@gradientedge/cdk-utils 10.1.0 → 10.3.0

package/src/lib/azure/services/storage/main.ts

@@ -1,30 +1,31 @@
-import { DataAzurermResourceGroup } from '@cdktf/provider-azurerm/lib/data-azurerm-resource-group/index.js'
-import { DataAzurermStorageAccountBlobContainerSas } from '@cdktf/provider-azurerm/lib/data-azurerm-storage-account-blob-container-sas/index.js'
-import { DataAzurermStorageAccount } from '@cdktf/provider-azurerm/lib/data-azurerm-storage-account/index.js'
-import { DataAzurermStorageContainer } from '@cdktf/provider-azurerm/lib/data-azurerm-storage-container/index.js'
-import { StorageAccount } from '@cdktf/provider-azurerm/lib/storage-account/index.js'
-import { StorageBlob } from '@cdktf/provider-azurerm/lib/storage-blob/index.js'
-import { StorageContainer } from '@cdktf/provider-azurerm/lib/storage-container/index.js'
-import { CommonAzureConstruct } from '../../common/index.js'
-import { createAzureTfOutput } from '../../utils/index.js'
+import * as azure from '@pulumi/azure'
 import {
-  DataAzurermStorageAccountBlobContainerSasProps,
-  StorageAccountProps,
-  StorageBlobProps,
-  StorageContainerProps,
-} from './types.js'
+  Blob,
+  BlobContainer,
+  HttpProtocol,
+  Kind,
+  listStorageAccountSAS,
+  Permissions,
+  Services,
+  SignedResourceTypes,
+  SkuName,
+  StorageAccount,
+} from '@pulumi/azure-native/storage/index.js'
+import * as pulumi from '@pulumi/pulumi'
+import { CommonAzureConstruct } from '../../common/index.js'
+import { ContainerSasTokenProps, StorageAccountProps, StorageBlobProps, StorageContainerProps } from './types.js'
 
 /**
- * @classdesc Provides operations on Azure Storage
+ * @classdesc Provides operations on Azure Storage using Pulumi
  * - A new instance of this class is injected into {@link CommonAzureConstruct} constructor.
  * - If a custom construct extends {@link CommonAzureConstruct}, an instance is available within the context.
  * @example
- * ```
+ * ```typescript
  * import { CommonAzureConstruct, CommonAzureStackProps } from '@gradientedge/cdk-utils'
  *
  * class CustomConstruct extends CommonAzureConstruct {
- *   constructor(parent: Construct, id: string, props: CommonAzureStackProps) {
- *     super(parent, id, props)
+ *   constructor(name: string, props: CommonAzureStackProps) {
+ *     super(name, props)
  *     this.props = props
  *     this.storageManager.createStorageAccount('MyAccount', this, props)
  *   }
@@ -37,60 +38,64 @@ export class AzureStorageManager {
    * @param id scoped id of the resource
    * @param scope scope in which this resource is defined
    * @param props storage account properties
-   * @see [CDKTF Storage Account Module]{@link https://github.com/cdktf/cdktf-provider-azurerm/blob/main/docs/storageAccount.typescript.md}
+   * @see [Pulumi Azure Native Storage Account]{@link https://www.pulumi.com/registry/packages/azure-native/api-docs/storage/storageaccount/}
    */
   public createStorageAccount(id: string, scope: CommonAzureConstruct, props: StorageAccountProps) {
     if (!props) throw `Props undefined for ${id}`
 
