@anvil-cloud/sdk 0.0.13 → 0.0.15

package/bin/aws/vpc.d.ts

@@ -0,0 +1,98 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+export declare class Vpc extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of Vpc.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is Vpc;
+    /**
+     * The resolved Availability Zone names, e.g. ['ap-southeast-2a']. Consumed by RDS Multi-AZ, ECS spread, and other downstream components.
+     */
+    readonly availabilityZones: pulumi.Output<string[]>;
+    /**
+     * The EC2 instance ID of the bastion host. Use with: aws ssm start-session --target <bastionInstanceId>. Only populated when bastion is enabled.
+     */
+    readonly bastionInstanceId: pulumi.Output<string | undefined>;
+    /**
+     * The security group ID of the bastion host. Use to grant the bastion access to private resources, e.g. db.grant(network.bastion, { access: 'readWrite' }). Only populated when bastion is enabled.
+     */
+    readonly bastionSecurityGroupId: pulumi.Output<string | undefined>;
+    /**
+     * The ID of the VPC default security group. All rules removed — not used by Anvil components.
+     */
+    readonly defaultSecurityGroupId: pulumi.Output<string>;
+    /**
+     * The IDs of the private subnets, one per AZ. Used by Lambda, ECS tasks, EC2, and RDS.
+     */
+    readonly privateSubnetIds: pulumi.Output<string[]>;
+    /**
+     * The IDs of the public subnets, one per AZ. Used by load balancers, NAT Gateways, and the bastion host.
+     */
+    readonly publicSubnetIds: pulumi.Output<string[]>;
+    /**
+     * The ID of the VPC.
+     */
+    readonly vpcId: pulumi.Output<string>;
+    /**
+     * Create a Vpc resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: VpcArgs, opts?: pulumi.ComponentResourceOptions);
+    /**
+     * Imports an existing Vpc into Anvil without managing or modifying it.
+     * Returns an identical output shape to `new Vpc()`.
+     *
+     * Flow logs, NAT, and bastion are not available on an imported VPC.
+     *
+     * If subnet IDs are omitted, Anvil auto-discovers them by inspecting
+     * route tables. Provide IDs explicitly if auto-discovery fails.
+     *
+     * @example
+     * const network = Vpc.fromId("existing", {
+     *   vpcId: "vpc-0abc123def456",
+     * });
+     */
+    static fromId(name: string, args: {
+        vpcId: string;
+        privateSubnetIds?: string[];
+        publicSubnetIds?: string[];
+    }, opts?: pulumi.ComponentResourceOptions): Vpc;
+}
+/**
+ * The set of arguments for constructing a Vpc resource.
+ */
+export interface VpcArgs {
+    /**
+     * Number of Availability Zones to deploy subnets into. Valid values: 1, 2, 3. Defaults to 1. Inherits from App.defaults.availability — 'high' maps to 3, 'low' maps to 1.
+     */
+    availabilityZones?: pulumi.Input<number>;
+    /**
+     * Optional SSM bastion host for private network access. No SSH, no port 22 — access via AWS SSM Session Manager only. Use to connect to RDS, ElastiCache, and other private resources locally.
+     */
+    bastion?: pulumi.Input<boolean | inputs.aws.VpcBastionArgsArgs>;
+    /**
+     * The IPv4 CIDR block for the VPC. Default: '10.0.0.0/16'. Public subnets carved from offset 0 (/24 each), private subnets from offset 10 (/24 each).
+     */
+    cidr?: pulumi.Input<string>;
+    /**
+     * Optional VPC Flow Log configuration. Opt-in only. Either or both destinations can be enabled simultaneously. CloudWatch for active debugging, S3 for long-term compliance retention.
+     */
+    flowLogs?: pulumi.Input<inputs.aws.VpcFlowLogsArgsArgs>;
+    /**
+     * Optional NAT configuration for outbound internet access from private subnets. Omit for a fully private VPC.
+     */
+    nat?: pulumi.Input<inputs.aws.VpcNatArgsArgs>;
+}
+/**
+ * Normalises the `bastion` shorthand so the Pulumi provider
+ * always receives an object, never a raw boolean.
+ *
+ *   bastion: true          // enable with all defaults
+ *   bastion: {}            // identical to true
+ *   bastion: { ... }       // enable with custom config
+ */
+export declare function normaliseBastion(val: boolean | inputs.aws.VpcBastionArgsArgs | undefined): inputs.aws.VpcBastionArgsArgs | undefined;

