@infracraft/pulumi 1.6.5 → 1.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -18,17 +18,31 @@ async function revealPassword(client, projectId, branchId, name) {
18
18
  return (await client.get(`/projects/${projectId}/branches/${branchId}/roles/${name}/reveal_password`)).password;
19
19
  }
20
20
  /**
21
+ * Resets an existing role's password to a fresh value and returns it.
22
+ * Used to isolate an adopted (copy-on-write) role from the parent branch's credential.
23
+ */
24
+ async function resetRolePassword(client, projectId, branchId, name) {
25
+ const result = await client.post(`/projects/${projectId}/branches/${branchId}/roles/${name}/reset_password`, {});
26
+ const password = result.role?.password ?? result.password;
27
+ if (!password) throw new Error(`Neon reset_password returned no password for role "${name}"`);
28
+ return password;
29
+ }
30
+ /**
21
31
  * Dynamic provider implementing CRUD for Neon database roles.
22
32
  *
23
33
  * Uses adopt-or-create on `create()`: finds an existing role by name
24
34
  * before creating a new one.
35
+ *
36
+ * @internal Exported only for unit testing; not part of the public API surface.
25
37
  */
26
38
  var NeonRoleResourceProvider = class {
27
39
  async create(inputs) {
28
40
  const client = new require_neon_client.NeonClient(inputs.apiKey);
29
- if (!await roleExists(client, inputs.projectId, inputs.branchId, inputs.name)) await client.post(`/projects/${inputs.projectId}/branches/${inputs.branchId}/roles`, { role: { name: inputs.name } });
41
+ const exists = await roleExists(client, inputs.projectId, inputs.branchId, inputs.name);
42
+ if (!exists) await client.post(`/projects/${inputs.projectId}/branches/${inputs.branchId}/roles`, { role: { name: inputs.name } });
43
+ else if (inputs.resetPassword) _pulumi_pulumi.log.info(`Resetting password for adopted Neon role "${inputs.name}" to isolate it from the parent branch`);
30
44
  else _pulumi_pulumi.log.info(`Adopting existing Neon role "${inputs.name}"`);
31
- const password = await revealPassword(client, inputs.projectId, inputs.branchId, inputs.name);
45
+ const password = exists && inputs.resetPassword ? await resetRolePassword(client, inputs.projectId, inputs.branchId, inputs.name) : await revealPassword(client, inputs.projectId, inputs.branchId, inputs.name);
32
46
  return {
33
47
  id: `${inputs.branchId}/${inputs.name}`,
34
48
  outs: {
@@ -72,8 +86,11 @@ var NeonRoleResource = class extends _pulumi_pulumi.dynamic.Resource {
72
86
  constructor(name, args, opts) {
73
87
  super(new NeonRoleResourceProvider(), name, {
74
88
  ...args,
75
- password: _pulumi_pulumi.secret(void 0)
76
- }, opts);
89
+ password: void 0
90
+ }, {
91
+ ...opts,
92
+ additionalSecretOutputs: ["password"]
93
+ });
77
94
  }
78
95
  };
79
96
  /**
@@ -95,7 +112,8 @@ var NeonRole = class extends _pulumi_pulumi.ComponentResource {
95
112
  apiKey: provider.apiKey,
96
113
  projectId: project.id,
97
114
  branchId: branch.id,
98
- name: args.name
115
+ name: args.name,
116
+ resetPassword: args.resetPassword ?? false
99
117
  }, { parent: this });
100
118
  this.password = resource.password;
101
119
  this.registerOutputs({ password: this.password });
@@ -104,4 +122,5 @@ var NeonRole = class extends _pulumi_pulumi.ComponentResource {
104
122
 
105
123
  //#endregion
106
124
  exports.NeonRole = NeonRole;
125
+ exports.NeonRoleResourceProvider = NeonRoleResourceProvider;
107
126
  //# sourceMappingURL=role.cjs.map
@@ -1 +1 @@
1
- {"version":3,"file":"role.cjs","names":["NeonClient","pulumi"],"sources":["../../src/neon/role.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport type { NeonBranch } from \"./branch\";\nimport { NeonClient } from \"./client\";\nimport type { NeonProject } from \"./project\";\nimport type { NeonProvider } from \"./provider\";\n\n/** Resolved inputs for the Neon role dynamic provider. */\nexport interface NeonRoleInputs {\n\t/** Neon API key. */\n\tapiKey: string;\n\n\t/** Neon project ID. */\n\tprojectId: string;\n\n\t/** Branch ID the role belongs to. */\n\tbranchId: string;\n\n\t/** Role name (e.g. `\"neondb_owner\"`). */\n\tname: string;\n}\n\n/** Persisted state for the Neon role. */\ninterface NeonRoleOutputs extends NeonRoleInputs {\n\t/** Role password (auto-generated by Neon). */\n\tpassword: string;\n}\n\n/** Neon API response for the reveal_password endpoint. */\ninterface PasswordResponse {\n\tpassword: string;\n}\n\n/** Neon API response for listing roles. */\ninterface RoleListResponse {\n\troles: Array<{\n\t\tname: string;\n\t}>;\n}\n\n/**\n * Checks if a role exists by name on a branch.\n */\nasync function roleExists(\n\tclient: NeonClient,\n\tprojectId: string,\n\tbranchId: string,\n\tname: string,\n): Promise<boolean> {\n\tconst result = await client.get<RoleListResponse>(\n\t\t`/projects/${projectId}/branches/${branchId}/roles`,\n\t);\n\n\treturn result.roles.some((r) => r.name === name);\n}\n\n/**\n * Reveals the password for an existing role via the dedicated API endpoint.\n */\nasync function revealPassword(\n\tclient: NeonClient,\n\tprojectId: string,\n\tbranchId: string,\n\tname: string,\n): Promise<string> {\n\tconst result = await client.get<PasswordResponse>(\n\t\t`/projects/${projectId}/branches/${branchId}/roles/${name}/reveal_password`,\n\t);\n\n\treturn result.password;\n}\n\n/**\n * Dynamic provider implementing CRUD for Neon database roles.\n *\n * Uses adopt-or-create on `create()`: finds an existing role by name\n * before creating a new one.\n */\nclass NeonRoleResourceProvider implements pulumi.dynamic.ResourceProvider {\n\tasync create(inputs: NeonRoleInputs): Promise<pulumi.dynamic.CreateResult> {\n\t\tconst client = new NeonClient(inputs.apiKey);\n\n\t\tconst exists = await roleExists(\n\t\t\tclient,\n\t\t\tinputs.projectId,\n\t\t\tinputs.branchId,\n\t\t\tinputs.name,\n\t\t);\n\n\t\tif (!exists) {\n\t\t\tawait client.post(\n\t\t\t\t`/projects/${inputs.projectId}/branches/${inputs.branchId}/roles`,\n\t\t\t\t{ role: { name: inputs.name } },\n\t\t\t);\n\t\t} else {\n\t\t\tpulumi.log.info(`Adopting existing Neon role \"${inputs.name}\"`);\n\t\t}\n\n\t\tconst password = await revealPassword(\n\t\t\tclient,\n\t\t\tinputs.projectId,\n\t\t\tinputs.branchId,\n\t\t\tinputs.name,\n\t\t);\n\n\t\treturn {\n\t\t\tid: `${inputs.branchId}/${inputs.name}`,\n\t\t\touts: { ...inputs, password },\n\t\t};\n\t}\n\n\tasync read(\n\t\tid: string,\n\t\tprops: NeonRoleOutputs,\n\t): Promise<pulumi.dynamic.ReadResult> {\n\t\tconst client = new NeonClient(props.apiKey);\n\n\t\tconst password = await revealPassword(\n\t\t\tclient,\n\t\t\tprops.projectId,\n\t\t\tprops.branchId,\n\t\t\tprops.name,\n\t\t);\n\n\t\treturn {\n\t\t\tid,\n\t\t\tprops: { ...props, password },\n\t\t};\n\t}\n\n\tasync delete(_id: string, props: NeonRoleOutputs): Promise<void> {\n\t\tconst client = new NeonClient(props.apiKey);\n\n\t\ttry {\n\t\t\tawait client.delete(\n\t\t\t\t`/projects/${props.projectId}/branches/${props.branchId}/roles/${props.name}`,\n\t\t\t);\n\t\t} catch {\n\t\t\tpulumi.log.warn(\n\t\t\t\t`Failed to delete Neon role \"${props.name}\" (may already be deleted)`,\n\t\t\t);\n\t\t}\n\t}\n\n\tasync diff(\n\t\t_id: string,\n\t\tolds: NeonRoleOutputs,\n\t\tnews: NeonRoleInputs,\n\t): Promise<pulumi.dynamic.DiffResult> {\n\t\tconst replaces: string[] = [];\n\n\t\tif (olds.projectId !== news.projectId) {\n\t\t\treplaces.push(\"projectId\");\n\t\t}\n\n\t\tif (olds.branchId !== news.branchId) {\n\t\t\treplaces.push(\"branchId\");\n\t\t}\n\n\t\tif (olds.name !== news.name) {\n\t\t\treplaces.push(\"name\");\n\t\t}\n\n\t\treturn {\n\t\t\tchanges: replaces.length > 0,\n\t\t\treplaces,\n\t\t\tdeleteBeforeReplace: true,\n\t\t};\n\t}\n}\n\n/** Internal dynamic resource — not part of the public API. */\nclass NeonRoleResource extends pulumi.dynamic.Resource {\n\tpublic declare readonly password: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: {\n\t\t\tapiKey: pulumi.Input<string>;\n\t\t\tprojectId: pulumi.Input<string>;\n\t\t\tbranchId: pulumi.Input<string>;\n\t\t\tname: pulumi.Input<string>;\n\t\t},\n\t\topts?: pulumi.CustomResourceOptions,\n\t) {\n\t\tsuper(\n\t\t\tnew NeonRoleResourceProvider(),\n\t\t\tname,\n\t\t\t{ ...args, password: pulumi.secret(undefined as unknown as string) },\n\t\t\topts,\n\t\t);\n\t}\n}\n\n/** Options type for NeonRole — replaces Pulumi's native `provider` field. */\ntype NeonRoleOptions = Omit<pulumi.ComponentResourceOptions, \"provider\"> & {\n\t/** Neon authentication context. */\n\tprovider: NeonProvider;\n\n\t/** Neon project context. */\n\tproject: NeonProject;\n\n\t/** Neon branch context. */\n\tbranch: NeonBranch;\n};\n\n/** Args for NeonRole. */\nexport interface NeonRoleArgs {\n\t/** Role name (e.g. `\"neondb_owner\"`). */\n\tname: pulumi.Input<string>;\n}\n\n/**\n * Manages a Neon database role with adopt-or-create semantics.\n * Exposes `password` as a secret output for connection string composition.