-    const resourceGroup = new DataAzurermResourceGroup(scope, `${id}-sa-rg`, {
-      name: scope.props.resourceGroupName
-        ? scope.resourceNameFormatter.format(scope.props.resourceGroupName)
-        : `${props.resourceGroupName}`,
-    })
-
-    if (!resourceGroup) throw `Resource group undefined for ${id}`
-
-    const storageAccount = new StorageAccount(scope, `${id}-sa`, {
-      ...props,
-      accountTier: props.accountTier ?? 'Standard',
-      location: props.location ?? resourceGroup.location,
-      name: scope.resourceNameFormatter
-        .format(props.name, scope.props.resourceNameOptions?.storageAccount)
-        .replace(/\W/g, '')
-        .toLowerCase(),
-      resourceGroupName: resourceGroup.name,
-      tags: props.tags ?? {
-        environment: scope.props.stage,
+    const resourceGroupName = scope.props.resourceGroupName
+      ? scope.resourceNameFormatter.format(scope.props.resourceGroupName)
+      : `${props.resourceGroupName}`
+
+    return new StorageAccount(
+      `${id}-sa`,
+      {
+        ...props,
+        accountName: scope.resourceNameFormatter
+          .format(props.accountName?.toString(), scope.props.resourceNameOptions?.storageAccount)
+          .replace(/\W/g, '')
+          .toLowerCase(),
+        resourceGroupName,
+        sku: props.sku ?? {
+          name: SkuName.Standard_LRS,
+        },
+        kind: props.kind ?? Kind.StorageV2,
+        location: props.location ?? scope.props.location,
+        tags: props.tags ?? {
+          environment: scope.props.stage,
+        },
       },
-    })
-
-    createAzureTfOutput(`${id}-storageAccountName`, scope, storageAccount.name)
-    createAzureTfOutput(`${id}-storageAccountFriendlyUniqueId`, scope, storageAccount.friendlyUniqueId)
-    createAzureTfOutput(`${id}-storageAccountId`, scope, storageAccount.id)
-
-    return storageAccount
+      { parent: scope }
+    )
   }
 
   /**
-   * @summary Method to create a new storage container
+   * @summary Method to create a new storage container (blob container)
    * @param id scoped id of the resource
    * @param scope scope in which this resource is defined
    * @param props storage container properties
-   * @see [CDKTF Storage Container Module]{@link https://github.com/cdktf/cdktf-provider-azurerm/blob/main/docs/storageContainer.typescript.md}
+   * @see [Pulumi Azure Native Blob Container]{@link https://www.pulumi.com/registry/packages/azure-native/api-docs/storage/blobcontainer/}
    */
   public createStorageContainer(id: string, scope: CommonAzureConstruct, props: StorageContainerProps) {
     if (!props) throw `Props undefined for ${id}`
 
-    const storageContainer = new StorageContainer(scope, `${id}-sc`, {
-      ...props,
-      name: scope.resourceNameFormatter.format(props.name, scope.props.resourceNameOptions?.storageContainer),
-    })
-
-    createAzureTfOutput(`${id}-storageContainerName`, scope, storageContainer.name)
-    createAzureTfOutput(`${id}-storageContainerFriendlyUniqueId`, scope, storageContainer.friendlyUniqueId)
-    createAzureTfOutput(`${id}-storageContainerId`, scope, storageContainer.id)
-
-    return storageContainer
+    const resourceGroupName = scope.props.resourceGroupName
+      ? scope.resourceNameFormatter.format(scope.props.resourceGroupName)
+      : `${props.resourceGroupName}`
+
+    return new BlobContainer(
+      `${id}-sc`,
+      {
+        ...props,
+        containerName: scope.resourceNameFormatter.format(
+          props.containerName?.toString(),
+          scope.props.resourceNameOptions?.storageContainer
+        ),
+        accountName: props.accountName,
+        resourceGroupName,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -98,12 +103,12 @@ export class AzureStorageManager {
    * @param id scoped id of the resource
    * @param scope scope in which this resource is defined
    * @param props storage blob properties
-   * @see [CDKTF Storage Blob Module]{@link https://github.com/cdktf/cdktf-provider-azurerm/blob/main/docs/storageBlob.typescript.md}
+   * @see [Pulumi Azure Native Blob]{@link https://www.pulumi.com/registry/packages/azure-native/api-docs/storage/blob/}
    */
   public createStorageBlob(id: string, scope: CommonAzureConstruct, props: StorageBlobProps) {
     if (!props) throw `Props undefined for ${id}`
 
