@anvil-cloud/sdk 0.0.13 → 0.0.15

package/aws/lambda.ts

@@ -44,6 +44,10 @@ export class Lambda extends pulumi.ComponentResource {
      * The ARN of the Lambda's IAM execution role.
      */
     declare public /*out*/ readonly roleArn: pulumi.Output<string>;
+    /**
+     * The ID of the dedicated security group created for this Lambda. Only populated when vpc is set. Use this to grant other resources access to this Lambda via the grant system.
+     */
+    declare public /*out*/ readonly securityGroupId: pulumi.Output<string | undefined>;
 
     /**
      * Create a Lambda resource with the given unique name, arguments, and options.
@@ -80,11 +84,13 @@ export class Lambda extends pulumi.ComponentResource {
             resourceInputs["functionName"] = undefined /*out*/;
             resourceInputs["functionUrl"] = undefined /*out*/;
             resourceInputs["roleArn"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
         } else {
             resourceInputs["arn"] = undefined /*out*/;
             resourceInputs["functionName"] = undefined /*out*/;
             resourceInputs["functionUrl"] = undefined /*out*/;
             resourceInputs["roleArn"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
         super(Lambda.__pulumiType, name, resourceInputs, opts, true /*remote*/);
@@ -165,11 +171,11 @@ export interface LambdaArgs {
     tracing?: pulumi.Input<boolean>;
     transform?: pulumi.Input<inputs.aws.LambdaTransformArgsArgs>;
     /**
-     * Enable a direct HTTPS endpoint for the function. Auth mode is AWS_IAM — never public. Default: false.
+     * Enable a direct HTTPS endpoint for the function. Auth mode is AWS_IAM - never public. Default: false.
      */
     url?: pulumi.Input<boolean>;
     /**
-     * VPC ID to place the Lambda in for access to private resources (RDS, ElastiCache, etc.).
+     * Places the Lambda inside a VPC for access to private resources such as RDS or ElastiCache. Anvil creates a dedicated security group with zero inbound and zero outbound rules. Nothing is reachable until explicitly granted via the grant system.
      */
-    vpc?: pulumi.Input<string>;
+    vpc?: pulumi.Input<inputs.aws.LambdaVpcArgsArgs>;
 }

package/aws/oauthAuthorizer.ts

@@ -0,0 +1,70 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "../utilities";
+
+/**
+ * An Anvil-managed JWT authorizer for HTTP API Gateway. Works with any OIDC-compliant identity provider — Auth0, Clerk, Google, Okta, Cognito. API Gateway verifies the JWT signature, issuer, audience, and expiry on every request natively — no Lambda or custom code required. Pass authorizerId to HttpApi defaultAuthorizerId to protect your routes.
+ */
+export class OAuthAuthorizer extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:OAuthAuthorizer';
+
+    /**
+     * Returns true if the given object is an instance of OAuthAuthorizer.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is OAuthAuthorizer {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === OAuthAuthorizer.__pulumiType;
+    }
+
+    /**
+     * The API Gateway authorizer ID. Pass this to HttpApi defaultAuthorizerId to protect your API routes.
+     */
+    declare public /*out*/ readonly authorizerId: pulumi.Output<string>;
+
+    /**
+     * Create a OAuthAuthorizer resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: OAuthAuthorizerArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.audience === undefined && !opts.urn) {
+                throw new Error("Missing required property 'audience'");
+            }
+            if (args?.issuer === undefined && !opts.urn) {
+                throw new Error("Missing required property 'issuer'");
+            }
+            resourceInputs["audience"] = args?.audience;
+            resourceInputs["issuer"] = args?.issuer;
+            resourceInputs["authorizerId"] = undefined /*out*/;
+        } else {
+            resourceInputs["authorizerId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(OAuthAuthorizer.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+
+/**
+ * The set of arguments for constructing a OAuthAuthorizer resource.
+ */
+export interface OAuthAuthorizerArgs {
+    /**
+     * The intended recipients of the JWT. API Gateway rejects tokens whose 'aud' claim does not match one of these values. Typically your API's client ID registered with the identity provider.
+     */
+    audience: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The OIDC issuer URL of your identity provider. API Gateway fetches public signing keys from {issuer}/.well-known/jwks.json to verify token signatures. Examples: Auth0: 'https://your-tenant.auth0.com/', Clerk: 'https://your-instance.clerk.accounts.dev', Google: 'https://accounts.google.com'.
+     */
+    issuer: pulumi.Input<string>;
+}

