@anvil-cloud/sdk 0.0.13 → 0.0.15

package/bin/aws/cognitoAuth.js

@@ -0,0 +1,53 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CognitoAuth = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * An Anvil-managed JWT authorizer backed by a Cognito user pool. Derives the issuer URL automatically from the user pool ID — no manual Cognito endpoint construction required. Creates a native API Gateway JWT authorizer; verification is handled entirely by API Gateway with no Lambda or custom code. Pass authorizerId to HttpApi defaultAuthorizerId to protect your API routes.
+ */
+class CognitoAuth extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of CognitoAuth.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CognitoAuth.__pulumiType;
+    }
+    /**
+     * Create a CognitoAuth resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.audience === undefined && !opts.urn) {
+                throw new Error("Missing required property 'audience'");
+            }
+            if (args?.userPoolId === undefined && !opts.urn) {
+                throw new Error("Missing required property 'userPoolId'");
+            }
+            resourceInputs["audience"] = args?.audience;
+            resourceInputs["userPoolId"] = args?.userPoolId;
+            resourceInputs["authorizerId"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["authorizerId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CognitoAuth.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+exports.CognitoAuth = CognitoAuth;
+/** @internal */
+CognitoAuth.__pulumiType = 'anvil:aws:CognitoAuth';
+//# sourceMappingURL=cognitoAuth.js.map

package/bin/aws/cognitoAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognitoAuth.js","sourceRoot":"","sources":["../../aws/cognitoAuth.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;GAEG;AACH,MAAa,WAAY,SAAQ,MAAM,CAAC,iBAAiB;IAIrD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,WAAW,CAAC,YAAY,CAAC;IAC5D,CAAC;IAOD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAqB,EAAE,IAAsC;QACnF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,QAAQ,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC3C,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;aAC3D;YACD,IAAI,IAAI,EAAE,UAAU,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC7C,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;aAC7D;YACD,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,YAAY,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC;YAChD,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACtD;aAAM;YACH,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACtD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACjF,CAAC;;AA7CL,kCA8CC;AA7CG,gBAAgB;AACO,wBAAY,GAAG,uBAAuB,CAAC"}