package/bin/aws/vpc.js

@@ -0,0 +1,94 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normaliseBastion = exports.Vpc = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+class Vpc extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of Vpc.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Vpc.__pulumiType;
+    }
+    /**
+     * Create a Vpc resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["availabilityZones"] = args?.availabilityZones;
+            resourceInputs["bastion"] = args?.bastion;
+            resourceInputs["cidr"] = args?.cidr;
+            resourceInputs["flowLogs"] = args?.flowLogs;
+            resourceInputs["nat"] = args?.nat;
+            resourceInputs["bastionInstanceId"] = undefined /*out*/;
+            resourceInputs["bastionSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["defaultSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["privateSubnetIds"] = undefined /*out*/;
+            resourceInputs["publicSubnetIds"] = undefined /*out*/;
+            resourceInputs["vpcId"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["availabilityZones"] = undefined /*out*/;
+            resourceInputs["bastionInstanceId"] = undefined /*out*/;
+            resourceInputs["bastionSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["defaultSecurityGroupId"] = undefined /*out*/;
+            resourceInputs["privateSubnetIds"] = undefined /*out*/;
+            resourceInputs["publicSubnetIds"] = undefined /*out*/;
+            resourceInputs["vpcId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Vpc.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+    /**
+     * Imports an existing Vpc into Anvil without managing or modifying it.
+     * Returns an identical output shape to `new Vpc()`.
+     *
+     * Flow logs, NAT, and bastion are not available on an imported VPC.
+     *
+     * If subnet IDs are omitted, Anvil auto-discovers them by inspecting
+     * route tables. Provide IDs explicitly if auto-discovery fails.
+     *
+     * @example
+     * const network = Vpc.fromId("existing", {
+     *   vpcId: "vpc-0abc123def456",
+     * });
+     */
+    static fromId(name, args, opts) {
+        return new Vpc(name, args, {
+            ...opts,
+            id: args.vpcId,
+        });
+    }
+}
+exports.Vpc = Vpc;
+/** @internal */
+Vpc.__pulumiType = 'anvil:aws:Vpc';
+/**
+ * Normalises the `bastion` shorthand so the Pulumi provider
+ * always receives an object, never a raw boolean.
+ *
+ *   bastion: true          // enable with all defaults
+ *   bastion: {}            // identical to true
+ *   bastion: { ... }       // enable with custom config
+ */
+function normaliseBastion(val) {
+    if (val === undefined || val === false)
+        return undefined;
+    if (val === true)
+        return {};
+    return val;
+}
+exports.normaliseBastion = normaliseBastion;
+//# sourceMappingURL=vpc.js.map

package/bin/aws/vpc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vpc.js","sourceRoot":"","sources":["../../aws/vpc.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAE1C,MAAa,GAAI,SAAQ,MAAM,CAAC,iBAAiB;IAI7C;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,GAAG,CAAC,YAAY,CAAC;IACpD,CAAC;IA+BD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAc,EAAE,IAAsC;QAC5E,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,EAAE,iBAAiB,CAAC;YAC9D,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;YAClC,cAAc,CAAC,mBAAmB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACxD,cAAc,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC7D,cAAc,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC7D,cAAc,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACvD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACtD,cAAc,CAAC,OAAO,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC/C;aAAM;YACH,cAAc,CAAC,mBAAmB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACxD,cAAc,CAAC,mBAAmB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACxD,cAAc,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC7D,cAAc,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC7D,cAAc,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACvD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACtD,cAAc,CAAC,OAAO,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC/C;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACzE,CAAC;IACD;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,MAAM,CACX,IAAY,EACZ,IAIC,EACD,IAAsC;QAEtC,OAAO,IAAI,GAAG,CAAC,IAAI,EAAE,IAAW,EAAE;YAChC,GAAG,IAAI;YACP,EAAE,EAAE,IAAI,CAAC,KAAK;SACf,CAAC,CAAC;IACL,CAAC;;AAzGL,kBA2GC;AA1GG,gBAAgB;AACO,gBAAY,GAAG,eAAe,CAAC;AAqI1D;;;;;;;GAOG;AACH,SAAgB,gBAAgB,CAC9B,GAAwD;IAExD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,SAAS,CAAC;IACzD,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAC5B,OAAO,GAAG,CAAC;AACb,CAAC;AAND,4CAMC"}