package/aws/queue.ts

@@ -0,0 +1,156 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
+import * as utilities from "../utilities";
+import * as grants from "../grants";
+
+/**
+ * An Anvil-managed SQS queue. A dead letter queue is always provisioned to prevent silent message loss. SSE-SQS encryption is enabled by default at no cost.
+ */
+export class Queue extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:Queue';
+
+    /** @internal Logical resource name for grant policy naming. */
+    private __name: string;
+
+    /**
+     * Returns true if the given object is an instance of Queue.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Queue {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Queue.__pulumiType;
+    }
+
+    /**
+     * The ARN of the SQS queue.
+     */
+    declare public /*out*/ readonly arn: pulumi.Output<string>;
+    /**
+     * The ARN of the dead letter queue.
+     */
+    declare public /*out*/ readonly dlqArn: pulumi.Output<string>;
+    /**
+     * The URL of the dead letter queue.
+     */
+    declare public /*out*/ readonly dlqUrl: pulumi.Output<string>;
+    /**
+     * The physical name of the SQS queue.
+     */
+    declare public /*out*/ readonly name: pulumi.Output<string>;
+    /**
+     * The URL of the SQS queue. Use this to send and receive messages.
+     */
+    declare public /*out*/ readonly url: pulumi.Output<string>;
+
+    /**
+     * Create a Queue resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: QueueArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["consumer"] = args?.consumer;
+            resourceInputs["dlq"] = args?.dlq;
+            resourceInputs["fifo"] = args?.fifo;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["dlqArn"] = undefined /*out*/;
+            resourceInputs["dlqUrl"] = undefined /*out*/;
+            resourceInputs["name"] = undefined /*out*/;
+            resourceInputs["url"] = undefined /*out*/;
+        } else {
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["dlqArn"] = undefined /*out*/;
+            resourceInputs["dlqUrl"] = undefined /*out*/;
+            resourceInputs["name"] = undefined /*out*/;
+            resourceInputs["url"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Queue.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+
+    /**
+     * Grants sendmessage access (sqs:SendMessage) on this queue
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    public grantSendMessage(target: grants.GrantTarget, opts?: grants.GrantOptions): void {
+        const name = `${this.__name}-${target.grantName()}-sendmessage`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["sqs:SendMessage"], arns, opts);
+    }
+
+    /**
+     * Grants consumemessages access (sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes) on this queue
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    public grantConsumeMessages(target: grants.GrantTarget, opts?: grants.GrantOptions): void {
+        const name = `${this.__name}-${target.grantName()}-consumemessages`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"], arns, opts);
+    }
+
+    /**
+     * Grants full access (sqs:SendMessage, sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes, sqs:ChangeMessageVisibility, sqs:PurgeQueue) on this queue
+     * to the target compute resource's execution role.
+     *
+     * This is an escape hatch — prefer scoped grants (grantRead, grantWrite, etc.).
+     * A warning is logged if no justification is provided.
+     */
+    public grantFullAccess(target: grants.GrantTarget, opts?: grants.GrantOptions): void {
+        if (!opts?.justification) {
+            pulumi.log.warn(
+                `⚠ ${this.__name} → ${target.grantName()}: full access granted with no justification. ` +
+                `Consider scoping with grantRead, grantWrite, or grantDelete, ` +
+                `or add a justification.`,
+                this,
+            );
+        } else {
+            pulumi.log.info(
+                `ℹ ${this.__name} → ${target.grantName()}: full access granted. Justification: "${opts.justification}"`,
+                this,
+            );
+        }
+        const name = `${this.__name}-${target.grantName()}-fullaccess`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:ChangeMessageVisibility", "sqs:PurgeQueue"], arns, opts);
+    }
+
+}
+
+/**
+ * The set of arguments for constructing a Queue resource.
+ */
+export interface QueueArgs {
+    /**
+     * Wires a compute resource to consume messages from this queue. Creates the event source mapping (trigger) and grants the necessary IAM permissions automatically.
+     */
+    consumer?: pulumi.Input<inputs.aws.QueueConsumerArgsArgs>;
+    /**
+     * Dead letter queue configuration. Always provisioned — messages that fail processing are moved here instead of being silently dropped. Omit to use defaults (managed DLQ, maxReceiveCount: 3). Set arn to reuse an existing queue.
+     */
+    dlq?: pulumi.Input<inputs.aws.QueueDlqArgsArgs>;
+    /**
+     * Creates a FIFO queue when true. FIFO queues guarantee message ordering and exactly-once processing but have lower throughput (~3,000 msg/s vs unlimited for standard). Use for financial transactions, inventory updates, or any workflow where ordering or deduplication matters. Default: false.
+     */
+    fifo?: pulumi.Input<boolean>;
+    transform?: pulumi.Input<inputs.aws.QueueTransformArgsArgs>;
+}

