npm - @anvil-cloud/sdk - Versions diffs - 0.0.13 → 0.0.15 - Mend

@anvil-cloud/sdk 0.0.13 → 0.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/aws/cognitoAuth.ts +70 -0
package/aws/cognitoUserPool.ts +132 -0
package/aws/dynamoDB.ts +176 -0
package/aws/eventBus.ts +91 -0
package/aws/httpApi.ts +108 -0
package/aws/index.ts +63 -0
package/aws/lambda.ts +9 -3
package/aws/oauthAuthorizer.ts +70 -0
package/aws/queue.ts +156 -0
package/aws/svelteKitSite.ts +14 -0
package/aws/vpc.ts +159 -0
package/aws/vpcEndpoint.ts +98 -0
package/bin/aws/cognitoAuth.d.ts +36 -0
package/bin/aws/cognitoAuth.js +53 -0
package/bin/aws/cognitoAuth.js.map +1 -0
package/bin/aws/cognitoUserPool.d.ts +82 -0
package/bin/aws/cognitoUserPool.js +65 -0
package/bin/aws/cognitoUserPool.js.map +1 -0
package/bin/aws/dynamoDB.d.ts +115 -0
package/bin/aws/dynamoDB.js +121 -0
package/bin/aws/dynamoDB.js.map +1 -0
package/bin/aws/eventBus.d.ts +47 -0
package/bin/aws/eventBus.js +63 -0
package/bin/aws/eventBus.js.map +1 -0
package/bin/aws/httpApi.d.ts +66 -0
package/bin/aws/httpApi.js +60 -0
package/bin/aws/httpApi.js.map +1 -0
package/bin/aws/index.d.ts +27 -0
package/bin/aws/index.js +37 -1
package/bin/aws/index.js.map +1 -1
package/bin/aws/lambda.d.ts +7 -3
package/bin/aws/lambda.js +2 -0
package/bin/aws/lambda.js.map +1 -1
package/bin/aws/oauthAuthorizer.d.ts +36 -0
package/bin/aws/oauthAuthorizer.js +53 -0
package/bin/aws/oauthAuthorizer.js.map +1 -0
package/bin/aws/queue.d.ts +83 -0
package/bin/aws/queue.js +103 -0
package/bin/aws/queue.js.map +1 -0
package/bin/aws/svelteKitSite.d.ts +9 -0
package/bin/aws/svelteKitSite.js +3 -0
package/bin/aws/svelteKitSite.js.map +1 -1
package/bin/aws/vpc.d.ts +98 -0
package/bin/aws/vpc.js +94 -0
package/bin/aws/vpc.js.map +1 -0
package/bin/aws/vpcEndpoint.d.ts +53 -0
package/bin/aws/vpcEndpoint.js +62 -0
package/bin/aws/vpcEndpoint.js.map +1 -0
package/bin/grants.d.ts +0 -10
package/bin/grants.js +5 -10
package/bin/grants.js.map +1 -1
package/bin/package.json +1 -1
package/bin/types/enums/aws/index.d.ts +211 -7
package/bin/types/enums/aws/index.js +192 -8
package/bin/types/enums/aws/index.js.map +1 -1
package/bin/types/input.d.ts +1040 -0
package/bin/types/output.d.ts +13 -0
package/grants.ts +7 -22
package/package.json +1 -1
package/tsconfig.json +9 -0
package/types/enums/aws/index.ts +239 -7
package/types/input.ts +1079 -0
package/types/output.ts +14 -0

package/bin/types/input.d.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import * as pulumi from "@pulumi/pulumi";
 import * as inputs from "../types/input";
+import * as enums from "../types/enums";
 import * as pulumiAws from "@pulumi/aws";
 import * as pulumiGcp from "@pulumi/gcp";
 export declare namespace aws {
@@ -345,6 +346,814 @@ export declare namespace aws {
          */
         routingRules?: pulumi.Input<pulumi.Input<pulumiAws.types.input.s3.BucketWebsiteConfigurationRoutingRule>[]>;
     }
+    /**
+     * Default app client configuration. Covers the 80% case — one client per pool.
+     */
+    interface CognitoUserPoolAppClientArgs {
+        /**
+         * Allowed redirect URLs after successful sign-in. Required when using the hosted UI.
+         */
+        callbackUrls?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Generate a client secret. Required for confidential clients (server-side apps). Must NOT be set for SPAs — never expose secrets in browser code. Default: false.
+         */
+        generateSecret?: pulumi.Input<boolean>;
+        /**
+         * Allowed redirect URLs after sign-out.
+         */
+        logoutUrls?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Allowed OAuth flows. Default: [code]. Use code (PKCE) for SPAs and server apps. client_credentials for M2M.
+         */
+        oauthFlows?: pulumi.Input<pulumi.Input<enums.aws.CognitoUserPoolOAuthFlow>[]>;
+        /**
+         * OAuth scopes to allow. Default: [openid, email, profile].
+         */
+        oauthScopes?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Identity providers shown on the hosted UI login page for this client. Default: [COGNITO]. Add provider names from identityProviders here to show social login buttons.
+         */
+        supportedIdentityProviders?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Token validity periods. Anvil defaults: access 1h, id 1h, refresh 30d.
+         */
+        tokenValidity?: pulumi.Input<inputs.aws.CognitoUserPoolTokenValidityArgs>;
+    }
+    /**
+     * User attribute and sign-in configuration.
+     */
+    interface CognitoUserPoolAttributesArgs {
+        /**
+         * Custom attributes to add to user profiles. Cannot be deleted after pool creation.
+         */
+        customAttributes?: pulumi.Input<pulumi.Input<inputs.aws.CognitoUserPoolCustomAttributeArgs>[]>;
+        /**
+         * Standard attributes required on sign-up. Default: [email]. Cannot be changed after pool creation.
+         */
+        requiredAttributes?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Attributes users can sign in with. Default: [email]. Set to [phone_number] or [email, phone_number] to allow both. Cannot be changed after pool creation.
+         */
+        usernameAttributes?: pulumi.Input<pulumi.Input<enums.aws.CognitoUserPoolUsernameAttribute>[]>;
+    }
+    /**
+     * A custom attribute to add to user profiles.
+     */
+    interface CognitoUserPoolCustomAttributeArgs {
+        /**
+         * Whether the attribute can be changed after a user is created. Default: true.
+         */
+        mutable?: pulumi.Input<boolean>;
+        /**
+         * Attribute name. Cognito prefixes this with 'custom:' automatically.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * Attribute data type. Default: String.
+         */
+        type?: pulumi.Input<enums.aws.CognitoUserPoolCustomAttributeType>;
+    }
+    /**
+     * Email delivery configuration. Default uses Cognito-managed email which has a 50 emails/day limit. Configure SES for production workloads.
+     */
+    interface CognitoUserPoolEmailConfigurationArgs {
+        /**
+         * Reply-to address shown in outgoing emails. Optional.
+         */
+        replyToAddress?: pulumi.Input<string>;
+        /**
+         * Verified SES sender address (e.g. noreply@myapp.com). Setting this switches delivery to SES, removing the 50 emails/day limit. The address must be verified in SES in the same region as the user pool.
+         */
+        sesFromAddress?: pulumi.Input<string>;
+    }
+    /**
+     * Hosted UI (Managed Login) configuration. Enables the Cognito-hosted sign-in page.
+     */
+    interface CognitoUserPoolHostedUiArgs {
+        /**
+         * ACM certificate ARN for the custom domain. Must be in us-east-1 regardless of user pool region — this is a hard AWS requirement. Required when customDomain is true.
+         */
+        acmCertificateArn?: pulumi.Input<string>;
+        /**
+         * Set to true when domain is a custom FQDN you own. Requires acmCertificateArn. Anvil creates the CloudFront distribution and wires the alias automatically. Default: false.
+         */
+        customDomain?: pulumi.Input<boolean>;
+        /**
+         * Domain for the hosted UI. For Cognito-managed domains, provide just the prefix (e.g. 'myapp' → myapp.auth.{region}.amazoncognito.com). For custom domains, provide the fully-qualified domain name (e.g. 'auth.myapp.com'). Required.
+         */
+        domain: pulumi.Input<string>;
+    }
+    /**
+     * An external identity provider to federate with this user pool. Discriminated by type — the same schema covers all provider types. Add new providers by extending the identityProviders array, no schema changes required.
+     */
+    interface CognitoUserPoolIdentityProviderArgs {
+        /**
+         * Maps Cognito user attributes to provider-specific claim names. Key is the Cognito attribute (e.g. 'email'), value is the provider claim (e.g. 'email' for Google, or the full SAML attribute URI for SAML providers).
+         */
+        attributeMapping?: pulumi.Input<{
+            [key: string]: pulumi.Input<string>;
+        }>;
+        /**
+         * OAuth client ID from the identity provider. Required for Google, Facebook, LoginWithAmazon, SignInWithApple, OIDC.
