@anvil-cloud/sdk 0.0.14 → 0.0.15

package/bin/types/output.d.ts

@@ -1,4 +1,17 @@
 export declare namespace aws {
+    /**
+     * ACM certificate DNS validation CNAME record. Only populated when domain.dns: false and domain.certificateArn is omitted. Add this record in your DNS provider (e.g. Cloudflare) then re-run deploy — Anvil blocks until ACM confirms validation.
+     */
+    interface HttpApiCertValidationCname {
+        /**
+         * The CNAME record name to add in your DNS provider.
+         */
+        name: string;
+        /**
+         * The CNAME record value to point to.
+         */
+        value: string;
+    }
 }
 export declare namespace gcp {
 }

package/grants.ts

@@ -83,10 +83,15 @@ function sanitize(s: string): string {
  */
 export function buildResourceArns(
   baseArn: pulumi.Output<string>,
-  paths?: string[]
+  paths?: string[] | null
 ): pulumi.Output<string>[] {
   const arns: pulumi.Output<string>[] = [baseArn];
 
+  if (paths === null) {
+    // Explicit null = base ARN only, no sub-paths (used by DynamoDB index grants)
+    return arns;
+  }
+
   if (!paths || paths.length === 0) {
     arns.push(pulumi.interpolate`${baseArn}/*`);
   } else {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anvil-cloud/sdk",
-  "version": "0.0.14",
+  "version": "0.0.15",
   "scripts": {
     "build": "tsc && cp package.json bin/"
   },

package/tsconfig.json

@@ -14,8 +14,15 @@
     },
     "files": [
         "aws/bucket.ts",
+        "aws/cognitoAuth.ts",
+        "aws/cognitoUserPool.ts",
+        "aws/dynamoDB.ts",
+        "aws/eventBus.ts",
+        "aws/httpApi.ts",
         "aws/index.ts",
         "aws/lambda.ts",
+        "aws/oauthAuthorizer.ts",
+        "aws/queue.ts",
         "aws/svelteKitSite.ts",
         "aws/vpc.ts",
         "aws/vpcEndpoint.ts",

package/types/enums/aws/index.ts

@@ -2,73 +2,211 @@
 // *** Do not edit by hand unless you're certain you know what you are doing! ***
 