package/aws/svelteKitSite.ts

@@ -2,6 +2,9 @@
 // *** Do not edit by hand unless you're certain you know what you are doing! ***
 
 import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
 import * as utilities from "../utilities";
 
 export class SvelteKitSite extends pulumi.ComponentResource {
@@ -23,6 +26,10 @@ export class SvelteKitSite extends pulumi.ComponentResource {
     declare public /*out*/ readonly cloudFrontDistributionId: pulumi.Output<string | undefined>;
     declare public /*out*/ readonly dnsRecords: pulumi.Output<string | undefined>;
     declare public /*out*/ readonly functionName: pulumi.Output<string | undefined>;
+    /**
+     * OriginSecret is the x-origin-secret header value to configure in Cloudflare Transform Rules. Only populated when originProtection is set.
+     */
+    declare public /*out*/ readonly originSecret: pulumi.Output<string | undefined>;
     declare public /*out*/ readonly url: pulumi.Output<string | undefined>;
 
     /**
@@ -38,6 +45,7 @@ export class SvelteKitSite extends pulumi.ComponentResource {
         if (!opts.id) {
             resourceInputs["domain"] = args?.domain;
             resourceInputs["environment"] = args?.environment;
+            resourceInputs["originProtection"] = args?.originProtection;
             resourceInputs["path"] = args?.path;
             resourceInputs["runtimeEnvironment"] = args?.runtimeEnvironment;
             resourceInputs["transform"] = args?.transform;
@@ -45,12 +53,14 @@ export class SvelteKitSite extends pulumi.ComponentResource {
             resourceInputs["cloudFrontDistributionId"] = undefined /*out*/;
             resourceInputs["dnsRecords"] = undefined /*out*/;
             resourceInputs["functionName"] = undefined /*out*/;
+            resourceInputs["originSecret"] = undefined /*out*/;
             resourceInputs["url"] = undefined /*out*/;
         } else {
             resourceInputs["bucketName"] = undefined /*out*/;
             resourceInputs["cloudFrontDistributionId"] = undefined /*out*/;
             resourceInputs["dnsRecords"] = undefined /*out*/;
             resourceInputs["functionName"] = undefined /*out*/;
+            resourceInputs["originSecret"] = undefined /*out*/;
             resourceInputs["url"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
@@ -67,6 +77,10 @@ export interface SvelteKitSiteArgs {
      * Environment vars available at BOTH build time and runtime. Values must be string literals since they're needed before the build runs.
      */
     environment?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+    /**
+     * OriginProtection enables WAF-based origin protection. When set, a WAF WebACL is created that blocks requests missing the x-origin-secret header. The secret value is output as originSecret. Requires domain to be set.
+     */
+    originProtection?: pulumi.Input<inputs.aws.SiteOriginProtectionArgs>;
     path?: pulumi.Input<string>;
     /**
      * Runtime-only environment vars set on the Lambda function. Supports Pulumi Output values (e.g. bucket.name, fn.arn). Only available at request time, NOT during build/prerendering.

