@anvil-cloud/sdk 0.0.14 → 0.0.15

package/aws/oauthAuthorizer.ts

@@ -0,0 +1,70 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "../utilities";
+
+/**
+ * An Anvil-managed JWT authorizer for HTTP API Gateway. Works with any OIDC-compliant identity provider — Auth0, Clerk, Google, Okta, Cognito. API Gateway verifies the JWT signature, issuer, audience, and expiry on every request natively — no Lambda or custom code required. Pass authorizerId to HttpApi defaultAuthorizerId to protect your routes.
+ */
+export class OAuthAuthorizer extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:OAuthAuthorizer';
+
+    /**
+     * Returns true if the given object is an instance of OAuthAuthorizer.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is OAuthAuthorizer {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === OAuthAuthorizer.__pulumiType;
+    }
+
+    /**
+     * The API Gateway authorizer ID. Pass this to HttpApi defaultAuthorizerId to protect your API routes.
+     */
+    declare public /*out*/ readonly authorizerId: pulumi.Output<string>;
+
+    /**
+     * Create a OAuthAuthorizer resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: OAuthAuthorizerArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.audience === undefined && !opts.urn) {
+                throw new Error("Missing required property 'audience'");
+            }
+            if (args?.issuer === undefined && !opts.urn) {
+                throw new Error("Missing required property 'issuer'");
+            }
+            resourceInputs["audience"] = args?.audience;
+            resourceInputs["issuer"] = args?.issuer;
+            resourceInputs["authorizerId"] = undefined /*out*/;
+        } else {
+            resourceInputs["authorizerId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(OAuthAuthorizer.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+
+/**
+ * The set of arguments for constructing a OAuthAuthorizer resource.
+ */
+export interface OAuthAuthorizerArgs {
+    /**
+     * The intended recipients of the JWT. API Gateway rejects tokens whose 'aud' claim does not match one of these values. Typically your API's client ID registered with the identity provider.
+     */
+    audience: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The OIDC issuer URL of your identity provider. API Gateway fetches public signing keys from {issuer}/.well-known/jwks.json to verify token signatures. Examples: Auth0: 'https://your-tenant.auth0.com/', Clerk: 'https://your-instance.clerk.accounts.dev', Google: 'https://accounts.google.com'.
+     */
+    issuer: pulumi.Input<string>;
+}

