@anvil-cloud/sdk 0.0.14 → 0.0.15

package/bin/aws/dynamoDB.d.ts

@@ -0,0 +1,115 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as grants from "../grants";
+/**
+ * Serverless key-value and document store. Secure-by-default DynamoDB table with GSI support, optional streams, and Lambda/EventBridge consumers. First data layer component — pairs naturally with anvil.aws.Lambda.
+ */
+export declare class DynamoDB extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of DynamoDB.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is DynamoDB;
+    /**
+     * The ARN of the DynamoDB stream. Only present when stream is enabled.
+     */
+    readonly streamArn: pulumi.Output<string | undefined>;
+    /**
+     * The ARN of the DynamoDB table.
+     */
+    readonly tableArn: pulumi.Output<string>;
+    /**
+     * The physical DynamoDB table name. Scoped as {name}-{stage}.
+     */
+    readonly tableName: pulumi.Output<string>;
+    /**
+     * Create a DynamoDB resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: DynamoDBArgs, opts?: pulumi.ComponentResourceOptions);
+    /**
+     * Grants read access (dynamodb:GetItem, dynamodb:BatchGetItem, dynamodb:Query, dynamodb:Scan) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantRead(target: grants.GrantTarget, opts?: {
+        indexes?: string[];
+        justification?: string;
+    }): void;
+    /**
+     * Grants write access (dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:BatchWriteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantWrite(target: grants.GrantTarget, opts?: {
+        indexes?: string[];
+        justification?: string;
+    }): void;
+    /**
+     * Grants readwrite access (dynamodb:GetItem, dynamodb:BatchGetItem, dynamodb:Query, dynamodb:Scan, dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:BatchWriteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantReadWrite(target: grants.GrantTarget, opts?: {
+        indexes?: string[];
+        justification?: string;
+    }): void;
+    /**
+     * Grants delete access (dynamodb:DeleteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantDelete(target: grants.GrantTarget, opts?: {
+        indexes?: string[];
+        justification?: string;
+    }): void;
+}
+/**
+ * The set of arguments for constructing a DynamoDB resource.
+ */
+export interface DynamoDBArgs {
+    /**
+     * Global Secondary Indexes. All GSI key types must be explicitly declared — Anvil derives attributeDefinitions automatically from all declared keys.
+     */
+    globalSecondaryIndexes?: pulumi.Input<pulumi.Input<inputs.aws.DynamoDBGlobalSecondaryIndexArgs>[]>;
+    /**
+     * Primary hash (partition) key. Required.
+     */
+    hashKey: pulumi.Input<inputs.aws.DynamoDBKeyAttributeArgs>;
+    /**
+     * Tier 2 opt-in. ARN of a KMS CMK for encryption at rest. If omitted, AWS_OWNED_KMS is used (Tier 1 default — always on, zero cost). Use this for compliance workloads requiring key rotation control, audit trail, or the ability to revoke access by disabling the key.
+     */
+    kmsKeyArn?: pulumi.Input<string>;
+    /**
+     * Primary range (sort) key. Optional.
+     */
+    rangeKey?: pulumi.Input<inputs.aws.DynamoDBKeyAttributeArgs>;
+    /**
+     * DynamoDB Streams configuration. Opt-in. Enables change data capture on the table.
+     */
+    stream?: pulumi.Input<inputs.aws.DynamoDBStreamArgs>;
+    transform?: pulumi.Input<inputs.aws.DynamoTransformArgsArgs>;
+    /**
+     * Name of the attribute used for TTL (time-to-live). Items with this attribute set to a past Unix timestamp are automatically deleted by DynamoDB.
+     */
+    ttlAttribute?: pulumi.Input<string>;
+}

