEG;IACH,OAAO,EAAE,SAAS;CACZ,CAAC"}

package/bin/types/input.d.ts

@@ -1,5 +1,6 @@
 import * as pulumi from "@pulumi/pulumi";
 import * as inputs from "../types/input";
+import * as enums from "../types/enums";
 import * as pulumiAws from "@pulumi/aws";
 import * as pulumiGcp from "@pulumi/gcp";
 export declare namespace aws {
@@ -522,6 +523,51 @@ export declare namespace aws {
     interface LambdaTransformArgsArgs {
         lambda?: pulumi.Input<inputs.aws.LambdaOverridesArgs>;
     }
+    interface LambdaVpcArgsArgs {
+        /**
+         * CIDR-scoped egress rules. One SG rule per port per CIDR. Use for peered VPCs or on-premise ranges.
+         */
+        cidrs?: pulumi.Input<pulumi.Input<inputs.aws.LambdaVpcCidrArgsArgs>[]>;
+        /**
+         * Only needed for imported VPCs with NAT. Omit when using an Anvil Vpc component.
+         */
+        hasNat?: pulumi.Input<boolean>;
+        /**
+         * The IDs of the private subnets to attach the Lambda to. Always private — Lambda must never be placed in public subnets.
+         */
+        privateSubnetIds: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * VPC endpoints this Lambda needs access to. Anvil wires both SG rules automatically.
+         */
+        vpcEndpoints?: pulumi.Input<pulumi.Input<inputs.aws.LambdaVpcEndpointArgsArgs>[]>;
+        /**
+         * The ID of the VPC to place the Lambda in.
+         */
+        vpcId: pulumi.Input<string>;
+    }
+    interface LambdaVpcCidrArgsArgs {
+        /**
+         * TCP ports to allow. Required — be explicit.
+         */
+        ports: pulumi.Input<pulumi.Input<number>[]>;
+        /**
+         * IPv4 CIDR block, e.g. 10.0.0.0/8
+         */
+        range: pulumi.Input<string>;
+    }
+    /**
+     * A VPC endpoint to grant this Lambda access to.
+     */
+    interface LambdaVpcEndpointArgsArgs {
+        /**
+         * The endpoint's ID. Use ep.endpointId. Used for SG rule naming.
+         */
+        endpointId: pulumi.Input<string>;
+        /**
+         * The endpoint's security group ID. Use ep.securityGroupId.
+         */
+        securityGroupId: pulumi.Input<string>;
+    }
     interface PABTransformArgs {
         /**
          * Whether Amazon S3 should block public ACLs for this bucket. Defaults to <span pulumi-lang-nodejs="`false`" pulumi-lang-dotnet="`False`" pulumi-lang-go="`false`" pulumi-lang-python="`false`" pulumi-lang-yaml="`false`" pulumi-lang-java="`false`">`false`</span>. Enabling this setting does not affect existing policies or ACLs. When set to <span pulumi-lang-nodejs="`true`" pulumi-lang-dotnet="`True`" pulumi-lang-go="`true`" pulumi-lang-python="`true`" pulumi-lang-yaml="`true`" pulumi-lang-java="`true`">`true`</span> causes the following behavior:
@@ -557,6 +603,48 @@ export declare namespace aws {
          */
         skipDestroy?: pulumi.Input<boolean>;
     }
+    interface VpcBastionArgsArgs {
+        /**
+         * Source IP CIDRs allowed to initiate SSM sessions via IAM policy condition. Omit to allow any authenticated IAM principal. Example: ['203.0.113.0/32'] to restrict to your office IP.
+         */
+        allowedCidrs?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * EC2 instance type for the bastion host. Default: 't4g.nano' — the bastion is purely a jump box with minimal resource requirements.
+         */
+        instanceType?: pulumi.Input<string>;
+    }
+    interface VpcCloudWatchFlowLogArgsArgs {
+        /**
+         * Number of days to retain flow log data in CloudWatch Logs. Common values: 7, 14, 30, 90.
+         */
+        retention: pulumi.Input<number>;
+    }
+    interface VpcFlowLogsArgsArgs {
+        /**
+         * Enable flow log delivery to a CloudWatch Log Group. Use for fast querying with CloudWatch Logs Insights and active debugging of connection issues.
+         */
+        cloudwatch?: pulumi.Input<inputs.aws.VpcCloudWatchFlowLogArgsArgs>;
+        /**
+         * Enable flow log delivery to a dedicated S3 bucket with auto-tiered lifecycle policy. Use for compliance retention and audit evidence.
+         */
+        s3?: pulumi.Input<inputs.aws.VpcS3FlowLogArgsArgs>;
+    }
+    interface VpcNatArgsArgs {
+        /**
+         * EC2 instance type for the fck-nat instance. Only applies when natType is 'fck-nat'. Default: 't4g.small'.
+         */
+        instanceType?: pulumi.Input<string>;
+        /**
+         * Type of NAT to provision. 'gateway' provisions one AWS managed NAT Gateway per AZ. 'fck-nat' provisions a single fck-nat EC2 instance shared across all AZs.
+         */
+        natType: pulumi.Input<enums.aws.VpcNatType>;
+    }
+    interface VpcS3FlowLogArgsArgs {
+        /**
+         * Storage tiering policy for flow log retention.
+         */
+        lifecycle: pulumi.Input<enums.aws.S3FlowLogLifecycle>;
+    }
 }
 export declare namespace gcp {
     interface BucketOverridesArgs {