-    const resourceGroup = new DataAzurermResourceGroup(scope, `${id}-sb-rg`, {
+    const resourceGroup = azure.core.getResourceGroupOutput({
       name: scope.props.resourceGroupName
         ? scope.resourceNameFormatter.format(scope.props.resourceGroupName)
         : `${props.resourceGroupName}`,
@@ -111,76 +116,70 @@ export class AzureStorageManager {
 
     if (!resourceGroup) throw `Resource group undefined for ${id}`
 
-    const storageAccount = new DataAzurermStorageAccount(scope, `${id}-sa`, {
-      name: `${props.storageAccountName}-${scope.props.stage}`,
-      resourceGroupName: resourceGroup.name,
-    })
-
-    const storageContainer = new DataAzurermStorageContainer(scope, `${id}-sc`, {
-      name: `${props.storageContainerName}-${scope.props.stage}`,
-      storageAccountName: undefined, // the `storage_account_name` property has been deprecated in favour of `storage_account_id` and will be removed in version 5.0 of the Provider.
-      storageAccountId: storageAccount.id,
-    })
-
-    const storageBlob = new StorageBlob(scope, `${id}-sb`, {
-      ...props,
-      name: scope.resourceNameFormatter.format(props.name, scope.props.resourceNameOptions?.storageBlob),
-      storageAccountName: storageAccount.name,
-      storageContainerName: storageContainer.name,
-    })
-
-    createAzureTfOutput(`${id}-storageBlobName`, scope, storageBlob.name)
-    createAzureTfOutput(`${id}-storageBlobFriendlyUniqueId`, scope, storageBlob.friendlyUniqueId)
-    createAzureTfOutput(`${id}-storageBlobId`, scope, storageBlob.id)
-
-    return storageBlob
+    const resourceGroupName = scope.props.resourceGroupName
+      ? scope.resourceNameFormatter.format(scope.props.resourceGroupName)
+      : `${props.resourceGroupName}`
+
+    return new Blob(
+      `${id}-sb`,
+      {
+        ...props,
+        blobName: scope.resourceNameFormatter.format(
+          props.blobName?.toString(),
+          scope.props.resourceNameOptions?.storageBlob
+        ),
+        accountName: props.accountName,
+        containerName: `${props.containerName}-${scope.props.stage}`,
+        resourceGroupName,
+      },
+      { parent: scope }
+    )
   }
 
   /**
    * @summary Generates a container-level SAS token for an existing Azure Storage container.
    *
    * @description
-   * This method creates a `DataAzurermStorageAccountBlobContainerSas` resource, allowing secure access
-   * to a container via a generated Shared Access Signature (SAS) token.
+   * This method generates a Shared Access Signature (SAS) token for secure container access.
+   * The token is generated using Pulumi's listStorageAccountSAS function.
    *
    * @param id - Unique scoped identifier for the SAS token resource
-   * @param scope - CDKTF construct scope in which the resource will be created
+   * @param scope - Pulumi construct scope
    * @param props - SAS options:
-   *   - start: Optional start date in the format 'YYYY-MM-DD'. If not provided, defaults to today’s date.
-   *   To avoid diffs on every deploy, it is recommended to supply a fixed value.
-   *   - expiry: Optional expiry date in the format 'YYYY-MM-DD'. Defaults to 7 days from current date if not provided.
-   * @param storageAccount
-   * @param storageContainer
+   *   - start: Optional start date in the format 'YYYY-MM-DD'. Defaults to today's date.
+   *   - expiry: Optional expiry date in the format 'YYYY-MM-DD'. Defaults to 7 days from current date.
+   * @param storageAccount - The storage account resource
+   * @param storageContainer - Optional blob container resource
    *
-   * @returns A `DataAzurermStorageAccountBlobContainerSas` instance with the generated SAS token
+   * @returns A Pulumi Output containing the SAS token
    *
-   * @see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account_blob_container_sas
+   * @see https://www.pulumi.com/registry/packages/azure-native/api-docs/storage/liststorageaccountsas/
    */
   public generateContainerSasToken(
     id: string,
     scope: CommonAzureConstruct,
-    props: DataAzurermStorageAccountBlobContainerSasProps,
-    storageAccount: StorageAccount,
-    storageContainer?: StorageContainer
+    props: ContainerSasTokenProps,
+    storageAccount: StorageAccount
   ) {
-    const containerSas = new DataAzurermStorageAccountBlobContainerSas(scope, `${id}-sc-sas`, {
-      connectionString: storageAccount.primaryConnectionString,
-      containerName: props.containerName ?? storageContainer?.name,
-      httpsOnly: props.httpsOnly ?? true,
-      start: props.start ?? new Date().toISOString().split('T')[0],
-      expiry: props.expiry ?? new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString().split('T')[0],
-      permissions: props.permissions ?? {
-        read: true,
-        add: false,
-        create: false,
-        delete: false,
-        list: false,
-        write: false,
-      },
-    })
-
-    createAzureTfOutput(`${id}-sas-token`, scope, containerSas.sas, 'output', true)
-
-    return containerSas
+    const resourceGroupName = scope.props.resourceGroupName
+      ? scope.resourceNameFormatter.format(scope.props.resourceGroupName)
+      : `${props.resourceGroupName}`
+
+    return pulumi
+      .all([storageAccount.name])
+      .apply(([accountName]) => {
+        return listStorageAccountSAS({
+          accountName,
+          resourceGroupName,
+          protocols: props.httpsOnly === false ? HttpProtocol.Https_http : HttpProtocol.Https,
+          sharedAccessStartTime: props.start ?? new Date().toISOString().split('T')[0],
+          sharedAccessExpiryTime:
+            props.expiry ?? new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString().split('T')[0],
+          permissions: props.permissions ?? Permissions.R,
+          services: Services.B,
+          resourceTypes: SignedResourceTypes.C,
+        })
+      })
+      .apply(result => result.accountSasToken)
   }
 }

