@anvil-cloud/sdk 0.0.13 → 0.0.15

package/aws/cognitoAuth.ts

@@ -0,0 +1,70 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "../utilities";
+
+/**
+ * An Anvil-managed JWT authorizer backed by a Cognito user pool. Derives the issuer URL automatically from the user pool ID — no manual Cognito endpoint construction required. Creates a native API Gateway JWT authorizer; verification is handled entirely by API Gateway with no Lambda or custom code. Pass authorizerId to HttpApi defaultAuthorizerId to protect your API routes.
+ */
+export class CognitoAuth extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:CognitoAuth';
+
+    /**
+     * Returns true if the given object is an instance of CognitoAuth.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is CognitoAuth {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CognitoAuth.__pulumiType;
+    }
+
+    /**
+     * The API Gateway authorizer ID. Pass this to HttpApi defaultAuthorizerId to protect your API routes.
+     */
+    declare public /*out*/ readonly authorizerId: pulumi.Output<string>;
+
+    /**
+     * Create a CognitoAuth resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: CognitoAuthArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.audience === undefined && !opts.urn) {
+                throw new Error("Missing required property 'audience'");
+            }
+            if (args?.userPoolId === undefined && !opts.urn) {
+                throw new Error("Missing required property 'userPoolId'");
+            }
+            resourceInputs["audience"] = args?.audience;
+            resourceInputs["userPoolId"] = args?.userPoolId;
+            resourceInputs["authorizerId"] = undefined /*out*/;
+        } else {
+            resourceInputs["authorizerId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CognitoAuth.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+
+/**
+ * The set of arguments for constructing a CognitoAuth resource.
+ */
+export interface CognitoAuthArgs {
+    /**
+     * The Cognito app client IDs allowed to access this API. API Gateway rejects tokens whose 'aud' claim does not match one of these values. Pass your Cognito app client ID(s) here.
+     */
+    audience: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The Cognito user pool ID. Pass pool.userPoolId directly. Accepts Output<string>. Anvil derives the issuer URL automatically: https://cognito-idp.{region}.amazonaws.com/{userPoolId}.
+     */
+    userPoolId: any;
+}