+         */
+        clientId?: pulumi.Input<string>;
+        /**
+         * OAuth client secret from the identity provider. Required for Google, Facebook, LoginWithAmazon, OIDC. Not used for SAML.
+         */
+        clientSecret?: pulumi.Input<string>;
+        /**
+         * Inline SAML metadata XML. Required for SAML when metadataUrl is not provided.
+         */
+        metadataContent?: pulumi.Input<string>;
+        /**
+         * URL of the SAML metadata document. Required for SAML when metadataContent is not provided.
+         */
+        metadataUrl?: pulumi.Input<string>;
+        /**
+         * Friendly name for this provider. Required for OIDC and SAML providers. Optional for well-known social providers (Google, Facebook etc.) — defaults to the type name.
+         */
+        name?: pulumi.Input<string>;
+        /**
+         * OIDC issuer URL. Required when type is OIDC. Cognito fetches the discovery document from {oidcIssuer}/.well-known/openid-configuration.
+         */
+        oidcIssuer?: pulumi.Input<string>;
+        /**
+         * Provider type. Determines which fields are required. Google/Facebook/LoginWithAmazon/SignInWithApple require clientId and clientSecret. OIDC additionally requires oidcIssuer. SAML requires metadataUrl or metadataContent.
+         */
+        type: pulumi.Input<enums.aws.CognitoUserPoolIdentityProviderType>;
+    }
+    /**
+     * MFA configuration for the user pool.
+     */
+    interface CognitoUserPoolMfaArgs {
+        /**
+         * MFA methods to enable. TOTP requires no additional AWS resources. SMS requires snsCallerArn.
+         */
+        methods?: pulumi.Input<pulumi.Input<enums.aws.CognitoUserPoolMfaMethod>[]>;
+        /**
+         * MFA enforcement mode. Default: OFF.
+         */
+        mode?: pulumi.Input<enums.aws.CognitoUserPoolMfaMode>;
+        /**
+         * ARN of the IAM role Cognito uses to send SMS messages via SNS. Required when methods includes SMS. Anvil will create this role automatically if omitted and SMS is enabled.
+         */
+        snsCallerArn?: pulumi.Input<string>;
+    }
+    interface CognitoUserPoolOverridesArgs {
+        /**
+         * Configuration block to define which verified available method a user can use to recover their forgotten password. Detailed below.
+         */
+        accountRecoverySetting?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolAccountRecoverySetting>;
+        /**
+         * Configuration block for creating a new user profile. Detailed below.
+         */
+        adminCreateUserConfig?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolAdminCreateUserConfig>;
+        /**
+         * Attributes supported as an alias for this user pool. Valid values: <span pulumi-lang-nodejs="`phoneNumber`" pulumi-lang-dotnet="`PhoneNumber`" pulumi-lang-go="`phoneNumber`" pulumi-lang-python="`phone_number`" pulumi-lang-yaml="`phoneNumber`" pulumi-lang-java="`phoneNumber`">`phone_number`</span>, <span pulumi-lang-nodejs="`email`" pulumi-lang-dotnet="`Email`" pulumi-lang-go="`email`" pulumi-lang-python="`email`" pulumi-lang-yaml="`email`" pulumi-lang-java="`email`">`email`</span>, or <span pulumi-lang-nodejs="`preferredUsername`" pulumi-lang-dotnet="`PreferredUsername`" pulumi-lang-go="`preferredUsername`" pulumi-lang-python="`preferred_username`" pulumi-lang-yaml="`preferredUsername`" pulumi-lang-java="`preferredUsername`">`preferred_username`</span>. Conflicts with <span pulumi-lang-nodejs="`usernameAttributes`" pulumi-lang-dotnet="`UsernameAttributes`" pulumi-lang-go="`usernameAttributes`" pulumi-lang-python="`username_attributes`" pulumi-lang-yaml="`usernameAttributes`" pulumi-lang-java="`usernameAttributes`">`username_attributes`</span>.
+         */
+        aliasAttributes?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Attributes to be auto-verified. Valid values: <span pulumi-lang-nodejs="`email`" pulumi-lang-dotnet="`Email`" pulumi-lang-go="`email`" pulumi-lang-python="`email`" pulumi-lang-yaml="`email`" pulumi-lang-java="`email`">`email`</span>, <span pulumi-lang-nodejs="`phoneNumber`" pulumi-lang-dotnet="`PhoneNumber`" pulumi-lang-go="`phoneNumber`" pulumi-lang-python="`phone_number`" pulumi-lang-yaml="`phoneNumber`" pulumi-lang-java="`phoneNumber`">`phone_number`</span>.
+         */
+        autoVerifiedAttributes?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * When active, DeletionProtection prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. Valid values are `ACTIVE` and `INACTIVE`, Default value is `INACTIVE`.
+         */
+        deletionProtection?: pulumi.Input<string>;
+        /**
+         * Configuration block for the user pool's device tracking. Detailed below.
+         */
+        deviceConfiguration?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolDeviceConfiguration>;
+        /**
+         * Configuration block for configuring email. Detailed below.
+         */
+        emailConfiguration?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolEmailConfiguration>;
+        /**
+         * Configuration block for configuring email Multi-Factor Authentication (MFA); requires at least 2 <span pulumi-lang-nodejs="`accountRecoverySetting`" pulumi-lang-dotnet="`AccountRecoverySetting`" pulumi-lang-go="`accountRecoverySetting`" pulumi-lang-python="`account_recovery_setting`" pulumi-lang-yaml="`accountRecoverySetting`" pulumi-lang-java="`accountRecoverySetting`">`account_recovery_setting`</span> entries; requires an <span pulumi-lang-nodejs="`emailConfiguration`" pulumi-lang-dotnet="`EmailConfiguration`" pulumi-lang-go="`emailConfiguration`" pulumi-lang-python="`email_configuration`" pulumi-lang-yaml="`emailConfiguration`" pulumi-lang-java="`emailConfiguration`">`email_configuration`</span> configuration block. Effective only when <span pulumi-lang-nodejs="`mfaConfiguration`" pulumi-lang-dotnet="`MfaConfiguration`" pulumi-lang-go="`mfaConfiguration`" pulumi-lang-python="`mfa_configuration`" pulumi-lang-yaml="`mfaConfiguration`" pulumi-lang-java="`mfaConfiguration`">`mfa_configuration`</span> is `ON` or `OPTIONAL`. Detailed below.
+         */
+        emailMfaConfiguration?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolEmailMfaConfiguration>;
+        /**
+         * String representing the email verification message. Conflicts with <span pulumi-lang-nodejs="`verificationMessageTemplate`" pulumi-lang-dotnet="`VerificationMessageTemplate`" pulumi-lang-go="`verificationMessageTemplate`" pulumi-lang-python="`verification_message_template`" pulumi-lang-yaml="`verificationMessageTemplate`" pulumi-lang-java="`verificationMessageTemplate`">`verification_message_template`</span> configuration block <span pulumi-lang-nodejs="`emailMessage`" pulumi-lang-dotnet="`EmailMessage`" pulumi-lang-go="`emailMessage`" pulumi-lang-python="`email_message`" pulumi-lang-yaml="`emailMessage`" pulumi-lang-java="`emailMessage`">`email_message`</span> argument.
+         */
+        emailVerificationMessage?: pulumi.Input<string>;
+        /**
+         * String representing the email verification subject. Conflicts with <span pulumi-lang-nodejs="`verificationMessageTemplate`" pulumi-lang-dotnet="`VerificationMessageTemplate`" pulumi-lang-go="`verificationMessageTemplate`" pulumi-lang-python="`verification_message_template`" pulumi-lang-yaml="`verificationMessageTemplate`" pulumi-lang-java="`verificationMessageTemplate`">`verification_message_template`</span> configuration block <span pulumi-lang-nodejs="`emailSubject`" pulumi-lang-dotnet="`EmailSubject`" pulumi-lang-go="`emailSubject`" pulumi-lang-python="`email_subject`" pulumi-lang-yaml="`emailSubject`" pulumi-lang-java="`emailSubject`">`email_subject`</span> argument.
+         */
+        emailVerificationSubject?: pulumi.Input<string>;
+        /**
+         * Configuration block for the AWS Lambda triggers associated with the user pool. Detailed below.