\n *\n * @example\n * ```typescript\n * const role = new NeonRole(\"owner\", {\n * name: \"neondb_owner\",\n * }, { provider, project, branch });\n * ```\n */\nexport class NeonRole extends pulumi.ComponentResource {\n\t/** Role password (secret). */\n\tpublic readonly password: pulumi.Output<string>;\n\n\tconstructor(name: string, args: NeonRoleArgs, opts: NeonRoleOptions) {\n\t\tconst { provider, project, branch, ...pulumiOpts } = opts;\n\n\t\tsuper(\"infracraft:neon:Role\", name, {}, pulumiOpts);\n\n\t\tconst resource = new NeonRoleResource(\n\t\t\t`${name}-resource`,\n\t\t\t{\n\t\t\t\tapiKey: provider.apiKey,\n\t\t\t\tprojectId: project.id,\n\t\t\t\tbranchId: branch.id,\n\t\t\t\tname: args.name,\n\t\t\t},\n\t\t\t{ parent: this },\n\t\t);\n\n\t\tthis.password = resource.password;\n\n\t\tthis.registerOutputs({ password: this.password });\n\t}\n}\n"],"mappings":";;;;;;;;;;AA0CA,eAAe,WACd,QACA,WACA,UACA,MACmB;CAKnB,QAAO,MAJc,OAAO,IAC3B,aAAa,UAAU,YAAY,SAAS,OAC7C,GAEc,MAAM,MAAM,MAAM,EAAE,SAAS,IAAI;AAChD;;;;AAKA,eAAe,eACd,QACA,WACA,UACA,MACkB;CAKlB,QAAO,MAJc,OAAO,IAC3B,aAAa,UAAU,YAAY,SAAS,SAAS,KAAK,iBAC3D,GAEc;AACf;;;;;;;AAQA,IAAM,2BAAN,MAA0E;CACzE,MAAM,OAAO,QAA8D;EAC1E,MAAM,SAAS,IAAIA,+BAAW,OAAO,MAAM;EAS3C,IAAI,CAAC,MAPgB,WACpB,QACA,OAAO,WACP,OAAO,UACP,OAAO,IACR,GAGC,MAAM,OAAO,KACZ,aAAa,OAAO,UAAU,YAAY,OAAO,SAAS,SAC1D,EAAE,MAAM,EAAE,MAAM,OAAO,KAAK,EAAE,CAC/B;OAEA,eAAO,IAAI,KAAK,gCAAgC,OAAO,KAAK,EAAE;EAG/D,MAAM,WAAW,MAAM,eACtB,QACA,OAAO,WACP,OAAO,UACP,OAAO,IACR;EAEA,OAAO;GACN,IAAI,GAAG,OAAO,SAAS,GAAG,OAAO;GACjC,MAAM;IAAE,GAAG;IAAQ;GAAS;EAC7B;CACD;CAEA,MAAM,KACL,IACA,OACqC;EAGrC,MAAM,WAAW,MAAM,eACtB,IAHkBA,+BAAW,MAAM,MAG9B,GACL,MAAM,WACN,MAAM,UACN,MAAM,IACP;EAEA,OAAO;GACN;GACA,OAAO;IAAE,GAAG;IAAO;GAAS;EAC7B;CACD;CAEA,MAAM,OAAO,KAAa,OAAuC;EAChE,MAAM,SAAS,IAAIA,+BAAW,MAAM,MAAM;EAE1C,IAAI;GACH,MAAM,OAAO,OACZ,aAAa,MAAM,UAAU,YAAY,MAAM,SAAS,SAAS,MAAM,MACxE;EACD,QAAQ;GACP,eAAO,IAAI,KACV,+BAA+B,MAAM,KAAK,2BAC3C;EACD;CACD;CAEA,MAAM,KACL,KACA,MACA,MACqC;EACrC,MAAM,WAAqB,CAAC;EAE5B,IAAI,KAAK,cAAc,KAAK,WAC3B,SAAS,KAAK,WAAW;EAG1B,IAAI,KAAK,aAAa,KAAK,UAC1B,SAAS,KAAK,UAAU;EAGzB,IAAI,KAAK,SAAS,KAAK,MACtB,SAAS,KAAK,MAAM;EAGrB,OAAO;GACN,SAAS,SAAS,SAAS;GAC3B;GACA,qBAAqB;EACtB;CACD;AACD;;AAGA,IAAM,mBAAN,cAA+BC,eAAO,QAAQ,SAAS;CAGtD,YACC,MACA,MAMA,MACC;EACD,MACC,IAAI,yBAAyB,GAC7B,MACA;GAAE,GAAG;GAAM,UAAUA,eAAO,OAAO,MAA8B;EAAE,GACnE,IACD;CACD;AACD;;;;;;;;;;;;AA+BA,IAAa,WAAb,cAA8BA,eAAO,kBAAkB;CAItD,YAAY,MAAc,MAAoB,MAAuB;EACpE,MAAM,EAAE,UAAU,SAAS,QAAQ,GAAG,eAAe;EAErD,MAAM,wBAAwB,MAAM,CAAC,GAAG,UAAU;EAElD,MAAM,WAAW,IAAI,iBACpB,GAAG,KAAK,YACR;GACC,QAAQ,SAAS;GACjB,WAAW,QAAQ;GACnB,UAAU,OAAO;GACjB,MAAM,KAAK;EACZ,GACA,EAAE,QAAQ,KAAK,CAChB;EAEA,KAAK,WAAW,SAAS;EAEzB,KAAK,gBAAgB,EAAE,UAAU,KAAK,SAAS,CAAC;CACjD;AACD"}
1
+ {"version":3,"file":"role.cjs","names":["NeonClient","pulumi"],"sources":["../../src/neon/role.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport type { NeonBranch } from \"./branch\";\nimport { NeonClient } from \"./client\";\nimport type { NeonProject } from \"./project\";\nimport type { NeonProvider } from \"./provider\";\n\n/** Resolved inputs for the Neon role dynamic provider. */\nexport interface NeonRoleInputs {\n\t/** Neon API key. */\n\tapiKey: string;\n\n\t/** Neon project ID. */\n\tprojectId: string;\n\n\t/** Branch ID the role belongs to. */\n\tbranchId: string;\n\n\t/** Role name (e.g. `\"neondb_owner\"`). */\n\tname: string;\n\n\t/**\n\t * When the role already exists (adopted), reset its password to a fresh value\n\t * instead of revealing the inherited one. Use on copy-on-write branches to\n\t * isolate the credential from the parent branch. Ignored when the role is\n\t * freshly created (a new role already gets its own password).\n\t */\n\tresetPassword: boolean;\n}\n\n/** Persisted state for the Neon role. */\ninterface NeonRoleOutputs extends NeonRoleInputs {\n\t/** Role password (auto-generated by Neon). */\n\tpassword: string;\n}\n\n/** Neon API response for the reveal_password endpoint. */\ninterface PasswordResponse {\n\tpassword: string;\n}\n\n/** Neon API response for the reset_password endpoint (nested under `role`). */\ninterface ResetPasswordResponse {\n\trole?: { password?: string };\n\tpassword?: string;\n}\n\n/** Neon API response for listing roles. */\ninterface RoleListResponse {\n\troles: Array<{\n\t\tname: string;\n\t}>;\n}\n\n/**\n * Checks if a role exists by name on a branch.\n */\nasync function roleExists(\n\tclient: NeonClient,\n\tprojectId: string,\n\tbranchId: string,\n\tname: string,\n): Promise<boolean> {\n\tconst result = await client.get<RoleListResponse>(\n\t\t`/projects/${projectId}/branches/${branchId}/roles`,\n\t);\n\n\treturn result.roles.some((r) => r.name === name);\n}\n\n/**\n * Reveals the password for an existing role via the dedicated API endpoint.\n */\nasync function revealPassword(\n\tclient: NeonClient,\n\tprojectId: string,\n\tbranchId: string,\n\tname: string,\n): Promise<string> {\n\tconst result = await client.get<PasswordResponse>(\n\t\t`/projects/${projectId}/branches/${branchId}/roles/${name}/reveal_password`,\n\t);\n\n\treturn result.password;\n}\n\n/**\n * Resets an existing role's password to a fresh value and returns it.\n * Used to isolate an adopted (copy-on-write) role from the parent branch's credential.\n */\nasync function resetRolePassword(\n\tclient: NeonClient,\n\tprojectId: string,\n\tbranchId: string,\n\tname: string,\n): Promise<string> {\n\tconst result = await client.post<ResetPasswordResponse>(\n\t\t`/projects/${projectId}/branches/${branchId}/roles/${name}/reset_password`,\n\t\t{},\n\t);\n\n\tconst password = result.role?.password ?? result.password;\n\n\tif (!password) {\n\t\tthrow new Error(\n\t\t\t`Neon reset_password returned no password for role \"${name}\"`,\n\t\t);\n\t}\n\n\treturn password;\n}\n\n/**\n * Dynamic provider implementing CRUD for Neon database roles.\n *\n * Uses adopt-or-create on `create()`: finds an existing role by name\n * before creating a new one.\n *\n * @internal Exported only for unit testing; not part of the public API surface.\n */\nexport class NeonRoleResourceProvider\n\timplements pulumi.dynamic.ResourceProvider\n{\n\tasync create(inputs: NeonRoleInputs): Promise<pulumi.dynamic.CreateResult> {\n\t\tconst client = new NeonClient(inputs.apiKey);\n\n\t\tconst exists = await roleExists(\n\t\t\tclient,\n\t\t\tinputs.projectId,\n\t\t\tinputs.branchId,\n\t\t\tinputs.name,\n\t\t);\n\n\t\tif (!exists) {\n\t\t\tawait client.post(\n\t\t\t\t`/projects/${inputs.projectId}/branches/${inputs.branchId}/roles`,\n\t\t\t\t{ role: { name: inputs.name } },\n\t\t\t);\n\t\t} else if (inputs.resetPassword) {\n\t\t\tpulumi.log.info(\n\t\t\t\t`Resetting password for adopted Neon role \"${inputs.name}\" to isolate it from the parent branch`,\n\t\t\t);\n\t\t} else {\n\t\t\tpulumi.log.info(`Adopting existing Neon role \"${inputs.name}\"`);\n\t\t}\n\n\t\tconst password =\n\t\t\texists && inputs.resetPassword\n\t\t\t\t? await resetRolePassword(\n\t\t\t\t\t\tclient,\n\t\t\t\t\t\tinputs.projectId,\n\t\t\t\t\t\tinputs.branchId,\n\t\t\t\t\t\tinputs.name,\n\t\t\t\t\t)\n\t\t\t\t: await revealPassword(\n\t\t\t\t\t\tclient,\n\t\t\t\t\t\tinputs.projectId,\n\t\t\t\t\t\tinputs.branchId,\n\t\t\t\t\t\tinputs.name,\n\t\t\t\t\t);\n\n\t\treturn {\n\t\t\tid: `${inputs.branchId}/${inputs.name}`,\n\t\t\touts: { ...inputs, password },\n\t\t};\n\t}\n\n\tasync read(\n\t\tid: string,\n\t\tprops: NeonRoleOutputs,\n\t): Promise<pulumi.dynamic.ReadResult> {\n\t\tconst client = new NeonClient(props.apiKey);\n\n\t\tconst password = await revealPassword(\n\t\t\tclient,\n\t\t\tprops.projectId,\n\t\t\tprops.branchId,\n\t\t\tprops.name,\n\t\t);\n\n\t\treturn {\n\t\t\tid,\n\t\t\tprops: { ...props, password },\n\t\t};\n\t}\n\n\tasync delete(_id: string, props: NeonRoleOutputs): Promise<void> {\n\t\tconst client = new NeonClient(props.apiKey);\n\n\t\ttry {\n\t\t\tawait client.delete(\n\t\t\t\t`/projects/${props.projectId}/branches/${props.branchId}/roles/${props.name}`,\n\t\t\t);\n\t\t} catch {\n\t\t\tpulumi.log.warn(\n\t\t\t\t`Failed to delete Neon role \"${props.name}\" (may already be deleted)`,\n\t\t\t);\n\t\t}\n\t}\n\n\tasync diff(\n\t\t_id: string,\n\t\tolds: NeonRoleOutputs,\n\t\tnews: NeonRoleInputs,\n\t): Promise<pulumi.dynamic.DiffResult> {\n\t\tconst replaces: string[] = [];\n\n\t\tif (olds.projectId !== news.projectId) {\n\t\t\treplaces.push(\"projectId\");\n\t\t}\n\n\t\tif (olds.branchId !== news.branchId) {\n\t\t\treplaces.push(\"branchId\");\n\t\t}\n\n\t\tif (olds.name !== news.name) {\n\t\t\treplaces.push(\"name\");\n\t\t}\n\n\t\treturn {\n\t\t\tchanges: replaces.length > 0,\n\t\t\treplaces,\n\t\t\tdeleteBeforeReplace: true,\n\t\t};\n\t}\n}\n\n/** Internal dynamic resource — not part of the public API. */\nclass NeonRoleResource extends pulumi.dynamic.Resource {\n\tpublic declare readonly password: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: {\n\t\t\tapiKey: pulumi.Input<string>;\n\t\t\tprojectId: pulumi.Input<string>;\n\t\t\tbranchId: pulumi.Input<string>;\n\t\t\tname: pulumi.Input<string>;\n\t\t\tresetPassword: pulumi.Input<boolean>;\n\t\t},\n\t\topts?: pulumi.CustomResourceOptions,\n\t) {\n\t\t// `password` is an output-only secret. Declaring it via additionalSecretOutputs\n\t\t// (rather than a pulumi.secret(undefined) input placeholder) is the only reliable\n\t\t// way to mark a dynamic-provider output secret: the placeholder gives the property\n\t\t// both a secret-undefined input and a real output, and a downstream dynamic resource\n\t\t// consuming it can race onto the undefined, producing \"Unexpected struct type\"\n\t\t// during protobuf serialization (Pulumi #16041, #3012).