package/bin/aws/dynamoDB.js

@@ -0,0 +1,121 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DynamoDB = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+const grants = require("../grants");
+/**
+ * Serverless key-value and document store. Secure-by-default DynamoDB table with GSI support, optional streams, and Lambda/EventBridge consumers. First data layer component — pairs naturally with anvil.aws.Lambda.
+ */
+class DynamoDB extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of DynamoDB.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === DynamoDB.__pulumiType;
+    }
+    /**
+     * Create a DynamoDB resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.hashKey === undefined && !opts.urn) {
+                throw new Error("Missing required property 'hashKey'");
+            }
+            resourceInputs["globalSecondaryIndexes"] = args?.globalSecondaryIndexes;
+            resourceInputs["hashKey"] = args?.hashKey;
+            resourceInputs["kmsKeyArn"] = args?.kmsKeyArn;
+            resourceInputs["rangeKey"] = args?.rangeKey;
+            resourceInputs["stream"] = args?.stream;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["ttlAttribute"] = args?.ttlAttribute;
+            resourceInputs["streamArn"] = undefined /*out*/;
+            resourceInputs["tableArn"] = undefined /*out*/;
+            resourceInputs["tableName"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["streamArn"] = undefined /*out*/;
+            resourceInputs["tableArn"] = undefined /*out*/;
+            resourceInputs["tableName"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(DynamoDB.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+    /**
+     * Grants read access (dynamodb:GetItem, dynamodb:BatchGetItem, dynamodb:Query, dynamodb:Scan) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantRead(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-read`;
+        const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+        const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+        grants.createGrant(this, name, target, ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan"], arns, { justification: opts?.justification });
+    }
+    /**
+     * Grants write access (dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:BatchWriteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantWrite(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-write`;
+        const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+        const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+        grants.createGrant(this, name, target, ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem"], arns, { justification: opts?.justification });
+    }
+    /**
+     * Grants readwrite access (dynamodb:GetItem, dynamodb:BatchGetItem, dynamodb:Query, dynamodb:Scan, dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:BatchWriteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantReadWrite(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-readwrite`;
+        const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+        const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+        grants.createGrant(this, name, target, ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem"], arns, { justification: opts?.justification });
+    }
+    /**
+     * Grants delete access (dynamodb:DeleteItem) on this dynamodb
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional. indexes: scope to specific GSI names only.
+     *               If omitted, grants table access only — no index access.
+     * @param opts.justification - Optional audit trail note.
+     */
+    grantDelete(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-delete`;
+        const indexPaths = opts?.indexes?.map(i => `index/${i}`) ?? null;
+        const arns = grants.buildResourceArns(this.tableArn, indexPaths);
+        grants.createGrant(this, name, target, ["dynamodb:DeleteItem"], arns, { justification: opts?.justification });
+    }
+}
+exports.DynamoDB = DynamoDB;
+/** @internal */
+DynamoDB.__pulumiType = 'anvil:aws:DynamoDB';
+//# sourceMappingURL=dynamoDB.js.map

package/bin/aws/dynamoDB.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dynamoDB.js","sourceRoot":"","sources":["../../aws/dynamoDB.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAG1C,oCAAoC;AAEpC;;GAEG;AACH,MAAa,QAAS,SAAQ,MAAM,CAAC,iBAAiB;IAOlD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,QAAQ,CAAC,YAAY,CAAC;IACzD,CAAC;IAeD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAkB,EAAE,IAAsC;QAChF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,OAAO,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC1C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,cAAc,CAAC,wBAAwB,CAAC,GAAG,IAAI,EAAE,sBAAsB,CAAC;YACxE,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC;YAC1C,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,cAAc,CAAC,GAAG,IAAI,EAAE,YAAY,CAAC;YACpD,cAAc,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAChD,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/C,cAAc,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACnD;aAAM;YACH,cAAc,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAChD,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/C,cAAc,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACnD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1E,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAEC;;;;;;;;OAQG;IACI,SAAS,CAAC,MAA0B,EAAE,IAAqD;QAC9F,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC;QACzD,MAAM,UAAU,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjE,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,kBAAkB,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,eAAe,CAAC,EAAE,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IAC3K,CAAC;IAED;;;;;;;;OAQG;IACI,UAAU,CAAC,MAA0B,EAAE,IAAqD;QAC/F,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC;QAC1D,MAAM,UAAU,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjE,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,kBAAkB,EAAE,qBAAqB,EAAE,yBAAyB,CAAC,EAAE,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IACjK,CAAC;IAED;;;;;;;;OAQG;IACI,cAAc,CAAC,MAA0B,EAAE,IAAqD;QACnG,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC;QAC9D,MAAM,UAAU,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjE,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,kBAAkB,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,eAAe,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,yBAAyB,CAAC,EAAE,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IACjP,CAAC;IAED;;;;;;;;OAQG;IACI,WAAW,CAAC,MAA0B,EAAE,IAAqD;QAChG,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC;QAC3D,MAAM,UAAU,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjE,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,qBAAqB,CAAC,EAAE,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IAClH,CAAC;;AA/HP,4BAiIC;AAhIG,gBAAgB;AACO,qBAAY,GAAG,oBAAoB,CAAC"}