 
-export const AwsVpcEndpointService = {
+export const CognitoUserPoolCustomAttributeType = {
+    String: "String",
+    Number: "Number",
+    DateTime: "DateTime",
+    Boolean: "Boolean",
+} as const;
+
+export type CognitoUserPoolCustomAttributeType = (typeof CognitoUserPoolCustomAttributeType)[keyof typeof CognitoUserPoolCustomAttributeType];
+
+export const CognitoUserPoolIdentityProviderType = {
+    /**
+     * Google OAuth 2.0. Requires clientId and clientSecret.
+     */
+    Google: "Google",
+    /**
+     * Facebook OAuth 2.0. Requires clientId and clientSecret.
+     */
+    Facebook: "Facebook",
+    /**
+     * Login with Amazon. Requires clientId and clientSecret.
+     */
+    LoginWithAmazon: "LoginWithAmazon",
+    /**
+     * Sign in with Apple. Requires clientId and clientSecret.
+     */
+    SignInWithApple: "SignInWithApple",
+    /**
+     * Generic OIDC provider (Okta, Auth0, Microsoft Entra, etc.). Requires clientId, clientSecret, and oidcIssuer.
+     */
+    OIDC: "OIDC",
+    /**
+     * SAML 2.0 provider (corporate SSO, Active Directory Federation Services etc.). Requires metadataUrl or metadataContent.
+     */
+    SAML: "SAML",
+} as const;
+
+export type CognitoUserPoolIdentityProviderType = (typeof CognitoUserPoolIdentityProviderType)[keyof typeof CognitoUserPoolIdentityProviderType];
+
+export const CognitoUserPoolMfaMethod = {
+    /**
+     * Time-based one-time password (authenticator app). No additional AWS resources required.
+     */
+    TOTP: "TOTP",
     /**
-     * AWS Systems Manager. Required alongside ssmmessages and ec2messages for full SSM functionality including Session Manager and Run Command.
+     * SMS one-time password via SNS. Requires snsCallerArn.
      */
-    Ssm: "ssm",
+    SMS: "SMS",
+} as const;
+
+export type CognitoUserPoolMfaMethod = (typeof CognitoUserPoolMfaMethod)[keyof typeof CognitoUserPoolMfaMethod];
+
+export const CognitoUserPoolMfaMode = {
+    /**
+     * MFA disabled. Default.
+     */
+    OFF: "OFF",
     /**
-     * SSM Session Manager messaging. Required alongside ssm and ec2messages.
+     * MFA available but not required. Users opt in.
      */
-    Ssmmessages: "ssmmessages",
+    OPTIONAL: "OPTIONAL",
+    /**
+     * MFA required for all users.
+     */
+    REQUIRED: "REQUIRED",
+} as const;
+
+export type CognitoUserPoolMfaMode = (typeof CognitoUserPoolMfaMode)[keyof typeof CognitoUserPoolMfaMode];
+
+export const CognitoUserPoolOAuthFlow = {
     /**
-     * SSM Run Command messaging. Required alongside ssm and ssmmessages.
+     * Authorization code grant (PKCE). Most secure — use for all browser and server apps.
      */
-    Ec2messages: "ec2messages",
+    Code: "code",
     /**
-     * AWS Secrets Manager. Allows compute resources to call GetSecretValue and other Secrets Manager APIs without traversing the public internet.
+     * Implicit grant. Deprecated — tokens visible in browser URL. Avoid for new applications.
      */
-    Secretsmanager: "secretsmanager",
+    Implicit: "implicit",
     /**
-     * ECR control plane — authentication, image manifests, and repository metadata. Required alongside ecr.dkr for private image pulls.
+     * Client credentials grant. M2M only — no user interaction.
      */
-    Ecr_api: "ecr.api",
+    Client_credentials: "client_credentials",
+} as const;
+
+export type CognitoUserPoolOAuthFlow = (typeof CognitoUserPoolOAuthFlow)[keyof typeof CognitoUserPoolOAuthFlow];
+
+export const CognitoUserPoolUsernameAttribute = {
     /**
-     * ECR data plane — image layer pulls. Required alongside ecr.api for private image pulls.
+     * Users sign in with their email address.
      */
-    Ecr_dkr: "ecr.dkr",
+    Email: "email",
     /**
-     * Amazon Simple Queue Service. Covers all SQS operations including SendMessage, ReceiveMessage, and DeleteMessage — all are client-initiated HTTPS, one endpoint covers all operations.
+     * Users sign in with their phone number.
      */
-    Sqs: "sqs",
+    Phone_number: "phone_number",
+} as const;
+
+export type CognitoUserPoolUsernameAttribute = (typeof CognitoUserPoolUsernameAttribute)[keyof typeof CognitoUserPoolUsernameAttribute];
+
+export const DynamoDBAttributeType = {
     /**
-     * Amazon Simple Notification Service. Allows compute resources to publish to SNS topics without traversing the public internet.
+     * String
      */
-    Sns: "sns",
+    S: "S",
     /**
-     * AWS Lambda invoke. Allows private invocation of Lambda functions from within the VPC.
+     * Number
      */
-    Lambda: "lambda",
+    N: "N",
     /**
-     * Amazon CloudWatch Logs. Required for compute resources in private subnets to ship logs to CloudWatch without a NAT Gateway.
+     * Binary
      */
-    Logs: "logs",
+    B: "B",
+} as const;
+
+export type DynamoDBAttributeType = (typeof DynamoDBAttributeType)[keyof typeof DynamoDBAttributeType];
+
+export const DynamoDBProjectionType = {
     /**
-     * Amazon CloudWatch Metrics. Required for compute resources in private subnets to publish custom metrics without a NAT Gateway.
+     * All attributes are projected. Default.
      */
-    Monitoring: "monitoring",
+    ALL: "ALL",
     /**
-     * AWS Key Management Service. Required for compute resources that perform envelope encryption, use KMS-managed secrets, or interact with services that call KMS on their behalf.
+     * Only the table and GSI key attributes are projected.
      */
-    Kms: "kms",
+    KEYS_ONLY: "KEYS_ONLY",
     /**
-     * AWS Security Token Service. Required for IAM role assumption and temporary credential generation within private subnets.
+     * Only the specified nonKeyAttributes are projected in addition to keys.
      */
-    Sts: "sts",
+    INCLUDE: "INCLUDE",
+} as const;
+
+export type DynamoDBProjectionType = (typeof DynamoDBProjectionType)[keyof typeof DynamoDBProjectionType];
+
+export const DynamoDBStreamStartingPosition = {
+    /**
+     * Start reading from the oldest available record in the stream. Replays all existing records up to 24hr retention window. AWS default.
+     */
+    TRIM_HORIZON: "TRIM_HORIZON",
+    /**
+     * Start reading from the most recent record. Only processes new events from the point of consumer creation.
+     */
+    LATEST: "LATEST",
+} as const;
+
+export type DynamoDBStreamStartingPosition = (typeof DynamoDBStreamStartingPosition)[keyof typeof DynamoDBStreamStartingPosition];
+
+export const DynamoDBStreamViewType = {
+    /**
+     * Only the new item image is written to the stream.
+     */
+    NEW_IMAGE: "NEW_IMAGE",
+    /**
+     * Only the old item image is written to the stream.
+     */
+    OLD_IMAGE: "OLD_IMAGE",
+    /**
+     * Both old and new item images are written to the stream.
+     */
+    NEW_AND_OLD_IMAGES: "NEW_AND_OLD_IMAGES",
+    /**
+     * Only the key attributes are written to the stream.
+     */
+    KEYS_ONLY: "KEYS_ONLY",
+} as const;
+
+export type DynamoDBStreamViewType = (typeof DynamoDBStreamViewType)[keyof typeof DynamoDBStreamViewType];
+
+export const HttpApiMethod = {
+    /**
+     * HTTP GET — read operations.
+     */
+    GET: "GET",
+    /**
+     * HTTP POST — create operations and async consumers (SQS, EventBridge, Step Functions).
+     */
+    POST: "POST",
+    /**
+     * HTTP PUT — replace operations.
+     */
+    PUT: "PUT",
+    /**
+     * HTTP PATCH — partial update operations.
+     */
+    PATCH: "PATCH",
+    /**
+     * HTTP DELETE — delete operations.
+     */
+    DELETE: "DELETE",
+    /**
+     * Matches all HTTP methods. Maps to the $default route key.
+     */
+    ANY: "ANY",
 } as const;
 