package/aws/cognitoUserPool.ts

@@ -0,0 +1,132 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
+import * as utilities from "../utilities";
+
+import * as pulumiAws from "@pulumi/aws";
+
+/**
+ * An Anvil-managed Cognito user pool. Tier 1 controls (deletion protection, enforced password policy, account recovery via email) are always on. Pair with CognitoAuth to protect API Gateway routes.
+ */
+export class CognitoUserPool extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:CognitoUserPool';
+
+    /**
+     * Returns true if the given object is an instance of CognitoUserPool.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is CognitoUserPool {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CognitoUserPool.__pulumiType;
+    }
+
+    /**
+     * The ID of the default app client. Pass to CognitoAuth audience.
+     */
+    declare public /*out*/ readonly appClientId: pulumi.Output<string>;
+    /**
+     * The client secret of the default app client. Only populated when appClient.generateSecret is true. Treat as sensitive.
+     */
+    declare public /*out*/ readonly appClientSecret: pulumi.Output<string | undefined>;
+    /**
+     * The CloudFront distribution domain for the custom hosted UI. Only populated when hostedUi.customDomain is true. Create a Route53 alias record pointing hostedUi.domain to this value to complete DNS setup. Empty string for Cognito-managed domains.
+     */
+    declare public /*out*/ readonly cloudFrontDomain: pulumi.Output<string>;
+    /**
+     * The Cognito OIDC issuer URL. Format: https://cognito-idp.{region}.amazonaws.com/{userPoolId}. Pass directly to CognitoAuth if building the authorizer manually.
+     */
+    declare public /*out*/ readonly endpoint: pulumi.Output<string>;
+    /**
+     * The full hosted UI domain (e.g. https://auth.myapp.com or https://myprefix.auth.us-east-1.amazoncognito.com). Empty string if hostedUi is not configured.
+     */
+    declare public /*out*/ readonly hostedUiDomain: pulumi.Output<string>;
+    /**
+     * The ARN of the Cognito user pool.
+     */
+    declare public /*out*/ readonly userPoolArn: pulumi.Output<string>;
+    /**
+     * The Cognito user pool ID. Pass to CognitoAuth.userPoolId.
+     */
+    declare public /*out*/ readonly userPoolId: pulumi.Output<string>;
+
+    /**
+     * Create a CognitoUserPool resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CognitoUserPoolArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["appClient"] = args?.appClient;
+            resourceInputs["attributes"] = args?.attributes;
+            resourceInputs["emailConfiguration"] = args?.emailConfiguration;
+            resourceInputs["hostedUi"] = args?.hostedUi;
+            resourceInputs["identityProviders"] = args?.identityProviders;
+            resourceInputs["mfa"] = args?.mfa;
+            resourceInputs["passwordPolicy"] = args?.passwordPolicy;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["appClientId"] = undefined /*out*/;
+            resourceInputs["appClientSecret"] = undefined /*out*/;
+            resourceInputs["cloudFrontDomain"] = undefined /*out*/;
+            resourceInputs["endpoint"] = undefined /*out*/;
+            resourceInputs["hostedUiDomain"] = undefined /*out*/;
+            resourceInputs["userPoolArn"] = undefined /*out*/;
+            resourceInputs["userPoolId"] = undefined /*out*/;
+        } else {
+            resourceInputs["appClientId"] = undefined /*out*/;
+            resourceInputs["appClientSecret"] = undefined /*out*/;
+            resourceInputs["cloudFrontDomain"] = undefined /*out*/;
+            resourceInputs["endpoint"] = undefined /*out*/;
+            resourceInputs["hostedUiDomain"] = undefined /*out*/;
+            resourceInputs["userPoolArn"] = undefined /*out*/;
+            resourceInputs["userPoolId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CognitoUserPool.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+
+/**
+ * The set of arguments for constructing a CognitoUserPool resource.
+ */
+export interface CognitoUserPoolArgs {
+    /**
+     * Default app client created with the user pool. Covers the 80% case of one application per pool. Use transform for additional clients.
+     */
+    appClient?: pulumi.Input<inputs.aws.CognitoUserPoolAppClientArgs>;
+    /**
+     * User attribute configuration. Controls sign-in identifiers and required attributes on sign-up.
+     */
+    attributes?: pulumi.Input<inputs.aws.CognitoUserPoolAttributesArgs>;
+    /**
+     * Email delivery configuration. Default: Cognito-managed email (5 emails/day limit). Set sesFromAddress for SES delivery in production.
+     */
+    emailConfiguration?: pulumi.Input<inputs.aws.CognitoUserPoolEmailConfigurationArgs>;
+    /**
+     * Hosted UI / Managed Login configuration. Omit to use the Cognito user pools API directly without a hosted sign-in page.
+     */
+    hostedUi?: pulumi.Input<inputs.aws.CognitoUserPoolHostedUiArgs>;
+    /**
+     * External identity providers to federate with this user pool. Supports Google, Facebook, LoginWithAmazon, SignInWithApple, OIDC, and SAML. Schema never changes per provider — add new providers by extending this array.
+     */
+    identityProviders?: pulumi.Input<pulumi.Input<inputs.aws.CognitoUserPoolIdentityProviderArgs>[]>;
+    /**
+     * MFA configuration. TOTP requires no additional AWS resources. SMS requires an SNS caller ARN.
+     */
+    mfa?: pulumi.Input<inputs.aws.CognitoUserPoolMfaArgs>;
+    /**
+     * Password policy for the user pool. Anvil enforces a secure baseline by default — override only to strengthen.
+     */
+    passwordPolicy?: pulumi.Input<inputs.aws.CognitoUserPoolPasswordPolicyArgs>;
+    transform?: pulumi.Input<inputs.aws.CognitoUserPoolTransformArgsArgs>;
+}