package/bin/aws/vpcEndpoint.d.ts

@@ -0,0 +1,53 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+/**
+ * An Anvil-managed AWS Interface VPC Endpoint. Creates one ENI per private subnet with private DNS enabled. The endpoint security group uses a self-referencing ingress rule on port 443 — only compute resources that have been explicitly granted access can reach the endpoint at the network layer. Access is enforced at three layers: network (self-referencing SG), IAM role policy (scoped per compute resource), and endpoint policy (blanket ceiling on allowed actions for all compute principals — Lambda, ECS, EC2).
+ */
+export declare class VpcEndpoint extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of VpcEndpoint.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is VpcEndpoint;
+    /**
+     * The first DNS name assigned to the endpoint, e.g. vpce-xxx.sqs.ap-southeast-2.vpce.amazonaws.com. With private DNS enabled, normal consumers use the standard AWS SDK hostname — this is exposed for debugging and multi-VPC architectures only.
+     */
+    readonly dnsName: pulumi.Output<string>;
+    /**
+     * The ID of the VPC endpoint, e.g. vpce-0abc1234567890abc. Use this to reference the endpoint in IAM condition keys such as aws:SourceVpce.
+     */
+    readonly endpointId: pulumi.Output<string>;
+    /**
+     * The ID of the dedicated security group attached to this endpoint. Uses a self-referencing ingress rule on port 443 — only compute resources with this SG explicitly attached can reach the endpoint at the network layer.
+     */
+    readonly securityGroupId: pulumi.Output<string>;
+    /**
+     * Create a VpcEndpoint resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: VpcEndpointArgs, opts?: pulumi.ComponentResourceOptions);
+}
+/**
+ * The set of arguments for constructing a VpcEndpoint resource.
+ */
+export interface VpcEndpointArgs {
+    /**
+     * Explicit Allow and Deny permission statements for the endpoint policy. When omitted, the endpoint policy allows all actions (*) for all Anvil compute principals (Lambda, ECS, EC2). When set, only the declared actions are permitted — the caller is responsible for declaring every action their compute resources need. Supports both Allow and Deny effects. Resource defaults to "*" if omitted on a permission entry.
+     */
+    overridePermissions?: pulumi.Input<pulumi.Input<inputs.aws.VpcEndpointPermissionArgs>[]>;
+    /**
+     * The IDs of the private subnets to attach the endpoint to. AWS places one ENI per subnet. Pass all private subnet IDs from your VPC — typically one per AZ.
+     */
+    privateSubnetIds: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The AWS service to route privately. The full com.amazonaws.{region}.{service} name is constructed at deploy time from the resolved region — you never write it manually.
+     */
+    service: pulumi.Input<string>;
+    /**
+     * The ID of the VPC to create the endpoint in. Accepts both Anvil-managed VPC IDs and imported VPC IDs.
+     */
+    vpcId: pulumi.Input<string>;
+}