package/aws/queue.ts

@@ -0,0 +1,156 @@
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
+import * as utilities from "../utilities";
+import * as grants from "../grants";
+
+/**
+ * An Anvil-managed SQS queue. A dead letter queue is always provisioned to prevent silent message loss. SSE-SQS encryption is enabled by default at no cost.
+ */
+export class Queue extends pulumi.ComponentResource {
+    /** @internal */
+    public static readonly __pulumiType = 'anvil:aws:Queue';
+
+    /** @internal Logical resource name for grant policy naming. */
+    private __name: string;
+
+    /**
+     * Returns true if the given object is an instance of Queue.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Queue {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Queue.__pulumiType;
+    }
+
+    /**
+     * The ARN of the SQS queue.
+     */
+    declare public /*out*/ readonly arn: pulumi.Output<string>;
+    /**
+     * The ARN of the dead letter queue.
+     */
+    declare public /*out*/ readonly dlqArn: pulumi.Output<string>;
+    /**
+     * The URL of the dead letter queue.
+     */
+    declare public /*out*/ readonly dlqUrl: pulumi.Output<string>;
+    /**
+     * The physical name of the SQS queue.
+     */
+    declare public /*out*/ readonly name: pulumi.Output<string>;
+    /**
+     * The URL of the SQS queue. Use this to send and receive messages.
+     */
+    declare public /*out*/ readonly url: pulumi.Output<string>;
+
+    /**
+     * Create a Queue resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: QueueArgs, opts?: pulumi.ComponentResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["consumer"] = args?.consumer;
+            resourceInputs["dlq"] = args?.dlq;
+            resourceInputs["fifo"] = args?.fifo;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["dlqArn"] = undefined /*out*/;
+            resourceInputs["dlqUrl"] = undefined /*out*/;
+            resourceInputs["name"] = undefined /*out*/;
+            resourceInputs["url"] = undefined /*out*/;
+        } else {
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["dlqArn"] = undefined /*out*/;
+            resourceInputs["dlqUrl"] = undefined /*out*/;
+            resourceInputs["name"] = undefined /*out*/;
+            resourceInputs["url"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Queue.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+
+    /**
+     * Grants sendmessage access (sqs:SendMessage) on this queue
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    public grantSendMessage(target: grants.GrantTarget, opts?: grants.GrantOptions): void {
+        const name = `${this.__name}-${target.grantName()}-sendmessage`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["sqs:SendMessage"], arns, opts);
+    }
+
+    /**
+     * Grants consumemessages access (sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes) on this queue
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    public grantConsumeMessages(target: grants.GrantTarget, opts?: grants.GrantOptions): void {
+        const name = `${this.__name}-${target.grantName()}-consumemessages`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"], arns, opts);
+    }
+
+    /**
+     * Grants full access (sqs:SendMessage, sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes, sqs:ChangeMessageVisibility, sqs:PurgeQueue) on this queue
+     * to the target compute resource's execution role.
+     *
+     * This is an escape hatch — prefer scoped grants (grantRead, grantWrite, etc.).
+     * A warning is logged if no justification is provided.
+     */
+    public grantFullAccess(target: grants.GrantTarget, opts?: grants.GrantOptions): void {
+        if (!opts?.justification) {
+            pulumi.log.warn(
+                `⚠ ${this.__name} → ${target.grantName()}: full access granted with no justification. ` +
+                `Consider scoping with grantRead, grantWrite, or grantDelete, ` +
+                `or add a justification.`,
+                this,
+            );
+        } else {
+            pulumi.log.info(
+                `ℹ ${this.__name} → ${target.grantName()}: full access granted. Justification: "${opts.justification}"`,
+                this,
+            );
+        }
+        const name = `${this.__name}-${target.grantName()}-fullaccess`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:ChangeMessageVisibility", "sqs:PurgeQueue"], arns, opts);
+    }
+
+}
+
+/**
+ * The set of arguments for constructing a Queue resource.
+ */
+export interface QueueArgs {
+    /**
+     * Wires a compute resource to consume messages from this queue. Creates the event source mapping (trigger) and grants the necessary IAM permissions automatically.
+     */
+    consumer?: pulumi.Input<inputs.aws.QueueConsumerArgsArgs>;
+    /**
+     * Dead letter queue configuration. Always provisioned — messages that fail processing are moved here instead of being silently dropped. Omit to use defaults (managed DLQ, maxReceiveCount: 3). Set arn to reuse an existing queue.
+     */
+    dlq?: pulumi.Input<inputs.aws.QueueDlqArgsArgs>;
+    /**
+     * Creates a FIFO queue when true. FIFO queues guarantee message ordering and exactly-once processing but have lower throughput (~3,000 msg/s vs unlimited for standard). Use for financial transactions, inventory updates, or any workflow where ordering or deduplication matters. Default: false.
+     */
+    fifo?: pulumi.Input<boolean>;
+    transform?: pulumi.Input<inputs.aws.QueueTransformArgsArgs>;
+}

package/aws/svelteKitSite.ts

@@ -2,6 +2,9 @@
 // *** Do not edit by hand unless you're certain you know what you are doing! ***
 
 import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+import * as enums from "../types/enums";
 import * as utilities from "../utilities";
 
 export class SvelteKitSite extends pulumi.ComponentResource {
@@ -23,6 +26,10 @@ export class SvelteKitSite extends pulumi.ComponentResource {
     declare public /*out*/ readonly cloudFrontDistributionId: pulumi.Output<string | undefined>;
     declare public /*out*/ readonly dnsRecords: pulumi.Output<string | undefined>;
     declare public /*out*/ readonly functionName: pulumi.Output<string | undefined>;
+    /**
+     * OriginSecret is the x-origin-secret header value to configure in Cloudflare Transform Rules. Only populated when originProtection is set.
+     */
+    declare public /*out*/ readonly originSecret: pulumi.Output<string | undefined>;
     declare public /*out*/ readonly url: pulumi.Output<string | undefined>;
 