package/aws/dynamoDB.ts

@@ -0,0 +1,176 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
+import * as utilities from "../utilities";
+
+import * as pulumiAws from "@pulumi/aws";
+import * as grants from "../grants";
+
+/**
+ * Serverless key-value and document store. Secure-by-default DynamoDB table with GSI support, optional streams, and Lambda/EventBridge consumers. First data layer component — pairs naturally with anvil.aws.Lambda.
+ */
+export class DynamoDB extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:DynamoDB';
+
+    /** @internal Logical resource name for grant policy naming. */
+    private __name: string;
+
+    /**
+     * Returns true if the given object is an instance of DynamoDB.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is DynamoDB {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === DynamoDB.__pulumiType;
+    }
+
+    /**
+     * The ARN of the DynamoDB stream. Only present when stream is enabled.
+     */
+    declare public /*out*/ readonly streamArn: pulumi.Output<string | undefined>;
+    /**
+     * The ARN of the DynamoDB table.
+     */
+    declare public /*out*/ readonly tableArn: pulumi.Output<string>;
+    /**
+     * The physical DynamoDB table name. Scoped as {name}-{stage}.
+     */
+    declare public /*out*/ readonly tableName: pulumi.Output<string>;
+
+    /**
+     * Create a DynamoDB resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: DynamoDBArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.hashKey === undefined && !opts.urn) {
+                throw new Error("Missing required property 'hashKey'");
+            }
+            resourceInputs["globalSecondaryIndexes"] = args?.globalSecondaryIndexes;
+            resourceInputs["hashKey"] = args?.hashKey;
+            resourceInputs["kmsKeyArn"] = args?.kmsKeyArn;
+            resourceInputs["rangeKey"] = args?.rangeKey;
+            resourceInputs["stream"] = args?.stream;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["ttlAttribute"] = args?.ttlAttribute;
+            resourceInputs["streamArn"] = undefined /*out*/;
+            resourceInputs["tableArn"] = undefined /*out*/;
+            resourceInputs["tableName"] = undefined /*out*/;
+        } else {
+            resourceInputs["streamArn"] = undefined /*out*/;
+            resourceInputs["tableArn"] = undefined /*out*/;
+            resourceInputs["tableName"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(DynamoDB.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+
+      /**
+       * Grants read access (dynamodb:GetItem, dynamodb:BatchGetItem, dynamodb:Query, dynamodb:Scan) on this dynamodb
+       * to the target compute resource's execution role.
+       *
+       * @param target - The compute resource to grant access to.
+       * @param opts - Optional. indexes: scope to specific GSI names only.
+       *               If omitted, grants table access only — no index access.
+       * @param opts.justification - Optional audit trail note.
+       */
+      public grantRead(target: grants.GrantTarget, opts?: { indexes?: string[]; justification?: string }): void {
+          const name = `${this.__name}-${target.grantName()}-read`;
+          const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+          const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+          grants.createGrant(this, name, target, ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan"], arns, { justification: opts?.justification });
+      }
+
+      /**
+       * Grants write access (dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:BatchWriteItem) on this dynamodb
+       * to the target compute resource's execution role.
+       *
+       * @param target - The compute resource to grant access to.
+       * @param opts - Optional. indexes: scope to specific GSI names only.
+       *               If omitted, grants table access only — no index access.
+       * @param opts.justification - Optional audit trail note.
+       */
+      public grantWrite(target: grants.GrantTarget, opts?: { indexes?: string[]; justification?: string }): void {
+          const name = `${this.__name}-${target.grantName()}-write`;
+          const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+          const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+          grants.createGrant(this, name, target, ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem"], arns, { justification: opts?.justification });
+      }
+
+      /**
+       * Grants readwrite access (dynamodb:GetItem, dynamodb:BatchGetItem, dynamodb:Query, dynamodb:Scan, dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:BatchWriteItem) on this dynamodb
+       * to the target compute resource's execution role.
+       *
+       * @param target - The compute resource to grant access to.
+       * @param opts - Optional. indexes: scope to specific GSI names only.
+       *               If omitted, grants table access only — no index access.
+       * @param opts.justification - Optional audit trail note.
+       */
+      public grantReadWrite(target: grants.GrantTarget, opts?: { indexes?: string[]; justification?: string }): void {
+          const name = `${this.__name}-${target.grantName()}-readwrite`;
+          const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+          const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+          grants.createGrant(this, name, target, ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem"], arns, { justification: opts?.justification });
+      }
+
+      /**
+       * Grants delete access (dynamodb:DeleteItem) on this dynamodb
+       * to the target compute resource's execution role.
+       *
+       * @param target - The compute resource to grant access to.
+       * @param opts - Optional. indexes: scope to specific GSI names only.
+       *               If omitted, grants table access only — no index access.
+       * @param opts.justification - Optional audit trail note.
+       */
+      public grantDelete(target: grants.GrantTarget, opts?: { indexes?: string[]; justification?: string }): void {
+          const name = `${this.__name}-${target.grantName()}-delete`;
+          const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+          const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+          grants.createGrant(this, name, target, ["dynamodb:DeleteItem"], arns, { justification: opts?.justification });
+      }
+
+}
+
+/**
+ * The set of arguments for constructing a DynamoDB resource.
+ */
+export interface DynamoDBArgs {
+    /**
+     * Global Secondary Indexes. All GSI key types must be explicitly declared — Anvil derives attributeDefinitions automatically from all declared keys.
+     */
+    globalSecondaryIndexes?: pulumi.Input<pulumi.Input<inputs.aws.DynamoDBGlobalSecondaryIndexArgs>[]>;
+    /**
+     * Primary hash (partition) key. Required.
+     */
+    hashKey: pulumi.Input<inputs.aws.DynamoDBKeyAttributeArgs>;
+    /**
+     * Tier 2 opt-in. ARN of a KMS CMK for encryption at rest. If omitted, AWS_OWNED_KMS is used (Tier 1 default — always on, zero cost). Use this for compliance workloads requiring key rotation control, audit trail, or the ability to revoke access by disabling the key.
+     */
+    kmsKeyArn?: pulumi.Input<string>;
+    /**
+     * Primary range (sort) key. Optional.
+     */
+    rangeKey?: pulumi.Input<inputs.aws.DynamoDBKeyAttributeArgs>;
+    /**
+     * DynamoDB Streams configuration. Opt-in. Enables change data capture on the table.
+     */
+    stream?: pulumi.Input<inputs.aws.DynamoDBStreamArgs>;
+    transform?: pulumi.Input<inputs.aws.DynamoTransformArgsArgs>;
+    /**
+     * Name of the attribute used for TTL (time-to-live). Items with this attribute set to a past Unix timestamp are automatically deleted by DynamoDB.
+     */
+    ttlAttribute?: pulumi.Input<string>;
+}