package/bin/aws/vpcEndpoint.js

@@ -0,0 +1,62 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VpcEndpoint = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * An Anvil-managed AWS Interface VPC Endpoint. Creates one ENI per private subnet with private DNS enabled. The endpoint security group uses a self-referencing ingress rule on port 443 — only compute resources that have been explicitly granted access can reach the endpoint at the network layer. Access is enforced at three layers: network (self-referencing SG), IAM role policy (scoped per compute resource), and endpoint policy (blanket ceiling on allowed actions for all compute principals — Lambda, ECS, EC2).
+ */
+class VpcEndpoint extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of VpcEndpoint.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === VpcEndpoint.__pulumiType;
+    }
+    /**
+     * Create a VpcEndpoint resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.privateSubnetIds === undefined && !opts.urn) {
+                throw new Error("Missing required property 'privateSubnetIds'");
+            }
+            if (args?.service === undefined && !opts.urn) {
+                throw new Error("Missing required property 'service'");
+            }
+            if (args?.vpcId === undefined && !opts.urn) {
+                throw new Error("Missing required property 'vpcId'");
+            }
+            resourceInputs["overridePermissions"] = args?.overridePermissions;
+            resourceInputs["privateSubnetIds"] = args?.privateSubnetIds;
+            resourceInputs["service"] = args?.service;
+            resourceInputs["vpcId"] = args?.vpcId;
+            resourceInputs["dnsName"] = undefined /*out*/;
+            resourceInputs["endpointId"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["dnsName"] = undefined /*out*/;
+            resourceInputs["endpointId"] = undefined /*out*/;
+            resourceInputs["securityGroupId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(VpcEndpoint.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+exports.VpcEndpoint = VpcEndpoint;
+/** @internal */
+VpcEndpoint.__pulumiType = 'anvil:aws:VpcEndpoint';
+//# sourceMappingURL=vpcEndpoint.js.map

package/bin/aws/vpcEndpoint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vpcEndpoint.js","sourceRoot":"","sources":["../../aws/vpcEndpoint.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAE1C;;GAEG;AACH,MAAa,WAAY,SAAQ,MAAM,CAAC,iBAAiB;IAIrD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,WAAW,CAAC,YAAY,CAAC;IAC5D,CAAC;IAeD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAqB,EAAE,IAAsC;QACnF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,gBAAgB,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACnD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;aACnE;YACD,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,IAAI,IAAI,EAAE,KAAK,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACxC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;aACxD;YACD,cAAc,CAAC,qBAAqB,CAAC,GAAG,IAAI,EAAE,mBAAmB,CAAC;YAClE,cAAc,CAAC,kBAAkB,CAAC,GAAG,IAAI,EAAE,gBAAgB,CAAC;YAC5D,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC;YACtC,cAAc,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC9C,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACzD;aAAM;YACH,cAAc,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC9C,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACzD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACjF,CAAC;;AA9DL,kCA+DC;AA9DG,gBAAgB;AACO,wBAAY,GAAG,uBAAuB,CAAC"}

package/bin/grants.d.ts

@@ -4,22 +4,12 @@ import * as pulumi from '@pulumi/pulumi';
  * Compute resources (Lambda, SvelteKitSite, etc.) satisfy this interface.
  */
 export interface GrantTarget {
-    /**
-     * The logical resource name passed to the constructor.
-     */
     grantName(): string;
-    /**
-     * The ARN of the IAM execution role attached to this compute resource.
-     */
     grantRoleArn(): pulumi.Output<string>;
 }
 /**
  * Optional metadata for grant methods.
  */
 export interface GrantOptions {
-    /**
-     * Documents why this grant is needed.
-     * Stored as a tag on the generated IAM policy resource for audit purposes.
-     */
     justification?: string;
 }

