@anvil-cloud/sdk 0.0.13 → 0.0.15

package/bin/types/output.d.ts

@@ -1,4 +1,17 @@
 export declare namespace aws {
+    /**
+     * ACM certificate DNS validation CNAME record. Only populated when domain.dns: false and domain.certificateArn is omitted. Add this record in your DNS provider (e.g. Cloudflare) then re-run deploy — Anvil blocks until ACM confirms validation.
+     */
+    interface HttpApiCertValidationCname {
+        /**
+         * The CNAME record name to add in your DNS provider.
+         */
+        name: string;
+        /**
+         * The CNAME record value to point to.
+         */
+        value: string;
+    }
 }
 export declare namespace gcp {
 }

package/grants.ts

@@ -12,14 +12,7 @@ import * as aws from '@pulumi/aws';
  * Compute resources (Lambda, SvelteKitSite, etc.) satisfy this interface.
  */
 export interface GrantTarget {
-  /**
-   * The logical resource name passed to the constructor.
-   */
   grantName(): string;
-
-  /**
-   * The ARN of the IAM execution role attached to this compute resource.
-   */
   grantRoleArn(): pulumi.Output<string>;
 }
 
@@ -27,10 +20,6 @@ export interface GrantTarget {
  * Optional metadata for grant methods.
  */
 export interface GrantOptions {
-  /**
-   * Documents why this grant is needed.
-   * Stored as a tag on the generated IAM policy resource for audit purposes.
-   */
   justification?: string;
 }
 
@@ -38,8 +27,6 @@ export interface GrantOptions {
  * Creates a scoped IAM RolePolicy granting the specified actions on the
  * specified resource ARNs to the target's execution role.
  *
- * This is the core engine that all resource-specific grant methods delegate to.
- *
  * @internal
  */
 export function createGrant(
@@ -63,14 +50,11 @@ export function createGrant(
     })
   );
 
-  // Extract role name from ARN (everything after the last "/")
   const roleName = target.grantRoleArn().apply((arn) => {
     const idx = arn.lastIndexOf('/');
     return idx >= 0 ? arn.substring(idx + 1) : arn;
   });
 
-  // Justification is stored in the resource name suffix for audit trail.
-  // Future: compliance audit trail (Pro tier) will capture this metadata separately.
   const policyName = opts?.justification
     ? `${name}-${sanitize(opts.justification)}`
     : name;
@@ -85,7 +69,7 @@ export function createGrant(
   );
 }
 
-/** @internal Sanitize a string for use in resource names. */
+/** @internal */
 function sanitize(s: string): string {
   return s
     .toLowerCase()
@@ -95,18 +79,19 @@ function sanitize(s: string): string {
 
 /**
  * Builds the list of ARNs for a grant based on a base ARN and optional path scoping.
- *
- * - No paths: grants access to the entire resource (baseArn + baseArn/*)
- * - With paths: grants access to baseArn (for list operations) + each scoped path
- *
  * @internal
  */
 export function buildResourceArns(
   baseArn: pulumi.Output<string>,
-  paths?: string[]
+  paths?: string[] | null
 ): pulumi.Output<string>[] {
   const arns: pulumi.Output<string>[] = [baseArn];
 
+  if (paths === null) {
+    // Explicit null = base ARN only, no sub-paths (used by DynamoDB index grants)
+    return arns;
+  }
+
   if (!paths || paths.length === 0) {
     arns.push(pulumi.interpolate`${baseArn}/*`);
   } else {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anvil-cloud/sdk",
-  "version": "0.0.13",
+  "version": "0.0.15",
   "scripts": {
     "build": "tsc && cp package.json bin/"
   },

package/tsconfig.json

@@ -14,9 +14,18 @@
     },
     "files": [
         "aws/bucket.ts",
+        "aws/cognitoAuth.ts",
+        "aws/cognitoUserPool.ts",
+        "aws/dynamoDB.ts",
+        "aws/eventBus.ts",
+        "aws/httpApi.ts",
         "aws/index.ts",
         "aws/lambda.ts",
+        "aws/oauthAuthorizer.ts",
+        "aws/queue.ts",
         "aws/svelteKitSite.ts",
+        "aws/vpc.ts",
+        "aws/vpcEndpoint.ts",
         "gcp/function.ts",
         "gcp/index.ts",
         "gcp/storageBucket.ts",

package/types/enums/aws/index.ts

@@ -2,13 +2,211 @@
 // *** Do not edit by hand unless you're certain you know what you are doing! ***
 