\n\t\tsuper(\n\t\t\tnew NeonRoleResourceProvider(),\n\t\t\tname,\n\t\t\t{ ...args, password: undefined },\n\t\t\t{ ...opts, additionalSecretOutputs: [\"password\"] },\n\t\t);\n\t}\n}\n\n/** Options type for NeonRole — replaces Pulumi's native `provider` field. */\ntype NeonRoleOptions = Omit<pulumi.ComponentResourceOptions, \"provider\"> & {\n\t/** Neon authentication context. */\n\tprovider: NeonProvider;\n\n\t/** Neon project context. */\n\tproject: NeonProject;\n\n\t/** Neon branch context. */\n\tbranch: NeonBranch;\n};\n\n/** Args for NeonRole. */\nexport interface NeonRoleArgs {\n\t/** Role name (e.g. `\"neondb_owner\"`). */\n\tname: pulumi.Input<string>;\n\n\t/**\n\t * When the role is adopted (already exists on the branch), reset its password to a\n\t * fresh value instead of inheriting the parent's. Set this on copy-on-write\n\t * (non-production) branches to isolate the credential from production. Defaults to\n\t * `false` (adopt and reveal the existing password). The reset runs once, at creation.\n\t */\n\tresetPassword?: pulumi.Input<boolean>;\n}\n\n/**\n * Manages a Neon database role with adopt-or-create semantics.\n * Exposes `password` as a secret output for connection string composition.\n *\n * @example\n * ```typescript\n * const role = new NeonRole(\"owner\", {\n * name: \"neondb_owner\",\n * }, { provider, project, branch });\n * ```\n */\nexport class NeonRole extends pulumi.ComponentResource {\n\t/** Role password (secret). */\n\tpublic readonly password: pulumi.Output<string>;\n\n\tconstructor(name: string, args: NeonRoleArgs, opts: NeonRoleOptions) {\n\t\tconst { provider, project, branch, ...pulumiOpts } = opts;\n\n\t\tsuper(\"infracraft:neon:Role\", name, {}, pulumiOpts);\n\n\t\tconst resource = new NeonRoleResource(\n\t\t\t`${name}-resource`,\n\t\t\t{\n\t\t\t\tapiKey: provider.apiKey,\n\t\t\t\tprojectId: project.id,\n\t\t\t\tbranchId: branch.id,\n\t\t\t\tname: args.name,\n\t\t\t\tresetPassword: args.resetPassword ?? false,\n\t\t\t},\n\t\t\t{ parent: this },\n\t\t);\n\n\t\tthis.password = resource.password;\n\n\t\tthis.registerOutputs({ password: this.password });\n\t}\n}\n"],"mappings":";;;;;;;;;;AAwDA,eAAe,WACd,QACA,WACA,UACA,MACmB;CAKnB,QAAO,MAJc,OAAO,IAC3B,aAAa,UAAU,YAAY,SAAS,OAC7C,GAEc,MAAM,MAAM,MAAM,EAAE,SAAS,IAAI;AAChD;;;;AAKA,eAAe,eACd,QACA,WACA,UACA,MACkB;CAKlB,QAAO,MAJc,OAAO,IAC3B,aAAa,UAAU,YAAY,SAAS,SAAS,KAAK,iBAC3D,GAEc;AACf;;;;;AAMA,eAAe,kBACd,QACA,WACA,UACA,MACkB;CAClB,MAAM,SAAS,MAAM,OAAO,KAC3B,aAAa,UAAU,YAAY,SAAS,SAAS,KAAK,kBAC1D,CAAC,CACF;CAEA,MAAM,WAAW,OAAO,MAAM,YAAY,OAAO;CAEjD,IAAI,CAAC,UACJ,MAAM,IAAI,MACT,sDAAsD,KAAK,EAC5D;CAGD,OAAO;AACR;;;;;;;;;AAUA,IAAa,2BAAb,MAEA;CACC,MAAM,OAAO,QAA8D;EAC1E,MAAM,SAAS,IAAIA,+BAAW,OAAO,MAAM;EAE3C,MAAM,SAAS,MAAM,WACpB,QACA,OAAO,WACP,OAAO,UACP,OAAO,IACR;EAEA,IAAI,CAAC,QACJ,MAAM,OAAO,KACZ,aAAa,OAAO,UAAU,YAAY,OAAO,SAAS,SAC1D,EAAE,MAAM,EAAE,MAAM,OAAO,KAAK,EAAE,CAC/B;OACM,IAAI,OAAO,eACjB,eAAO,IAAI,KACV,6CAA6C,OAAO,KAAK,uCAC1D;OAEA,eAAO,IAAI,KAAK,gCAAgC,OAAO,KAAK,EAAE;EAG/D,MAAM,WACL,UAAU,OAAO,gBACd,MAAM,kBACN,QACA,OAAO,WACP,OAAO,UACP,OAAO,IACR,IACC,MAAM,eACN,QACA,OAAO,WACP,OAAO,UACP,OAAO,IACR;EAEH,OAAO;GACN,IAAI,GAAG,OAAO,SAAS,GAAG,OAAO;GACjC,MAAM;IAAE,GAAG;IAAQ;GAAS;EAC7B;CACD;CAEA,MAAM,KACL,IACA,OACqC;EAGrC,MAAM,WAAW,MAAM,eACtB,IAHkBA,+BAAW,MAAM,MAG9B,GACL,MAAM,WACN,MAAM,UACN,MAAM,IACP;EAEA,OAAO;GACN;GACA,OAAO;IAAE,GAAG;IAAO;GAAS;EAC7B;CACD;CAEA,MAAM,OAAO,KAAa,OAAuC;EAChE,MAAM,SAAS,IAAIA,+BAAW,MAAM,MAAM;EAE1C,IAAI;GACH,MAAM,OAAO,OACZ,aAAa,MAAM,UAAU,YAAY,MAAM,SAAS,SAAS,MAAM,MACxE;EACD,QAAQ;GACP,eAAO,IAAI,KACV,+BAA+B,MAAM,KAAK,2BAC3C;EACD;CACD;CAEA,MAAM,KACL,KACA,MACA,MACqC;EACrC,MAAM,WAAqB,CAAC;EAE5B,IAAI,KAAK,cAAc,KAAK,WAC3B,SAAS,KAAK,WAAW;EAG1B,IAAI,KAAK,aAAa,KAAK,UAC1B,SAAS,KAAK,UAAU;EAGzB,IAAI,KAAK,SAAS,KAAK,MACtB,SAAS,KAAK,MAAM;EAGrB,OAAO;GACN,SAAS,SAAS,SAAS;GAC3B;GACA,qBAAqB;EACtB;CACD;AACD;;AAGA,IAAM,mBAAN,cAA+BC,eAAO,QAAQ,SAAS;CAGtD,YACC,MACA,MAOA,MACC;EAOD,MACC,IAAI,yBAAyB,GAC7B,MACA;GAAE,GAAG;GAAM,UAAU;EAAU,GAC/B;GAAE,GAAG;GAAM,yBAAyB,CAAC,UAAU;EAAE,CAClD;CACD;AACD;;;;;;;;;;;;AAuCA,IAAa,WAAb,cAA8BA,eAAO,kBAAkB;CAItD,YAAY,MAAc,MAAoB,MAAuB;EACpE,MAAM,EAAE,UAAU,SAAS,QAAQ,GAAG,eAAe;EAErD,MAAM,wBAAwB,MAAM,CAAC,GAAG,UAAU;EAElD,MAAM,WAAW,IAAI,iBACpB,GAAG,KAAK,YACR;GACC,QAAQ,SAAS;GACjB,WAAW,QAAQ;GACnB,UAAU,OAAO;GACjB,MAAM,KAAK;GACX,eAAe,KAAK,iBAAiB;EACtC,GACA,EAAE,QAAQ,KAAK,CAChB;EAEA,KAAK,WAAW,SAAS;EAEzB,KAAK,gBAAgB,EAAE,UAAU,KAAK,SAAS,CAAC;CACjD;AACD"}
@@ -15,6 +15,32 @@ interface NeonRoleInputs {
15
15
  branchId: string;
16
16
  /** Role name (e.g. `"neondb_owner"`). */
17
17
  name: string;
18
+ /**
19
+ * When the role already exists (adopted), reset its password to a fresh value
20
+ * instead of revealing the inherited one. Use on copy-on-write branches to
21
+ * isolate the credential from the parent branch. Ignored when the role is
22
+ * freshly created (a new role already gets its own password).
23
+ */
24
+ resetPassword: boolean;
25
+ }
26
+ /** Persisted state for the Neon role. */
27
+ interface NeonRoleOutputs extends NeonRoleInputs {
28
+ /** Role password (auto-generated by Neon). */
29
+ password: string;
30
+ }
31
+ /**
32
+ * Dynamic provider implementing CRUD for Neon database roles.
33
+ *
34
+ * Uses adopt-or-create on `create()`: finds an existing role by name
35
+ * before creating a new one.
36
+ *
37
+ * @internal Exported only for unit testing; not part of the public API surface.
38
+ */
39
+ declare class NeonRoleResourceProvider implements pulumi.dynamic.ResourceProvider {
40
+ create(inputs: NeonRoleInputs): Promise<pulumi.dynamic.CreateResult>;
41
+ read(id: string, props: NeonRoleOutputs): Promise<pulumi.dynamic.ReadResult>;
42
+ delete(_id: string, props: NeonRoleOutputs): Promise<void>;
43
+ diff(_id: string, olds: NeonRoleOutputs, news: NeonRoleInputs): Promise<pulumi.dynamic.DiffResult>;
18
44
  }
19
45
  /** Options type for NeonRole — replaces Pulumi's native `provider` field. */
20
46
  type NeonRoleOptions = Omit<pulumi.ComponentResourceOptions, "provider"> & {
@@ -26,6 +52,13 @@ type NeonRoleOptions = Omit<pulumi.ComponentResourceOptions, "provider"> & {
26
52
  interface NeonRoleArgs {
27
53
  /** Role name (e.g. `"neondb_owner"`). */
28
54
  name: pulumi.Input<string>;
55
+ /**
56
+ * When the role is adopted (already exists on the branch), reset its password to a
57
+ * fresh value instead of inheriting the parent's. Set this on copy-on-write
58
+ * (non-production) branches to isolate the credential from production. Defaults to
59
+ * `false` (adopt and reveal the existing password). The reset runs once, at creation.
60
+ */
61
+ resetPassword?: pulumi.Input<boolean>;
29
62
  }
30
63
  /**
31
64
  * Manages a Neon database role with adopt-or-create semantics.
@@ -44,5 +77,5 @@ declare class NeonRole extends pulumi.ComponentResource {
44
77
  constructor(name: string, args: NeonRoleArgs, opts: NeonRoleOptions);
45
78
  }
46
79
  //#endregion
47
- export { NeonRole, NeonRoleArgs, NeonRoleInputs };
80
+ export { NeonRole, NeonRoleArgs, NeonRoleInputs, NeonRoleResourceProvider };
48
81
  //# sourceMappingURL=role.d.cts.map
@@ -1 +1 @@
1
- {"version":3,"file":"role.d.cts","names":[],"sources":["../../src/neon/role.ts"],"mappings":";;;;;;;;UAOiB,cAAA;;EAEhB,MAAA;EAF8B;EAK9B,SAAA;EAL8B;EAQ9B,QAAA;EAHA;EAMA,IAAA;AAAA;;KAgLI,eAAA,GAAkB,IAAA,CAAK,MAAA,CAAO,wBAAA;EAA9B,mCAEJ,QAAA,EAAU,YAAA;EAGV,OAAA,EAAS,WAAA,EALa;EAQtB,MAAA,EAAQ,UAAA;AAAA;;UAIQ,YAAA;EAJE;EAMlB,IAAA,EAAM,MAAA,CAAO,KAAK;AAAA;;;;;;;;;AANA;AAInB;;cAgBa,QAAA,SAAiB,MAAA,CAAO,iBAAA;EAdlB;EAAA,SAgBF,QAAA,EAAU,MAAA,CAAO,MAAA;cAErB,IAAA,UAAc,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,eAAA;AAAA"}
1
+ {"version":3,"file":"role.d.cts","names":[],"sources":["../../src/neon/role.ts"],"mappings":";;;;;;;;UAOiB,cAAA;;EAEhB,MAAA;EAF8B;EAK9B,SAAA;EAL8B;EAQ9B,QAAA;EAHA;EAMA,IAAA;EAAA;;;AAQa;AACb;;EADA,aAAA;AAAA;AAMQ;AAAA,UAFC,eAAA,SAAwB,cAAc;EA0F/C;EAxFA,QAAQ;AAAA;;;;;;;;;cAuFI,wBAAA,YACD,MAAA,CAAO,OAAA,CAAQ,gBAAA;EAEpB,MAAA,CAAO,MAAA,EAAQ,cAAA,GAAiB,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,YAAA;EA4CvD,IAAA,CACL,EAAA,UACA,KAAA,EAAO,eAAA,GACL,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;EAgBpB,MAAA,CAAO,GAAA,UAAa,KAAA,EAAO,eAAA,GAAkB,OAAA;EAc7C,IAAA,CACL,GAAA,UACA,IAAA,EAAM,eAAA,EACN,IAAA,EAAM,cAAA,GACJ,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;AAAA;;KAsDtB,eAAA,GAAkB,IAAA,CAAK,MAAA,CAAO,wBAAA;EAzIR,mCA2I1B,QAAA,EAAU,YAAA,EAzIW;EA4IrB,OAAA,EAAS,WAAA,EA5I6B;EA+ItC,MAAA,EAAQ,UAAA;AAAA;;UAIQ,YAAA;EAtGf;EAwGD,IAAA,EAAM,MAAA,CAAO,KAAA;EAvGZ;;;;;;EA+GD,aAAA,GAAgB,MAAA,CAAO,KAAK;AAAA;;;;;;;;;;;;cAchB,QAAA,SAAiB,MAAA,CAAO,iBAAA;EA1FA;EAAA,SA4FpB,QAAA,EAAU,MAAA,CAAO,MAAA;cAErB,IAAA,UAAc,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,eAAA;AAAA"}
@@ -15,6 +15,32 @@ interface NeonRoleInputs {
15
15
  branchId: string;
16
16
  /** Role name (e.g. `"neondb_owner"`). */
17
17
  name: string;
18
+ /**
19
+ * When the role already exists (adopted), reset its password to a fresh value
20
+ * instead of revealing the inherited one. Use on copy-on-write branches to
21
+ * isolate the credential from the parent branch. Ignored when the role is
22
+ * freshly created (a new role already gets its own password).