package/bin/aws/eventBus.d.ts

@@ -0,0 +1,47 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as grants from "../grants";
+/**
+ * An Anvil-managed EventBridge event bus. Archives events for 7 days by default for replay and debugging. Rules route matching events to Lambda targets.
+ */
+export declare class EventBus extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of EventBus.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is EventBus;
+    /**
+     * The ARN of the EventBridge event bus.
+     */
+    readonly arn: pulumi.Output<string>;
+    /**
+     * The name of the EventBridge event bus. Pass to HttpApi consumer: { eventBridge: { name: bus.name } }
+     */
+    readonly name: pulumi.Output<string>;
+    /**
+     * Create a EventBus resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: EventBusArgs, opts?: pulumi.ComponentResourceOptions);
+    /**
+     * Grants putevents access (events:PutEvents) on this eventbus
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantPutEvents(target: grants.GrantTarget, opts?: grants.GrantOptions): void;
+}
+/**
+ * The set of arguments for constructing a EventBus resource.
+ */
+export interface EventBusArgs {
+    /**
+     * EventBridge rules on this bus. Each rule matches events by pattern and routes them to a target.
+     */
+    rules?: pulumi.Input<pulumi.Input<inputs.aws.EventBusRuleArgs>[]>;
+    transform?: pulumi.Input<inputs.aws.EventBridgeTransformArgsArgs>;
+}

package/bin/aws/eventBus.js

@@ -0,0 +1,63 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EventBus = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+const grants = require("../grants");
+/**
+ * An Anvil-managed EventBridge event bus. Archives events for 7 days by default for replay and debugging. Rules route matching events to Lambda targets.
+ */
+class EventBus extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of EventBus.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === EventBus.__pulumiType;
+    }
+    /**
+     * Create a EventBus resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["rules"] = args?.rules;
+            resourceInputs["transform"] = args?.transform;
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["name"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["name"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(EventBus.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+    /**
+     * Grants putevents access (events:PutEvents) on this eventbus
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantPutEvents(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-putevents`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["events:PutEvents"], arns, opts);
+    }
+}
+exports.EventBus = EventBus;
+/** @internal */
+EventBus.__pulumiType = 'anvil:aws:EventBus';
+//# sourceMappingURL=eventBus.js.map

package/bin/aws/eventBus.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eventBus.js","sourceRoot":"","sources":["../../aws/eventBus.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAG1C,oCAAoC;AAEpC;;GAEG;AACH,MAAa,QAAS,SAAQ,MAAM,CAAC,iBAAiB;IAOlD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,QAAQ,CAAC,YAAY,CAAC;IACzD,CAAC;IAWD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAmB,EAAE,IAAsC;QACjF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,cAAc,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC;YACtC,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC9C;aAAM;YACH,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC9C;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1E,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAED;;;;;;OAMG;IACI,cAAc,CAAC,MAA0B,EAAE,IAA0B;QACxE,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC;QAC9D,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC3D,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,kBAAkB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC7E,CAAC;;AA9DL,4BAgEC;AA/DG,gBAAgB;AACO,qBAAY,GAAG,oBAAoB,CAAC"}