 
+export const CognitoUserPoolCustomAttributeType = {
+    String: "String",
+    Number: "Number",
+    DateTime: "DateTime",
+    Boolean: "Boolean",
+} as const;
+
+export type CognitoUserPoolCustomAttributeType = (typeof CognitoUserPoolCustomAttributeType)[keyof typeof CognitoUserPoolCustomAttributeType];
+
+export const CognitoUserPoolIdentityProviderType = {
+    /**
+     * Google OAuth 2.0. Requires clientId and clientSecret.
+     */
+    Google: "Google",
+    /**
+     * Facebook OAuth 2.0. Requires clientId and clientSecret.
+     */
+    Facebook: "Facebook",
+    /**
+     * Login with Amazon. Requires clientId and clientSecret.
+     */
+    LoginWithAmazon: "LoginWithAmazon",
+    /**
+     * Sign in with Apple. Requires clientId and clientSecret.
+     */
+    SignInWithApple: "SignInWithApple",
+    /**
+     * Generic OIDC provider (Okta, Auth0, Microsoft Entra, etc.). Requires clientId, clientSecret, and oidcIssuer.
+     */
+    OIDC: "OIDC",
+    /**
+     * SAML 2.0 provider (corporate SSO, Active Directory Federation Services etc.). Requires metadataUrl or metadataContent.
+     */
+    SAML: "SAML",
+} as const;
+
+export type CognitoUserPoolIdentityProviderType = (typeof CognitoUserPoolIdentityProviderType)[keyof typeof CognitoUserPoolIdentityProviderType];
+
+export const CognitoUserPoolMfaMethod = {
+    /**
+     * Time-based one-time password (authenticator app). No additional AWS resources required.
+     */
+    TOTP: "TOTP",
+    /**
+     * SMS one-time password via SNS. Requires snsCallerArn.
+     */
+    SMS: "SMS",
+} as const;
+
+export type CognitoUserPoolMfaMethod = (typeof CognitoUserPoolMfaMethod)[keyof typeof CognitoUserPoolMfaMethod];
+
+export const CognitoUserPoolMfaMode = {
+    /**
+     * MFA disabled. Default.
+     */
+    OFF: "OFF",
+    /**
+     * MFA available but not required. Users opt in.
+     */
+    OPTIONAL: "OPTIONAL",
+    /**
+     * MFA required for all users.
+     */
+    REQUIRED: "REQUIRED",
+} as const;
+
+export type CognitoUserPoolMfaMode = (typeof CognitoUserPoolMfaMode)[keyof typeof CognitoUserPoolMfaMode];
+
+export const CognitoUserPoolOAuthFlow = {
+    /**
+     * Authorization code grant (PKCE). Most secure — use for all browser and server apps.
+     */
+    Code: "code",
+    /**
+     * Implicit grant. Deprecated — tokens visible in browser URL. Avoid for new applications.
+     */
+    Implicit: "implicit",
+    /**
+     * Client credentials grant. M2M only — no user interaction.
+     */
+    Client_credentials: "client_credentials",
+} as const;
+
+export type CognitoUserPoolOAuthFlow = (typeof CognitoUserPoolOAuthFlow)[keyof typeof CognitoUserPoolOAuthFlow];
+
+export const CognitoUserPoolUsernameAttribute = {
+    /**
+     * Users sign in with their email address.
+     */
+    Email: "email",
+    /**
+     * Users sign in with their phone number.
+     */
+    Phone_number: "phone_number",
+} as const;
+
+export type CognitoUserPoolUsernameAttribute = (typeof CognitoUserPoolUsernameAttribute)[keyof typeof CognitoUserPoolUsernameAttribute];
+
+export const DynamoDBAttributeType = {
+    /**
+     * String
+     */
+    S: "S",
+    /**
+     * Number
+     */
+    N: "N",
+    /**
+     * Binary
+     */
+    B: "B",
+} as const;
+
+export type DynamoDBAttributeType = (typeof DynamoDBAttributeType)[keyof typeof DynamoDBAttributeType];
+
+export const DynamoDBProjectionType = {
+    /**
+     * All attributes are projected. Default.
+     */
+    ALL: "ALL",
+    /**
+     * Only the table and GSI key attributes are projected.
+     */
+    KEYS_ONLY: "KEYS_ONLY",
+    /**
+     * Only the specified nonKeyAttributes are projected in addition to keys.
+     */
+    INCLUDE: "INCLUDE",
+} as const;
+
+export type DynamoDBProjectionType = (typeof DynamoDBProjectionType)[keyof typeof DynamoDBProjectionType];
+
+export const DynamoDBStreamStartingPosition = {
+    /**
+     * Start reading from the oldest available record in the stream. Replays all existing records up to 24hr retention window. AWS default.
+     */
+    TRIM_HORIZON: "TRIM_HORIZON",
+    /**
+     * Start reading from the most recent record. Only processes new events from the point of consumer creation.
+     */
+    LATEST: "LATEST",
+} as const;
+
+export type DynamoDBStreamStartingPosition = (typeof DynamoDBStreamStartingPosition)[keyof typeof DynamoDBStreamStartingPosition];
+
+export const DynamoDBStreamViewType = {
+    /**
+     * Only the new item image is written to the stream.
+     */
+    NEW_IMAGE: "NEW_IMAGE",
+    /**
+     * Only the old item image is written to the stream.
+     */
+    OLD_IMAGE: "OLD_IMAGE",
+    /**
+     * Both old and new item images are written to the stream.
+     */
+    NEW_AND_OLD_IMAGES: "NEW_AND_OLD_IMAGES",
+    /**
+     * Only the key attributes are written to the stream.
+     */
+    KEYS_ONLY: "KEYS_ONLY",
+} as const;
+
+export type DynamoDBStreamViewType = (typeof DynamoDBStreamViewType)[keyof typeof DynamoDBStreamViewType];
+
+export const HttpApiMethod = {
+    /**
+     * HTTP GET — read operations.
+     */
+    GET: "GET",
+    /**
+     * HTTP POST — create operations and async consumers (SQS, EventBridge, Step Functions).
+     */
+    POST: "POST",
+    /**
+     * HTTP PUT — replace operations.
+     */
+    PUT: "PUT",
+    /**
+     * HTTP PATCH — partial update operations.
+     */
+    PATCH: "PATCH",
+    /**
+     * HTTP DELETE — delete operations.
+     */
+    DELETE: "DELETE",
+    /**
+     * Matches all HTTP methods. Maps to the $default route key.
+     */
+    ANY: "ANY",
+} as const;
+
+/**
+ * HTTP method for an API route.
+ */
+export type HttpApiMethod = (typeof HttpApiMethod)[keyof typeof HttpApiMethod];
+
 export const LambdaArchitecture = {
     /**
-     * Graviton — 20% cheaper, better performance. Default.
+     * Graviton - 20% cheaper, better performance. Default.
      */
     Arm64: "arm64",
     /**
-     * Intel/AMD — use for x86-specific native dependencies.
+     * Intel/AMD - use for x86-specific native dependencies.
      */
     X86_64: "x86_64",
 } as const;
@@ -29,19 +227,19 @@ export const LambdaLogRetention = {
      */
     LambdaLogRetention_90d: "90d",
     /**
-     * 1 year (365 days) — SOC 2 / ISO 27001 / PCI-DSS baseline. Default.
+     * 1 year (365 days) - SOC 2 / ISO 27001 / PCI-DSS baseline. Default.
      */
     LambdaLogRetention_1y: "1y",
     /**
-     * 3 years (1095 days) — FedRAMP minimum
+     * 3 years (1095 days) - FedRAMP minimum
      */
     LambdaLogRetention_3y: "3y",
     /**
-     * 6 years (2190 days) — HIPAA minimum
+     * 6 years (2190 days) - HIPAA minimum
      */
     LambdaLogRetention_6y: "6y",
     /**
-     * 7 years (2555 days) — IRAP minimum
+     * 7 years (2555 days) - IRAP minimum
      */
     LambdaLogRetention_7y: "7y",
 } as const;
@@ -50,7 +248,7 @@ export type LambdaLogRetention = (typeof LambdaLogRetention)[keyof typeof Lambda
 