23
+ */
24
+ resetPassword: boolean;
25
+ }
26
+ /** Persisted state for the Neon role. */
27
+ interface NeonRoleOutputs extends NeonRoleInputs {
28
+ /** Role password (auto-generated by Neon). */
29
+ password: string;
30
+ }
31
+ /**
32
+ * Dynamic provider implementing CRUD for Neon database roles.
33
+ *
34
+ * Uses adopt-or-create on `create()`: finds an existing role by name
35
+ * before creating a new one.
36
+ *
37
+ * @internal Exported only for unit testing; not part of the public API surface.
38
+ */
39
+ declare class NeonRoleResourceProvider implements pulumi.dynamic.ResourceProvider {
40
+ create(inputs: NeonRoleInputs): Promise<pulumi.dynamic.CreateResult>;
41
+ read(id: string, props: NeonRoleOutputs): Promise<pulumi.dynamic.ReadResult>;
42
+ delete(_id: string, props: NeonRoleOutputs): Promise<void>;
43
+ diff(_id: string, olds: NeonRoleOutputs, news: NeonRoleInputs): Promise<pulumi.dynamic.DiffResult>;
18
44
  }
19
45
  /** Options type for NeonRole — replaces Pulumi's native `provider` field. */
20
46
  type NeonRoleOptions = Omit<pulumi.ComponentResourceOptions, "provider"> & {
@@ -26,6 +52,13 @@ type NeonRoleOptions = Omit<pulumi.ComponentResourceOptions, "provider"> & {
26
52
  interface NeonRoleArgs {
27
53
  /** Role name (e.g. `"neondb_owner"`). */
28
54
  name: pulumi.Input<string>;
55
+ /**
56
+ * When the role is adopted (already exists on the branch), reset its password to a
57
+ * fresh value instead of inheriting the parent's. Set this on copy-on-write
58
+ * (non-production) branches to isolate the credential from production. Defaults to
59
+ * `false` (adopt and reveal the existing password). The reset runs once, at creation.
60
+ */
61
+ resetPassword?: pulumi.Input<boolean>;
29
62
  }
30
63
  /**
31
64
  * Manages a Neon database role with adopt-or-create semantics.
@@ -44,5 +77,5 @@ declare class NeonRole extends pulumi.ComponentResource {
44
77
  constructor(name: string, args: NeonRoleArgs, opts: NeonRoleOptions);
45
78
  }
46
79
  //#endregion
47
- export { NeonRole, NeonRoleArgs, NeonRoleInputs };
80
+ export { NeonRole, NeonRoleArgs, NeonRoleInputs, NeonRoleResourceProvider };
48
81
  //# sourceMappingURL=role.d.mts.map
@@ -1 +1 @@
1
- {"version":3,"file":"role.d.mts","names":[],"sources":["../../src/neon/role.ts"],"mappings":";;;;;;;;UAOiB,cAAA;;EAEhB,MAAA;EAF8B;EAK9B,SAAA;EAL8B;EAQ9B,QAAA;EAHA;EAMA,IAAA;AAAA;;KAgLI,eAAA,GAAkB,IAAA,CAAK,MAAA,CAAO,wBAAA;EAA9B,mCAEJ,QAAA,EAAU,YAAA;EAGV,OAAA,EAAS,WAAA,EALa;EAQtB,MAAA,EAAQ,UAAA;AAAA;;UAIQ,YAAA;EAJE;EAMlB,IAAA,EAAM,MAAA,CAAO,KAAK;AAAA;;;;;;;;;AANA;AAInB;;cAgBa,QAAA,SAAiB,MAAA,CAAO,iBAAA;EAdlB;EAAA,SAgBF,QAAA,EAAU,MAAA,CAAO,MAAA;cAErB,IAAA,UAAc,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,eAAA;AAAA"}
1
+ {"version":3,"file":"role.d.mts","names":[],"sources":["../../src/neon/role.ts"],"mappings":";;;;;;;;UAOiB,cAAA;;EAEhB,MAAA;EAF8B;EAK9B,SAAA;EAL8B;EAQ9B,QAAA;EAHA;EAMA,IAAA;EAAA;;;AAQa;AACb;;EADA,aAAA;AAAA;AAMQ;AAAA,UAFC,eAAA,SAAwB,cAAc;EA0F/C;EAxFA,QAAQ;AAAA;;;;;;;;;cAuFI,wBAAA,YACD,MAAA,CAAO,OAAA,CAAQ,gBAAA;EAEpB,MAAA,CAAO,MAAA,EAAQ,cAAA,GAAiB,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,YAAA;EA4CvD,IAAA,CACL,EAAA,UACA,KAAA,EAAO,eAAA,GACL,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;EAgBpB,MAAA,CAAO,GAAA,UAAa,KAAA,EAAO,eAAA,GAAkB,OAAA;EAc7C,IAAA,CACL,GAAA,UACA,IAAA,EAAM,eAAA,EACN,IAAA,EAAM,cAAA,GACJ,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;AAAA;;KAsDtB,eAAA,GAAkB,IAAA,CAAK,MAAA,CAAO,wBAAA;EAzIR,mCA2I1B,QAAA,EAAU,YAAA,EAzIW;EA4IrB,OAAA,EAAS,WAAA,EA5I6B;EA+ItC,MAAA,EAAQ,UAAA;AAAA;;UAIQ,YAAA;EAtGf;EAwGD,IAAA,EAAM,MAAA,CAAO,KAAA;EAvGZ;;;;;;EA+GD,aAAA,GAAgB,MAAA,CAAO,KAAK;AAAA;;;;;;;;;;;;cAchB,QAAA,SAAiB,MAAA,CAAO,iBAAA;EA1FA;EAAA,SA4FpB,QAAA,EAAU,MAAA,CAAO,MAAA;cAErB,IAAA,UAAc,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,eAAA;AAAA"}
@@ -16,17 +16,31 @@ async function revealPassword(client, projectId, branchId, name) {
16
16
  return (await client.get(`/projects/${projectId}/branches/${branchId}/roles/${name}/reveal_password`)).password;
17
17
  }
18
18
  /**
19
+ * Resets an existing role's password to a fresh value and returns it.
20
+ * Used to isolate an adopted (copy-on-write) role from the parent branch's credential.
21
+ */
22
+ async function resetRolePassword(client, projectId, branchId, name) {
23
+ const result = await client.post(`/projects/${projectId}/branches/${branchId}/roles/${name}/reset_password`, {});
24
+ const password = result.role?.password ?? result.password;
25
+ if (!password) throw new Error(`Neon reset_password returned no password for role "${name}"`);
26
+ return password;
27
+ }
28
+ /**
19
29
  * Dynamic provider implementing CRUD for Neon database roles.
20
30
  *
21
31
  * Uses adopt-or-create on `create()`: finds an existing role by name
22
32
  * before creating a new one.
33
+ *
34
+ * @internal Exported only for unit testing; not part of the public API surface.