package/bin/aws/httpApi.d.ts

@@ -0,0 +1,66 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+/**
+ * An Anvil-managed AWS HTTP API Gateway (API Gateway v2). Route-level consumers support Lambda, SQS, EventBridge, Step Functions, and HTTP proxy integrations. Secure by default: TLS 1.2 minimum enforced on custom domains, execute-api endpoint disabled when a custom domain is set, conservative throttling defaults (1000 rps / 500 burst), CORS opt-in with wildcard origin blocked, per-consumer least-privilege IAM roles, access logs on by default.
+ */
+export declare class HttpApi extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of HttpApi.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is HttpApi;
+    /**
+     * The default execute-api endpoint URL. Empty string when a custom domain is set and the execute-api endpoint is disabled.
+     */
+    readonly apiEndpoint: pulumi.Output<string>;
+    /**
+     * The API Gateway HTTP API ID.
+     */
+    readonly apiId: pulumi.Output<string>;
+    /**
+     * ACM cert validation CNAME. Only populated when domain.dns: false and domain.certificateArn is omitted. Add this record in Cloudflare (or your DNS provider) then re-run deploy — Anvil blocks until ACM confirms validation.
+     */
+    readonly certValidationCname: pulumi.Output<outputs.aws.HttpApiCertValidationCname>;
+    /**
+     * The primary URL for the API. When a custom domain is configured this is the custom domain URL. Otherwise it is the execute-api endpoint URL.
+     */
+    readonly url: pulumi.Output<string>;
+    /**
+     * Create a HttpApi resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: HttpApiArgs, opts?: pulumi.ComponentResourceOptions);
+}
+/**
+ * The set of arguments for constructing a HttpApi resource.
+ */
+export interface HttpApiArgs {
+    /**
+     * Optional CORS configuration. Opt-in — omit to disable CORS entirely. When enabled, allowOrigins is required and wildcard '*' is blocked as a security measure.
+     */
+    cors?: pulumi.Input<inputs.aws.HttpApiCorsArgs>;
+    /**
+     * The API Gateway authorizer ID to apply to all routes. Pass auth.authorizerId from an OAuthAuthorizer or CognitoAuth component. All routes inherit this authorizer unless skipAuth: true is set on the route. Omit to leave all routes public.
+     */
+    defaultAuthorizerId?: any;
+    /**
+     * Optional custom domain for the API. When set, Anvil provisions the ACM certificate, API Gateway domain name, and Route 53 DNS record automatically. The raw execute-api endpoint is disabled — all traffic must flow through the custom domain.
+     */
+    domain?: pulumi.Input<inputs.aws.HttpApiDomainArgs>;
+    /**
+     * CloudWatch access log retention period. Presets: '7d' | '30d' | '90d' | '1y' | '3y' | '6y' | '7y'. Default: '1y' — satisfies SOC 2, ISO 27001, and PCI DSS baseline retention requirements.
+     */
+    logRetention?: pulumi.Input<string>;
+    /**
+     * The API routes. Each route maps a method and path to a consumer. At least one route is required.
+     */
+    routes: pulumi.Input<pulumi.Input<inputs.aws.HttpApiRouteArgs>[]>;
+    /**
+     * Optional throttling configuration. Defaults to rateLimit: 1000 rps and burstLimit: 500 concurrent requests when omitted. Without throttling a single route can exhaust the account-level limit shared across all APIs.
+     */
+    throttling?: pulumi.Input<inputs.aws.HttpApiThrottlingArgs>;
+}

package/bin/aws/httpApi.js

@@ -0,0 +1,60 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HttpApi = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * An Anvil-managed AWS HTTP API Gateway (API Gateway v2). Route-level consumers support Lambda, SQS, EventBridge, Step Functions, and HTTP proxy integrations. Secure by default: TLS 1.2 minimum enforced on custom domains, execute-api endpoint disabled when a custom domain is set, conservative throttling defaults (1000 rps / 500 burst), CORS opt-in with wildcard origin blocked, per-consumer least-privilege IAM roles, access logs on by default.
+ */
+class HttpApi extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of HttpApi.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HttpApi.__pulumiType;
+    }
+    /**
+     * Create a HttpApi resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if (args?.routes === undefined && !opts.urn) {
+                throw new Error("Missing required property 'routes'");
+            }
+            resourceInputs["cors"] = args?.cors;
+            resourceInputs["defaultAuthorizerId"] = args?.defaultAuthorizerId;
+            resourceInputs["domain"] = args?.domain;
+            resourceInputs["logRetention"] = args?.logRetention;
+            resourceInputs["routes"] = args?.routes;
+            resourceInputs["throttling"] = args?.throttling;
+            resourceInputs["apiEndpoint"] = undefined /*out*/;
+            resourceInputs["apiId"] = undefined /*out*/;
+            resourceInputs["certValidationCname"] = undefined /*out*/;
+            resourceInputs["url"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiEndpoint"] = undefined /*out*/;
+            resourceInputs["apiId"] = undefined /*out*/;
+            resourceInputs["certValidationCname"] = undefined /*out*/;
+            resourceInputs["url"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(HttpApi.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+    }
+}
+exports.HttpApi = HttpApi;
+/** @internal */
+HttpApi.__pulumiType = 'anvil:aws:HttpApi';
+//# sourceMappingURL=httpApi.js.map