package/bin/aws/cognitoUserPool.d.ts

@@ -0,0 +1,82 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+/**
+ * An Anvil-managed Cognito user pool. Tier 1 controls (deletion protection, enforced password policy, account recovery via email) are always on. Pair with CognitoAuth to protect API Gateway routes.
+ */
+export declare class CognitoUserPool extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of CognitoUserPool.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is CognitoUserPool;
+    /**
+     * The ID of the default app client. Pass to CognitoAuth audience.
+     */
+    readonly appClientId: pulumi.Output<string>;
+    /**
+     * The client secret of the default app client. Only populated when appClient.generateSecret is true. Treat as sensitive.
+     */
+    readonly appClientSecret: pulumi.Output<string | undefined>;
+    /**
+     * The CloudFront distribution domain for the custom hosted UI. Only populated when hostedUi.customDomain is true. Create a Route53 alias record pointing hostedUi.domain to this value to complete DNS setup. Empty string for Cognito-managed domains.
+     */
+    readonly cloudFrontDomain: pulumi.Output<string>;
+    /**
+     * The Cognito OIDC issuer URL. Format: https://cognito-idp.{region}.amazonaws.com/{userPoolId}. Pass directly to CognitoAuth if building the authorizer manually.
+     */
+    readonly endpoint: pulumi.Output<string>;
+    /**
+     * The full hosted UI domain (e.g. https://auth.myapp.com or https://myprefix.auth.us-east-1.amazoncognito.com). Empty string if hostedUi is not configured.
+     */
+    readonly hostedUiDomain: pulumi.Output<string>;
+    /**
+     * The ARN of the Cognito user pool.
+     */
+    readonly userPoolArn: pulumi.Output<string>;
+    /**
+     * The Cognito user pool ID. Pass to CognitoAuth.userPoolId.
+     */
+    readonly userPoolId: pulumi.Output<string>;
+    /**
+     * Create a CognitoUserPool resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CognitoUserPoolArgs, opts?: pulumi.ComponentResourceOptions);
+}
+/**
+ * The set of arguments for constructing a CognitoUserPool resource.
+ */
+export interface CognitoUserPoolArgs {
+    /**
+     * Default app client created with the user pool. Covers the 80% case of one application per pool. Use transform for additional clients.
+     */
+    appClient?: pulumi.Input<inputs.aws.CognitoUserPoolAppClientArgs>;
+    /**
+     * User attribute configuration. Controls sign-in identifiers and required attributes on sign-up.
+     */
+    attributes?: pulumi.Input<inputs.aws.CognitoUserPoolAttributesArgs>;
+    /**
+     * Email delivery configuration. Default: Cognito-managed email (5 emails/day limit). Set sesFromAddress for SES delivery in production.
+     */
+    emailConfiguration?: pulumi.Input<inputs.aws.CognitoUserPoolEmailConfigurationArgs>;
+    /**
+     * Hosted UI / Managed Login configuration. Omit to use the Cognito user pools API directly without a hosted sign-in page.
+     */
+    hostedUi?: pulumi.Input<inputs.aws.CognitoUserPoolHostedUiArgs>;
+    /**
+     * External identity providers to federate with this user pool. Supports Google, Facebook, LoginWithAmazon, SignInWithApple, OIDC, and SAML. Schema never changes per provider — add new providers by extending this array.
+     */
+    identityProviders?: pulumi.Input<pulumi.Input<inputs.aws.CognitoUserPoolIdentityProviderArgs>[]>;
+    /**
+     * MFA configuration. TOTP requires no additional AWS resources. SMS requires an SNS caller ARN.
+     */
+    mfa?: pulumi.Input<inputs.aws.CognitoUserPoolMfaArgs>;
+    /**
+     * Password policy for the user pool. Anvil enforces a secure baseline by default — override only to strengthen.
+     */
+    passwordPolicy?: pulumi.Input<inputs.aws.CognitoUserPoolPasswordPolicyArgs>;
+    transform?: pulumi.Input<inputs.aws.CognitoUserPoolTransformArgsArgs>;
+}

package/bin/aws/cognitoUserPool.js

@@ -0,0 +1,65 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CognitoUserPool = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * An Anvil-managed Cognito user pool. Tier 1 controls (deletion protection, enforced password policy, account recovery via email) are always on. Pair with CognitoAuth to protect API Gateway routes.
+ */
+class CognitoUserPool extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of CognitoUserPool.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CognitoUserPool.__pulumiType;
+    }
+    /**
+     * Create a CognitoUserPool resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["appClient"] = args?.appClient;
+            resourceInputs["attributes"] = args?.attributes;
+            resourceInputs["emailConfiguration"] = args?.emailConfiguration;
+            resourceInputs["hostedUi"] = args?.hostedUi;
+            resourceInputs["identityProviders"] = args?.identityProviders;
+            resourceInputs["mfa"] = args?.mfa;
+            resourceInputs["passwordPolicy"] = args?.passwordPolicy;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["appClientId"] = undefined /*out*/;
+            resourceInputs["appClientSecret"] = undefined /*out*/;
+            resourceInputs["cloudFrontDomain"] = undefined /*out*/;
+            resourceInputs["endpoint"] = undefined /*out*/;
+            resourceInputs["hostedUiDomain"] = undefined /*out*/;
+            resourceInputs["userPoolArn"] = undefined /*out*/;
+            resourceInputs["userPoolId"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["appClientId"] = undefined /*out*/;
+            resourceInputs["appClientSecret"] = undefined /*out*/;
+            resourceInputs["cloudFrontDomain"] = undefined /*out*/;
+            resourceInputs["endpoint"] = undefined /*out*/;
+            resourceInputs["hostedUiDomain"] = undefined /*out*/;
+            resourceInputs["userPoolArn"] = undefined /*out*/;
+            resourceInputs["userPoolId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CognitoUserPool.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+exports.CognitoUserPool = CognitoUserPool;
+/** @internal */
+CognitoUserPool.__pulumiType = 'anvil:aws:CognitoUserPool';
+//# sourceMappingURL=cognitoUserPool.js.map