package/src/lib/azure/services/storage/types.ts

@@ -1,13 +1,21 @@
-import { DataAzurermStorageAccountBlobContainerSasConfig } from '@cdktf/provider-azurerm/lib/data-azurerm-storage-account-blob-container-sas/index.js'
-import { StorageAccountConfig } from '@cdktf/provider-azurerm/lib/storage-account/index.js'
-import { StorageBlobConfig } from '@cdktf/provider-azurerm/lib/storage-blob/index.js'
-import { StorageContainerConfig } from '@cdktf/provider-azurerm/lib/storage-container/index.js'
+import {
+  BlobArgs,
+  BlobContainerArgs,
+  ListStorageAccountSASArgs,
+  StorageAccountArgs,
+} from '@pulumi/azure-native/storage/index.js'
 import { BaseAzureConfigProps } from '../../types/index.js'
 
-export interface StorageAccountProps extends StorageAccountConfig {}
+export interface StorageAccountProps extends StorageAccountArgs {}
 
-export interface StorageContainerProps extends BaseAzureConfigProps, StorageContainerConfig {}
+export interface StorageContainerProps extends BaseAzureConfigProps, BlobContainerArgs {}
 
-export interface StorageBlobProps extends BaseAzureConfigProps, StorageBlobConfig {}
+export interface StorageBlobProps extends BaseAzureConfigProps, BlobArgs {}
 
-export interface DataAzurermStorageAccountBlobContainerSasProps extends DataAzurermStorageAccountBlobContainerSasConfig {}
+export interface ContainerSasTokenProps extends ListStorageAccountSASArgs {
+  resourceGroupName: string
+  containerName?: string
+  httpsOnly?: boolean
+  start?: string
+  expiry?: string
+}

package/src/lib/azure/types/index.ts

@@ -1,3 +1,4 @@
+import * as pulumi from '@pulumi/pulumi'
 export interface BaseAzureConfigProps {
-  resourceGroupName: string
+  resourceGroupName: pulumi.Input<string>
 }

package/src/lib/azure/utils/index.ts

@@ -1,23 +1,21 @@
-import { TerraformOutput } from 'cdktf'
-import _ from 'lodash'
-import { CommonAzureConstruct } from '../common/index.js'
+/**
+ * @fileoverview Azure utility functions for Pulumi
+ *
+ * Note: Pulumi automatically exposes resource properties as outputs.
+ * Unlike CDKTF, explicit output creation is not required.
+ * Resource properties are already pulumi.Output<T> types and can be
+ * exported directly or used with .apply() for transformations.
+ *
+ * @example
+ * ```typescript
+ * // In CDKTF (old):
+ * createAzureTfOutput('resourceGroupName', scope, resourceGroup.name)
+ *
+ * // In Pulumi (new):
+ * // No explicit output creation needed - resourceGroup.name is already an output
+ * export const resourceGroupName = resourceGroup.name
+ * ```
+ */
 