package/bin/aws/httpApi.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"httpApi.js","sourceRoot":"","sources":["../../aws/httpApi.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAIzC,0CAA0C;AAE1C;;GAEG;AACH,MAAa,OAAQ,SAAQ,MAAM,CAAC,iBAAiB;IAIjD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,OAAO,CAAC,YAAY,CAAC;IACxD,CAAC;IAmBD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAiB,EAAE,IAAsC;QAC/E,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,MAAM,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACzC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;aACzD;YACD,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,qBAAqB,CAAC,GAAG,IAAI,EAAE,mBAAmB,CAAC;YAClE,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,cAAc,CAAC,GAAG,IAAI,EAAE,YAAY,CAAC;YACpD,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,YAAY,CAAC,GAAG,IAAI,EAAE,UAAU,CAAC;YAChD,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,OAAO,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC5C,cAAc,CAAC,qBAAqB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1D,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC7C;aAAM;YACH,cAAc,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAClD,cAAc,CAAC,OAAO,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC5C,cAAc,CAAC,qBAAqB,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1D,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC7C;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,OAAO,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7E,CAAC;;AAhEL,0BAiEC;AAhEG,gBAAgB;AACO,oBAAY,GAAG,mBAAmB,CAAC"}

package/bin/aws/index.d.ts

@@ -1,9 +1,30 @@
 export { BucketArgs } from "./bucket";
 export type Bucket = import("./bucket").Bucket;
 export declare const Bucket: typeof import("./bucket").Bucket;
+export { CognitoAuthArgs } from "./cognitoAuth";
+export type CognitoAuth = import("./cognitoAuth").CognitoAuth;
+export declare const CognitoAuth: typeof import("./cognitoAuth").CognitoAuth;
+export { CognitoUserPoolArgs } from "./cognitoUserPool";
+export type CognitoUserPool = import("./cognitoUserPool").CognitoUserPool;
+export declare const CognitoUserPool: typeof import("./cognitoUserPool").CognitoUserPool;
+export { DynamoDBArgs } from "./dynamoDB";
+export type DynamoDB = import("./dynamoDB").DynamoDB;
+export declare const DynamoDB: typeof import("./dynamoDB").DynamoDB;
+export { EventBusArgs } from "./eventBus";
+export type EventBus = import("./eventBus").EventBus;
+export declare const EventBus: typeof import("./eventBus").EventBus;
+export { HttpApiArgs } from "./httpApi";
+export type HttpApi = import("./httpApi").HttpApi;
+export declare const HttpApi: typeof import("./httpApi").HttpApi;
 export { LambdaArgs } from "./lambda";
 export type Lambda = import("./lambda").Lambda;
 export declare const Lambda: typeof import("./lambda").Lambda;
+export { OAuthAuthorizerArgs } from "./oauthAuthorizer";
+export type OAuthAuthorizer = import("./oauthAuthorizer").OAuthAuthorizer;
+export declare const OAuthAuthorizer: typeof import("./oauthAuthorizer").OAuthAuthorizer;
+export { QueueArgs } from "./queue";
+export type Queue = import("./queue").Queue;
+export declare const Queue: typeof import("./queue").Queue;
 export { SvelteKitSiteArgs } from "./svelteKitSite";
 export type SvelteKitSite = import("./svelteKitSite").SvelteKitSite;
 export declare const SvelteKitSite: typeof import("./svelteKitSite").SvelteKitSite;