package/bin/aws/cognitoUserPool.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognitoUserPool.js","sourceRoot":"","sources":["../../aws/cognitoUserPool.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAI1C;;GAEG;AACH,MAAa,eAAgB,SAAQ,MAAM,CAAC,iBAAiB;IAIzD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,eAAe,CAAC,YAAY,CAAC;IAChE,CAAC;IA+BD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAA0B,EAAE,IAAsC;QACxF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,YAAY,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC;YAChD,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,EAAE,kBAAkB,CAAC;YAChE,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,EAAE,iBAAiB,CAAC;YAC9D,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;YAClC,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC;YACxD,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACtD,cAAc,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACvD,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/C,cAAc,CAAC,gBAAgB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACrD,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACpD;aAAM;YACH,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACtD,cAAc,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACvD,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/C,cAAc,CAAC,gBAAgB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACrD,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACpD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,eAAe,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACrF,CAAC;;AAjFL,0CAkFC;AAjFG,gBAAgB;AACO,4BAAY,GAAG,2BAA2B,CAAC"}

package/bin/aws/dynamoDB.d.ts

@@ -0,0 +1,115 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as grants from "../grants";
+/**
+ * Serverless key-value and document store. Secure-by-default DynamoDB table with GSI support, optional streams, and Lambda/EventBridge consumers. First data layer component — pairs naturally with anvil.aws.Lambda.
+ */
+export declare class DynamoDB extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of DynamoDB.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is DynamoDB;
+    /**
+     * The ARN of the DynamoDB stream. Only present when stream is enabled.
+     */
+    readonly streamArn: pulumi.Output<string | undefined>;
+    /**
+     * The ARN of the DynamoDB table.
+     */
+    readonly tableArn: pulumi.Output<string>;
+    /**
+     * The physical DynamoDB table name. Scoped as {name}-{stage}.
+     */
+    readonly tableName: pulumi.Output<string>;
+    /**
+     * Create a DynamoDB resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: DynamoDBArgs, opts?: pulumi.ComponentResourceOptions);
+    /**
+     * Grants read access (dynamodb:GetItem, dynamodb:BatchGetItem, dynamodb:Query, dynamodb:Scan) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantRead(target: grants.GrantTarget, opts?: {
+        indexes?: string[];
+        justification?: string;
+    }): void;
+    /**
+     * Grants write access (dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:BatchWriteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantWrite(target: grants.GrantTarget, opts?: {
+        indexes?: string[];
+        justification?: string;
+    }): void;
+    /**
+     * Grants readwrite access (dynamodb:GetItem, dynamodb:BatchGetItem, dynamodb:Query, dynamodb:Scan, dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:BatchWriteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantReadWrite(target: grants.GrantTarget, opts?: {
+        indexes?: string[];
+        justification?: string;
+    }): void;
+    /**
+     * Grants delete access (dynamodb:DeleteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantDelete(target: grants.GrantTarget, opts?: {
+        indexes?: string[];
+        justification?: string;
+    }): void;
+}
+/**
+ * The set of arguments for constructing a DynamoDB resource.
+ */
+export interface DynamoDBArgs {
+    /**
+     * Global Secondary Indexes. All GSI key types must be explicitly declared — Anvil derives attributeDefinitions automatically from all declared keys.
+     */
+    globalSecondaryIndexes?: pulumi.Input<pulumi.Input<inputs.aws.DynamoDBGlobalSecondaryIndexArgs>[]>;
+    /**
+     * Primary hash (partition) key. Required.
+     */
+    hashKey: pulumi.Input<inputs.aws.DynamoDBKeyAttributeArgs>;
+    /**
+     * Tier 2 opt-in. ARN of a KMS CMK for encryption at rest. If omitted, AWS_OWNED_KMS is used (Tier 1 default — always on, zero cost). Use this for compliance workloads requiring key rotation control, audit trail, or the ability to revoke access by disabling the key.
+     */
+    kmsKeyArn?: pulumi.Input<string>;
+    /**
+     * Primary range (sort) key. Optional.
+     */
+    rangeKey?: pulumi.Input<inputs.aws.DynamoDBKeyAttributeArgs>;
+    /**
+     * DynamoDB Streams configuration. Opt-in. Enables change data capture on the table.
+     */
+    stream?: pulumi.Input<inputs.aws.DynamoDBStreamArgs>;
+    transform?: pulumi.Input<inputs.aws.DynamoTransformArgsArgs>;
+    /**
+     * Name of the attribute used for TTL (time-to-live). Items with this attribute set to a past Unix timestamp are automatically deleted by DynamoDB.
+     */
+    ttlAttribute?: pulumi.Input<string>;
+}