 /**
- * The AWS service to route privately via an Interface VPC Endpoint. Each value maps to the com.amazonaws.{region}.{suffix} endpoint service name.
+ * HTTP method for an API route.
  */
-export type AwsVpcEndpointService = (typeof AwsVpcEndpointService)[keyof typeof AwsVpcEndpointService];
+export type HttpApiMethod = (typeof HttpApiMethod)[keyof typeof HttpApiMethod];
 
 export const LambdaArchitecture = {
     /**
-     * Graviton — 20% cheaper, better performance. Default.
+     * Graviton - 20% cheaper, better performance. Default.
      */
     Arm64: "arm64",
     /**
-     * Intel/AMD — use for x86-specific native dependencies.
+     * Intel/AMD - use for x86-specific native dependencies.
      */
     X86_64: "x86_64",
 } as const;
@@ -89,19 +227,19 @@ export const LambdaLogRetention = {
      */
     LambdaLogRetention_90d: "90d",
     /**
-     * 1 year (365 days) — SOC 2 / ISO 27001 / PCI-DSS baseline. Default.
+     * 1 year (365 days) - SOC 2 / ISO 27001 / PCI-DSS baseline. Default.
      */
     LambdaLogRetention_1y: "1y",
     /**
-     * 3 years (1095 days) — FedRAMP minimum
+     * 3 years (1095 days) - FedRAMP minimum
      */
     LambdaLogRetention_3y: "3y",
     /**
-     * 6 years (2190 days) — HIPAA minimum
+     * 6 years (2190 days) - HIPAA minimum
      */
     LambdaLogRetention_6y: "6y",
     /**
-     * 7 years (2555 days) — IRAP minimum
+     * 7 years (2555 days) - IRAP minimum
      */
     LambdaLogRetention_7y: "7y",
 } as const;
@@ -110,7 +248,7 @@ export type LambdaLogRetention = (typeof LambdaLogRetention)[keyof typeof Lambda
 
 export const LambdaRuntime = {
     /**
-     * Node.js 24 (LTS) — recommended
+     * Node.js 24 (LTS) - recommended
      */
     Nodejs24_x: "nodejs24.x",
     /**
@@ -130,6 +268,18 @@ export const S3FlowLogLifecycle = {
 
 export type S3FlowLogLifecycle = (typeof S3FlowLogLifecycle)[keyof typeof S3FlowLogLifecycle];
 
+export const SiteOriginProtectionProvider = {
+    /**
+     * Cloudflare — inject x-origin-secret via a Cloudflare Transform Rule.
+     */
+    Cloudflare: "cloudflare",
+} as const;
+
+/**
+ * The CDN/proxy provider sitting in front of CloudFront.
+ */
+export type SiteOriginProtectionProvider = (typeof SiteOriginProtectionProvider)[keyof typeof SiteOriginProtectionProvider];
+
 export const VpcNatType = {
     /**
      * AWS managed NAT Gateway. One per AZ for true HA. ~$32/month per AZ plus $0.045/GB data processed.