     /**
@@ -38,6 +45,7 @@ export class SvelteKitSite extends pulumi.ComponentResource {
         if (!opts.id) {
             resourceInputs["domain"] = args?.domain;
             resourceInputs["environment"] = args?.environment;
+            resourceInputs["originProtection"] = args?.originProtection;
             resourceInputs["path"] = args?.path;
             resourceInputs["runtimeEnvironment"] = args?.runtimeEnvironment;
             resourceInputs["transform"] = args?.transform;
@@ -45,12 +53,14 @@ export class SvelteKitSite extends pulumi.ComponentResource {
             resourceInputs["cloudFrontDistributionId"] = undefined /*out*/;
             resourceInputs["dnsRecords"] = undefined /*out*/;
             resourceInputs["functionName"] = undefined /*out*/;
+            resourceInputs["originSecret"] = undefined /*out*/;
             resourceInputs["url"] = undefined /*out*/;
         } else {
             resourceInputs["bucketName"] = undefined /*out*/;
             resourceInputs["cloudFrontDistributionId"] = undefined /*out*/;
             resourceInputs["dnsRecords"] = undefined /*out*/;
             resourceInputs["functionName"] = undefined /*out*/;
+            resourceInputs["originSecret"] = undefined /*out*/;
             resourceInputs["url"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
@@ -67,6 +77,10 @@ export interface SvelteKitSiteArgs {
      * Environment vars available at BOTH build time and runtime. Values must be string literals since they're needed before the build runs.
      */
     environment?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+    /**
+     * OriginProtection enables WAF-based origin protection. When set, a WAF WebACL is created that blocks requests missing the x-origin-secret header. The secret value is output as originSecret. Requires domain to be set.
+     */
+    originProtection?: pulumi.Input<inputs.aws.SiteOriginProtectionArgs>;
     path?: pulumi.Input<string>;
     /**
      * Runtime-only environment vars set on the Lambda function. Supports Pulumi Output values (e.g. bucket.name, fn.arn). Only available at request time, NOT during build/prerendering.

package/aws/vpcEndpoint.ts

@@ -8,7 +8,7 @@ import * as enums from "../types/enums";
 import * as utilities from "../utilities";
 
 /**
- * An Anvil-managed AWS Interface VPC Endpoint. Creates one ENI per private subnet with private DNS enabled — standard AWS service hostnames resolve to ENI IPs inside the VPC automatically. Includes a dedicated security group with zero rules by default. Use grantEndpointAccess on compute resources to open the network path. IAM permissions are managed separately via grantPermissions.
+ * An Anvil-managed AWS Interface VPC Endpoint. Creates one ENI per private subnet with private DNS enabled. The endpoint security group uses a self-referencing ingress rule on port 443 — only compute resources that have been explicitly granted access can reach the endpoint at the network layer. Access is enforced at three layers: network (self-referencing SG), IAM role policy (scoped per compute resource), and endpoint policy (blanket ceiling on allowed actions for all compute principals — Lambda, ECS, EC2).
  */
 export class VpcEndpoint extends pulumi.ComponentResource {
     /** @internal */
@@ -26,7 +26,7 @@ export class VpcEndpoint extends pulumi.ComponentResource {
     }
 
     /**
-     * The first DNS name assigned to the endpoint, e.g. vpce-xxx.ssm.ap-southeast-2.vpce.amazonaws.com. With private DNS enabled, normal consumers use the standard AWS SDK hostname — this is exposed for debugging and multi-VPC architectures only.
+     * The first DNS name assigned to the endpoint, e.g. vpce-xxx.sqs.ap-southeast-2.vpce.amazonaws.com. With private DNS enabled, normal consumers use the standard AWS SDK hostname — this is exposed for debugging and multi-VPC architectures only.
      */
     declare public /*out*/ readonly dnsName: pulumi.Output<string>;
     /**
@@ -34,7 +34,7 @@ export class VpcEndpoint extends pulumi.ComponentResource {
      */
     declare public /*out*/ readonly endpointId: pulumi.Output<string>;
     /**
-     * The ID of the dedicated security group attached to this endpoint. Zero rules by default. Ingress rules are added when compute resources call grantEndpointAccess.
+     * The ID of the dedicated security group attached to this endpoint. Uses a self-referencing ingress rule on port 443 — only compute resources with this SG explicitly attached can reach the endpoint at the network layer.
      */
     declare public /*out*/ readonly securityGroupId: pulumi.Output<string>;
 