package/aws/vpc.ts

@@ -0,0 +1,159 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
+import * as utilities from "../utilities";
+
+export class Vpc extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:Vpc';
+
+    /**
+     * Returns true if the given object is an instance of Vpc.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Vpc {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Vpc.__pulumiType;
+    }
+
+    /**
+     * The resolved Availability Zone names, e.g. ['ap-southeast-2a']. Consumed by RDS Multi-AZ, ECS spread, and other downstream components.
+     */
+    declare public readonly availabilityZones: pulumi.Output<string[]>;
+    /**
+     * The EC2 instance ID of the bastion host. Use with: aws ssm start-session --target <bastionInstanceId>. Only populated when bastion is enabled.
+     */
+    declare public /*out*/ readonly bastionInstanceId: pulumi.Output<string | undefined>;
+    /**
+     * The security group ID of the bastion host. Use to grant the bastion access to private resources, e.g. db.grant(network.bastion, { access: 'readWrite' }). Only populated when bastion is enabled.
+     */
+    declare public /*out*/ readonly bastionSecurityGroupId: pulumi.Output<string | undefined>;
+    /**
+     * The ID of the VPC default security group. All rules removed — not used by Anvil components.
+     */
+    declare public /*out*/ readonly defaultSecurityGroupId: pulumi.Output<string>;
+    /**
+     * The IDs of the private subnets, one per AZ. Used by Lambda, ECS tasks, EC2, and RDS.
+     */
+    declare public /*out*/ readonly privateSubnetIds: pulumi.Output<string[]>;
+    /**
+     * The IDs of the public subnets, one per AZ. Used by load balancers, NAT Gateways, and the bastion host.
+     */
+    declare public /*out*/ readonly publicSubnetIds: pulumi.Output<string[]>;
+    /**
+     * The ID of the VPC.
+     */
+    declare public /*out*/ readonly vpcId: pulumi.Output<string>;
+
+    /**
+     * Create a Vpc resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: VpcArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["availabilityZones"] = args?.availabilityZones;
+            resourceInputs["bastion"] = args?.bastion;
+            resourceInputs["cidr"] = args?.cidr;
+            resourceInputs["flowLogs"] = args?.flowLogs;
+            resourceInputs["nat"] = args?.nat;
+            resourceInputs["bastionInstanceId"] = undefined /*out*/;
+            resourceInputs["bastionSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["defaultSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["privateSubnetIds"] = undefined /*out*/;
+            resourceInputs["publicSubnetIds"] = undefined /*out*/;
+            resourceInputs["vpcId"] = undefined /*out*/;
+        } else {
+            resourceInputs["availabilityZones"] = undefined /*out*/;
+            resourceInputs["bastionInstanceId"] = undefined /*out*/;