package/bin/grants.js

@@ -12,8 +12,6 @@ const aws = require("@pulumi/aws");
  * Creates a scoped IAM RolePolicy granting the specified actions on the
  * specified resource ARNs to the target's execution role.
  *
- * This is the core engine that all resource-specific grant methods delegate to.
- *
  * @internal
  */
 function createGrant(parent, name, target, actions, resourceArns, opts) {
@@ -27,13 +25,10 @@ function createGrant(parent, name, target, actions, resourceArns, opts) {
             },
         ],
     }));
-    // Extract role name from ARN (everything after the last "/")
     const roleName = target.grantRoleArn().apply((arn) => {
         const idx = arn.lastIndexOf('/');
         return idx >= 0 ? arn.substring(idx + 1) : arn;
     });
-    // Justification is stored in the resource name suffix for audit trail.
-    // Future: compliance audit trail (Pro tier) will capture this metadata separately.
     const policyName = opts?.justification
         ? `${name}-${sanitize(opts.justification)}`
         : name;
@@ -43,7 +38,7 @@ function createGrant(parent, name, target, actions, resourceArns, opts) {
     }, { parent });
 }
 exports.createGrant = createGrant;
-/** @internal Sanitize a string for use in resource names. */
+/** @internal */
 function sanitize(s) {
     return s
         .toLowerCase()
@@ -52,14 +47,14 @@ function sanitize(s) {
 }
 /**
  * Builds the list of ARNs for a grant based on a base ARN and optional path scoping.
- *
- * - No paths: grants access to the entire resource (baseArn + baseArn/*)
- * - With paths: grants access to baseArn (for list operations) + each scoped path
- *
  * @internal
  */
 function buildResourceArns(baseArn, paths) {
     const arns = [baseArn];
+    if (paths === null) {
+        // Explicit null = base ARN only, no sub-paths (used by DynamoDB index grants)
+        return arns;
+    }
     if (!paths || paths.length === 0) {
         arns.push(pulumi.interpolate `${baseArn}/*`);
     }

package/bin/grants.js.map

@@ -1 +1 @@
-{"version":3,"file":"grants.js","sourceRoot":"","sources":["../grants.ts"],"names":[],"mappings":";AAAA,uBAAuB;AACvB,4EAA4E;AAC5E,EAAE;AACF,uEAAuE;AACvE,+EAA+E;;;AAE/E,yCAAyC;AACzC,mCAAmC;AA6BnC;;;;;;;GAOG;AACH,SAAgB,WAAW,CACzB,MAAuB,EACvB,IAAY,EACZ,MAAmB,EACnB,OAAiB,EACjB,YAAqC,EACrC,IAAmB;IAEnB,MAAM,cAAc,GAAG,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAC7D,IAAI,CAAC,SAAS,CAAC;QACb,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT;gBACE,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,IAAI;aACf;SACF;KACF,CAAC,CACH,CAAC;IAEF,6DAA6D;IAC7D,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnD,MAAM,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACjC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,uEAAuE;IACvE,mFAAmF;IACnF,MAAM,UAAU,GAAG,IAAI,EAAE,aAAa;QACpC,CAAC,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE;QAC3C,CAAC,CAAC,IAAI,CAAC;IAET,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CACpB,UAAU,EACV;QACE,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,cAAc;KACvB,EACD,EAAE,MAAM,EAAE,CACX,CAAC;AACJ,CAAC;AAzCD,kCAyCC;AAED,6DAA6D;AAC7D,SAAS,QAAQ,CAAC,CAAS;IACzB,OAAO,CAAC;SACL,WAAW,EAAE;SACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAC/B,OAA8B,EAC9B,KAAgB;IAEhB,MAAM,IAAI,GAA4B,CAAC,OAAO,CAAC,CAAC;IAEhD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;QAChC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAA,GAAG,OAAO,IAAI,CAAC,CAAC;KAC7C;SAAM;QACL,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE;YACrB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAA,GAAG,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;SAChD;KACF;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAfD,8CAeC"}
+{"version":3,"file":"grants.js","sourceRoot":"","sources":["../grants.ts"],"names":[],"mappings":";AAAA,uBAAuB;AACvB,4EAA4E;AAC5E,EAAE;AACF,uEAAuE;AACvE,+EAA+E;;;AAE/E,yCAAyC;AACzC,mCAAmC;AAkBnC;;;;;GAKG;AACH,SAAgB,WAAW,CACzB,MAAuB,EACvB,IAAY,EACZ,MAAmB,EACnB,OAAiB,EACjB,YAAqC,EACrC,IAAmB;IAEnB,MAAM,cAAc,GAAG,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAC7D,IAAI,CAAC,SAAS,CAAC;QACb,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT;gBACE,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,IAAI;aACf;SACF;KACF,CAAC,CACH,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnD,MAAM,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACjC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,IAAI,EAAE,aAAa;QACpC,CAAC,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE;QAC3C,CAAC,CAAC,IAAI,CAAC;IAET,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CACpB,UAAU,EACV;QACE,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,cAAc;KACvB,EACD,EAAE,MAAM,EAAE,CACX,CAAC;AACJ,CAAC;AAtCD,kCAsCC;AAED,gBAAgB;AAChB,SAAS,QAAQ,CAAC,CAAS;IACzB,OAAO,CAAC;SACL,WAAW,EAAE;SACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAC/B,OAA8B,EAC9B,KAAuB;IAEvB,MAAM,IAAI,GAA4B,CAAC,OAAO,CAAC,CAAC;IAEhD,IAAI,KAAK,KAAK,IAAI,EAAE;QAClB,8EAA8E;QAC9E,OAAO,IAAI,CAAC;KACb;IAED,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;QAChC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAA,GAAG,OAAO,IAAI,CAAC,CAAC;KAC7C;SAAM;QACL,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE;YACrB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAA,GAAG,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;SAChD;KACF;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AApBD,8CAoBC"}