+         */
+        lambdaConfig?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolLambdaConfig>;
+        /**
+         * Multi-Factor Authentication (MFA) configuration for the User Pool. Defaults of `OFF`. Valid values are `OFF` (MFA Tokens are not required), `ON` (MFA is required for all users to sign in; requires at least one of <span pulumi-lang-nodejs="`emailMfaConfiguration`" pulumi-lang-dotnet="`EmailMfaConfiguration`" pulumi-lang-go="`emailMfaConfiguration`" pulumi-lang-python="`email_mfa_configuration`" pulumi-lang-yaml="`emailMfaConfiguration`" pulumi-lang-java="`emailMfaConfiguration`">`email_mfa_configuration`</span>, <span pulumi-lang-nodejs="`smsConfiguration`" pulumi-lang-dotnet="`SmsConfiguration`" pulumi-lang-go="`smsConfiguration`" pulumi-lang-python="`sms_configuration`" pulumi-lang-yaml="`smsConfiguration`" pulumi-lang-java="`smsConfiguration`">`sms_configuration`</span> or <span pulumi-lang-nodejs="`softwareTokenMfaConfiguration`" pulumi-lang-dotnet="`SoftwareTokenMfaConfiguration`" pulumi-lang-go="`softwareTokenMfaConfiguration`" pulumi-lang-python="`software_token_mfa_configuration`" pulumi-lang-yaml="`softwareTokenMfaConfiguration`" pulumi-lang-java="`softwareTokenMfaConfiguration`">`software_token_mfa_configuration`</span> to be configured), or `OPTIONAL` (MFA Will be required only for individual users who have MFA Enabled; requires at least one of <span pulumi-lang-nodejs="`emailMfaConfiguration`" pulumi-lang-dotnet="`EmailMfaConfiguration`" pulumi-lang-go="`emailMfaConfiguration`" pulumi-lang-python="`email_mfa_configuration`" pulumi-lang-yaml="`emailMfaConfiguration`" pulumi-lang-java="`emailMfaConfiguration`">`email_mfa_configuration`</span>, <span pulumi-lang-nodejs="`smsConfiguration`" pulumi-lang-dotnet="`SmsConfiguration`" pulumi-lang-go="`smsConfiguration`" pulumi-lang-python="`sms_configuration`" pulumi-lang-yaml="`smsConfiguration`" pulumi-lang-java="`smsConfiguration`">`sms_configuration`</span> or <span pulumi-lang-nodejs="`softwareTokenMfaConfiguration`" pulumi-lang-dotnet="`SoftwareTokenMfaConfiguration`" pulumi-lang-go="`softwareTokenMfaConfiguration`" pulumi-lang-python="`software_token_mfa_configuration`" pulumi-lang-yaml="`softwareTokenMfaConfiguration`" pulumi-lang-java="`softwareTokenMfaConfiguration`">`software_token_mfa_configuration`</span> to be configured).
+         */
+        mfaConfiguration?: pulumi.Input<string>;
+        /**
+         * Name of the user pool.
+         */
+        name?: pulumi.Input<string>;
+        /**
+         * Configuration block for information about the user pool password policy. Detailed below.
+         */
+        passwordPolicy?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolPasswordPolicy>;
+        /**
+         * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+         */
+        region?: pulumi.Input<string>;
+        /**
+         * Configuration block for the schema attributes of a user pool. Detailed below. Schema attributes from the [standard attribute set](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#cognito-user-pools-standard-attributes) only need to be specified if they are different from the default configuration. Attributes can be added, but not modified or removed. Maximum of 50 attributes.
+         */
+        schemas?: pulumi.Input<pulumi.Input<pulumiAws.types.input.cognito.UserPoolSchema>[]>;
+        /**
+         * Configuration block for information about the user pool sign in policy. Detailed below.
+         */
+        signInPolicy?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolSignInPolicy>;
+        /**
+         * String representing the SMS authentication message. The Message must contain the `{####}` placeholder, which will be replaced with the code.
+         */
+        smsAuthenticationMessage?: pulumi.Input<string>;
+        /**
+         * Configuration block for Short Message Service (SMS) settings. Detailed below. These settings apply to SMS user verification and SMS Multi-Factor Authentication (MFA). SMS MFA is activated only when <span pulumi-lang-nodejs="`mfaConfiguration`" pulumi-lang-dotnet="`MfaConfiguration`" pulumi-lang-go="`mfaConfiguration`" pulumi-lang-python="`mfa_configuration`" pulumi-lang-yaml="`mfaConfiguration`" pulumi-lang-java="`mfaConfiguration`">`mfa_configuration`</span> is set to `ON` or `OPTIONAL` along with this block. Due to Cognito API restrictions, the SMS configuration cannot be removed without recreating the Cognito User Pool. For user data safety, this resource will ignore the removal of this configuration by disabling drift detection. To force resource recreation after this configuration has been applied, see the <span pulumi-lang-nodejs="`taint`" pulumi-lang-dotnet="`Taint`" pulumi-lang-go="`taint`" pulumi-lang-python="`taint`" pulumi-lang-yaml="`taint`" pulumi-lang-java="`taint`">`taint`</span> command.
+         */
+        smsConfiguration?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolSmsConfiguration>;
+        /**
+         * String representing the SMS verification message. Conflicts with <span pulumi-lang-nodejs="`verificationMessageTemplate`" pulumi-lang-dotnet="`VerificationMessageTemplate`" pulumi-lang-go="`verificationMessageTemplate`" pulumi-lang-python="`verification_message_template`" pulumi-lang-yaml="`verificationMessageTemplate`" pulumi-lang-java="`verificationMessageTemplate`">`verification_message_template`</span> configuration block <span pulumi-lang-nodejs="`smsMessage`" pulumi-lang-dotnet="`SmsMessage`" pulumi-lang-go="`smsMessage`" pulumi-lang-python="`sms_message`" pulumi-lang-yaml="`smsMessage`" pulumi-lang-java="`smsMessage`">`sms_message`</span> argument.
+         */
+        smsVerificationMessage?: pulumi.Input<string>;
+        /**
+         * Configuration block for software token Mult-Factor Authentication (MFA) settings. Effective only when <span pulumi-lang-nodejs="`mfaConfiguration`" pulumi-lang-dotnet="`MfaConfiguration`" pulumi-lang-go="`mfaConfiguration`" pulumi-lang-python="`mfa_configuration`" pulumi-lang-yaml="`mfaConfiguration`" pulumi-lang-java="`mfaConfiguration`">`mfa_configuration`</span> is `ON` or `OPTIONAL`. Detailed below.
+         */
+        softwareTokenMfaConfiguration?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolSoftwareTokenMfaConfiguration>;
+        /**
+         * Map of tags to assign to the User Pool. If configured with a provider <span pulumi-lang-nodejs="`defaultTags`" pulumi-lang-dotnet="`DefaultTags`" pulumi-lang-go="`defaultTags`" pulumi-lang-python="`default_tags`" pulumi-lang-yaml="`defaultTags`" pulumi-lang-java="`defaultTags`">`default_tags`</span> configuration block present, tags with matching keys will overwrite those defined at the provider-level.
+         */
+        tags?: pulumi.Input<{
+            [key: string]: pulumi.Input<string>;
+        }>;
+        /**
+         * Configuration block for user attribute update settings. Detailed below.
+         */
+        userAttributeUpdateSettings?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolUserAttributeUpdateSettings>;
+        /**
+         * Configuration block for user pool add-ons to enable user pool advanced security mode features. Detailed below.
+         */
+        userPoolAddOns?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolUserPoolAddOns>;
+        /**
+         * The user pool [feature plan](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html), or tier. Valid values: `LITE`, `ESSENTIALS`, `PLUS`.
+         */
+        userPoolTier?: pulumi.Input<string>;
+        /**
+         * Whether email addresses or phone numbers can be specified as usernames when a user signs up. Conflicts with <span pulumi-lang-nodejs="`aliasAttributes`" pulumi-lang-dotnet="`AliasAttributes`" pulumi-lang-go="`aliasAttributes`" pulumi-lang-python="`alias_attributes`" pulumi-lang-yaml="`aliasAttributes`" pulumi-lang-java="`aliasAttributes`">`alias_attributes`</span>.
+         */
+        usernameAttributes?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Configuration block for username configuration. Detailed below.
+         */
+        usernameConfiguration?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolUsernameConfiguration>;
+        /**
+         * Configuration block for verification message templates. Detailed below.
+         */
+        verificationMessageTemplate?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolVerificationMessageTemplate>;
+        /**
+         * Configuration block for web authn configuration. Detailed below.
+         */
+        webAuthnConfiguration?: pulumi.Input<pulumiAws.types.input.cognito.UserPoolWebAuthnConfiguration>;
+    }
+    /**
+     * Password policy for the user pool. Anvil defaults satisfy CIS Benchmarks and SOC 2 baseline.
+     */
+    interface CognitoUserPoolPasswordPolicyArgs {
+        /**
+         * Minimum password length. Default: 12. Minimum allowed: 6.
+         */
+        minLength?: pulumi.Input<number>;
+        /**
+         * Require at least one lowercase letter. Default: true.
+         */
+        requireLowercase?: pulumi.Input<boolean>;
+        /**
+         * Require at least one number. Default: true.