+            resourceInputs["bastionSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["defaultSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["privateSubnetIds"] = undefined /*out*/;
+            resourceInputs["publicSubnetIds"] = undefined /*out*/;
+            resourceInputs["vpcId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Vpc.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+    /**
+     * Imports an existing Vpc into Anvil without managing or modifying it.
+     * Returns an identical output shape to `new Vpc()`.
+     *
+     * Flow logs, NAT, and bastion are not available on an imported VPC.
+     *
+     * If subnet IDs are omitted, Anvil auto-discovers them by inspecting
+     * route tables. Provide IDs explicitly if auto-discovery fails.
+     *
+     * @example
+     * const network = Vpc.fromId("existing", {
+     *   vpcId: "vpc-0abc123def456",
+     * });
+     */
+    static fromId(
+      name: string,
+      args: {
+        vpcId: string;
+        privateSubnetIds?: string[];
+        publicSubnetIds?: string[];
+      },
+      opts?: pulumi.ComponentResourceOptions
+    ): Vpc {
+      return new Vpc(name, args as any, {
+        ...opts,
+        id: args.vpcId,
+      });
+    }
+
+}
+
+/**
+ * The set of arguments for constructing a Vpc resource.
+ */
+export interface VpcArgs {
+    /**
+     * Number of Availability Zones to deploy subnets into. Valid values: 1, 2, 3. Defaults to 1. Inherits from App.defaults.availability — 'high' maps to 3, 'low' maps to 1.
+     */
+    availabilityZones?: pulumi.Input<number>;
+    /**
+     * Optional SSM bastion host for private network access. No SSH, no port 22 — access via AWS SSM Session Manager only. Use to connect to RDS, ElastiCache, and other private resources locally.
+     */
+    bastion?: pulumi.Input<boolean | inputs.aws.VpcBastionArgsArgs>;
+    /**
+     * The IPv4 CIDR block for the VPC. Default: '10.0.0.0/16'. Public subnets carved from offset 0 (/24 each), private subnets from offset 10 (/24 each).
+     */
+    cidr?: pulumi.Input<string>;
+    /**
+     * Optional VPC Flow Log configuration. Opt-in only. Either or both destinations can be enabled simultaneously. CloudWatch for active debugging, S3 for long-term compliance retention.
+     */
+    flowLogs?: pulumi.Input<inputs.aws.VpcFlowLogsArgsArgs>;
+    /**
+     * Optional NAT configuration for outbound internet access from private subnets. Omit for a fully private VPC.
+     */
+    nat?: pulumi.Input<inputs.aws.VpcNatArgsArgs>;
+}
+
+/**
+ * Normalises the `bastion` shorthand so the Pulumi provider
+ * always receives an object, never a raw boolean.
+ *
+ *   bastion: true          // enable with all defaults
+ *   bastion: {}            // identical to true
+ *   bastion: { ... }       // enable with custom config
+ */
+export function normaliseBastion(
+  val: boolean | inputs.aws.VpcBastionArgsArgs | undefined
+): inputs.aws.VpcBastionArgsArgs | undefined {
+  if (val === undefined || val === false) return undefined;
+  if (val === true) return {};
+  return val;
+}