-export const createAzureTfOutput = (
-  id: string,
-  scope: CommonAzureConstruct,
-  value?: string,
-  description?: string,
-  sensitive?: boolean,
-  overrideId = true
-) => {
-  const output = new TerraformOutput(scope, id, {
-    description,
-    sensitive,
-    value,
-  })
-
-  if (overrideId) {
-    output.overrideLogicalId(_.camelCase(id))
-  }
-  return output
-}
+// Utility functions can be added here as needed for Pulumi Azure operations
+export {}

package/src/lib/cloudflare/common/stack.ts

@@ -99,7 +99,7 @@ export class CommonCloudflareStack extends ComponentResource {
    * - Primary use is to have layered config for each environment which is injected into the context
    */
   protected determineStageContexts(props: CommonCloudflareStackProps) {
-    const stageContextFilePath = path.join(appRoot.path, props.stageContextPath ?? 'cdkEnv', `${props.stage}.json`)
+    const stageContextFilePath = path.join(appRoot.path, props.stageContextPath ?? 'env', `${props.stage}.json`)
 
     if (isDevStage(props.stage)) {
       if (props.debug) console.debug(`Development stage. Using default stage context properties`)

package/src/lib/cloudflare/services/access/main.ts

@@ -1,4 +1,16 @@
-import * as cloudflare from '@pulumi/cloudflare'
+import {
+  AccessRule,
+  ZeroTrustAccessApplication,
+  ZeroTrustAccessCustomPage,
+  ZeroTrustAccessGroup,
+  ZeroTrustAccessIdentityProvider,
+  ZeroTrustAccessMtlsCertificate,
+  ZeroTrustAccessPolicy,
+  ZeroTrustAccessServiceToken,
+  ZeroTrustAccessShortLivedCertificate,
+  ZeroTrustAccessTag,
+  ZeroTrustOrganization,
+} from '@pulumi/cloudflare'
 import { CommonCloudflareConstruct } from '../../common/construct.js'
 import {
   AccessRuleProps,
@@ -47,12 +59,16 @@ export class CloudflareAccessManager {
           filter: { name: scope.props.domainName },
         })?.id
 
-    return new cloudflare.ZeroTrustAccessApplication(`${id}`, {
-      ...props,
-      domain: `${props.domain}-${scope.props.domainName}`,
-      name: `${props.name}-${scope.props.stage}`,
-      zoneId,
-    })
+    return new ZeroTrustAccessApplication(
+      `${id}`,
+      {
+        ...props,
+        domain: `${props.domain}-${scope.props.domainName}`,
+        name: `${props.name}-${scope.props.stage}`,
+        zoneId,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -75,10 +91,14 @@ export class CloudflareAccessManager {
           filter: { name: scope.props.domainName },
         })?.id
 
-    return new cloudflare.ZeroTrustAccessShortLivedCertificate(`${id}`, {
-      ...props,
-      zoneId,
-    })
+    return new ZeroTrustAccessShortLivedCertificate(
+      `${id}`,
+      {
+        ...props,
+        zoneId,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -91,11 +111,15 @@ export class CloudflareAccessManager {
   public createAccessCustomPage(id: string, scope: CommonCloudflareConstruct, props: ZeroTrustAccessCustomPageProps) {
     if (!props) throw `Props undefined for ${id}`
 
-    return new cloudflare.ZeroTrustAccessCustomPage(`${id}`, {
-      ...props,
-      accountId: props.accountId ?? scope.props.accountId,
-      name: `${props.name}-${scope.props.stage}`,
-    })
+    return new ZeroTrustAccessCustomPage(
+      `${id}`,
+      {
+        ...props,
+        accountId: props.accountId ?? scope.props.accountId,
+        name: `${props.name}-${scope.props.stage}`,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -114,11 +138,15 @@ export class CloudflareAccessManager {
           filter: { name: scope.props.domainName },
         })?.id
 
-    return new cloudflare.ZeroTrustAccessGroup(`${id}`, {
-      ...props,
-      name: `${props.name} - ${scope.props.stage.toUpperCase()}`,
-      zoneId,
-    })
+    return new ZeroTrustAccessGroup(
+      `${id}`,
+      {
+        ...props,
+        name: `${props.name} - ${scope.props.stage.toUpperCase()}`,
+        zoneId,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -141,12 +169,16 @@ export class CloudflareAccessManager {
           filter: { name: scope.props.domainName },
         })?.id
 