+         */
+        requireNumbers?: pulumi.Input<boolean>;
+        /**
+         * Require at least one symbol. Default: true.
+         */
+        requireSymbols?: pulumi.Input<boolean>;
+        /**
+         * Require at least one uppercase letter. Default: true.
+         */
+        requireUppercase?: pulumi.Input<boolean>;
+        /**
+         * Number of days a temporary password is valid. Default: 7.
+         */
+        temporaryPasswordValidityDays?: pulumi.Input<number>;
+    }
+    /**
+     * Token validity configuration.
+     */
+    interface CognitoUserPoolTokenValidityArgs {
+        /**
+         * Access token validity in hours. Default: 1.
+         */
+        accessTokenValidity?: pulumi.Input<number>;
+        /**
+         * ID token validity in hours. Default: 1.
+         */
+        idTokenValidity?: pulumi.Input<number>;
+        /**
+         * Refresh token validity in days. Default: 30.
+         */
+        refreshTokenValidity?: pulumi.Input<number>;
+    }
+    interface CognitoUserPoolTransformArgsArgs {
+        cognitoUserPool?: pulumi.Input<inputs.aws.CognitoUserPoolOverridesArgs>;
+    }
+    /**
+     * A Global Secondary Index. All key attributes must use the explicit { name, type } shape — Anvil merges these into the table attributeDefinitions automatically.
+     */
+    interface DynamoDBGlobalSecondaryIndexArgs {
+        /**
+         * GSI hash key. Must include name and type explicitly.
+         */
+        hashKey: pulumi.Input<inputs.aws.DynamoDBKeyAttributeArgs>;
+        /**
+         * GSI name.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * Non-key attributes to project. Only valid when projectionType is INCLUDE.
+         */
+        nonKeyAttributes?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Projection type. Defaults to ALL.
+         */
+        projectionType?: pulumi.Input<enums.aws.DynamoDBProjectionType>;
+        /**
+         * GSI range key. Optional. Must include name and type explicitly.
+         */
+        rangeKey?: pulumi.Input<inputs.aws.DynamoDBKeyAttributeArgs>;
+    }
+    /**
+     * A DynamoDB key attribute with an explicit name and type. All keys — table and GSI — must use this shape. Anvil derives attributeDefinitions automatically.
+     */
+    interface DynamoDBKeyAttributeArgs {
+        /**
+         * Attribute name.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * Attribute type. S = String, N = Number, B = Binary.
+         */
+        type: pulumi.Input<enums.aws.DynamoDBAttributeType>;
+    }
+    /**
+     * DynamoDB Streams configuration. Opt-in.
+     */
+    interface DynamoDBStreamArgs {
+        /**
+         * Number of stream records to send to the consumer per batch. Defaults to 100.
+         */
+        batchSize?: pulumi.Input<number>;
+        /**
+         * The consumer of the stream. Discriminated union — exactly one of lambda or eventBridge.
+         */
+        consumer: pulumi.Input<inputs.aws.DynamoDBStreamConsumerArgs>;
+        /**
+         * Where to start reading the stream. Defaults to TRIM_HORIZON (AWS default — replays all existing records). Set to LATEST to only receive new events from the point of consumer creation.
+         */
+        startingPosition?: pulumi.Input<enums.aws.DynamoDBStreamStartingPosition>;
+        /**
+         * The stream view type. Controls what data is written to the stream on item changes.
+         */
+        viewType: pulumi.Input<enums.aws.DynamoDBStreamViewType>;
+    }
+    /**
+     * Discriminated union for the stream consumer. Exactly one of lambda or eventBridge must be set.
+     */
+    interface DynamoDBStreamConsumerArgs {
+        /**
+         * Wire an EventBridge bus as the stream consumer via an EventBridge Pipe. Use this for fanout — the bus routes to multiple targets via rules. Bypasses the 2-consumer-per-shard limit of direct Lambda ESM.
+         */
+        eventBridge?: pulumi.Input<inputs.aws.DynamoDBStreamEventBridgeConsumerArgs>;
+        /**
+         * Wire a Lambda function as the stream consumer via AWS-managed Event Source Mapping.
+         */
+        lambda?: pulumi.Input<inputs.aws.DynamoDBStreamLambdaConsumerArgs>;
+    }
+    /**
+     * EventBridge Pipe consumer. Anvil creates the Pipe, a scoped IAM role for the Pipe, and wires the stream to the target bus. Use this for fanout to multiple targets via EventBridge rules.
+     */
+    interface DynamoDBStreamEventBridgeConsumerArgs {
+        /**
+         * ARN of the target EventBridge event bus.
+         */
+        busArn: pulumi.Input<string>;
+        /**
+         * Name of the target EventBridge event bus (anvil.aws.EventBus).
+         */
+        name: pulumi.Input<string>;
+    }
+    /**
+     * Lambda stream consumer. Anvil creates the ESM, lambda:InvokeFunction permission, and attaches stream read permissions to the Lambda role. Does not grant table read/write access — call grantRead/Write separately if needed.
+     */
+    interface DynamoDBStreamLambdaConsumerArgs {
+        /**
+         * ARN of the Lambda function.
+         */
+        arn: pulumi.Input<string>;
+        /**
+         * ARN of the Lambda execution role. Anvil attaches an inline policy granting stream read permissions (GetRecords, GetShardIterator, DescribeStream, ListStreams).
+         */
+        lambdaRoleArn: pulumi.Input<string>;
+    }
+    interface DynamoOverridesArgs {
+        /**
+         * Set of nested attribute definitions. Only required for <span pulumi-lang-nodejs="`hashKey`" pulumi-lang-dotnet="`HashKey`" pulumi-lang-go="`hashKey`" pulumi-lang-python="`hash_key`" pulumi-lang-yaml="`hashKey`" pulumi-lang-java="`hashKey`">`hash_key`</span> and <span pulumi-lang-nodejs="`rangeKey`" pulumi-lang-dotnet="`RangeKey`" pulumi-lang-go="`rangeKey`" pulumi-lang-python="`range_key`" pulumi-lang-yaml="`rangeKey`" pulumi-lang-java="`rangeKey`">`range_key`</span> attributes. See below.
+         */
+        attributes?: pulumi.Input<pulumi.Input<pulumiAws.types.input.dynamodb.TableAttribute>[]>;
+        /**
+         * Controls how you are charged for read and write throughput and how you manage capacity. The valid values are `PROVISIONED` and `PAY_PER_REQUEST`. Defaults to `PROVISIONED`.
+         */
+        billingMode?: pulumi.Input<string>;
+        /**
+         * Enables deletion protection for table. Defaults to <span pulumi-lang-nodejs="`false`" pulumi-lang-dotnet="`False`" pulumi-lang-go="`false`" pulumi-lang-python="`false`" pulumi-lang-yaml="`false`" pulumi-lang-java="`false`">`false`</span>.
+         */
+        deletionProtectionEnabled?: pulumi.Input<boolean>;
+        /**
+         * Describe a GSI for the table; subject to the normal limits on the number of GSIs, projected attributes, etc. See below.
+         */
+        globalSecondaryIndexes?: pulumi.Input<pulumi.Input<pulumiAws.types.input.dynamodb.TableGlobalSecondaryIndex>[]>;
+        /**
+         * Witness Region in a Multi-Region Strong Consistency deployment. **Note** This must be used alongside a single <span pulumi-lang-nodejs="`replica`" pulumi-lang-dotnet="`Replica`" pulumi-lang-go="`replica`" pulumi-lang-python="`replica`" pulumi-lang-yaml="`replica`" pulumi-lang-java="`replica`">`replica`</span> with <span pulumi-lang-nodejs="`consistencyMode`" pulumi-lang-dotnet="`ConsistencyMode`" pulumi-lang-go="`consistencyMode`" pulumi-lang-python="`consistency_mode`" pulumi-lang-yaml="`consistencyMode`" pulumi-lang-java="`consistencyMode`">`consistency_mode`</span> set to `STRONG`. Other combinations will fail to provision. See below.
+         */
+        globalTableWitness?: pulumi.Input<pulumiAws.types.input.dynamodb.TableGlobalTableWitness>;
+        /**
+         * Attribute to use as the hash (partition) key. Must also be defined as an <span pulumi-lang-nodejs="`attribute`" pulumi-lang-dotnet="`Attribute`" pulumi-lang-go="`attribute`" pulumi-lang-python="`attribute`" pulumi-lang-yaml="`attribute`" pulumi-lang-java="`attribute`">`attribute`</span>. See below.
+         */
+        hashKey?: pulumi.Input<string>;
+        /**
+         * Import Amazon S3 data into a new table. See below.
+         */
+        importTable?: pulumi.Input<pulumiAws.types.input.dynamodb.TableImportTable>;
+        /**
+         * Describe an LSI on the table; these can only be allocated _at creation_ so you cannot change this definition after you have created the resource. See below.