package/grants.ts

@@ -12,14 +12,7 @@ import * as aws from '@pulumi/aws';
  * Compute resources (Lambda, SvelteKitSite, etc.) satisfy this interface.
  */
 export interface GrantTarget {
-  /**
-   * The logical resource name passed to the constructor.
-   */
   grantName(): string;
-
-  /**
-   * The ARN of the IAM execution role attached to this compute resource.
-   */
   grantRoleArn(): pulumi.Output<string>;
 }
 
@@ -27,10 +20,6 @@ export interface GrantTarget {
  * Optional metadata for grant methods.
  */
 export interface GrantOptions {
-  /**
-   * Documents why this grant is needed.
-   * Stored as a tag on the generated IAM policy resource for audit purposes.
-   */
   justification?: string;
 }
 
@@ -38,8 +27,6 @@ export interface GrantOptions {
  * Creates a scoped IAM RolePolicy granting the specified actions on the
  * specified resource ARNs to the target's execution role.
  *
- * This is the core engine that all resource-specific grant methods delegate to.
- *
  * @internal
  */
 export function createGrant(
@@ -63,14 +50,11 @@ export function createGrant(
     })
   );
 
-  // Extract role name from ARN (everything after the last "/")
   const roleName = target.grantRoleArn().apply((arn) => {
     const idx = arn.lastIndexOf('/');
     return idx >= 0 ? arn.substring(idx + 1) : arn;
   });
 
-  // Justification is stored in the resource name suffix for audit trail.
-  // Future: compliance audit trail (Pro tier) will capture this metadata separately.
   const policyName = opts?.justification
     ? `${name}-${sanitize(opts.justification)}`
     : name;
@@ -85,7 +69,7 @@ export function createGrant(
   );
 }
 
-/** @internal Sanitize a string for use in resource names. */
+/** @internal */
 function sanitize(s: string): string {
   return s
     .toLowerCase()
@@ -95,10 +79,6 @@ function sanitize(s: string): string {
 
 /**
  * Builds the list of ARNs for a grant based on a base ARN and optional path scoping.
- *
- * - No paths: grants access to the entire resource (baseArn + baseArn/*)
- * - With paths: grants access to baseArn (for list operations) + each scoped path
- *
  * @internal
  */
 export function buildResourceArns(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anvil-cloud/sdk",
-  "version": "0.0.13",
+  "version": "0.0.14",
   "scripts": {
     "build": "tsc && cp package.json bin/"
   },

package/tsconfig.json

@@ -17,6 +17,8 @@
         "aws/index.ts",
         "aws/lambda.ts",
         "aws/svelteKitSite.ts",
+        "aws/vpc.ts",
+        "aws/vpcEndpoint.ts",
         "gcp/function.ts",
         "gcp/index.ts",
         "gcp/storageBucket.ts",

package/types/enums/aws/index.ts

@@ -2,6 +2,66 @@
 // *** Do not edit by hand unless you're certain you know what you are doing! ***
 