package/aws/eventBus.ts

@@ -0,0 +1,91 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
+import * as utilities from "../utilities";
+
+import * as pulumiAws from "@pulumi/aws";
+import * as grants from "../grants";
+
+/**
+ * An Anvil-managed EventBridge event bus. Archives events for 7 days by default for replay and debugging. Rules route matching events to Lambda targets.
+ */
+export class EventBus extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:EventBus';
+
+    /** @internal Logical resource name for grant policy naming. */
+    private __name: string;
+
+    /**
+     * Returns true if the given object is an instance of EventBus.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is EventBus {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === EventBus.__pulumiType;
+    }
+
+    /**
+     * The ARN of the EventBridge event bus.
+     */
+    declare public /*out*/ readonly arn: pulumi.Output<string>;
+    /**
+     * The name of the EventBridge event bus. Pass to HttpApi consumer: { eventBridge: { name: bus.name } }
+     */
+    declare public /*out*/ readonly name: pulumi.Output<string>;
+
+    /**
+     * Create a EventBus resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: EventBusArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["rules"] = args?.rules;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["name"] = undefined /*out*/;
+        } else {
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["name"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(EventBus.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+
+    /**
+     * Grants putevents access (events:PutEvents) on this eventbus
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    public grantPutEvents(target: grants.GrantTarget, opts?: grants.GrantOptions): void {
+        const name = `${this.__name}-${target.grantName()}-putevents`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["events:PutEvents"], arns, opts);
+    }
+
+}
+
+/**
+ * The set of arguments for constructing a EventBus resource.
+ */
+export interface EventBusArgs {
+    /**
+     * EventBridge rules on this bus. Each rule matches events by pattern and routes them to a target.
+     */
+    rules?: pulumi.Input<pulumi.Input<inputs.aws.EventBusRuleArgs>[]>;
+    transform?: pulumi.Input<inputs.aws.EventBridgeTransformArgsArgs>;
+}