+         */
+        localSecondaryIndexes?: pulumi.Input<pulumi.Input<pulumiAws.types.input.dynamodb.TableLocalSecondaryIndex>[]>;
+        /**
+         * Unique within a region name of the table.
+         *
+         * The following arguments are optional:
+         */
+        name?: pulumi.Input<string>;
+        /**
+         * Sets the maximum number of read and write units for the specified on-demand table. See below.
+         */
+        onDemandThroughput?: pulumi.Input<pulumiAws.types.input.dynamodb.TableOnDemandThroughput>;
+        /**
+         * Enable point-in-time recovery options. See below.
+         */
+        pointInTimeRecovery?: pulumi.Input<pulumiAws.types.input.dynamodb.TablePointInTimeRecovery>;
+        /**
+         * Attribute to use as the range (sort) key. Must also be defined as an <span pulumi-lang-nodejs="`attribute`" pulumi-lang-dotnet="`Attribute`" pulumi-lang-go="`attribute`" pulumi-lang-python="`attribute`" pulumi-lang-yaml="`attribute`" pulumi-lang-java="`attribute`">`attribute`</span>, see below.
+         */
+        rangeKey?: pulumi.Input<string>;
+        /**
+         * Number of read units for this table. If the <span pulumi-lang-nodejs="`billingMode`" pulumi-lang-dotnet="`BillingMode`" pulumi-lang-go="`billingMode`" pulumi-lang-python="`billing_mode`" pulumi-lang-yaml="`billingMode`" pulumi-lang-java="`billingMode`">`billing_mode`</span> is `PROVISIONED`, this field is required.
+         */
+        readCapacity?: pulumi.Input<number>;
+        /**
+         * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+         */
+        region?: pulumi.Input<string>;
+        /**
+         * Configuration block(s) with [DynamoDB Global Tables V2 (version 2019.11.21)](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/globaltables.V2.html) replication configurations. See below.
+         */
+        replicas?: pulumi.Input<pulumi.Input<pulumiAws.types.input.dynamodb.TableReplica>[]>;
+        /**
+         * Time of the point-in-time recovery point to restore.
+         */
+        restoreDateTime?: pulumi.Input<string>;
+        /**
+         * Name of the table to restore. Must match the name of an existing table.
+         */
+        restoreSourceName?: pulumi.Input<string>;
+        /**
+         * ARN of the source table to restore. Must be supplied for cross-region restores.
+         */
+        restoreSourceTableArn?: pulumi.Input<string>;
+        /**
+         * If set, restores table to the most recent point-in-time recovery point.
+         */
+        restoreToLatestTime?: pulumi.Input<boolean>;
+        /**
+         * Encryption at rest options. AWS DynamoDB tables are automatically encrypted at rest with an AWS-owned Customer Master Key if this argument isn't specified. Must be supplied for cross-region restores. See below.
+         */
+        serverSideEncryption?: pulumi.Input<pulumiAws.types.input.dynamodb.TableServerSideEncryption>;
+        /**
+         * Whether Streams are enabled.
+         */
+        streamEnabled?: pulumi.Input<boolean>;
+        /**
+         * When an item in the table is modified, StreamViewType determines what information is written to the table's stream.
+         * Valid values are `KEYS_ONLY`, `NEW_IMAGE`, `OLD_IMAGE`, `NEW_AND_OLD_IMAGES`.
+         * Only valid when <span pulumi-lang-nodejs="`streamEnabled`" pulumi-lang-dotnet="`StreamEnabled`" pulumi-lang-go="`streamEnabled`" pulumi-lang-python="`stream_enabled`" pulumi-lang-yaml="`streamEnabled`" pulumi-lang-java="`streamEnabled`">`stream_enabled`</span> is true.
+         */
+        streamViewType?: pulumi.Input<string>;
+        /**
+         * Storage class of the table.
+         * Valid values are `STANDARD` and `STANDARD_INFREQUENT_ACCESS`.
+         * Default value is `STANDARD`.
+         */
+        tableClass?: pulumi.Input<string>;
+        /**
+         * A map of tags to populate on the created table. If configured with a provider <span pulumi-lang-nodejs="`defaultTags`" pulumi-lang-dotnet="`DefaultTags`" pulumi-lang-go="`defaultTags`" pulumi-lang-python="`default_tags`" pulumi-lang-yaml="`defaultTags`" pulumi-lang-java="`defaultTags`">`default_tags`</span> configuration block present, tags with matching keys will overwrite those defined at the provider-level.
+         */
+        tags?: pulumi.Input<{
+            [key: string]: pulumi.Input<string>;
+        }>;
+        /**
+         * Configuration block for TTL. See below.
+         */
+        ttl?: pulumi.Input<pulumiAws.types.input.dynamodb.TableTtl>;
+        /**
+         * Sets the number of warm read and write units for the specified table. See below.
+         */
+        warmThroughput?: pulumi.Input<pulumiAws.types.input.dynamodb.TableWarmThroughput>;
+        /**
+         * Number of write units for this table. If the <span pulumi-lang-nodejs="`billingMode`" pulumi-lang-dotnet="`BillingMode`" pulumi-lang-go="`billingMode`" pulumi-lang-python="`billing_mode`" pulumi-lang-yaml="`billingMode`" pulumi-lang-java="`billingMode`">`billing_mode`</span> is `PROVISIONED`, this field is required.
+         */
+        writeCapacity?: pulumi.Input<number>;
+    }
+    interface DynamoTransformArgsArgs {
+        dynamo?: pulumi.Input<inputs.aws.DynamoOverridesArgs>;
+    }
+    interface EventBridgeOverridesArgs {
+        /**
+         * Configuration details of the Amazon SQS queue for EventBridge to use as a dead-letter queue (DLQ). This block supports the following arguments:
+         */
+        deadLetterConfig?: pulumi.Input<pulumiAws.types.input.cloudwatch.EventBusDeadLetterConfig>;
+        /**
+         * Event bus description.
+         */
+        description?: pulumi.Input<string>;
+        /**
+         * Partner event source that the new event bus will be matched with. Must match <span pulumi-lang-nodejs="`name`" pulumi-lang-dotnet="`Name`" pulumi-lang-go="`name`" pulumi-lang-python="`name`" pulumi-lang-yaml="`name`" pulumi-lang-java="`name`">`name`</span>.
+         */
+        eventSourceName?: pulumi.Input<string>;
+        /**
+         * Identifier of the AWS KMS customer managed key for EventBridge to use, if you choose to use a customer managed key to encrypt events on this event bus. The identifier can be the key Amazon Resource Name (ARN), KeyId, key alias, or key alias ARN.
+         */
+        kmsKeyIdentifier?: pulumi.Input<string>;
+        /**
+         * Block for logging configuration settings for the event bus.
+         */
+        logConfig?: pulumi.Input<pulumiAws.types.input.cloudwatch.EventBusLogConfig>;
+        /**
+         * Name of the new event bus. The names of custom event buses can't contain the / character. To create a partner event bus, ensure that the <span pulumi-lang-nodejs="`name`" pulumi-lang-dotnet="`Name`" pulumi-lang-go="`name`" pulumi-lang-python="`name`" pulumi-lang-yaml="`name`" pulumi-lang-java="`name`">`name`</span> matches the <span pulumi-lang-nodejs="`eventSourceName`" pulumi-lang-dotnet="`EventSourceName`" pulumi-lang-go="`eventSourceName`" pulumi-lang-python="`event_source_name`" pulumi-lang-yaml="`eventSourceName`" pulumi-lang-java="`eventSourceName`">`event_source_name`</span>.
+         *
+         * The following arguments are optional:
+         */
+        name?: pulumi.Input<string>;
+        /**
+         * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+         */
+        region?: pulumi.Input<string>;
+        /**
+         * Map of tags assigned to the resource. If configured with a provider <span pulumi-lang-nodejs="`defaultTags`" pulumi-lang-dotnet="`DefaultTags`" pulumi-lang-go="`defaultTags`" pulumi-lang-python="`default_tags`" pulumi-lang-yaml="`defaultTags`" pulumi-lang-java="`defaultTags`">`default_tags`</span> configuration block present, tags with matching keys will overwrite those defined at the provider-level.
+         */
+        tags?: pulumi.Input<{
+            [key: string]: pulumi.Input<string>;
+        }>;
+    }
+    interface EventBridgeTransformArgsArgs {
+        eventBridge?: pulumi.Input<inputs.aws.EventBridgeOverridesArgs>;
+    }
+    /**
+     * Lambda function target for an EventBridge rule. Pass fn.arn and fn.roleArn from an Anvil Lambda component.
+     */
+    interface EventBusLambdaTargetArgsArgs {
+        /**
+         * The ARN of the Lambda function to invoke. Use fn.arn from an Anvil Lambda component.