@@ -58,6 +58,7 @@ export class VpcEndpoint extends pulumi.ComponentResource {
             if (args?.vpcId === undefined && !opts.urn) {
                 throw new Error("Missing required property 'vpcId'");
             }
+            resourceInputs["overridePermissions"] = args?.overridePermissions;
             resourceInputs["privateSubnetIds"] = args?.privateSubnetIds;
             resourceInputs["service"] = args?.service;
             resourceInputs["vpcId"] = args?.vpcId;
@@ -78,6 +79,10 @@ export class VpcEndpoint extends pulumi.ComponentResource {
  * The set of arguments for constructing a VpcEndpoint resource.
  */
 export interface VpcEndpointArgs {
+    /**
+     * Explicit Allow and Deny permission statements for the endpoint policy. When omitted, the endpoint policy allows all actions (*) for all Anvil compute principals (Lambda, ECS, EC2). When set, only the declared actions are permitted — the caller is responsible for declaring every action their compute resources need. Supports both Allow and Deny effects. Resource defaults to "*" if omitted on a permission entry.
+     */
+    overridePermissions?: pulumi.Input<pulumi.Input<inputs.aws.VpcEndpointPermissionArgs>[]>;
     /**
      * The IDs of the private subnets to attach the endpoint to. AWS places one ENI per subnet. Pass all private subnet IDs from your VPC — typically one per AZ.
      */
@@ -85,7 +90,7 @@ export interface VpcEndpointArgs {
     /**
      * The AWS service to route privately. The full com.amazonaws.{region}.{service} name is constructed at deploy time from the resolved region — you never write it manually.
      */
-    service: pulumi.Input<enums.aws.AwsVpcEndpointService>;
+    service: pulumi.Input<string>;
     /**
      * The ID of the VPC to create the endpoint in. Accepts both Anvil-managed VPC IDs and imported VPC IDs.
      */

package/bin/aws/cognitoAuth.d.ts

@@ -0,0 +1,36 @@
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * An Anvil-managed JWT authorizer backed by a Cognito user pool. Derives the issuer URL automatically from the user pool ID — no manual Cognito endpoint construction required. Creates a native API Gateway JWT authorizer; verification is handled entirely by API Gateway with no Lambda or custom code. Pass authorizerId to HttpApi defaultAuthorizerId to protect your API routes.
+ */
+export declare class CognitoAuth extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of CognitoAuth.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is CognitoAuth;
+    /**
+     * The API Gateway authorizer ID. Pass this to HttpApi defaultAuthorizerId to protect your API routes.
+     */
+    readonly authorizerId: pulumi.Output<string>;
+    /**
+     * Create a CognitoAuth resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: CognitoAuthArgs, opts?: pulumi.ComponentResourceOptions);
+}
+/**
+ * The set of arguments for constructing a CognitoAuth resource.
+ */
+export interface CognitoAuthArgs {
+    /**
+     * The Cognito app client IDs allowed to access this API. API Gateway rejects tokens whose 'aud' claim does not match one of these values. Pass your Cognito app client ID(s) here.
+     */
+    audience: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The Cognito user pool ID. Pass pool.userPoolId directly. Accepts Output<string>. Anvil derives the issuer URL automatically: https://cognito-idp.{region}.amazonaws.com/{userPoolId}.
+     */
+    userPoolId: any;
+}

package/bin/aws/cognitoAuth.js

@@ -0,0 +1,53 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CognitoAuth = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * An Anvil-managed JWT authorizer backed by a Cognito user pool. Derives the issuer URL automatically from the user pool ID — no manual Cognito endpoint construction required. Creates a native API Gateway JWT authorizer; verification is handled entirely by API Gateway with no Lambda or custom code. Pass authorizerId to HttpApi defaultAuthorizerId to protect your API routes.
+ */
+class CognitoAuth extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of CognitoAuth.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CognitoAuth.__pulumiType;
+    }
+    /**
+     * Create a CognitoAuth resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.audience === undefined && !opts.urn) {
+                throw new Error("Missing required property 'audience'");
+            }
+            if (args?.userPoolId === undefined && !opts.urn) {
+                throw new Error("Missing required property 'userPoolId'");
+            }
+            resourceInputs["audience"] = args?.audience;
+            resourceInputs["userPoolId"] = args?.userPoolId;
+            resourceInputs["authorizerId"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["authorizerId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CognitoAuth.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+exports.CognitoAuth = CognitoAuth;
+/** @internal */
+CognitoAuth.__pulumiType = 'anvil:aws:CognitoAuth';
+//# sourceMappingURL=cognitoAuth.js.map