23
35
  */
24
36
  var NeonRoleResourceProvider = class {
25
37
  async create(inputs) {
26
38
  const client = new NeonClient(inputs.apiKey);
27
- if (!await roleExists(client, inputs.projectId, inputs.branchId, inputs.name)) await client.post(`/projects/${inputs.projectId}/branches/${inputs.branchId}/roles`, { role: { name: inputs.name } });
39
+ const exists = await roleExists(client, inputs.projectId, inputs.branchId, inputs.name);
40
+ if (!exists) await client.post(`/projects/${inputs.projectId}/branches/${inputs.branchId}/roles`, { role: { name: inputs.name } });
41
+ else if (inputs.resetPassword) pulumi.log.info(`Resetting password for adopted Neon role "${inputs.name}" to isolate it from the parent branch`);
28
42
  else pulumi.log.info(`Adopting existing Neon role "${inputs.name}"`);
29
- const password = await revealPassword(client, inputs.projectId, inputs.branchId, inputs.name);
43
+ const password = exists && inputs.resetPassword ? await resetRolePassword(client, inputs.projectId, inputs.branchId, inputs.name) : await revealPassword(client, inputs.projectId, inputs.branchId, inputs.name);
30
44
  return {
31
45
  id: `${inputs.branchId}/${inputs.name}`,
32
46
  outs: {
@@ -70,8 +84,11 @@ var NeonRoleResource = class extends pulumi.dynamic.Resource {
70
84
  constructor(name, args, opts) {
71
85
  super(new NeonRoleResourceProvider(), name, {
72
86
  ...args,
73
- password: pulumi.secret(void 0)
74
- }, opts);
87
+ password: void 0
88
+ }, {
89
+ ...opts,
90
+ additionalSecretOutputs: ["password"]
91
+ });
75
92
  }
76
93
  };
77
94
  /**
@@ -93,7 +110,8 @@ var NeonRole = class extends pulumi.ComponentResource {
93
110
  apiKey: provider.apiKey,
94
111
  projectId: project.id,
95
112
  branchId: branch.id,
96
- name: args.name
113
+ name: args.name,
114
+ resetPassword: args.resetPassword ?? false
97
115
  }, { parent: this });
98
116
  this.password = resource.password;
99
117
  this.registerOutputs({ password: this.password });
@@ -101,5 +119,5 @@ var NeonRole = class extends pulumi.ComponentResource {
101
119
  };
102
120
 
103
121
  //#endregion
104
- export { NeonRole };
122
+ export { NeonRole, NeonRoleResourceProvider };
105
123
  //# sourceMappingURL=role.mjs.map
@@ -1 +1 @@
1
- {"version":3,"file":"role.mjs","names":[],"sources":["../../src/neon/role.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport type { NeonBranch } from \"./branch\";\nimport { NeonClient } from \"./client\";\nimport type { NeonProject } from \"./project\";\nimport type { NeonProvider } from \"./provider\";\n\n/** Resolved inputs for the Neon role dynamic provider. */\nexport interface NeonRoleInputs {\n\t/** Neon API key. */\n\tapiKey: string;\n\n\t/** Neon project ID. */\n\tprojectId: string;\n\n\t/** Branch ID the role belongs to. */\n\tbranchId: string;\n\n\t/** Role name (e.g. `\"neondb_owner\"`). */\n\tname: string;\n}\n\n/** Persisted state for the Neon role. */\ninterface NeonRoleOutputs extends NeonRoleInputs {\n\t/** Role password (auto-generated by Neon). */\n\tpassword: string;\n}\n\n/** Neon API response for the reveal_password endpoint. */\ninterface PasswordResponse {\n\tpassword: string;\n}\n\n/** Neon API response for listing roles. */\ninterface RoleListResponse {\n\troles: Array<{\n\t\tname: string;\n\t}>;\n}\n\n/**\n * Checks if a role exists by name on a branch.\n */\nasync function roleExists(\n\tclient: NeonClient,\n\tprojectId: string,\n\tbranchId: string,\n\tname: string,\n): Promise<boolean> {\n\tconst result = await client.get<RoleListResponse>(\n\t\t`/projects/${projectId}/branches/${branchId}/roles`,\n\t);\n\n\treturn result.roles.some((r) => r.name === name);\n}\n\n/**\n * Reveals the password for an existing role via the dedicated API endpoint.\n */\nasync function revealPassword(\n\tclient: NeonClient,\n\tprojectId: string,\n\tbranchId: string,\n\tname: string,\n): Promise<string> {\n\tconst result = await client.get<PasswordResponse>(\n\t\t`/projects/${projectId}/branches/${branchId}/roles/${name}/reveal_password`,\n\t);\n\n\treturn result.password;\n}\n\n/**\n * Dynamic provider implementing CRUD for Neon database roles.\n *\n * Uses adopt-or-create on `create()`: finds an existing role by name\n * before creating a new one.\n */\nclass NeonRoleResourceProvider implements pulumi.dynamic.ResourceProvider {\n\tasync create(inputs: NeonRoleInputs): Promise<pulumi.dynamic.CreateResult> {\n\t\tconst client = new NeonClient(inputs.apiKey);\n\n\t\tconst exists = await roleExists(\n\t\t\tclient,\n\t\t\tinputs.projectId,\n\t\t\tinputs.branchId,\n\t\t\tinputs.name,\n\t\t);\n\n\t\tif (!exists) {\n\t\t\tawait client.post(\n\t\t\t\t`/projects/${inputs.projectId}/branches/${inputs.branchId}/roles`,\n\t\t\t\t{ role: { name: inputs.name } },\n\t\t\t);\n\t\t} else {\n\t\t\tpulumi.log.info(`Adopting existing Neon role \"${inputs.name}\"`);\n\t\t}\n\n\t\tconst password = await revealPassword(\n\t\t\tclient,\n\t\t\tinputs.projectId,\n\t\t\tinputs.branchId,\n\t\t\tinputs.name,\n\t\t);\n\n\t\treturn {\n\t\t\tid: `${inputs.branchId}/${inputs.name}`,\n\t\t\touts: { ...inputs, password },\n\t\t};\n\t}\n\n\tasync read(\n\t\tid: string,\n\t\tprops: NeonRoleOutputs,\n\t): Promise<pulumi.dynamic.ReadResult> {\n\t\tconst client = new NeonClient(props.apiKey);\n\n\t\tconst password = await revealPassword(\n\t\t\tclient,\n\t\t\tprops.projectId,\n\t\t\tprops.branchId,\n\t\t\tprops.name,\n\t\t);\n\n\t\treturn {\n\t\t\tid,\n\t\t\tprops: { ...props, password },\n\t\t};\n\t}\n\n\tasync delete(_id: string, props: NeonRoleOutputs): Promise<void> {\n\t\tconst client = new NeonClient(props.apiKey);\n\n\t\ttry {\n\t\t\tawait client.delete(\n\t\t\t\t`/projects/${props.projectId}/branches/${props.branchId}/roles/${props.name}`,\n\t\t\t);\n\t\t} catch {\n\t\t\tpulumi.log.warn(\n\t\t\t\t`Failed to delete Neon role \"${props.name}\" (may already be deleted)`,\n\t\t\t);\n\t\t}\n\t}\n\n\tasync diff(\n\t\t_id: string,\n\t\tolds: NeonRoleOutputs,\n\t\tnews: NeonRoleInputs,\n\t): Promise<pulumi.dynamic.DiffResult> {\n\t\tconst replaces: string[] = [];\n\n\t\tif (olds.projectId !== news.projectId) {\n\t\t\treplaces.push(\"projectId\");\n\t\t}\n\n\t\tif (olds.branchId !== news.branchId) {\n\t\t\treplaces.push(\"branchId\");\n\t\t}\n\n\t\tif (olds.name !== news.name) {\n\t\t\treplaces.push(\"name\");\n\t\t}\n\n\t\treturn {\n\t\t\tchanges: replaces.length > 0,\n\t\t\treplaces,\n\t\t\tdeleteBeforeReplace: true,\n\t\t};\n\t}\n}\n\n/** Internal dynamic resource — not part of the public API. */\nclass NeonRoleResource extends pulumi.dynamic.Resource {\n\tpublic declare readonly password: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: {\n\t\t\tapiKey: pulumi.Input<string>;\n\t\t\tprojectId: pulumi.Input<string>;\n\t\t\tbranchId: pulumi.Input<string>;\n\t\t\tname: pulumi.Input<string>;\n\t\t},\n\t\topts?: pulumi.CustomResourceOptions,\n\t) {\n\t\tsuper(\n\t\t\tnew NeonRoleResourceProvider(),\n\t\t\tname,\n\t\t\t{ ...args, password: pulumi.secret(undefined as unknown as string) },\n\t\t\topts,\n\t\t);\n\t}\n}\n\n/** Options type for NeonRole — replaces Pulumi's native `provider` field. */\ntype NeonRoleOptions = Omit<pulumi.ComponentResourceOptions, \"provider\"> & {\n\t/** Neon authentication context. */\n\tprovider: NeonProvider;\n\n\t/** Neon project context. */\n\tproject: NeonProject;\n\n\t/** Neon branch context. */\n\tbranch: NeonBranch;\n};\n\n/** Args for NeonRole. */\nexport interface NeonRoleArgs {\n\t/** Role name (e.g. `\"neondb_owner\"`). */\n\tname: pulumi.Input<string>;\n}\n\n/**\n * Manages a Neon database role with adopt-or-create semantics.\n * Exposes `password` as a secret output for connection string composition.\n *\n * @example\n * ```typescript\n * const role = new NeonRole(\"owner\", {\n * name: \"neondb_owner\",\n * }, { provider, project, branch });\n * ```\n */\nexport class NeonRole extends pulumi.ComponentResource {\n\t/** Role password (secret). */\n\tpublic readonly password: pulumi.Output<string>;\n\n\tconstructor(name: string, args: NeonRoleArgs, opts: NeonRoleOptions) {\n\t\tconst { provider, project, branch, ...pulumiOpts } = opts;\n\n\t\tsuper(\"infracraft:neon:Role\", name, {}, pulumiOpts);\n\n\t\tconst resource = new NeonRoleResource(\n\t\t\t`${name}-resource`,\n\t\t\t{\n\t\t\t\tapiKey: provider.apiKey,\n\t\t\t\tprojectId: project.id,\n\t\t\t\tbranchId: branch.id,\n\t\t\t\tname: args.name,\n\t\t\t},\n\t\t\t{ parent: this },\n\t\t);\n\n\t\tthis.password = resource.password;\n\n\t\tthis.registerOutputs({ password: this.password });\n\t}\n}\n"],"mappings":";;;;;;;;AA0CA,eAAe,WACd,QACA,WACA,UACA,MACmB;CAKnB,QAAO,MAJc,OAAO,IAC3B,aAAa,UAAU,YAAY,SAAS,OAC7C,GAEc,MAAM,MAAM,MAAM,EAAE,SAAS,IAAI;AAChD;;;;AAKA,eAAe,eACd,QACA,WACA,UACA,MACkB;CAKlB,QAAO,MAJc,OAAO,IAC3B,aAAa,UAAU,YAAY,SAAS,SAAS,KAAK,iBAC3D,GAEc;AACf;;;;;;;AAQA,IAAM,2BAAN,MAA0E;CACzE,MAAM,OAAO,QAA8D;EAC1E,MAAM,SAAS,IAAI,WAAW,OAAO,MAAM;EAS3C,IAAI,CAAC,MAPgB,WACpB,QACA,OAAO,WACP,OAAO,UACP,OAAO,IACR,GAGC,MAAM,OAAO,KACZ,aAAa,OAAO,UAAU,YAAY,OAAO,SAAS,SAC1D,EAAE,MAAM,EAAE,MAAM,OAAO,KAAK,EAAE,CAC/B;OAEA,OAAO,IAAI,KAAK,gCAAgC,OAAO,KAAK,EAAE;EAG/D,MAAM,WAAW,MAAM,eACtB,QACA,OAAO,WACP,OAAO,UACP,OAAO,IACR;EAEA,OAAO;GACN,IAAI,GAAG,OAAO,SAAS,GAAG,OAAO;GACjC,MAAM;IAAE,GAAG;IAAQ;GAAS;EAC7B;CACD;CAEA,MAAM,KACL,IACA,OACqC;EAGrC,MAAM,WAAW,MAAM,eACtB,IAHkB,WAAW,MAAM,MAG9B,GACL,MAAM,WACN,MAAM,UACN,MAAM,IACP;EAEA,OAAO;GACN;GACA,OAAO;IAAE,GAAG;IAAO;GAAS;EAC7B;CACD;CAEA,MAAM,OAAO,KAAa,OAAuC;EAChE,MAAM,SAAS,IAAI,WAAW,MAAM,MAAM;EAE1C,IAAI;GACH,MAAM,OAAO,OACZ,aAAa,MAAM,UAAU,YAAY,MAAM,SAAS,SAAS,MAAM,MACxE;EACD,QAAQ;GACP,OAAO,IAAI,KACV,+BAA+B,MAAM,KAAK,2BAC3C;EACD;CACD;CAEA,MAAM,KACL,KACA,MACA,MACqC;EACrC,MAAM,WAAqB,CAAC;EAE5B,IAAI,KAAK,cAAc,KAAK,WAC3B,SAAS,KAAK,WAAW;EAG1B,IAAI,KAAK,aAAa,KAAK,UAC1B,SAAS,KAAK,UAAU;EAGzB,IAAI,KAAK,SAAS,KAAK,MACtB,SAAS,KAAK,MAAM;EAGrB,OAAO;GACN,SAAS,SAAS,SAAS;GAC3B;GACA,qBAAqB;EACtB;CACD;AACD;;AAGA,IAAM,mBAAN,cAA+B,OAAO,QAAQ,SAAS;CAGtD,YACC,MACA,MAMA,MACC;EACD,MACC,IAAI,yBAAyB,GAC7B,MACA;GAAE,GAAG;GAAM,UAAU,OAAO,OAAO,MAA8B;EAAE,GACnE,IACD;CACD;AACD;;;;;;;;;;;;AA+BA,IAAa,WAAb,cAA8B,OAAO,kBAAkB;CAItD,YAAY,MAAc,MAAoB,MAAuB;EACpE,MAAM,EAAE,UAAU,SAAS,QAAQ,GAAG,eAAe;EAErD,MAAM,wBAAwB,MAAM,CAAC,GAAG,UAAU;EAElD,MAAM,WAAW,IAAI,iBACpB,GAAG,KAAK,YACR;GACC,QAAQ,SAAS;GACjB,WAAW,QAAQ;GACnB,UAAU,OAAO;GACjB,MAAM,KAAK;EACZ,GACA,EAAE,QAAQ,KAAK,CAChB;EAEA,KAAK,WAAW,SAAS;EAEzB,KAAK,gBAAgB,EAAE,UAAU,KAAK,SAAS,CAAC;CACjD;AACD"}