package/bin/aws/dynamoDB.js

@@ -0,0 +1,121 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DynamoDB = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+const grants = require("../grants");
+/**
+ * Serverless key-value and document store. Secure-by-default DynamoDB table with GSI support, optional streams, and Lambda/EventBridge consumers. First data layer component — pairs naturally with anvil.aws.Lambda.
+ */
+class DynamoDB extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of DynamoDB.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === DynamoDB.__pulumiType;
+    }
+    /**
+     * Create a DynamoDB resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.hashKey === undefined && !opts.urn) {
+                throw new Error("Missing required property 'hashKey'");
+            }
+            resourceInputs["globalSecondaryIndexes"] = args?.globalSecondaryIndexes;
+            resourceInputs["hashKey"] = args?.hashKey;
+            resourceInputs["kmsKeyArn"] = args?.kmsKeyArn;
+            resourceInputs["rangeKey"] = args?.rangeKey;
+            resourceInputs["stream"] = args?.stream;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["ttlAttribute"] = args?.ttlAttribute;
+            resourceInputs["streamArn"] = undefined /*out*/;
+            resourceInputs["tableArn"] = undefined /*out*/;
+            resourceInputs["tableName"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["streamArn"] = undefined /*out*/;
+            resourceInputs["tableArn"] = undefined /*out*/;
+            resourceInputs["tableName"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(DynamoDB.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+    /**
+     * Grants read access (dynamodb:GetItem, dynamodb:BatchGetItem, dynamodb:Query, dynamodb:Scan) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantRead(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-read`;
+        const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+        const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+        grants.createGrant(this, name, target, ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan"], arns, { justification: opts?.justification });
+    }
+    /**
+     * Grants write access (dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:BatchWriteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantWrite(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-write`;
+        const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+        const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+        grants.createGrant(this, name, target, ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem"], arns, { justification: opts?.justification });
+    }
+    /**
+     * Grants readwrite access (dynamodb:GetItem, dynamodb:BatchGetItem, dynamodb:Query, dynamodb:Scan, dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:BatchWriteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantReadWrite(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-readwrite`;
+        const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+        const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+        grants.createGrant(this, name, target, ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem"], arns, { justification: opts?.justification });
+    }
+    /**
+     * Grants delete access (dynamodb:DeleteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantDelete(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-delete`;
+        const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+        const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+        grants.createGrant(this, name, target, ["dynamodb:DeleteItem"], arns, { justification: opts?.justification });
+    }
+}
+exports.DynamoDB = DynamoDB;
+/** @internal */
+DynamoDB.__pulumiType = 'anvil:aws:DynamoDB';
+//# sourceMappingURL=dynamoDB.js.map