package/bin/aws/cognitoAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognitoAuth.js","sourceRoot":"","sources":["../../aws/cognitoAuth.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;GAEG;AACH,MAAa,WAAY,SAAQ,MAAM,CAAC,iBAAiB;IAIrD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,WAAW,CAAC,YAAY,CAAC;IAC5D,CAAC;IAOD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAqB,EAAE,IAAsC;QACnF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,QAAQ,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC3C,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;aAC3D;YACD,IAAI,IAAI,EAAE,UAAU,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC7C,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;aAC7D;YACD,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,YAAY,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC;YAChD,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACtD;aAAM;YACH,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACtD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACjF,CAAC;;AA7CL,kCA8CC;AA7CG,gBAAgB;AACO,wBAAY,GAAG,uBAAuB,CAAC"}

package/bin/aws/cognitoUserPool.d.ts

@@ -0,0 +1,82 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+/**
+ * An Anvil-managed Cognito user pool. Tier 1 controls (deletion protection, enforced password policy, account recovery via email) are always on. Pair with CognitoAuth to protect API Gateway routes.
+ */
+export declare class CognitoUserPool extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of CognitoUserPool.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is CognitoUserPool;
+    /**
+     * The ID of the default app client. Pass to CognitoAuth audience.
+     */
+    readonly appClientId: pulumi.Output<string>;
+    /**
+     * The client secret of the default app client. Only populated when appClient.generateSecret is true. Treat as sensitive.
+     */
+    readonly appClientSecret: pulumi.Output<string | undefined>;
+    /**
+     * The CloudFront distribution domain for the custom hosted UI. Only populated when hostedUi.customDomain is true. Create a Route53 alias record pointing hostedUi.domain to this value to complete DNS setup. Empty string for Cognito-managed domains.
+     */
+    readonly cloudFrontDomain: pulumi.Output<string>;
+    /**
+     * The Cognito OIDC issuer URL. Format: https://cognito-idp.{region}.amazonaws.com/{userPoolId}. Pass directly to CognitoAuth if building the authorizer manually.
+     */
+    readonly endpoint: pulumi.Output<string>;
+    /**
+     * The full hosted UI domain (e.g. https://auth.myapp.com or https://myprefix.auth.us-east-1.amazoncognito.com). Empty string if hostedUi is not configured.
+     */
+    readonly hostedUiDomain: pulumi.Output<string>;
+    /**
+     * The ARN of the Cognito user pool.
+     */
+    readonly userPoolArn: pulumi.Output<string>;
+    /**
+     * The Cognito user pool ID. Pass to CognitoAuth.userPoolId.
+     */
+    readonly userPoolId: pulumi.Output<string>;
+    /**
+     * Create a CognitoUserPool resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CognitoUserPoolArgs, opts?: pulumi.ComponentResourceOptions);
+}
+/**
+ * The set of arguments for constructing a CognitoUserPool resource.
+ */
+export interface CognitoUserPoolArgs {
+    /**
+     * Default app client created with the user pool. Covers the 80% case of one application per pool. Use transform for additional clients.
+     */
+    appClient?: pulumi.Input<inputs.aws.CognitoUserPoolAppClientArgs>;
+    /**
+     * User attribute configuration. Controls sign-in identifiers and required attributes on sign-up.
+     */
+    attributes?: pulumi.Input<inputs.aws.CognitoUserPoolAttributesArgs>;
+    /**
+     * Email delivery configuration. Default: Cognito-managed email (5 emails/day limit). Set sesFromAddress for SES delivery in production.
+     */
+    emailConfiguration?: pulumi.Input<inputs.aws.CognitoUserPoolEmailConfigurationArgs>;
+    /**
+     * Hosted UI / Managed Login configuration. Omit to use the Cognito user pools API directly without a hosted sign-in page.
+     */
+    hostedUi?: pulumi.Input<inputs.aws.CognitoUserPoolHostedUiArgs>;
+    /**
+     * External identity providers to federate with this user pool. Supports Google, Facebook, LoginWithAmazon, SignInWithApple, OIDC, and SAML. Schema never changes per provider — add new providers by extending this array.
+     */
+    identityProviders?: pulumi.Input<pulumi.Input<inputs.aws.CognitoUserPoolIdentityProviderArgs>[]>;
+    /**
+     * MFA configuration. TOTP requires no additional AWS resources. SMS requires an SNS caller ARN.
+     */
+    mfa?: pulumi.Input<inputs.aws.CognitoUserPoolMfaArgs>;
+    /**
+     * Password policy for the user pool. Anvil enforces a secure baseline by default — override only to strengthen.
+     */
+    passwordPolicy?: pulumi.Input<inputs.aws.CognitoUserPoolPasswordPolicyArgs>;
+    transform?: pulumi.Input<inputs.aws.CognitoUserPoolTransformArgsArgs>;
+}