package/aws/httpApi.ts

@@ -0,0 +1,108 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
+import * as utilities from "../utilities";
+
+/**
+ * An Anvil-managed AWS HTTP API Gateway (API Gateway v2). Route-level consumers support Lambda, SQS, EventBridge, Step Functions, and HTTP proxy integrations. Secure by default: TLS 1.2 minimum enforced on custom domains, execute-api endpoint disabled when a custom domain is set, conservative throttling defaults (1000 rps / 500 burst), CORS opt-in with wildcard origin blocked, per-consumer least-privilege IAM roles, access logs on by default.
+ */
+export class HttpApi extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:HttpApi';
+
+    /**
+     * Returns true if the given object is an instance of HttpApi.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is HttpApi {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HttpApi.__pulumiType;
+    }
+
+    /**
+     * The default execute-api endpoint URL. Empty string when a custom domain is set and the execute-api endpoint is disabled.
+     */
+    declare public /*out*/ readonly apiEndpoint: pulumi.Output<string>;
+    /**
+     * The API Gateway HTTP API ID.
+     */
+    declare public /*out*/ readonly apiId: pulumi.Output<string>;
+    /**
+     * ACM cert validation CNAME. Only populated when domain.dns: false and domain.certificateArn is omitted. Add this record in Cloudflare (or your DNS provider) then re-run deploy — Anvil blocks until ACM confirms validation.
+     */
+    declare public /*out*/ readonly certValidationCname: pulumi.Output<outputs.aws.HttpApiCertValidationCname>;
+    /**
+     * The primary URL for the API. When a custom domain is configured this is the custom domain URL. Otherwise it is the execute-api endpoint URL.
+     */
+    declare public /*out*/ readonly url: pulumi.Output<string>;
+
+    /**
+     * Create a HttpApi resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: HttpApiArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.routes === undefined && !opts.urn) {
+                throw new Error("Missing required property 'routes'");
+            }
+            resourceInputs["cors"] = args?.cors;
+            resourceInputs["defaultAuthorizerId"] = args?.defaultAuthorizerId;
+            resourceInputs["domain"] = args?.domain;
+            resourceInputs["logRetention"] = args?.logRetention;
+            resourceInputs["routes"] = args?.routes;
+            resourceInputs["throttling"] = args?.throttling;
+            resourceInputs["apiEndpoint"] = undefined /*out*/;
+            resourceInputs["apiId"] = undefined /*out*/;
+            resourceInputs["certValidationCname"] = undefined /*out*/;
+            resourceInputs["url"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiEndpoint"] = undefined /*out*/;
+            resourceInputs["apiId"] = undefined /*out*/;
+            resourceInputs["certValidationCname"] = undefined /*out*/;
+            resourceInputs["url"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(HttpApi.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+
+/**
+ * The set of arguments for constructing a HttpApi resource.
+ */
+export interface HttpApiArgs {
+    /**
+     * Optional CORS configuration. Opt-in — omit to disable CORS entirely. When enabled, allowOrigins is required and wildcard '*' is blocked as a security measure.
+     */
+    cors?: pulumi.Input<inputs.aws.HttpApiCorsArgs>;
+    /**
+     * The API Gateway authorizer ID to apply to all routes. Pass auth.authorizerId from an OAuthAuthorizer or CognitoAuth component. All routes inherit this authorizer unless skipAuth: true is set on the route. Omit to leave all routes public.
+     */
+    defaultAuthorizerId?: any;
+    /**
+     * Optional custom domain for the API. When set, Anvil provisions the ACM certificate, API Gateway domain name, and Route 53 DNS record automatically. The raw execute-api endpoint is disabled — all traffic must flow through the custom domain.
+     */
+    domain?: pulumi.Input<inputs.aws.HttpApiDomainArgs>;
+    /**
+     * CloudWatch access log retention period. Presets: '7d' | '30d' | '90d' | '1y' | '3y' | '6y' | '7y'. Default: '1y' — satisfies SOC 2, ISO 27001, and PCI DSS baseline retention requirements.
+     */
+    logRetention?: pulumi.Input<string>;
+    /**
+     * The API routes. Each route maps a method and path to a consumer. At least one route is required.
+     */
+    routes: pulumi.Input<pulumi.Input<inputs.aws.HttpApiRouteArgs>[]>;
+    /**
+     * Optional throttling configuration. Defaults to rateLimit: 1000 rps and burstLimit: 500 concurrent requests when omitted. Without throttling a single route can exhaust the account-level limit shared across all APIs.
+     */
+    throttling?: pulumi.Input<inputs.aws.HttpApiThrottlingArgs>;
+}

package/aws/index.ts

@@ -10,16 +10,61 @@ export type Bucket = import("./bucket").Bucket;
 export const Bucket: typeof import("./bucket").Bucket = null as any;
 utilities.lazyLoad(exports, ["Bucket"], () => require("./bucket"));
 