1
+ {"version":3,"file":"role.mjs","names":[],"sources":["../../src/neon/role.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport type { NeonBranch } from \"./branch\";\nimport { NeonClient } from \"./client\";\nimport type { NeonProject } from \"./project\";\nimport type { NeonProvider } from \"./provider\";\n\n/** Resolved inputs for the Neon role dynamic provider. */\nexport interface NeonRoleInputs {\n\t/** Neon API key. */\n\tapiKey: string;\n\n\t/** Neon project ID. */\n\tprojectId: string;\n\n\t/** Branch ID the role belongs to. */\n\tbranchId: string;\n\n\t/** Role name (e.g. `\"neondb_owner\"`). */\n\tname: string;\n\n\t/**\n\t * When the role already exists (adopted), reset its password to a fresh value\n\t * instead of revealing the inherited one. Use on copy-on-write branches to\n\t * isolate the credential from the parent branch. Ignored when the role is\n\t * freshly created (a new role already gets its own password).\n\t */\n\tresetPassword: boolean;\n}\n\n/** Persisted state for the Neon role. */\ninterface NeonRoleOutputs extends NeonRoleInputs {\n\t/** Role password (auto-generated by Neon). */\n\tpassword: string;\n}\n\n/** Neon API response for the reveal_password endpoint. */\ninterface PasswordResponse {\n\tpassword: string;\n}\n\n/** Neon API response for the reset_password endpoint (nested under `role`). */\ninterface ResetPasswordResponse {\n\trole?: { password?: string };\n\tpassword?: string;\n}\n\n/** Neon API response for listing roles. */\ninterface RoleListResponse {\n\troles: Array<{\n\t\tname: string;\n\t}>;\n}\n\n/**\n * Checks if a role exists by name on a branch.\n */\nasync function roleExists(\n\tclient: NeonClient,\n\tprojectId: string,\n\tbranchId: string,\n\tname: string,\n): Promise<boolean> {\n\tconst result = await client.get<RoleListResponse>(\n\t\t`/projects/${projectId}/branches/${branchId}/roles`,\n\t);\n\n\treturn result.roles.some((r) => r.name === name);\n}\n\n/**\n * Reveals the password for an existing role via the dedicated API endpoint.\n */\nasync function revealPassword(\n\tclient: NeonClient,\n\tprojectId: string,\n\tbranchId: string,\n\tname: string,\n): Promise<string> {\n\tconst result = await client.get<PasswordResponse>(\n\t\t`/projects/${projectId}/branches/${branchId}/roles/${name}/reveal_password`,\n\t);\n\n\treturn result.password;\n}\n\n/**\n * Resets an existing role's password to a fresh value and returns it.\n * Used to isolate an adopted (copy-on-write) role from the parent branch's credential.\n */\nasync function resetRolePassword(\n\tclient: NeonClient,\n\tprojectId: string,\n\tbranchId: string,\n\tname: string,\n): Promise<string> {\n\tconst result = await client.post<ResetPasswordResponse>(\n\t\t`/projects/${projectId}/branches/${branchId}/roles/${name}/reset_password`,\n\t\t{},\n\t);\n\n\tconst password = result.role?.password ?? result.password;\n\n\tif (!password) {\n\t\tthrow new Error(\n\t\t\t`Neon reset_password returned no password for role \"${name}\"`,\n\t\t);\n\t}\n\n\treturn password;\n}\n\n/**\n * Dynamic provider implementing CRUD for Neon database roles.\n *\n * Uses adopt-or-create on `create()`: finds an existing role by name\n * before creating a new one.\n *\n * @internal Exported only for unit testing; not part of the public API surface.\n */\nexport class NeonRoleResourceProvider\n\timplements pulumi.dynamic.ResourceProvider\n{\n\tasync create(inputs: NeonRoleInputs): Promise<pulumi.dynamic.CreateResult> {\n\t\tconst client = new NeonClient(inputs.apiKey);\n\n\t\tconst exists = await roleExists(\n\t\t\tclient,\n\t\t\tinputs.projectId,\n\t\t\tinputs.branchId,\n\t\t\tinputs.name,\n\t\t);\n\n\t\tif (!exists) {\n\t\t\tawait client.post(\n\t\t\t\t`/projects/${inputs.projectId}/branches/${inputs.branchId}/roles`,\n\t\t\t\t{ role: { name: inputs.name } },\n\t\t\t);\n\t\t} else if (inputs.resetPassword) {\n\t\t\tpulumi.log.info(\n\t\t\t\t`Resetting password for adopted Neon role \"${inputs.name}\" to isolate it from the parent branch`,\n\t\t\t);\n\t\t} else {\n\t\t\tpulumi.log.info(`Adopting existing Neon role \"${inputs.name}\"`);\n\t\t}\n\n\t\tconst password =\n\t\t\texists && inputs.resetPassword\n\t\t\t\t? await resetRolePassword(\n\t\t\t\t\t\tclient,\n\t\t\t\t\t\tinputs.projectId,\n\t\t\t\t\t\tinputs.branchId,\n\t\t\t\t\t\tinputs.name,\n\t\t\t\t\t)\n\t\t\t\t: await revealPassword(\n\t\t\t\t\t\tclient,\n\t\t\t\t\t\tinputs.projectId,\n\t\t\t\t\t\tinputs.branchId,\n\t\t\t\t\t\tinputs.name,\n\t\t\t\t\t);\n\n\t\treturn {\n\t\t\tid: `${inputs.branchId}/${inputs.name}`,\n\t\t\touts: { ...inputs, password },\n\t\t};\n\t}\n\n\tasync read(\n\t\tid: string,\n\t\tprops: NeonRoleOutputs,\n\t): Promise<pulumi.dynamic.ReadResult> {\n\t\tconst client = new NeonClient(props.apiKey);\n\n\t\tconst password = await revealPassword(\n\t\t\tclient,\n\t\t\tprops.projectId,\n\t\t\tprops.branchId,\n\t\t\tprops.name,\n\t\t);\n\n\t\treturn {\n\t\t\tid,\n\t\t\tprops: { ...props, password },\n\t\t};\n\t}\n\n\tasync delete(_id: string, props: NeonRoleOutputs): Promise<void> {\n\t\tconst client = new NeonClient(props.apiKey);\n\n\t\ttry {\n\t\t\tawait client.delete(\n\t\t\t\t`/projects/${props.projectId}/branches/${props.branchId}/roles/${props.name}`,\n\t\t\t);\n\t\t} catch {\n\t\t\tpulumi.log.warn(\n\t\t\t\t`Failed to delete Neon role \"${props.name}\" (may already be deleted)`,\n\t\t\t);\n\t\t}\n\t}\n\n\tasync diff(\n\t\t_id: string,\n\t\tolds: NeonRoleOutputs,\n\t\tnews: NeonRoleInputs,\n\t): Promise<pulumi.dynamic.DiffResult> {\n\t\tconst replaces: string[] = [];\n\n\t\tif (olds.projectId !== news.projectId) {\n\t\t\treplaces.push(\"projectId\");\n\t\t}\n\n\t\tif (olds.branchId !== news.branchId) {\n\t\t\treplaces.push(\"branchId\");\n\t\t}\n\n\t\tif (olds.name !== news.name) {\n\t\t\treplaces.push(\"name\");\n\t\t}\n\n\t\treturn {\n\t\t\tchanges: replaces.length > 0,\n\t\t\treplaces,\n\t\t\tdeleteBeforeReplace: true,\n\t\t};\n\t}\n}\n\n/** Internal dynamic resource — not part of the public API. */\nclass NeonRoleResource extends pulumi.dynamic.Resource {\n\tpublic declare readonly password: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: {\n\t\t\tapiKey: pulumi.Input<string>;\n\t\t\tprojectId: pulumi.Input<string>;\n\t\t\tbranchId: pulumi.Input<string>;\n\t\t\tname: pulumi.Input<string>;\n\t\t\tresetPassword: pulumi.Input<boolean>;\n\t\t},\n\t\topts?: pulumi.CustomResourceOptions,\n\t) {\n\t\t// `password` is an output-only secret. Declaring it via additionalSecretOutputs\n\t\t// (rather than a pulumi.secret(undefined) input placeholder) is the only reliable\n\t\t// way to mark a dynamic-provider output secret: the placeholder gives the property\n\t\t// both a secret-undefined input and a real output, and a downstream dynamic resource\n\t\t// consuming it can race onto the undefined, producing \"Unexpected struct type\"\n\t\t// during protobuf serialization (Pulumi #16041, #3012).\n\t\tsuper(\n\t\t\tnew NeonRoleResourceProvider(),\n\t\t\tname,\n\t\t\t{ ...args, password: undefined },\n\t\t\t{ ...opts, additionalSecretOutputs: [\"password\"] },\n\t\t);\n\t}\n}\n\n/** Options type for NeonRole — replaces Pulumi's native `provider` field. */\ntype NeonRoleOptions = Omit<pulumi.ComponentResourceOptions, \"provider\"> & {\n\t/** Neon authentication context. */\n\tprovider: NeonProvider;\n\n\t/** Neon project context. */\n\tproject: NeonProject;\n\n\t/** Neon branch context. */\n\tbranch: NeonBranch;\n};\n\n/** Args for NeonRole. */\nexport interface NeonRoleArgs {\n\t/** Role name (e.g. `\"neondb_owner\"`). */\n\tname: pulumi.Input<string>;\n\n\t/**\n\t * When the role is adopted (already exists on the branch), reset its password to a\n\t * fresh value instead of inheriting the parent's. Set this on copy-on-write\n\t * (non-production) branches to isolate the credential from production. Defaults to\n\t * `false` (adopt and reveal the existing password). The reset runs once, at creation.\n\t */\n\tresetPassword?: pulumi.Input<boolean>;\n}\n\n/**\n * Manages a Neon database role with adopt-or-create semantics.\n * Exposes `password` as a secret output for connection string composition.