package/bin/aws/dynamoDB.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dynamoDB.js","sourceRoot":"","sources":["../../aws/dynamoDB.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAG1C,oCAAoC;AAEpC;;GAEG;AACH,MAAa,QAAS,SAAQ,MAAM,CAAC,iBAAiB;IAOlD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,QAAQ,CAAC,YAAY,CAAC;IACzD,CAAC;IAeD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAkB,EAAE,IAAsC;QAChF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,cAAc,CAAC,wBAAwB,CAAC,GAAG,IAAI,EAAE,sBAAsB,CAAC;YACxE,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,cAAc,CAAC,GAAG,IAAI,EAAE,YAAY,CAAC;YACpD,cAAc,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAChD,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/C,cAAc,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACnD;aAAM;YACH,cAAc,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAChD,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/C,cAAc,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACnD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1E,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAEC;;;;;;;;OAQG;IACI,SAAS,CAAC,MAA0B,EAAE,IAAqD;QAC9F,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC;QACzD,MAAM,UAAU,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjE,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,kBAAkB,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,eAAe,CAAC,EAAE,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IAC3K,CAAC;IAED;;;;;;;;OAQG;IACI,UAAU,CAAC,MAA0B,EAAE,IAAqD;QAC/F,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC;QAC1D,MAAM,UAAU,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjE,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,kBAAkB,EAAE,qBAAqB,EAAE,yBAAyB,CAAC,EAAE,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IACjK,CAAC;IAED;;;;;;;;OAQG;IACI,cAAc,CAAC,MAA0B,EAAE,IAAqD;QACnG,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC;QAC9D,MAAM,UAAU,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjE,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,kBAAkB,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,eAAe,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,yBAAyB,CAAC,EAAE,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IACjP,CAAC;IAED;;;;;;;;OAQG;IACI,WAAW,CAAC,MAA0B,EAAE,IAAqD;QAChG,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC;QAC3D,MAAM,UAAU,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjE,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,qBAAqB,CAAC,EAAE,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IAClH,CAAC;;AA/HP,4BAiIC;AAhIG,gBAAgB;AACO,qBAAY,GAAG,oBAAoB,CAAC"}

package/bin/aws/eventBus.d.ts

@@ -0,0 +1,47 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as grants from "../grants";
+/**
+ * An Anvil-managed EventBridge event bus. Archives events for 7 days by default for replay and debugging. Rules route matching events to Lambda targets.
+ */
+export declare class EventBus extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of EventBus.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is EventBus;
+    /**
+     * The ARN of the EventBridge event bus.
+     */
+    readonly arn: pulumi.Output<string>;
+    /**
+     * The name of the EventBridge event bus. Pass to HttpApi consumer: { eventBridge: { name: bus.name } }
+     */
+    readonly name: pulumi.Output<string>;
+    /**
+     * Create a EventBus resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: EventBusArgs, opts?: pulumi.ComponentResourceOptions);
+    /**
+     * Grants putevents access (events:PutEvents) on this eventbus
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantPutEvents(target: grants.GrantTarget, opts?: grants.GrantOptions): void;
+}
+/**
+ * The set of arguments for constructing a EventBus resource.
+ */
+export interface EventBusArgs {
+    /**
+     * EventBridge rules on this bus. Each rule matches events by pattern and routes them to a target.
+     */
+    rules?: pulumi.Input<pulumi.Input<inputs.aws.EventBusRuleArgs>[]>;
+    transform?: pulumi.Input<inputs.aws.EventBridgeTransformArgsArgs>;
+}

package/bin/aws/eventBus.js

@@ -0,0 +1,63 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EventBus = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+const grants = require("../grants");
+/**
+ * An Anvil-managed EventBridge event bus. Archives events for 7 days by default for replay and debugging. Rules route matching events to Lambda targets.
+ */
+class EventBus extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of EventBus.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === EventBus.__pulumiType;
+    }
+    /**
+     * Create a EventBus resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["rules"] = args?.rules;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["name"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["name"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(EventBus.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+    /**
+     * Grants putevents access (events:PutEvents) on this eventbus
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantPutEvents(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-putevents`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["events:PutEvents"], arns, opts);
+    }
+}
+exports.EventBus = EventBus;
+/** @internal */
+EventBus.__pulumiType = 'anvil:aws:EventBus';
+//# sourceMappingURL=eventBus.js.map