+         */
+        arn: any;
+        /**
+         * The ARN of the Lambda's execution role. Use fn.roleArn from an Anvil Lambda component.
+         */
+        lambdaRoleArn: any;
+    }
+    /**
+     * An EventBridge rule that matches events by pattern and routes them to a target.
+     */
+    interface EventBusRuleArgs {
+        /**
+         * Logical name for this rule. Used to construct the physical rule name.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * Defines which events this rule matches.
+         */
+        pattern: pulumi.Input<inputs.aws.EventBusRulePatternArgs>;
+        /**
+         * Defines what receives matching events.
+         */
+        target: pulumi.Input<inputs.aws.EventBusRuleTargetArgs>;
+    }
+    /**
+     * EventBridge content-based filtering pattern. All fields are AND-ed — an event must match every specified field.
+     */
+    interface EventBusRulePatternArgs {
+        /**
+         * Matches against fields inside the event detail payload. Structure depends on the event producer. e.g. { "orderId": [{ "exists": true }], "status": ["pending"] }
+         */
+        detail?: any;
+        /**
+         * Filters on the detail-type field. e.g. ["order.created", "order.cancelled"]
+         */
+        detailType?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Filters on the event source field. e.g. ["anvil.api", "anvil.worker"]
+         */
+        source?: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    /**
+     * Target that receives matching events from an EventBridge rule.
+     */
+    interface EventBusRuleTargetArgs {
+        /**
+         * Invoke a Lambda function when events match the rule pattern. Anvil creates the EventBridge target and grants EventBridge permission to invoke the function.
+         */
+        lambda?: pulumi.Input<inputs.aws.EventBusLambdaTargetArgsArgs>;
+    }
+    /**
+     * Cross-Origin Resource Sharing configuration. Opt-in — omit to disable CORS. Security rules: allowOrigins '*' is blocked, allowCredentials requires explicit origins, allowMethods is inferred from routes when omitted.
+     */
+    interface HttpApiCorsArgs {
+        /**
+         * Allow cookies and auth headers in cross-origin requests. Default: false. When true, allowOrigins must not contain '*' — browsers reject this combination per the CORS specification.
+         */
+        allowCredentials?: pulumi.Input<boolean>;
+        /**
+         * Allowed request headers. Default: ['Content-Type', 'Authorization', 'X-Request-ID'].
+         */
+        allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Allowed HTTP methods. Default: inferred automatically from the routes declared on this API.
+         */
+        allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Allowed origins. Required when CORS is enabled. Wildcard '*' is blocked — specify explicit origins. e.g. ['https://app.mysite.com'].
+         */
+        allowOrigins: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Preflight cache duration in seconds. Default: 86400 (24 hours) — reduces preflight requests significantly.
+         */
+        maxAge?: pulumi.Input<number>;
+    }
+    /**
+     * Custom domain configuration. When set, Anvil provisions the ACM certificate (with DNS validation), API Gateway domain name resource, and Route 53 A alias record. TLS 1.2 minimum is always enforced. The execute-api endpoint is disabled when a domain is set. Set dns: false for Cloudflare or other non-Route 53 providers.
+     */
+    interface HttpApiDomainArgs {
+        /**
+         * Optional API mapping base path. e.g. 'v1' makes the API accessible at https://name/v1. Omit for root path mapping.
+         */
+        basePath?: pulumi.Input<string>;
+        /**
+         * BYO ACM certificate ARN. When omitted Anvil creates and validates the certificate automatically via DNS validation. Required when dns: false to skip Route 53 cert validation entirely.
+         */
+        certificateArn?: pulumi.Input<string>;
+        /**
+         * Create Route 53 DNS and cert validation records automatically. Default: true. Set to false for Cloudflare or other non-Route 53 DNS providers — Anvil will output the API Gateway target domain and (when certificateArn is omitted) the ACM validation CNAME for manual configuration.
+         */
+        dns?: pulumi.Input<boolean>;
+        /**
+         * The fully qualified domain name. e.g. 'api.mysite.com'.
+         */
+        name: pulumi.Input<string>;
+        /**
+         * Route 53 hosted zone ID. When omitted Anvil discovers the zone by domain name automatically. Ignored when dns: false.
+         */
+        zoneId?: pulumi.Input<string>;
+    }
+    /**
+     * Routes requests directly to an EventBridge bus. API Gateway puts the request body as an event — no Lambda required. Anvil creates a least-privilege IAM role granting events:PutEvents on this bus only.
+     */
+    interface HttpApiEventBridgeConsumerArgs {
+        /**
+         * The EventBridge bus name. Pass bus.name directly. Accepts Output<string>.
+         */
+        name: any;
+    }
+    /**
+     * Proxies requests to an external HTTP URL. Useful for gradual migration from legacy APIs or third-party integrations. No IAM configuration required.
+     */
+    interface HttpApiHttpConsumerArgs {
+        /**
+         * The external HTTP URL to proxy to. e.g. 'https://legacy-api.mycompany.com'.
+         */
+        url: pulumi.Input<string>;
+    }
+    /**
+     * Routes requests to a Lambda function via AWS_PROXY integration. API Gateway invokes the Lambda synchronously and returns its response directly.
+     */
+    interface HttpApiLambdaConsumerArgs {
+        /**
+         * The Lambda function ARN. Pass lambda.arn directly. Accepts Output<string>.
+         */
+        arn: any;
+    }
+    /**
+     * A single route on the HTTP API mapping a method and path to a consumer target.
+     */
+    interface HttpApiRouteArgs {
+        /**
+         * The target that handles this route. Exactly one consumer type must be set.
+         */
+        consumer: pulumi.Input<inputs.aws.HttpApiRouteConsumerArgs>;
+        /**
+         * The HTTP method for this route.
+         */
+        method: pulumi.Input<enums.aws.HttpApiMethod>;
+        /**
+         * The route path. e.g. '/users' or '/users/{id}'. Use {param} for path parameters and {proxy+} for greedy paths.
+         */
+        path: pulumi.Input<string>;
+        /**
+         * OAuth scopes required to access this route. API Gateway rejects tokens that do not contain all listed scopes. Only applies when defaultAuthorizerId is set and skipAuth is false. Example: ['read:users', 'write:orders'].
+         */
+        scopes?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Explicitly opt this route out of the API-level defaultAuthorizer. Use for health checks, webhook endpoints, or any route that handles its own validation. Has no effect if defaultAuthorizerId is not set.
+         */
+        skipAuth?: pulumi.Input<boolean>;
+        /**
+         * Optional per-route throttling override. Inherits API-level throttling when omitted.
+         */
+        throttling?: pulumi.Input<inputs.aws.HttpApiThrottlingArgs>;
+    }
+    /**
+     * The target that handles a route. Exactly one field must be set — Anvil validates this at deploy time and returns a clear error if zero or multiple are set.
+     */
+    interface HttpApiRouteConsumerArgs {
+        /**
+         * Route directly to an EventBridge bus. No Lambda required. Must use POST, PUT, or PATCH.
+         */
+        eventBridge?: pulumi.Input<inputs.aws.HttpApiEventBridgeConsumerArgs>;
+        /**
+         * Proxy to an external HTTP URL. Useful for gradual migration from legacy APIs.
+         */
+        http?: pulumi.Input<inputs.aws.HttpApiHttpConsumerArgs>;
+        /**
+         * Route to a Lambda function. Pass lambda.arn directly.
+         */
+        lambda?: pulumi.Input<inputs.aws.HttpApiLambdaConsumerArgs>;
+        /**
+         * Route directly to an SQS queue. No Lambda required. Returns 202 Accepted immediately — message is processed asynchronously. Must use POST, PUT, or PATCH.
+         */
+        sqs?: pulumi.Input<inputs.aws.HttpApiSqsConsumerArgs>;
+        /**
+         * Route to a Step Functions state machine. Async by default. Must use POST, PUT, or PATCH.
+         */
+        stepFunctions?: pulumi.Input<inputs.aws.HttpApiStepFunctionsConsumerArgs>;
+    }
+    /**
+     * Routes requests directly to an SQS queue. API Gateway sends the request body as a message — no Lambda required. Returns 202 Accepted immediately. Anvil creates a least-privilege IAM role granting sqs:SendMessage on this queue only.
+     */
+    interface HttpApiSqsConsumerArgs {
+        /**
+         * The SQS queue ARN. Pass queue.arn directly. Accepts Output<string>.
+         */
+        arn: any;
+        /**
+         * The SQS queue URL. Pass queue.url directly. Accepts Output<string>.
+         */
+        url: any;
+    }
+    /**
+     * Routes requests to a Step Functions state machine. Async by default (StartExecution). Set sync: true for StartSyncExecution — note the 29s API Gateway timeout applies. Anvil creates a least-privilege IAM role granting the appropriate Start action on this state machine only.