+export { CognitoAuthArgs } from "./cognitoAuth";
+export type CognitoAuth = import("./cognitoAuth").CognitoAuth;
+export const CognitoAuth: typeof import("./cognitoAuth").CognitoAuth = null as any;
+utilities.lazyLoad(exports, ["CognitoAuth"], () => require("./cognitoAuth"));
+
+export { CognitoUserPoolArgs } from "./cognitoUserPool";
+export type CognitoUserPool = import("./cognitoUserPool").CognitoUserPool;
+export const CognitoUserPool: typeof import("./cognitoUserPool").CognitoUserPool = null as any;
+utilities.lazyLoad(exports, ["CognitoUserPool"], () => require("./cognitoUserPool"));
+
+export { DynamoDBArgs } from "./dynamoDB";
+export type DynamoDB = import("./dynamoDB").DynamoDB;
+export const DynamoDB: typeof import("./dynamoDB").DynamoDB = null as any;
+utilities.lazyLoad(exports, ["DynamoDB"], () => require("./dynamoDB"));
+
+export { EventBusArgs } from "./eventBus";
+export type EventBus = import("./eventBus").EventBus;
+export const EventBus: typeof import("./eventBus").EventBus = null as any;
+utilities.lazyLoad(exports, ["EventBus"], () => require("./eventBus"));
+
+export { HttpApiArgs } from "./httpApi";
+export type HttpApi = import("./httpApi").HttpApi;
+export const HttpApi: typeof import("./httpApi").HttpApi = null as any;
+utilities.lazyLoad(exports, ["HttpApi"], () => require("./httpApi"));
+
 export { LambdaArgs } from "./lambda";
 export type Lambda = import("./lambda").Lambda;
 export const Lambda: typeof import("./lambda").Lambda = null as any;
 utilities.lazyLoad(exports, ["Lambda"], () => require("./lambda"));
 
+export { OAuthAuthorizerArgs } from "./oauthAuthorizer";
+export type OAuthAuthorizer = import("./oauthAuthorizer").OAuthAuthorizer;
+export const OAuthAuthorizer: typeof import("./oauthAuthorizer").OAuthAuthorizer = null as any;
+utilities.lazyLoad(exports, ["OAuthAuthorizer"], () => require("./oauthAuthorizer"));
+
+export { QueueArgs } from "./queue";
+export type Queue = import("./queue").Queue;
+export const Queue: typeof import("./queue").Queue = null as any;
+utilities.lazyLoad(exports, ["Queue"], () => require("./queue"));
+
 export { SvelteKitSiteArgs } from "./svelteKitSite";
 export type SvelteKitSite = import("./svelteKitSite").SvelteKitSite;
 export const SvelteKitSite: typeof import("./svelteKitSite").SvelteKitSite = null as any;
 utilities.lazyLoad(exports, ["SvelteKitSite"], () => require("./svelteKitSite"));
 
+export { VpcArgs } from "./vpc";
+export type Vpc = import("./vpc").Vpc;
+export const Vpc: typeof import("./vpc").Vpc = null as any;
+utilities.lazyLoad(exports, ["Vpc"], () => require("./vpc"));
+
+export { VpcEndpointArgs } from "./vpcEndpoint";
+export type VpcEndpoint = import("./vpcEndpoint").VpcEndpoint;
+export const VpcEndpoint: typeof import("./vpcEndpoint").VpcEndpoint = null as any;
+utilities.lazyLoad(exports, ["VpcEndpoint"], () => require("./vpcEndpoint"));
+
 
 // Export enums:
 export * from "../types/enums/aws";
@@ -30,10 +75,28 @@ const _module = {
         switch (type) {
             case "anvil:aws:Bucket":
                 return new Bucket(name, <any>undefined, { urn })
+            case "anvil:aws:CognitoAuth":
+                return new CognitoAuth(name, <any>undefined, { urn })
+            case "anvil:aws:CognitoUserPool":
+                return new CognitoUserPool(name, <any>undefined, { urn })
+            case "anvil:aws:DynamoDB":
+                return new DynamoDB(name, <any>undefined, { urn })
+            case "anvil:aws:EventBus":
+                return new EventBus(name, <any>undefined, { urn })
+            case "anvil:aws:HttpApi":
+                return new HttpApi(name, <any>undefined, { urn })
             case "anvil:aws:Lambda":
                 return new Lambda(name, <any>undefined, { urn })
+            case "anvil:aws:OAuthAuthorizer":
+                return new OAuthAuthorizer(name, <any>undefined, { urn })
+            case "anvil:aws:Queue":
+                return new Queue(name, <any>undefined, { urn })
             case "anvil:aws:SvelteKitSite":
                 return new SvelteKitSite(name, <any>undefined, { urn })
+            case "anvil:aws:Vpc":
+                return new Vpc(name, <any>undefined, { urn })
+            case "anvil:aws:VpcEndpoint":
+                return new VpcEndpoint(name, <any>undefined, { urn })
             default:
                 throw new Error(`unknown resource type ${type}`);
         }