 export const LambdaRuntime = {
     /**
-     * Node.js 24 (LTS) — recommended
+     * Node.js 24 (LTS) - recommended
      */
     Nodejs24_x: "nodejs24.x",
     /**
@@ -60,3 +258,37 @@ export const LambdaRuntime = {
 } as const;
 
 export type LambdaRuntime = (typeof LambdaRuntime)[keyof typeof LambdaRuntime];
+
+export const S3FlowLogLifecycle = {
+    /**
+     * Auto-tiered: Standard (0-30d) → Standard-IA (30-90d) → Glacier Instant Retrieval (90d+). Suitable for compliance retention at minimal long-term cost.
+     */
+    Standard: "standard",
+} as const;
+
+export type S3FlowLogLifecycle = (typeof S3FlowLogLifecycle)[keyof typeof S3FlowLogLifecycle];
+
+export const SiteOriginProtectionProvider = {
+    /**
+     * Cloudflare — inject x-origin-secret via a Cloudflare Transform Rule.
+     */
+    Cloudflare: "cloudflare",
+} as const;
+
+/**
+ * The CDN/proxy provider sitting in front of CloudFront.
+ */
+export type SiteOriginProtectionProvider = (typeof SiteOriginProtectionProvider)[keyof typeof SiteOriginProtectionProvider];
+
+export const VpcNatType = {
+    /**
+     * AWS managed NAT Gateway. One per AZ for true HA. ~$32/month per AZ plus $0.045/GB data processed.
+     */
+    Gateway: "gateway",
+    /**
+     * fck-nat EC2 instance. Single instance regardless of AZ count. ~$4-6/month for t4g.small. Accepted single point of failure tradeoff for cost savings.
+     */
+    Fck_nat: "fck-nat",
+} as const;
+
+export type VpcNatType = (typeof VpcNatType)[keyof typeof VpcNatType];