package/bin/aws/cognitoUserPool.js

@@ -0,0 +1,65 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CognitoUserPool = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * An Anvil-managed Cognito user pool. Tier 1 controls (deletion protection, enforced password policy, account recovery via email) are always on. Pair with CognitoAuth to protect API Gateway routes.
+ */
+class CognitoUserPool extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of CognitoUserPool.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CognitoUserPool.__pulumiType;
+    }
+    /**
+     * Create a CognitoUserPool resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["appClient"] = args?.appClient;
+            resourceInputs["attributes"] = args?.attributes;
+            resourceInputs["emailConfiguration"] = args?.emailConfiguration;
+            resourceInputs["hostedUi"] = args?.hostedUi;
+            resourceInputs["identityProviders"] = args?.identityProviders;
+            resourceInputs["mfa"] = args?.mfa;
+            resourceInputs["passwordPolicy"] = args?.passwordPolicy;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["appClientId"] = undefined /*out*/;
+            resourceInputs["appClientSecret"] = undefined /*out*/;
+            resourceInputs["cloudFrontDomain"] = undefined /*out*/;
+            resourceInputs["endpoint"] = undefined /*out*/;
+            resourceInputs["hostedUiDomain"] = undefined /*out*/;
+            resourceInputs["userPoolArn"] = undefined /*out*/;
+            resourceInputs["userPoolId"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["appClientId"] = undefined /*out*/;
+            resourceInputs["appClientSecret"] = undefined /*out*/;
+            resourceInputs["cloudFrontDomain"] = undefined /*out*/;
+            resourceInputs["endpoint"] = undefined /*out*/;
+            resourceInputs["hostedUiDomain"] = undefined /*out*/;
+            resourceInputs["userPoolArn"] = undefined /*out*/;
+            resourceInputs["userPoolId"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CognitoUserPool.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+exports.CognitoUserPool = CognitoUserPool;
+/** @internal */
+CognitoUserPool.__pulumiType = 'anvil:aws:CognitoUserPool';
+//# sourceMappingURL=cognitoUserPool.js.map

package/bin/aws/cognitoUserPool.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognitoUserPool.js","sourceRoot":"","sources":["../../aws/cognitoUserPool.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAI1C;;GAEG;AACH,MAAa,eAAgB,SAAQ,MAAM,CAAC,iBAAiB;IAIzD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,eAAe,CAAC,YAAY,CAAC;IAChE,CAAC;IA+BD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAA0B,EAAE,IAAsC;QACxF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,YAAY,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC;YAChD,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,EAAE,kBAAkB,CAAC;YAChE,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,EAAE,iBAAiB,CAAC;YAC9D,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;YAClC,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC;YACxD,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACtD,cAAc,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACvD,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/C,cAAc,CAAC,gBAAgB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACrD,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACpD;aAAM;YACH,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACtD,cAAc,CAAC,kBAAkB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACvD,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/C,cAAc,CAAC,gBAAgB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACrD,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACpD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,eAAe,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACrF,CAAC;;AAjFL,0CAkFC;AAjFG,gBAAgB;AACO,4BAAY,GAAG,2BAA2B,CAAC"}