package/bin/aws/index.js

@@ -16,13 +16,27 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.VpcEndpoint = exports.Vpc = exports.SvelteKitSite = exports.Lambda = exports.Bucket = void 0;
+exports.VpcEndpoint = exports.Vpc = exports.SvelteKitSite = exports.Queue = exports.OAuthAuthorizer = exports.Lambda = exports.HttpApi = exports.EventBus = exports.DynamoDB = exports.CognitoUserPool = exports.CognitoAuth = exports.Bucket = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("../utilities");
 exports.Bucket = null;
 utilities.lazyLoad(exports, ["Bucket"], () => require("./bucket"));
+exports.CognitoAuth = null;
+utilities.lazyLoad(exports, ["CognitoAuth"], () => require("./cognitoAuth"));
+exports.CognitoUserPool = null;
+utilities.lazyLoad(exports, ["CognitoUserPool"], () => require("./cognitoUserPool"));
+exports.DynamoDB = null;
+utilities.lazyLoad(exports, ["DynamoDB"], () => require("./dynamoDB"));
+exports.EventBus = null;
+utilities.lazyLoad(exports, ["EventBus"], () => require("./eventBus"));
+exports.HttpApi = null;
+utilities.lazyLoad(exports, ["HttpApi"], () => require("./httpApi"));
 exports.Lambda = null;
 utilities.lazyLoad(exports, ["Lambda"], () => require("./lambda"));
+exports.OAuthAuthorizer = null;
+utilities.lazyLoad(exports, ["OAuthAuthorizer"], () => require("./oauthAuthorizer"));
+exports.Queue = null;
+utilities.lazyLoad(exports, ["Queue"], () => require("./queue"));
 exports.SvelteKitSite = null;
 utilities.lazyLoad(exports, ["SvelteKitSite"], () => require("./svelteKitSite"));
 exports.Vpc = null;
@@ -37,8 +51,22 @@ const _module = {
         switch (type) {
             case "anvil:aws:Bucket":
                 return new exports.Bucket(name, undefined, { urn });
+            case "anvil:aws:CognitoAuth":
+                return new exports.CognitoAuth(name, undefined, { urn });
+            case "anvil:aws:CognitoUserPool":
+                return new exports.CognitoUserPool(name, undefined, { urn });
+            case "anvil:aws:DynamoDB":
+                return new exports.DynamoDB(name, undefined, { urn });
+            case "anvil:aws:EventBus":
+                return new exports.EventBus(name, undefined, { urn });
+            case "anvil:aws:HttpApi":
+                return new exports.HttpApi(name, undefined, { urn });
             case "anvil:aws:Lambda":
                 return new exports.Lambda(name, undefined, { urn });
+            case "anvil:aws:OAuthAuthorizer":
+                return new exports.OAuthAuthorizer(name, undefined, { urn });
+            case "anvil:aws:Queue":
+                return new exports.Queue(name, undefined, { urn });
             case "anvil:aws:SvelteKitSite":
                 return new exports.SvelteKitSite(name, undefined, { urn });
             case "anvil:aws:Vpc":

package/bin/aws/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../aws/index.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;;;;;;;;;;;;;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAK7B,QAAA,MAAM,GAAqC,IAAW,CAAC;AACpE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAItD,QAAA,MAAM,GAAqC,IAAW,CAAC;AACpE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAItD,QAAA,aAAa,GAAmD,IAAW,CAAC;AACzF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;AAIpE,QAAA,GAAG,GAA+B,IAAW,CAAC;AAC3D,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;AAIhD,QAAA,WAAW,GAA+C,IAAW,CAAC;AACnF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC;AAG7E,gBAAgB;AAChB,qDAAmC;AAEnC,MAAM,OAAO,GAAG;IACZ,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE;IAC/B,SAAS,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,GAAW,EAAmB,EAAE;QACpE,QAAQ,IAAI,EAAE;YACV,KAAK,kBAAkB;gBACnB,OAAO,IAAI,cAAM,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpD,KAAK,kBAAkB;gBACnB,OAAO,IAAI,cAAM,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpD,KAAK,yBAAyB;gBAC1B,OAAO,IAAI,qBAAa,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAC3D,KAAK,eAAe;gBAChB,OAAO,IAAI,WAAG,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACjD,KAAK,uBAAuB;gBACxB,OAAO,IAAI,mBAAW,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACzD;gBACI,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;SACxD;IACL,CAAC;CACJ,CAAC;AACF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../aws/index.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;;;;;;;;;;;;;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAK7B,QAAA,MAAM,GAAqC,IAAW,CAAC;AACpE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAItD,QAAA,WAAW,GAA+C,IAAW,CAAC;AACnF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC;AAIhE,QAAA,eAAe,GAAuD,IAAW,CAAC;AAC/F,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,iBAAiB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC;AAIxE,QAAA,QAAQ,GAAyC,IAAW,CAAC;AAC1E,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;AAI1D,QAAA,QAAQ,GAAyC,IAAW,CAAC;AAC1E,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;AAI1D,QAAA,OAAO,GAAuC,IAAW,CAAC;AACvE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;AAIxD,QAAA,MAAM,GAAqC,IAAW,CAAC;AACpE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAItD,QAAA,eAAe,GAAuD,IAAW,CAAC;AAC/F,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,iBAAiB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC;AAIxE,QAAA,KAAK,GAAmC,IAAW,CAAC;AACjE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;AAIpD,QAAA,aAAa,GAAmD,IAAW,CAAC;AACzF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;AAIpE,QAAA,GAAG,GAA+B,IAAW,CAAC;AAC3D,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;AAIhD,QAAA,WAAW,GAA+C,IAAW,CAAC;AACnF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC;AAG7E,gBAAgB;AAChB,qDAAmC;AAEnC,MAAM,OAAO,GAAG;IACZ,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE;IAC/B,SAAS,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,GAAW,EAAmB,EAAE;QACpE,QAAQ,IAAI,EAAE;YACV,KAAK,kBAAkB;gBACnB,OAAO,IAAI,cAAM,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpD,KAAK,uBAAuB;gBACxB,OAAO,IAAI,mBAAW,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACzD,KAAK,2BAA2B;gBAC5B,OAAO,IAAI,uBAAe,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAC7D,KAAK,oBAAoB;gBACrB,OAAO,IAAI,gBAAQ,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACtD,KAAK,oBAAoB;gBACrB,OAAO,IAAI,gBAAQ,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACtD,KAAK,mBAAmB;gBACpB,OAAO,IAAI,eAAO,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACrD,KAAK,kBAAkB;gBACnB,OAAO,IAAI,cAAM,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpD,KAAK,2BAA2B;gBAC5B,OAAO,IAAI,uBAAe,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAC7D,KAAK,iBAAiB;gBAClB,OAAO,IAAI,aAAK,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACnD,KAAK,yBAAyB;gBAC1B,OAAO,IAAI,qBAAa,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAC3D,KAAK,eAAe;gBAChB,OAAO,IAAI,WAAG,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACjD,KAAK,uBAAuB;gBACxB,OAAO,IAAI,mBAAW,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACzD;gBACI,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;SACxD;IACL,CAAC;CACJ,CAAC;AACF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA"}