 
+export const AwsVpcEndpointService = {
+    /**
+     * AWS Systems Manager. Required alongside ssmmessages and ec2messages for full SSM functionality including Session Manager and Run Command.
+     */
+    Ssm: "ssm",
+    /**
+     * SSM Session Manager messaging. Required alongside ssm and ec2messages.
+     */
+    Ssmmessages: "ssmmessages",
+    /**
+     * SSM Run Command messaging. Required alongside ssm and ssmmessages.
+     */
+    Ec2messages: "ec2messages",
+    /**
+     * AWS Secrets Manager. Allows compute resources to call GetSecretValue and other Secrets Manager APIs without traversing the public internet.
+     */
+    Secretsmanager: "secretsmanager",
+    /**
+     * ECR control plane — authentication, image manifests, and repository metadata. Required alongside ecr.dkr for private image pulls.
+     */
+    Ecr_api: "ecr.api",
+    /**
+     * ECR data plane — image layer pulls. Required alongside ecr.api for private image pulls.
+     */
+    Ecr_dkr: "ecr.dkr",
+    /**
+     * Amazon Simple Queue Service. Covers all SQS operations including SendMessage, ReceiveMessage, and DeleteMessage — all are client-initiated HTTPS, one endpoint covers all operations.
+     */
+    Sqs: "sqs",
+    /**
+     * Amazon Simple Notification Service. Allows compute resources to publish to SNS topics without traversing the public internet.
+     */
+    Sns: "sns",
+    /**
+     * AWS Lambda invoke. Allows private invocation of Lambda functions from within the VPC.
+     */
+    Lambda: "lambda",
+    /**
+     * Amazon CloudWatch Logs. Required for compute resources in private subnets to ship logs to CloudWatch without a NAT Gateway.
+     */
+    Logs: "logs",
+    /**
+     * Amazon CloudWatch Metrics. Required for compute resources in private subnets to publish custom metrics without a NAT Gateway.
+     */
+    Monitoring: "monitoring",
+    /**
+     * AWS Key Management Service. Required for compute resources that perform envelope encryption, use KMS-managed secrets, or interact with services that call KMS on their behalf.
+     */
+    Kms: "kms",
+    /**
+     * AWS Security Token Service. Required for IAM role assumption and temporary credential generation within private subnets.
+     */
+    Sts: "sts",
+} as const;
+
+/**
+ * The AWS service to route privately via an Interface VPC Endpoint. Each value maps to the com.amazonaws.{region}.{suffix} endpoint service name.
+ */
+export type AwsVpcEndpointService = (typeof AwsVpcEndpointService)[keyof typeof AwsVpcEndpointService];
+
 export const LambdaArchitecture = {
     /**
      * Graviton — 20% cheaper, better performance. Default.
@@ -60,3 +120,25 @@ export const LambdaRuntime = {
 } as const;
 
 export type LambdaRuntime = (typeof LambdaRuntime)[keyof typeof LambdaRuntime];
+
+export const S3FlowLogLifecycle = {
+    /**
+     * Auto-tiered: Standard (0-30d) → Standard-IA (30-90d) → Glacier Instant Retrieval (90d+). Suitable for compliance retention at minimal long-term cost.
+     */
+    Standard: "standard",
+} as const;
+
+export type S3FlowLogLifecycle = (typeof S3FlowLogLifecycle)[keyof typeof S3FlowLogLifecycle];
+
+export const VpcNatType = {
+    /**
+     * AWS managed NAT Gateway. One per AZ for true HA. ~$32/month per AZ plus $0.045/GB data processed.
+     */
+    Gateway: "gateway",
+    /**
+     * fck-nat EC2 instance. Single instance regardless of AZ count. ~$4-6/month for t4g.small. Accepted single point of failure tradeoff for cost savings.
+     */
+    Fck_nat: "fck-nat",
+} as const;
+
+export type VpcNatType = (typeof VpcNatType)[keyof typeof VpcNatType];