package/bin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anvil-cloud/sdk",
-  "version": "0.0.13",
+  "version": "0.0.15",
   "scripts": {
     "build": "tsc && cp package.json bin/"
   },

package/bin/types/enums/aws/index.d.ts

@@ -1,10 +1,186 @@
+export declare const CognitoUserPoolCustomAttributeType: {
+    readonly String: "String";
+    readonly Number: "Number";
+    readonly DateTime: "DateTime";
+    readonly Boolean: "Boolean";
+};
+export type CognitoUserPoolCustomAttributeType = (typeof CognitoUserPoolCustomAttributeType)[keyof typeof CognitoUserPoolCustomAttributeType];
+export declare const CognitoUserPoolIdentityProviderType: {
+    /**
+     * Google OAuth 2.0. Requires clientId and clientSecret.
+     */
+    readonly Google: "Google";
+    /**
+     * Facebook OAuth 2.0. Requires clientId and clientSecret.
+     */
+    readonly Facebook: "Facebook";
+    /**
+     * Login with Amazon. Requires clientId and clientSecret.
+     */
+    readonly LoginWithAmazon: "LoginWithAmazon";
+    /**
+     * Sign in with Apple. Requires clientId and clientSecret.
+     */
+    readonly SignInWithApple: "SignInWithApple";
+    /**
+     * Generic OIDC provider (Okta, Auth0, Microsoft Entra, etc.). Requires clientId, clientSecret, and oidcIssuer.
+     */
+    readonly OIDC: "OIDC";
+    /**
+     * SAML 2.0 provider (corporate SSO, Active Directory Federation Services etc.). Requires metadataUrl or metadataContent.
+     */
+    readonly SAML: "SAML";
+};
+export type CognitoUserPoolIdentityProviderType = (typeof CognitoUserPoolIdentityProviderType)[keyof typeof CognitoUserPoolIdentityProviderType];
+export declare const CognitoUserPoolMfaMethod: {
+    /**
+     * Time-based one-time password (authenticator app). No additional AWS resources required.
+     */
+    readonly TOTP: "TOTP";
+    /**
+     * SMS one-time password via SNS. Requires snsCallerArn.
+     */
+    readonly SMS: "SMS";
+};
+export type CognitoUserPoolMfaMethod = (typeof CognitoUserPoolMfaMethod)[keyof typeof CognitoUserPoolMfaMethod];
+export declare const CognitoUserPoolMfaMode: {
+    /**
+     * MFA disabled. Default.
+     */
+    readonly OFF: "OFF";
+    /**
+     * MFA available but not required. Users opt in.
+     */
+    readonly OPTIONAL: "OPTIONAL";
+    /**
+     * MFA required for all users.
+     */
+    readonly REQUIRED: "REQUIRED";
+};
+export type CognitoUserPoolMfaMode = (typeof CognitoUserPoolMfaMode)[keyof typeof CognitoUserPoolMfaMode];
+export declare const CognitoUserPoolOAuthFlow: {
+    /**
+     * Authorization code grant (PKCE). Most secure — use for all browser and server apps.
+     */
+    readonly Code: "code";
+    /**
+     * Implicit grant. Deprecated — tokens visible in browser URL. Avoid for new applications.
+     */
+    readonly Implicit: "implicit";
+    /**
+     * Client credentials grant. M2M only — no user interaction.
+     */
+    readonly Client_credentials: "client_credentials";
+};
+export type CognitoUserPoolOAuthFlow = (typeof CognitoUserPoolOAuthFlow)[keyof typeof CognitoUserPoolOAuthFlow];