\n *\n * @example\n * ```typescript\n * const role = new NeonRole(\"owner\", {\n * name: \"neondb_owner\",\n * }, { provider, project, branch });\n * ```\n */\nexport class NeonRole extends pulumi.ComponentResource {\n\t/** Role password (secret). */\n\tpublic readonly password: pulumi.Output<string>;\n\n\tconstructor(name: string, args: NeonRoleArgs, opts: NeonRoleOptions) {\n\t\tconst { provider, project, branch, ...pulumiOpts } = opts;\n\n\t\tsuper(\"infracraft:neon:Role\", name, {}, pulumiOpts);\n\n\t\tconst resource = new NeonRoleResource(\n\t\t\t`${name}-resource`,\n\t\t\t{\n\t\t\t\tapiKey: provider.apiKey,\n\t\t\t\tprojectId: project.id,\n\t\t\t\tbranchId: branch.id,\n\t\t\t\tname: args.name,\n\t\t\t\tresetPassword: args.resetPassword ?? false,\n\t\t\t},\n\t\t\t{ parent: this },\n\t\t);\n\n\t\tthis.password = resource.password;\n\n\t\tthis.registerOutputs({ password: this.password });\n\t}\n}\n"],"mappings":";;;;;;;;AAwDA,eAAe,WACd,QACA,WACA,UACA,MACmB;CAKnB,QAAO,MAJc,OAAO,IAC3B,aAAa,UAAU,YAAY,SAAS,OAC7C,GAEc,MAAM,MAAM,MAAM,EAAE,SAAS,IAAI;AAChD;;;;AAKA,eAAe,eACd,QACA,WACA,UACA,MACkB;CAKlB,QAAO,MAJc,OAAO,IAC3B,aAAa,UAAU,YAAY,SAAS,SAAS,KAAK,iBAC3D,GAEc;AACf;;;;;AAMA,eAAe,kBACd,QACA,WACA,UACA,MACkB;CAClB,MAAM,SAAS,MAAM,OAAO,KAC3B,aAAa,UAAU,YAAY,SAAS,SAAS,KAAK,kBAC1D,CAAC,CACF;CAEA,MAAM,WAAW,OAAO,MAAM,YAAY,OAAO;CAEjD,IAAI,CAAC,UACJ,MAAM,IAAI,MACT,sDAAsD,KAAK,EAC5D;CAGD,OAAO;AACR;;;;;;;;;AAUA,IAAa,2BAAb,MAEA;CACC,MAAM,OAAO,QAA8D;EAC1E,MAAM,SAAS,IAAI,WAAW,OAAO,MAAM;EAE3C,MAAM,SAAS,MAAM,WACpB,QACA,OAAO,WACP,OAAO,UACP,OAAO,IACR;EAEA,IAAI,CAAC,QACJ,MAAM,OAAO,KACZ,aAAa,OAAO,UAAU,YAAY,OAAO,SAAS,SAC1D,EAAE,MAAM,EAAE,MAAM,OAAO,KAAK,EAAE,CAC/B;OACM,IAAI,OAAO,eACjB,OAAO,IAAI,KACV,6CAA6C,OAAO,KAAK,uCAC1D;OAEA,OAAO,IAAI,KAAK,gCAAgC,OAAO,KAAK,EAAE;EAG/D,MAAM,WACL,UAAU,OAAO,gBACd,MAAM,kBACN,QACA,OAAO,WACP,OAAO,UACP,OAAO,IACR,IACC,MAAM,eACN,QACA,OAAO,WACP,OAAO,UACP,OAAO,IACR;EAEH,OAAO;GACN,IAAI,GAAG,OAAO,SAAS,GAAG,OAAO;GACjC,MAAM;IAAE,GAAG;IAAQ;GAAS;EAC7B;CACD;CAEA,MAAM,KACL,IACA,OACqC;EAGrC,MAAM,WAAW,MAAM,eACtB,IAHkB,WAAW,MAAM,MAG9B,GACL,MAAM,WACN,MAAM,UACN,MAAM,IACP;EAEA,OAAO;GACN;GACA,OAAO;IAAE,GAAG;IAAO;GAAS;EAC7B;CACD;CAEA,MAAM,OAAO,KAAa,OAAuC;EAChE,MAAM,SAAS,IAAI,WAAW,MAAM,MAAM;EAE1C,IAAI;GACH,MAAM,OAAO,OACZ,aAAa,MAAM,UAAU,YAAY,MAAM,SAAS,SAAS,MAAM,MACxE;EACD,QAAQ;GACP,OAAO,IAAI,KACV,+BAA+B,MAAM,KAAK,2BAC3C;EACD;CACD;CAEA,MAAM,KACL,KACA,MACA,MACqC;EACrC,MAAM,WAAqB,CAAC;EAE5B,IAAI,KAAK,cAAc,KAAK,WAC3B,SAAS,KAAK,WAAW;EAG1B,IAAI,KAAK,aAAa,KAAK,UAC1B,SAAS,KAAK,UAAU;EAGzB,IAAI,KAAK,SAAS,KAAK,MACtB,SAAS,KAAK,MAAM;EAGrB,OAAO;GACN,SAAS,SAAS,SAAS;GAC3B;GACA,qBAAqB;EACtB;CACD;AACD;;AAGA,IAAM,mBAAN,cAA+B,OAAO,QAAQ,SAAS;CAGtD,YACC,MACA,MAOA,MACC;EAOD,MACC,IAAI,yBAAyB,GAC7B,MACA;GAAE,GAAG;GAAM,UAAU;EAAU,GAC/B;GAAE,GAAG;GAAM,yBAAyB,CAAC,UAAU;EAAE,CAClD;CACD;AACD;;;;;;;;;;;;AAuCA,IAAa,WAAb,cAA8B,OAAO,kBAAkB;CAItD,YAAY,MAAc,MAAoB,MAAuB;EACpE,MAAM,EAAE,UAAU,SAAS,QAAQ,GAAG,eAAe;EAErD,MAAM,wBAAwB,MAAM,CAAC,GAAG,UAAU;EAElD,MAAM,WAAW,IAAI,iBACpB,GAAG,KAAK,YACR;GACC,QAAQ,SAAS;GACjB,WAAW,QAAQ;GACnB,UAAU,OAAO;GACjB,MAAM,KAAK;GACX,eAAe,KAAK,iBAAiB;EACtC,GACA,EAAE,QAAQ,KAAK,CAChB;EAEA,KAAK,WAAW,SAAS;EAEzB,KAAK,gBAAgB,EAAE,UAAU,KAAK,SAAS,CAAC;CACjD;AACD"}
@@ -105,9 +105,12 @@ var RailwayProjectTokenResource = class extends _pulumi_pulumi.dynamic.Resource
105
105
  constructor(name, args, opts) {
106
106
  super(new RailwayProjectTokenResourceProvider(), name, {
107
107
  ...args,
108
- value: _pulumi_pulumi.secret(void 0),
108
+ value: void 0,
109
109
  tokenId: void 0
110
- }, opts);
110
+ }, {
111
+ ...opts,
112
+ additionalSecretOutputs: ["value"]
113
+ });
111
114
  }
112
115
  };
113
116
  /**
@@ -1 +1 @@
1
- {"version":3,"file":"project-token.cjs","names":["RailwayClient","pulumi"],"sources":["../../src/railway/project-token.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport { RailwayClient } from \"./client\";\nimport type { RailwayEnvironment } from \"./environment\";\nimport type { RailwayProject } from \"./project\";\nimport type { RailwayProvider } from \"./provider\";\n\n/** Resolved inputs for the Railway project token dynamic provider. */\ninterface RailwayProjectTokenInputs {\n\t/** Railway API bearer token (account-scoped, used for API calls). */\n\ttoken: string;\n\n\t/** Railway project UUID. */\n\tprojectId: string;\n\n\t/** Railway environment UUID this deploy token is scoped to. */\n\tenvironmentId: string;\n\n\t/** Distinct token name, e.g. `\"pulumi-staging\"`. Must be unique per environment. */\n\tname: string;\n}\n\n/** Persisted state for the Railway project token. */\ninterface RailwayProjectTokenOutputs extends RailwayProjectTokenInputs {\n\t/** Minted deploy token secret value. */\n\tvalue: string;\n\n\t/** Railway-assigned token UUID (used for clean teardown on delete). */\n\ttokenId: string;\n}\n\nconst PROJECT_TOKENS_QUERY = `\n query($projectId: String!) {\n projectTokens(projectId: $projectId) {\n edges { node { id name } }\n }\n }\n`;\n\nconst PROJECT_TOKEN_CREATE = `\n mutation($input: ProjectTokenCreateInput!) {\n projectTokenCreate(input: $input)\n }\n`;\n\nconst PROJECT_TOKEN_DELETE = `\n mutation($id: String!) { projectTokenDelete(id: $id) }\n`;\n\n/**\n * Dynamic provider that mints a Railway environment-scoped deploy token.\n *\n * On create, it deletes any existing tokens with the same name (stale tokens\n * from previous runs), mints a fresh one scoped to the target environment, then\n * re-lists tokens to capture the Railway-assigned ID for later teardown.\n *\n * @internal Exported only for unit testing; not part of the public API surface.\n */\nexport class RailwayProjectTokenResourceProvider\n\timplements pulumi.dynamic.ResourceProvider\n{\n\t/**\n\t * Deletes stale same-named tokens, mints a new environment-scoped token,\n\t * and captures its ID via a follow-up list query.\n\t *\n\t * @param inputs Resolved provider inputs.\n\t * @returns Pulumi dynamic create result with `value` (secret) and `tokenId`.\n\t */\n\tasync create(\n\t\tinputs: RailwayProjectTokenInputs,\n\t): Promise<pulumi.dynamic.CreateResult> {\n\t\tconst client = new RailwayClient(inputs.token);\n\n\t\tconst tokensResult = await client.query<{\n\t\t\tprojectTokens: {\n\t\t\t\tedges: Array<{ node: { id: string; name: string } }>;\n\t\t\t};\n\t\t}>(PROJECT_TOKENS_QUERY, { projectId: inputs.projectId });\n\n\t\tconst stale = tokensResult.projectTokens.edges.filter(\n\t\t\t(edge) => edge.node.name === inputs.name,\n\t\t);\n\n\t\tfor (const entry of stale) {\n\t\t\tawait client.query(PROJECT_TOKEN_DELETE, { id: entry.node.id });\n\t\t}\n\n\t\tconst createResult = await client.query<{ projectTokenCreate: string }>(\n\t\t\tPROJECT_TOKEN_CREATE,\n\t\t\t{\n\t\t\t\tinput: {\n\t\t\t\t\tprojectId: inputs.projectId,\n\t\t\t\t\tenvironmentId: inputs.environmentId,\n\t\t\t\t\tname: inputs.name,\n\t\t\t\t},\n\t\t\t},\n\t\t);\n\n\t\tconst value = createResult.projectTokenCreate;\n\n\t\t// Re-list tokens to capture the Railway-assigned ID: the create mutation\n\t\t// returns only the token value, not its UUID.\n\t\tconst refreshResult = await client.query<{\n\t\t\tprojectTokens: {\n\t\t\t\tedges: Array<{ node: { id: string; name: string } }>;\n\t\t\t};\n\t\t}>(PROJECT_TOKENS_QUERY, { projectId: inputs.projectId });\n\n\t\t// After the delete sweep above, exactly one token with this name exists (the one we just\n\t\t// created). Resolve its id from the re-list so delete() can revoke it later.\n\t\tconst found = refreshResult.projectTokens.edges.find(\n\t\t\t(edge) => edge.node.name === inputs.name,\n\t\t);\n\n\t\tif (!found) {\n\t\t\tthrow new Error(\n\t\t\t\t`Could not resolve token id for newly created token \"${inputs.name}\" in project ${inputs.projectId}`,\n\t\t\t);\n\t\t}\n\n\t\tconst tokenId = found.node.id;\n\n\t\tconst outs: RailwayProjectTokenOutputs = {\n\t\t\t...inputs,\n\t\t\tvalue,\n\t\t\ttokenId,\n\t\t};\n\n\t\treturn { id: `${inputs.projectId}:${inputs.name}`, outs };\n\t}\n\n\t/**\n\t * Pass-through read — the token value is a write-once secret that Railway\n\t * never re-exposes via API, so the stored state is the only source of truth.\n\t *\n\t * @param id Resource ID.\n\t * @param props Currently stored outputs.\n\t */\n\tasync read(\n\t\tid: string,\n\t\tprops: RailwayProjectTokenOutputs,\n\t): Promise<pulumi.dynamic.ReadResult> {\n\t\treturn { id, props };\n\t}\n\n\t/**\n\t * Deletes the Railway token by its stored UUID for clean teardown.\n\t *\n\t * @param _id Resource ID (unused).\n\t * @param props Currently stored outputs containing the tokenId.\n\t */\n\tasync delete(_id: string, props: RailwayProjectTokenOutputs): Promise<void> {\n\t\tif (props.tokenId) {\n\t\t\tconst client = new RailwayClient(props.token);\n\n\t\t\tawait client.query(PROJECT_TOKEN_DELETE, { id: props.tokenId });\n\t\t}\n\t}\n\n\t/**\n\t * Triggers replacement when the project, environment, or token name changes.\n\t *\n\t * @param _id Resource ID (unused).\n\t * @param olds Previously stored outputs.\n\t * @param news Newly resolved inputs.\n\t */\n\tasync diff(\n\t\t_id: string,\n\t\tolds: RailwayProjectTokenOutputs,\n\t\tnews: RailwayProjectTokenInputs,\n\t): Promise<pulumi.dynamic.DiffResult> {\n\t\tconst replaces: string[] = [];\n\n\t\tif (olds.projectId !== news.projectId) {\n\t\t\treplaces.push(\"projectId\");\n\t\t}\n\n\t\tif (olds.environmentId !== news.environmentId) {\n\t\t\treplaces.push(\"environmentId\");\n\t\t}\n\n\t\tif (olds.name !== news.name) {\n\t\t\treplaces.push(\"name\");\n\t\t}\n\n\t\treturn {\n\t\t\tchanges: replaces.length > 0,\n\t\t\treplaces,\n\t\t\tdeleteBeforeReplace: true,\n\t\t};\n\t}\n}\n\n/** Internal dynamic resource — not part of the public API. */\nclass RailwayProjectTokenResource extends pulumi.dynamic.Resource {\n\tpublic declare readonly value: pulumi.Output<string>;\n\tpublic declare readonly tokenId: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: {\n\t\t\ttoken: pulumi.Input<string>;\n\t\t\tprojectId: pulumi.Input<string>;\n\t\t\tenvironmentId: pulumi.Input<string>;\n\t\t\tname: pulumi.Input<string>;\n\t\t},\n\t\topts?: pulumi.CustomResourceOptions,\n\t) {\n\t\tsuper(\n\t\t\tnew RailwayProjectTokenResourceProvider(),\n\t\t\tname,\n\t\t\t{\n\t\t\t\t...args,\n\t\t\t\tvalue: pulumi.secret(undefined as unknown as string),\n\t\t\t\ttokenId: undefined,\n\t\t\t},\n\t\t\topts,\n\t\t);\n\t}\n}\n\n/** Options type for RailwayProjectToken — replaces Pulumi's native `provider` field. */\ntype RailwayProjectTokenOptions = Omit<\n\tpulumi.ComponentResourceOptions,\n\t\"provider\"\n> & {\n\t/** Railway authentication context. */\n\tprovider: RailwayProvider;\n\n\t/** Railway project this token belongs to. */\n\tproject: RailwayProject;\n\n\t/** Railway environment this deploy token is scoped to. */\n\tenvironment: RailwayEnvironment;\n};\n\n/** Args for RailwayProjectToken. */\nexport interface RailwayProjectTokenArgs {\n\t/**\n\t * Distinct token name, e.g. `\"pulumi-staging\"`.