+     */
+    interface HttpApiStepFunctionsConsumerArgs {
+        /**
+         * The state machine ARN. Pass stateMachine.arn directly. Accepts Output<string>.
+         */
+        arn: any;
+        /**
+         * Wait for execution to complete before responding. Default: false (async). Only use for fast state machines — subject to the 29s API Gateway timeout.
+         */
+        sync?: pulumi.Input<boolean>;
+    }
+    /**
+     * Rate and burst throttling limits. Applied at the API level by default — individual routes can override. Defaults: rateLimit 1000 rps, burstLimit 500 concurrent. Without throttling a single route can exhaust the account-level limit (10,000 rps) shared across all APIs in the account.
+     */
+    interface HttpApiThrottlingArgs {
+        /**
+         * Maximum concurrent requests (token bucket capacity). Default: 500.
+         */
+        burstLimit?: pulumi.Input<number>;
+        /**
+         * Maximum sustained requests per second. Default: 1000.
+         */
+        rateLimit?: pulumi.Input<number>;
+    }
     interface LambdaOverridesArgs {
         /**
          * Instruction set architecture for your Lambda function. Valid values are `[<span pulumi-lang-nodejs=""x8664"" pulumi-lang-dotnet=""X8664"" pulumi-lang-go=""x8664"" pulumi-lang-python=""x86_64"" pulumi-lang-yaml=""x8664"" pulumi-lang-java=""x8664"">"x86_64"</span>]` and `["arm64"]`. Default is `[<span pulumi-lang-nodejs=""x8664"" pulumi-lang-dotnet=""X8664"" pulumi-lang-go=""x8664"" pulumi-lang-python=""x86_64"" pulumi-lang-yaml=""x8664"" pulumi-lang-java=""x8664"">"x86_64"</span>]`. Removing this attribute, function's architecture stays the same.
@@ -522,6 +1331,51 @@ export declare namespace aws {
     interface LambdaTransformArgsArgs {
         lambda?: pulumi.Input<inputs.aws.LambdaOverridesArgs>;
     }
+    interface LambdaVpcArgsArgs {
+        /**
+         * CIDR-scoped egress rules. One SG rule per port per CIDR. Use for peered VPCs or on-premise ranges.
+         */
+        cidrs?: pulumi.Input<pulumi.Input<inputs.aws.LambdaVpcCidrArgsArgs>[]>;
+        /**
+         * Only needed for imported VPCs with NAT. Omit when using an Anvil Vpc component.
+         */
+        hasNat?: pulumi.Input<boolean>;
+        /**
+         * The IDs of the private subnets to attach the Lambda to. Always private - Lambda must never be placed in public subnets. Accepts Output<string[]> - pass vpc.privateSubnetIds directly.
+         */
+        privateSubnetIds: any;
+        /**
+         * VPC endpoints this Lambda needs access to. Anvil wires both SG rules automatically.
+         */
+        vpcEndpoints?: pulumi.Input<pulumi.Input<inputs.aws.LambdaVpcEndpointArgsArgs>[]>;
+        /**
+         * The ID of the VPC to place the Lambda in. Accepts Output<string> - pass vpc.vpcId directly.
+         */
+        vpcId: any;
+    }
+    interface LambdaVpcCidrArgsArgs {
+        /**
+         * TCP ports to allow. Required - be explicit.
+         */
+        ports: pulumi.Input<pulumi.Input<number>[]>;
+        /**
+         * IPv4 CIDR block, e.g. 10.0.0.0/8
+         */
+        range: pulumi.Input<string>;
+    }
+    /**
+     * A VPC endpoint to grant this Lambda access to. Both fields accept Output<string> - pass component outputs directly.
+     */
+    interface LambdaVpcEndpointArgsArgs {
+        /**
+         * The endpoint's ID. Use ep.endpointId. Accepts Output<string>.
+         */
+        endpointId: any;
+        /**
+         * The endpoint's security group ID. Use ep.securityGroupId. Accepts Output<string>.
+         */
+        securityGroupId: any;
+    }
     interface PABTransformArgs {
         /**
          * Whether Amazon S3 should block public ACLs for this bucket. Defaults to <span pulumi-lang-nodejs="`false`" pulumi-lang-dotnet="`False`" pulumi-lang-go="`false`" pulumi-lang-python="`false`" pulumi-lang-yaml="`false`" pulumi-lang-java="`false`">`false`</span>. Enabling this setting does not affect existing policies or ACLs. When set to <span pulumi-lang-nodejs="`true`" pulumi-lang-dotnet="`True`" pulumi-lang-go="`true`" pulumi-lang-python="`true`" pulumi-lang-yaml="`true`" pulumi-lang-java="`true`">`true`</span> causes the following behavior:
@@ -557,6 +1411,192 @@ export declare namespace aws {
          */
         skipDestroy?: pulumi.Input<boolean>;
     }
+    /**
+     * Consumer configuration for this queue.
+     */
+    interface QueueConsumerArgsArgs {
+        /**
+         * Wire an Anvil Lambda function as the SQS consumer. Creates the event source mapping and grants sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes to the Lambda's execution role.
+         */
+        lambda?: pulumi.Input<inputs.aws.QueueLambdaConsumerArgsArgs>;
+    }
+    /**
+     * Dead letter queue configuration. Set arn to reuse an existing queue. Omit arn to create a managed DLQ.
+     */
+    interface QueueDlqArgsArgs {
+        /**
+         * ARN of an existing queue to use as the DLQ. If the parent queue is fifo: true, this ARN must end with ".fifo". When omitted, Anvil creates a managed DLQ.
+         */
+        arn?: pulumi.Input<string>;
+        /**
+         * How many times a message can be received before being moved to the DLQ. Default: 3.
+         */
+        maxReceiveCount?: pulumi.Input<number>;
+    }
+    /**
+     * Lambda consumer configuration. Pass fn.arn and fn.roleArn from an Anvil Lambda component.
+     */
+    interface QueueLambdaConsumerArgsArgs {
+        /**
+         * The ARN of the Lambda function to trigger. Use fn.arn from an Anvil Lambda component.
+         */
+        arn: pulumi.Input<string>;
+        /**
+         * The ARN of the Lambda's execution role. Use fn.roleArn from an Anvil Lambda component. Required for Anvil to attach the consume permissions policy.
+         */
+        lambdaRoleArn: pulumi.Input<string>;
+    }
+    interface QueueOverridesArgs {
+        /**
+         * Enables content-based deduplication for FIFO queues. For more information, see the [related documentation](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues.html#FIFO-queues-exactly-once-processing).
+         */
+        contentBasedDeduplication?: pulumi.Input<boolean>;
+        /**
+         * Specifies whether message deduplication occurs at the message group or queue level. Valid values are `messageGroup` and <span pulumi-lang-nodejs="`queue`" pulumi-lang-dotnet="`Queue`" pulumi-lang-go="`queue`" pulumi-lang-python="`queue`" pulumi-lang-yaml="`queue`" pulumi-lang-java="`queue`">`queue`</span> (default).
+         */
+        deduplicationScope?: pulumi.Input<string>;
+        /**
+         * Time in seconds that the delivery of all messages in the queue will be delayed. An integer from 0 to 900 (15 minutes). The default for this attribute is 0 seconds.
+         */
+        delaySeconds?: pulumi.Input<number>;
+        /**
+         * Boolean designating a FIFO queue. If not set, it defaults to <span pulumi-lang-nodejs="`false`" pulumi-lang-dotnet="`False`" pulumi-lang-go="`false`" pulumi-lang-python="`false`" pulumi-lang-yaml="`false`" pulumi-lang-java="`false`">`false`</span> making it standard.
+         */
+        fifoQueue?: pulumi.Input<boolean>;
+        /**
+         * Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. Valid values are `perQueue` (default) and `perMessageGroupId`.
+         */
+        fifoThroughputLimit?: pulumi.Input<string>;
+        /**
+         * Length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours). The default is 300 (5 minutes).
+         */
+        kmsDataKeyReusePeriodSeconds?: pulumi.Input<number>;
+        /**
+         * ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. For more information, see [Key Terms](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html#sqs-sse-key-terms).
+         */
+        kmsMasterKeyId?: pulumi.Input<string>;
+        /**
+         * Limit of how many bytes a message can contain before Amazon SQS rejects it. An integer from 1024 bytes (1 KiB) up to 1048576 bytes (1024 KiB). The default for this attribute is 262144 (256 KiB).
+         */
+        maxMessageSize?: pulumi.Input<number>;
+        /**
+         * Number of seconds Amazon SQS retains a message. Integer representing seconds, from 60 (1 minute) to 1209600 (14 days). The default for this attribute is 345600 (4 days).