+export declare const CognitoUserPoolUsernameAttribute: {
+    /**
+     * Users sign in with their email address.
+     */
+    readonly Email: "email";
+    /**
+     * Users sign in with their phone number.
+     */
+    readonly Phone_number: "phone_number";
+};
+export type CognitoUserPoolUsernameAttribute = (typeof CognitoUserPoolUsernameAttribute)[keyof typeof CognitoUserPoolUsernameAttribute];
+export declare const DynamoDBAttributeType: {
+    /**
+     * String
+     */
+    readonly S: "S";
+    /**
+     * Number
+     */
+    readonly N: "N";
+    /**
+     * Binary
+     */
+    readonly B: "B";
+};
+export type DynamoDBAttributeType = (typeof DynamoDBAttributeType)[keyof typeof DynamoDBAttributeType];
+export declare const DynamoDBProjectionType: {
+    /**
+     * All attributes are projected. Default.
+     */
+    readonly ALL: "ALL";
+    /**
+     * Only the table and GSI key attributes are projected.
+     */
+    readonly KEYS_ONLY: "KEYS_ONLY";
+    /**
+     * Only the specified nonKeyAttributes are projected in addition to keys.
+     */
+    readonly INCLUDE: "INCLUDE";
+};
+export type DynamoDBProjectionType = (typeof DynamoDBProjectionType)[keyof typeof DynamoDBProjectionType];
+export declare const DynamoDBStreamStartingPosition: {
+    /**
+     * Start reading from the oldest available record in the stream. Replays all existing records up to 24hr retention window. AWS default.
+     */
+    readonly TRIM_HORIZON: "TRIM_HORIZON";
+    /**
+     * Start reading from the most recent record. Only processes new events from the point of consumer creation.
+     */
+    readonly LATEST: "LATEST";
+};
+export type DynamoDBStreamStartingPosition = (typeof DynamoDBStreamStartingPosition)[keyof typeof DynamoDBStreamStartingPosition];
+export declare const DynamoDBStreamViewType: {
+    /**
+     * Only the new item image is written to the stream.
+     */
+    readonly NEW_IMAGE: "NEW_IMAGE";
+    /**
+     * Only the old item image is written to the stream.
+     */
+    readonly OLD_IMAGE: "OLD_IMAGE";
+    /**
+     * Both old and new item images are written to the stream.
+     */
+    readonly NEW_AND_OLD_IMAGES: "NEW_AND_OLD_IMAGES";
+    /**
+     * Only the key attributes are written to the stream.
+     */
+    readonly KEYS_ONLY: "KEYS_ONLY";
+};
+export type DynamoDBStreamViewType = (typeof DynamoDBStreamViewType)[keyof typeof DynamoDBStreamViewType];
+export declare const HttpApiMethod: {
+    /**
+     * HTTP GET — read operations.
+     */
+    readonly GET: "GET";
+    /**
+     * HTTP POST — create operations and async consumers (SQS, EventBridge, Step Functions).
+     */
+    readonly POST: "POST";
+    /**
+     * HTTP PUT — replace operations.
+     */
+    readonly PUT: "PUT";
+    /**
+     * HTTP PATCH — partial update operations.
+     */
+    readonly PATCH: "PATCH";
+    /**
+     * HTTP DELETE — delete operations.
+     */
+    readonly DELETE: "DELETE";
+    /**
+     * Matches all HTTP methods. Maps to the $default route key.