-    return new cloudflare.ZeroTrustAccessIdentityProvider(`${id}`, {
-      ...props,
-      config: props.config ?? {},
-      name: `${props.name}-${scope.props.stage}`,
-      zoneId,
-    })
+    return new ZeroTrustAccessIdentityProvider(
+      `${id}`,
+      {
+        ...props,
+        config: props.config ?? {},
+        name: `${props.name}-${scope.props.stage}`,
+        zoneId,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -169,11 +201,15 @@ export class CloudflareAccessManager {
           filter: { name: scope.props.domainName },
         })?.id
 
-    return new cloudflare.ZeroTrustAccessMtlsCertificate(`${id}`, {
-      ...props,
-      name: `${props.name}-${scope.props.stage}`,
-      zoneId,
-    })
+    return new ZeroTrustAccessMtlsCertificate(
+      `${id}`,
+      {
+        ...props,
+        name: `${props.name}-${scope.props.stage}`,
+        zoneId,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -192,11 +228,15 @@ export class CloudflareAccessManager {
           filter: { name: scope.props.domainName },
         })?.id
 
-    return new cloudflare.ZeroTrustOrganization(`${id}`, {
-      ...props,
-      name: `${props.name}-${scope.props.stage}`,
-      zoneId,
-    })
+    return new ZeroTrustOrganization(
+      `${id}`,
+      {
+        ...props,
+        name: `${props.name}-${scope.props.stage}`,
+        zoneId,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -209,11 +249,15 @@ export class CloudflareAccessManager {
   public createAccessPolicy(id: string, scope: CommonCloudflareConstruct, props: ZeroTrustAccessPolicyProps) {
     if (!props) throw `Props undefined for ${id}`
 
-    return new cloudflare.ZeroTrustAccessPolicy(`${id}`, {
-      ...props,
-      name: `${props.name}-${scope.props.stage}`,
-      accountId: props.accountId ?? scope.props.accountId,
-    })
+    return new ZeroTrustAccessPolicy(
+      `${id}`,
+      {
+        ...props,
+        name: `${props.name}-${scope.props.stage}`,
+        accountId: props.accountId ?? scope.props.accountId,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -232,11 +276,15 @@ export class CloudflareAccessManager {
           filter: { name: scope.props.domainName },
         })?.id
 
-    return new cloudflare.AccessRule(`${id}`, {
-      ...props,
-      zoneId,
-      accountId: props.accountId ?? scope.props.accountId,
-    })
+    return new AccessRule(
+      `${id}`,
+      {
+        ...props,
+        zoneId,
+        accountId: props.accountId ?? scope.props.accountId,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -259,12 +307,16 @@ export class CloudflareAccessManager {
           filter: { name: scope.props.domainName },
         })?.id
 
-    return new cloudflare.ZeroTrustAccessServiceToken(`${id}`, {
-      ...props,
-      name: `${props.name}-${scope.props.stage}`,
-      accountId: props.accountId ?? scope.props.accountId,
-      zoneId,
-    })
+    return new ZeroTrustAccessServiceToken(
+      `${id}`,
+      {
+        ...props,
+        name: `${props.name}-${scope.props.stage}`,
+        accountId: props.accountId ?? scope.props.accountId,
+        zoneId,
+      },
+      { parent: scope }
+    )
   }
 
   /**
@@ -277,10 +329,14 @@ export class CloudflareAccessManager {
   public createAccessTag(id: string, scope: CommonCloudflareConstruct, props: ZeroTrustAccessTagProps) {
     if (!props) throw `Props undefined for ${id}`
 
-    return new cloudflare.ZeroTrustAccessTag(`${id}`, {
-      ...props,
-      name: `${props.name}-${scope.props.stage}`,
-      accountId: props.accountId ?? scope.props.accountId,
-    })
+    return new ZeroTrustAccessTag(
+      `${id}`,
+      {
+        ...props,
+        name: `${props.name}-${scope.props.stage}`,
+        accountId: props.accountId ?? scope.props.accountId,
+      },
+      { parent: scope }
+    )
   }
 }