package/bin/aws/lambda.d.ts

@@ -101,7 +101,7 @@ export interface LambdaArgs {
     tracing?: pulumi.Input<boolean>;
     transform?: pulumi.Input<inputs.aws.LambdaTransformArgsArgs>;
     /**
-     * Enable a direct HTTPS endpoint for the function. Auth mode is AWS_IAM — never public. Default: false.
+     * Enable a direct HTTPS endpoint for the function. Auth mode is AWS_IAM - never public. Default: false.
      */
     url?: pulumi.Input<boolean>;
     /**

package/bin/aws/oauthAuthorizer.d.ts

@@ -0,0 +1,36 @@
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * An Anvil-managed JWT authorizer for HTTP API Gateway. Works with any OIDC-compliant identity provider — Auth0, Clerk, Google, Okta, Cognito. API Gateway verifies the JWT signature, issuer, audience, and expiry on every request natively — no Lambda or custom code required. Pass authorizerId to HttpApi defaultAuthorizerId to protect your routes.
+ */
+export declare class OAuthAuthorizer extends pulumi.ComponentResource {
+    /**
+     * Returns true if the given object is an instance of OAuthAuthorizer.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is OAuthAuthorizer;
+    /**
+     * The API Gateway authorizer ID. Pass this to HttpApi defaultAuthorizerId to protect your API routes.
+     */
+    readonly authorizerId: pulumi.Output<string>;
+    /**
+     * Create a OAuthAuthorizer resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: OAuthAuthorizerArgs, opts?: pulumi.ComponentResourceOptions);
+}
+/**
+ * The set of arguments for constructing a OAuthAuthorizer resource.
+ */
+export interface OAuthAuthorizerArgs {
+    /**
+     * The intended recipients of the JWT. API Gateway rejects tokens whose 'aud' claim does not match one of these values. Typically your API's client ID registered with the identity provider.
+     */
+    audience: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The OIDC issuer URL of your identity provider. API Gateway fetches public signing keys from {issuer}/.well-known/jwks.json to verify token signatures. Examples: Auth0: 'https://your-tenant.auth0.com/', Clerk: 'https://your-instance.clerk.accounts.dev', Google: 'https://accounts.google.com'.
+     */
+    issuer: pulumi.Input<string>;
+}