+     */
+    readonly ANY: "ANY";
+};
+/**
+ * HTTP method for an API route.
+ */
+export type HttpApiMethod = (typeof HttpApiMethod)[keyof typeof HttpApiMethod];
 export declare const LambdaArchitecture: {
     /**
-     * Graviton — 20% cheaper, better performance. Default.
+     * Graviton - 20% cheaper, better performance. Default.
      */
     readonly Arm64: "arm64";
     /**
-     * Intel/AMD — use for x86-specific native dependencies.
+     * Intel/AMD - use for x86-specific native dependencies.
      */
     readonly X86_64: "x86_64";
 };
@@ -23,26 +199,26 @@ export declare const LambdaLogRetention: {
      */
     readonly LambdaLogRetention_90d: "90d";
     /**
-     * 1 year (365 days) — SOC 2 / ISO 27001 / PCI-DSS baseline. Default.
+     * 1 year (365 days) - SOC 2 / ISO 27001 / PCI-DSS baseline. Default.
      */
     readonly LambdaLogRetention_1y: "1y";
     /**
-     * 3 years (1095 days) — FedRAMP minimum
+     * 3 years (1095 days) - FedRAMP minimum
      */
     readonly LambdaLogRetention_3y: "3y";
     /**
-     * 6 years (2190 days) — HIPAA minimum
+     * 6 years (2190 days) - HIPAA minimum
      */
     readonly LambdaLogRetention_6y: "6y";
     /**
-     * 7 years (2555 days) — IRAP minimum
+     * 7 years (2555 days) - IRAP minimum
      */
     readonly LambdaLogRetention_7y: "7y";
 };
 export type LambdaLogRetention = (typeof LambdaLogRetention)[keyof typeof LambdaLogRetention];
 export declare const LambdaRuntime: {
     /**
-     * Node.js 24 (LTS) — recommended
+     * Node.js 24 (LTS) - recommended
      */
     readonly Nodejs24_x: "nodejs24.x";
     /**
@@ -51,3 +227,31 @@ export declare const LambdaRuntime: {
     readonly Nodejs22_x: "nodejs22.x";
 };
 export type LambdaRuntime = (typeof LambdaRuntime)[keyof typeof LambdaRuntime];
+export declare const S3FlowLogLifecycle: {
+    /**
+     * Auto-tiered: Standard (0-30d) → Standard-IA (30-90d) → Glacier Instant Retrieval (90d+). Suitable for compliance retention at minimal long-term cost.
+     */
+    readonly Standard: "standard";
+};
+export type S3FlowLogLifecycle = (typeof S3FlowLogLifecycle)[keyof typeof S3FlowLogLifecycle];
+export declare const SiteOriginProtectionProvider: {
+    /**
+     * Cloudflare — inject x-origin-secret via a Cloudflare Transform Rule.
+     */
+    readonly Cloudflare: "cloudflare";
+};
+/**
+ * The CDN/proxy provider sitting in front of CloudFront.
+ */
+export type SiteOriginProtectionProvider = (typeof SiteOriginProtectionProvider)[keyof typeof SiteOriginProtectionProvider];
+export declare const VpcNatType: {
+    /**
+     * AWS managed NAT Gateway. One per AZ for true HA. ~$32/month per AZ plus $0.045/GB data processed.
+     */
+    readonly Gateway: "gateway";
+    /**
+     * fck-nat EC2 instance. Single instance regardless of AZ count. ~$4-6/month for t4g.small. Accepted single point of failure tradeoff for cost savings.
+     */
+    readonly Fck_nat: "fck-nat";
+};
+export type VpcNatType = (typeof VpcNatType)[keyof typeof VpcNatType];