+         */
+        messageRetentionSeconds?: pulumi.Input<number>;
+        /**
+         * Name of the queue. Queue names must be made up of only uppercase and lowercase ASCII letters, numbers, underscores, and hyphens, and must be between 1 and 80 characters long. For a FIFO (first-in-first-out) queue, the name must end with the `.fifo` suffix. If omitted, the provider will assign a random, unique name. Conflicts with <span pulumi-lang-nodejs="`namePrefix`" pulumi-lang-dotnet="`NamePrefix`" pulumi-lang-go="`namePrefix`" pulumi-lang-python="`name_prefix`" pulumi-lang-yaml="`namePrefix`" pulumi-lang-java="`namePrefix`">`name_prefix`</span>.
+         */
+        name?: pulumi.Input<string>;
+        /**
+         * Creates a unique name beginning with the specified prefix. Conflicts with <span pulumi-lang-nodejs="`name`" pulumi-lang-dotnet="`Name`" pulumi-lang-go="`name`" pulumi-lang-python="`name`" pulumi-lang-yaml="`name`" pulumi-lang-java="`name`">`name`</span>.
+         */
+        namePrefix?: pulumi.Input<string>;
+        /**
+         * JSON policy for the SQS queue. For more information about building AWS IAM policy documents see the AWS IAM Policy Document Guide. The provider will only perform drift detection of its value when present in a configuration. It is preferred to use the <span pulumi-lang-nodejs="`aws.sqs.QueuePolicy`" pulumi-lang-dotnet="`aws.sqs.QueuePolicy`" pulumi-lang-go="`sqs.QueuePolicy`" pulumi-lang-python="`sqs.QueuePolicy`" pulumi-lang-yaml="`aws.sqs.QueuePolicy`" pulumi-lang-java="`aws.sqs.QueuePolicy`">`aws.sqs.QueuePolicy`</span> resource instead.
+         */
+        policy?: pulumi.Input<string>;
+        /**
+         * Time for which a ReceiveMessage call will wait for a message to arrive (long polling) before returning. An integer from 0 to 20 (seconds). The default for this attribute is 0, meaning that the call will return immediately.
+         */
+        receiveWaitTimeSeconds?: pulumi.Input<number>;
+        /**
+         * JSON policy to set up the Dead Letter Queue redrive permission, see [AWS docs](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSDeadLetterQueue.html). The provider will only perform drift detection of its value when present in a configuration. It is preferred to use the <span pulumi-lang-nodejs="`aws.sqs.RedriveAllowPolicy`" pulumi-lang-dotnet="`aws.sqs.RedriveAllowPolicy`" pulumi-lang-go="`sqs.RedriveAllowPolicy`" pulumi-lang-python="`sqs.RedriveAllowPolicy`" pulumi-lang-yaml="`aws.sqs.RedriveAllowPolicy`" pulumi-lang-java="`aws.sqs.RedriveAllowPolicy`">`aws.sqs.RedriveAllowPolicy`</span> resource instead.
+         */
+        redriveAllowPolicy?: pulumi.Input<string>;
+        /**
+         * JSON policy to set up the Dead Letter Queue, see [AWS docs](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSDeadLetterQueue.html). The provider will only perform drift detection of its value when present in a configuration. It is preferred to use the <span pulumi-lang-nodejs="`aws.sqs.RedrivePolicy`" pulumi-lang-dotnet="`aws.sqs.RedrivePolicy`" pulumi-lang-go="`sqs.RedrivePolicy`" pulumi-lang-python="`sqs.RedrivePolicy`" pulumi-lang-yaml="`aws.sqs.RedrivePolicy`" pulumi-lang-java="`aws.sqs.RedrivePolicy`">`aws.sqs.RedrivePolicy`</span> resource instead. **Note:** when specifying `maxReceiveCount`, you must specify it as an integer (<span pulumi-lang-nodejs="`5`" pulumi-lang-dotnet="`5`" pulumi-lang-go="`5`" pulumi-lang-python="`5`" pulumi-lang-yaml="`5`" pulumi-lang-java="`5`">`5`</span>), and not a string (`"5"`).
+         */
+        redrivePolicy?: pulumi.Input<string>;
+        /**
+         * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
+         */
+        region?: pulumi.Input<string>;
+        /**
+         * Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys. See [Encryption at rest](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html). The provider will only perform drift detection of its value when present in a configuration.
+         */
+        sqsManagedSseEnabled?: pulumi.Input<boolean>;
+        /**
+         * Map of tags to assign to the queue. If configured with a provider <span pulumi-lang-nodejs="`defaultTags`" pulumi-lang-dotnet="`DefaultTags`" pulumi-lang-go="`defaultTags`" pulumi-lang-python="`default_tags`" pulumi-lang-yaml="`defaultTags`" pulumi-lang-java="`defaultTags`">`default_tags`</span> configuration block present, tags with matching keys will overwrite those defined at the provider-level.
+         */
+        tags?: pulumi.Input<{
+            [key: string]: pulumi.Input<string>;
+        }>;
+        /**
+         * Visibility timeout for the queue. An integer from 0 to 43200 (12 hours). The default for this attribute is 30. For more information about visibility timeout, see [AWS docs](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/AboutVT.html).
+         */
+        visibilityTimeoutSeconds?: pulumi.Input<number>;
+    }
+    interface QueueTransformArgsArgs {
+        queue?: pulumi.Input<inputs.aws.QueueOverridesArgs>;
+    }
+    /**
+     * SiteOriginProtectionArgs configures CloudFront origin protection via WAF. When set, Anvil provisions a WAF WebACL that blocks any request missing the correct x-origin-secret header. Configure Cloudflare Transform Rules to inject this header on every proxied request using the outputted originSecret value.
+     */
+    interface SiteOriginProtectionArgs {
+        /**
+         * Provider is the CDN/proxy in front of CloudFront. Only "cloudflare" is supported.
+         */
+        provider?: pulumi.Input<enums.aws.SiteOriginProtectionProvider>;
+    }
+    interface VpcBastionArgsArgs {
+        /**
+         * Source IP CIDRs allowed to initiate SSM sessions via IAM policy condition. Omit to allow any authenticated IAM principal. Example: ['203.0.113.0/32'] to restrict to your office IP.
+         */
+        allowedCidrs?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * EC2 instance type for the bastion host. Default: 't4g.nano' — the bastion is purely a jump box with minimal resource requirements.
+         */
+        instanceType?: pulumi.Input<string>;
+    }
+    interface VpcCloudWatchFlowLogArgsArgs {
+        /**
+         * Number of days to retain flow log data in CloudWatch Logs. Common values: 7, 14, 30, 90.
+         */
+        retention: pulumi.Input<number>;
+    }
+    /**
+     * A single permission statement in the VPC endpoint policy. Effect must be Allow or Deny. Action is an IAM action string. Resource defaults to * if omitted.
+     */
+    interface VpcEndpointPermissionArgs {
+        /**
+         * The IAM action string, e.g. "sqs:SendMessage", "secretsmanager:GetSecretValue".
+         */
+        action: pulumi.Input<string>;
+        /**
+         * The IAM effect — "Allow" or "Deny".
+         */
+        effect: pulumi.Input<string>;
+        /**
+         * The ARN to scope this permission to. Defaults to "*" if omitted — applies to all resources of this service. Accepts Output<string> — pass resource ARNs directly, e.g. queue.arn, secret.arn.
+         */
+        resource?: pulumi.Input<string>;
+    }
+    interface VpcFlowLogsArgsArgs {
+        /**
+         * Enable flow log delivery to a CloudWatch Log Group. Use for fast querying with CloudWatch Logs Insights and active debugging of connection issues.
+         */
+        cloudwatch?: pulumi.Input<inputs.aws.VpcCloudWatchFlowLogArgsArgs>;
+        /**
+         * Enable flow log delivery to a dedicated S3 bucket with auto-tiered lifecycle policy. Use for compliance retention and audit evidence.
+         */
+        s3?: pulumi.Input<inputs.aws.VpcS3FlowLogArgsArgs>;
+    }
+    interface VpcNatArgsArgs {
+        /**
+         * EC2 instance type for the fck-nat instance. Only applies when natType is 'fck-nat'. Default: 't4g.small'.
+         */
+        instanceType?: pulumi.Input<string>;
+        /**
+         * Type of NAT to provision. 'gateway' provisions one AWS managed NAT Gateway per AZ. 'fck-nat' provisions a single fck-nat EC2 instance shared across all AZs.
+         */
+        natType: pulumi.Input<enums.aws.VpcNatType>;
+    }
+    interface VpcS3FlowLogArgsArgs {
+        /**
+         * Storage tiering policy for flow log retention.
+         */
+        lifecycle: pulumi.Input<enums.aws.S3FlowLogLifecycle>;
+    }
 }
 export declare namespace gcp {
     interface BucketOverridesArgs {