package/bin/aws/eventBus.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eventBus.js","sourceRoot":"","sources":["../../aws/eventBus.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAG1C,oCAAoC;AAEpC;;GAEG;AACH,MAAa,QAAS,SAAQ,MAAM,CAAC,iBAAiB;IAOlD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,QAAQ,CAAC,YAAY,CAAC;IACzD,CAAC;IAWD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAmB,EAAE,IAAsC;QACjF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,cAAc,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC;YACtC,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC9C;aAAM;YACH,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC9C;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1E,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAED;;;;;;OAMG;IACI,cAAc,CAAC,MAA0B,EAAE,IAA0B;QACxE,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC;QAC9D,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC3D,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,kBAAkB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC7E,CAAC;;AA9DL,4BAgEC;AA/DG,gBAAgB;AACO,qBAAY,GAAG,oBAAoB,CAAC"}

package/bin/aws/httpApi.d.ts

@@ -0,0 +1,66 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+/**
+ * An Anvil-managed AWS HTTP API Gateway (API Gateway v2). Route-level consumers support Lambda, SQS, EventBridge, Step Functions, and HTTP proxy integrations. Secure by default: TLS 1.2 minimum enforced on custom domains, execute-api endpoint disabled when a custom domain is set, conservative throttling defaults (1000 rps / 500 burst), CORS opt-in with wildcard origin blocked, per-consumer least-privilege IAM roles, access logs on by default.
+ */
+export declare class HttpApi extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of HttpApi.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is HttpApi;
+    /**
+     * The default execute-api endpoint URL. Empty string when a custom domain is set and the execute-api endpoint is disabled.
+     */
+    readonly apiEndpoint: pulumi.Output<string>;
+    /**
+     * The API Gateway HTTP API ID.
+     */
+    readonly apiId: pulumi.Output<string>;
+    /**
+     * ACM cert validation CNAME. Only populated when domain.dns: false and domain.certificateArn is omitted. Add this record in Cloudflare (or your DNS provider) then re-run deploy — Anvil blocks until ACM confirms validation.
+     */
+    readonly certValidationCname: pulumi.Output<outputs.aws.HttpApiCertValidationCname>;
+    /**
+     * The primary URL for the API. When a custom domain is configured this is the custom domain URL. Otherwise it is the execute-api endpoint URL.
+     */
+    readonly url: pulumi.Output<string>;
+    /**
+     * Create a HttpApi resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: HttpApiArgs, opts?: pulumi.ComponentResourceOptions);
+}
+/**
+ * The set of arguments for constructing a HttpApi resource.
+ */
+export interface HttpApiArgs {
+    /**
+     * Optional CORS configuration. Opt-in — omit to disable CORS entirely. When enabled, allowOrigins is required and wildcard '*' is blocked as a security measure.
+     */
+    cors?: pulumi.Input<inputs.aws.HttpApiCorsArgs>;
+    /**
+     * The API Gateway authorizer ID to apply to all routes. Pass auth.authorizerId from an OAuthAuthorizer or CognitoAuth component. All routes inherit this authorizer unless skipAuth: true is set on the route. Omit to leave all routes public.
+     */
+    defaultAuthorizerId?: any;
+    /**
+     * Optional custom domain for the API. When set, Anvil provisions the ACM certificate, API Gateway domain name, and Route 53 DNS record automatically. The raw execute-api endpoint is disabled — all traffic must flow through the custom domain.
+     */
+    domain?: pulumi.Input<inputs.aws.HttpApiDomainArgs>;
+    /**
+     * CloudWatch access log retention period. Presets: '7d' | '30d' | '90d' | '1y' | '3y' | '6y' | '7y'. Default: '1y' — satisfies SOC 2, ISO 27001, and PCI DSS baseline retention requirements.
+     */
+    logRetention?: pulumi.Input<string>;
+    /**
+     * The API routes. Each route maps a method and path to a consumer. At least one route is required.
+     */
+    routes: pulumi.Input<pulumi.Input<inputs.aws.HttpApiRouteArgs>[]>;
+    /**
+     * Optional throttling configuration. Defaults to rateLimit: 1000 rps and burstLimit: 500 concurrent requests when omitted. Without throttling a single route can exhaust the account-level limit shared across all APIs.
+     */
+    throttling?: pulumi.Input<inputs.aws.HttpApiThrottlingArgs>;
+}