package/aws/vpcEndpoint.ts

@@ -0,0 +1,98 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
+import * as utilities from "../utilities";
+
+/**
+ * An Anvil-managed AWS Interface VPC Endpoint. Creates one ENI per private subnet with private DNS enabled. The endpoint security group uses a self-referencing ingress rule on port 443 — only compute resources that have been explicitly granted access can reach the endpoint at the network layer. Access is enforced at three layers: network (self-referencing SG), IAM role policy (scoped per compute resource), and endpoint policy (blanket ceiling on allowed actions for all compute principals — Lambda, ECS, EC2).
+ */
+export class VpcEndpoint extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:VpcEndpoint';
+
+    /**
+     * Returns true if the given object is an instance of VpcEndpoint.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is VpcEndpoint {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === VpcEndpoint.__pulumiType;
+    }
+
+    /**
+     * The first DNS name assigned to the endpoint, e.g. vpce-xxx.sqs.ap-southeast-2.vpce.amazonaws.com. With private DNS enabled, normal consumers use the standard AWS SDK hostname — this is exposed for debugging and multi-VPC architectures only.
+     */
+    declare public /*out*/ readonly dnsName: pulumi.Output<string>;
+    /**
+     * The ID of the VPC endpoint, e.g. vpce-0abc1234567890abc. Use this to reference the endpoint in IAM condition keys such as aws:SourceVpce.
+     */
+    declare public /*out*/ readonly endpointId: pulumi.Output<string>;
+    /**
+     * The ID of the dedicated security group attached to this endpoint. Uses a self-referencing ingress rule on port 443 — only compute resources with this SG explicitly attached can reach the endpoint at the network layer.
+     */
+    declare public /*out*/ readonly securityGroupId: pulumi.Output<string>;
+
+    /**
+     * Create a VpcEndpoint resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: VpcEndpointArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.privateSubnetIds === undefined && !opts.urn) {
+                throw new Error("Missing required property 'privateSubnetIds'");
+            }
+            if (args?.service === undefined && !opts.urn) {
+                throw new Error("Missing required property 'service'");
+            }
+            if (args?.vpcId === undefined && !opts.urn) {
+                throw new Error("Missing required property 'vpcId'");
+            }
+            resourceInputs["overridePermissions"] = args?.overridePermissions;
+            resourceInputs["privateSubnetIds"] = args?.privateSubnetIds;
+            resourceInputs["service"] = args?.service;
+            resourceInputs["vpcId"] = args?.vpcId;
+            resourceInputs["dnsName"] = undefined /*out*/;
+            resourceInputs["endpointId"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
+        } else {
+            resourceInputs["dnsName"] = undefined /*out*/;
+            resourceInputs["endpointId"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(VpcEndpoint.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+
+/**
+ * The set of arguments for constructing a VpcEndpoint resource.
+ */
+export interface VpcEndpointArgs {
+    /**
+     * Explicit Allow and Deny permission statements for the endpoint policy. When omitted, the endpoint policy allows all actions (*) for all Anvil compute principals (Lambda, ECS, EC2). When set, only the declared actions are permitted — the caller is responsible for declaring every action their compute resources need. Supports both Allow and Deny effects. Resource defaults to "*" if omitted on a permission entry.
+     */
+    overridePermissions?: pulumi.Input<pulumi.Input<inputs.aws.VpcEndpointPermissionArgs>[]>;
+    /**
+     * The IDs of the private subnets to attach the endpoint to. AWS places one ENI per subnet. Pass all private subnet IDs from your VPC — typically one per AZ.
+     */
+    privateSubnetIds: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The AWS service to route privately. The full com.amazonaws.{region}.{service} name is constructed at deploy time from the resolved region — you never write it manually.
+     */
+    service: pulumi.Input<string>;
+    /**
+     * The ID of the VPC to create the endpoint in. Accepts both Anvil-managed VPC IDs and imported VPC IDs.
+     */
+    vpcId: pulumi.Input<string>;
+}

package/bin/aws/cognitoAuth.d.ts

@@ -0,0 +1,36 @@
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * An Anvil-managed JWT authorizer backed by a Cognito user pool. Derives the issuer URL automatically from the user pool ID — no manual Cognito endpoint construction required. Creates a native API Gateway JWT authorizer; verification is handled entirely by API Gateway with no Lambda or custom code. Pass authorizerId to HttpApi defaultAuthorizerId to protect your API routes.
+ */
+export declare class CognitoAuth extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of CognitoAuth.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is CognitoAuth;
+    /**
+     * The API Gateway authorizer ID. Pass this to HttpApi defaultAuthorizerId to protect your API routes.
+     */
+    readonly authorizerId: pulumi.Output<string>;
+    /**
+     * Create a CognitoAuth resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: CognitoAuthArgs, opts?: pulumi.ComponentResourceOptions);
+}
+/**
+ * The set of arguments for constructing a CognitoAuth resource.
+ */
+export interface CognitoAuthArgs {
+    /**
+     * The Cognito app client IDs allowed to access this API. API Gateway rejects tokens whose 'aud' claim does not match one of these values. Pass your Cognito app client ID(s) here.
+     */
+    audience: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The Cognito user pool ID. Pass pool.userPoolId directly. Accepts Output<string>. Anvil derives the issuer URL automatically: https://cognito-idp.{region}.amazonaws.com/{userPoolId}.
+     */
+    userPoolId: any;
+}