\n\t * Each environment should use a unique name so multiple stacks sharing\n\t * a project never collide on token ownership.\n\t */\n\tname: pulumi.Input<string>;\n}\n\n/**\n * Provisions an environment-scoped Railway deploy token.\n *\n * Each environment gets its own correctly-scoped token with a distinct name,\n * so multiple stacks sharing the same Railway project never collide.\n * The token value is exposed as a secret output for use in {@link RailwayDeploy}.\n *\n * @example\n * ```typescript\n * const project = new RailwayProject(\"my-project\", { name: \"my-app\" }, { provider });\n * const staging = new RailwayEnvironment(\"staging\", { name: \"staging\" }, { provider, project });\n *\n * const stagingToken = new RailwayProjectToken(\"staging-token\", {\n * name: \"pulumi-staging\",\n * }, { provider, project, environment: staging });\n *\n * new RailwayDeploy(\"api-deploy\", {\n * directory: monorepoRoot,\n * triggers: [sourceHash],\n * }, { provider, project, environment: staging, service, projectToken: stagingToken.token });\n * ```\n */\nexport class RailwayProjectToken extends pulumi.ComponentResource {\n\t/**\n\t * Environment-scoped Railway deploy token value (secret).\n\t * Pass this to `RailwayDeployOptions.projectToken`.\n\t */\n\tpublic readonly token: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: RailwayProjectTokenArgs,\n\t\topts: RailwayProjectTokenOptions,\n\t) {\n\t\tconst { provider, project, environment, ...pulumiOpts } = opts;\n\n\t\tsuper(\"infracraft:railway:ProjectToken\", name, {}, pulumiOpts);\n\n\t\tconst resource = new RailwayProjectTokenResource(\n\t\t\t`${name}-resource`,\n\t\t\t{\n\t\t\t\ttoken: provider.token,\n\t\t\t\tprojectId: project.id,\n\t\t\t\tenvironmentId: environment.id,\n\t\t\t\tname: args.name,\n\t\t\t},\n\t\t\t{ parent: this },\n\t\t);\n\n\t\tthis.token = resource.value;\n\n\t\tthis.registerOutputs({ token: this.token });\n\t}\n}\n"],"mappings":";;;;;;;AA8BA,MAAM,uBAAuB;;;;;;;AAQ7B,MAAM,uBAAuB;;;;;AAM7B,MAAM,uBAAuB;;;;;;;;;;;;AAa7B,IAAa,sCAAb,MAEA;;;;;;;;CAQC,MAAM,OACL,QACuC;EACvC,MAAM,SAAS,IAAIA,qCAAc,OAAO,KAAK;EAQ7C,MAAM,SAAQ,MANa,OAAO,MAI/B,sBAAsB,EAAE,WAAW,OAAO,UAAU,CAAC,GAE7B,cAAc,MAAM,QAC7C,SAAS,KAAK,KAAK,SAAS,OAAO,IACrC;EAEA,KAAK,MAAM,SAAS,OACnB,MAAM,OAAO,MAAM,sBAAsB,EAAE,IAAI,MAAM,KAAK,GAAG,CAAC;EAc/D,MAAM,SAAQ,MAXa,OAAO,MACjC,sBACA,EACC,OAAO;GACN,WAAW,OAAO;GAClB,eAAe,OAAO;GACtB,MAAM,OAAO;EACd,EACD,CACD,GAE2B;EAY3B,MAAM,SAAQ,MARc,OAAO,MAIhC,sBAAsB,EAAE,WAAW,OAAO,UAAU,CAAC,GAI5B,cAAc,MAAM,MAC9C,SAAS,KAAK,KAAK,SAAS,OAAO,IACrC;EAEA,IAAI,CAAC,OACJ,MAAM,IAAI,MACT,uDAAuD,OAAO,KAAK,eAAe,OAAO,WAC1F;EAGD,MAAM,UAAU,MAAM,KAAK;EAE3B,MAAM,OAAmC;GACxC,GAAG;GACH;GACA;EACD;EAEA,OAAO;GAAE,IAAI,GAAG,OAAO,UAAU,GAAG,OAAO;GAAQ;EAAK;CACzD;;;;;;;;CASA,MAAM,KACL,IACA,OACqC;EACrC,OAAO;GAAE;GAAI;EAAM;CACpB;;;;;;;CAQA,MAAM,OAAO,KAAa,OAAkD;EAC3E,IAAI,MAAM,SAGT,MAAM,IAFaA,qCAAc,MAAM,KAE5B,EAAE,MAAM,sBAAsB,EAAE,IAAI,MAAM,QAAQ,CAAC;CAEhE;;;;;;;;CASA,MAAM,KACL,KACA,MACA,MACqC;EACrC,MAAM,WAAqB,CAAC;EAE5B,IAAI,KAAK,cAAc,KAAK,WAC3B,SAAS,KAAK,WAAW;EAG1B,IAAI,KAAK,kBAAkB,KAAK,eAC/B,SAAS,KAAK,eAAe;EAG9B,IAAI,KAAK,SAAS,KAAK,MACtB,SAAS,KAAK,MAAM;EAGrB,OAAO;GACN,SAAS,SAAS,SAAS;GAC3B;GACA,qBAAqB;EACtB;CACD;AACD;;AAGA,IAAM,8BAAN,cAA0CC,eAAO,QAAQ,SAAS;CAIjE,YACC,MACA,MAMA,MACC;EACD,MACC,IAAI,oCAAoC,GACxC,MACA;GACC,GAAG;GACH,OAAOA,eAAO,OAAO,MAA8B;GACnD,SAAS;EACV,GACA,IACD;CACD;AACD;;;;;;;;;;;;;;;;;;;;;;;AAiDA,IAAa,sBAAb,cAAyCA,eAAO,kBAAkB;CAOjE,YACC,MACA,MACA,MACC;EACD,MAAM,EAAE,UAAU,SAAS,aAAa,GAAG,eAAe;EAE1D,MAAM,mCAAmC,MAAM,CAAC,GAAG,UAAU;EAE7D,MAAM,WAAW,IAAI,4BACpB,GAAG,KAAK,YACR;GACC,OAAO,SAAS;GAChB,WAAW,QAAQ;GACnB,eAAe,YAAY;GAC3B,MAAM,KAAK;EACZ,GACA,EAAE,QAAQ,KAAK,CAChB;EAEA,KAAK,QAAQ,SAAS;EAEtB,KAAK,gBAAgB,EAAE,OAAO,KAAK,MAAM,CAAC;CAC3C;AACD"}
1
+ {"version":3,"file":"project-token.cjs","names":["RailwayClient","pulumi"],"sources":["../../src/railway/project-token.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport { RailwayClient } from \"./client\";\nimport type { RailwayEnvironment } from \"./environment\";\nimport type { RailwayProject } from \"./project\";\nimport type { RailwayProvider } from \"./provider\";\n\n/** Resolved inputs for the Railway project token dynamic provider. */\ninterface RailwayProjectTokenInputs {\n\t/** Railway API bearer token (account-scoped, used for API calls). */\n\ttoken: string;\n\n\t/** Railway project UUID. */\n\tprojectId: string;\n\n\t/** Railway environment UUID this deploy token is scoped to. */\n\tenvironmentId: string;\n\n\t/** Distinct token name, e.g. `\"pulumi-staging\"`. Must be unique per environment. */\n\tname: string;\n}\n\n/** Persisted state for the Railway project token. */\ninterface RailwayProjectTokenOutputs extends RailwayProjectTokenInputs {\n\t/** Minted deploy token secret value. */\n\tvalue: string;\n\n\t/** Railway-assigned token UUID (used for clean teardown on delete). */\n\ttokenId: string;\n}\n\nconst PROJECT_TOKENS_QUERY = `\n query($projectId: String!) {\n projectTokens(projectId: $projectId) {\n edges { node { id name } }\n }\n }\n`;\n\nconst PROJECT_TOKEN_CREATE = `\n mutation($input: ProjectTokenCreateInput!) {\n projectTokenCreate(input: $input)\n }\n`;\n\nconst PROJECT_TOKEN_DELETE = `\n mutation($id: String!) { projectTokenDelete(id: $id) }\n`;\n\n/**\n * Dynamic provider that mints a Railway environment-scoped deploy token.\n *\n * On create, it deletes any existing tokens with the same name (stale tokens\n * from previous runs), mints a fresh one scoped to the target environment, then\n * re-lists tokens to capture the Railway-assigned ID for later teardown.\n *\n * @internal Exported only for unit testing; not part of the public API surface.\n */\nexport class RailwayProjectTokenResourceProvider\n\timplements pulumi.dynamic.ResourceProvider\n{\n\t/**\n\t * Deletes stale same-named tokens, mints a new environment-scoped token,\n\t * and captures its ID via a follow-up list query.\n\t *\n\t * @param inputs Resolved provider inputs.\n\t * @returns Pulumi dynamic create result with `value` (secret) and `tokenId`.\n\t */\n\tasync create(\n\t\tinputs: RailwayProjectTokenInputs,\n\t): Promise<pulumi.dynamic.CreateResult> {\n\t\tconst client = new RailwayClient(inputs.token);\n\n\t\tconst tokensResult = await client.query<{\n\t\t\tprojectTokens: {\n\t\t\t\tedges: Array<{ node: { id: string; name: string } }>;\n\t\t\t};\n\t\t}>(PROJECT_TOKENS_QUERY, { projectId: inputs.projectId });\n\n\t\tconst stale = tokensResult.projectTokens.edges.filter(\n\t\t\t(edge) => edge.node.name === inputs.name,\n\t\t);\n\n\t\tfor (const entry of stale) {\n\t\t\tawait client.query(PROJECT_TOKEN_DELETE, { id: entry.node.id });\n\t\t}\n\n\t\tconst createResult = await client.query<{ projectTokenCreate: string }>(\n\t\t\tPROJECT_TOKEN_CREATE,\n\t\t\t{\n\t\t\t\tinput: {\n\t\t\t\t\tprojectId: inputs.projectId,\n\t\t\t\t\tenvironmentId: inputs.environmentId,\n\t\t\t\t\tname: inputs.name,\n\t\t\t\t},\n\t\t\t},\n\t\t);\n\n\t\tconst value = createResult.projectTokenCreate;\n\n\t\t// Re-list tokens to capture the Railway-assigned ID: the create mutation\n\t\t// returns only the token value, not its UUID.\n\t\tconst refreshResult = await client.query<{\n\t\t\tprojectTokens: {\n\t\t\t\tedges: Array<{ node: { id: string; name: string } }>;\n\t\t\t};\n\t\t}>(PROJECT_TOKENS_QUERY, { projectId: inputs.projectId });\n\n\t\t// After the delete sweep above, exactly one token with this name exists (the one we just\n\t\t// created). Resolve its id from the re-list so delete() can revoke it later.\n\t\tconst found = refreshResult.projectTokens.edges.find(\n\t\t\t(edge) => edge.node.name === inputs.name,\n\t\t);\n\n\t\tif (!found) {\n\t\t\tthrow new Error(\n\t\t\t\t`Could not resolve token id for newly created token \"${inputs.name}\" in project ${inputs.projectId}`,\n\t\t\t);\n\t\t}\n\n\t\tconst tokenId = found.node.id;\n\n\t\tconst outs: RailwayProjectTokenOutputs = {\n\t\t\t...inputs,\n\t\t\tvalue,\n\t\t\ttokenId,\n\t\t};\n\n\t\treturn { id: `${inputs.projectId}:${inputs.name}`, outs };\n\t}\n\n\t/**\n\t * Pass-through read — the token value is a write-once secret that Railway\n\t * never re-exposes via API, so the stored state is the only source of truth.\n\t *\n\t * @param id Resource ID.\n\t * @param props Currently stored outputs.\n\t */\n\tasync read(\n\t\tid: string,\n\t\tprops: RailwayProjectTokenOutputs,\n\t): Promise<pulumi.dynamic.ReadResult> {\n\t\treturn { id, props };\n\t}\n\n\t/**\n\t * Deletes the Railway token by its stored UUID for clean teardown.\n\t *\n\t * @param _id Resource ID (unused).\n\t * @param props Currently stored outputs containing the tokenId.\n\t */\n\tasync delete(_id: string, props: RailwayProjectTokenOutputs): Promise<void> {\n\t\tif (props.tokenId) {\n\t\t\tconst client = new RailwayClient(props.token);\n\n\t\t\tawait client.query(PROJECT_TOKEN_DELETE, { id: props.tokenId });\n\t\t}\n\t}\n\n\t/**\n\t * Triggers replacement when the project, environment, or token name changes.\n\t *\n\t * @param _id Resource ID (unused).\n\t * @param olds Previously stored outputs.\n\t * @param news Newly resolved inputs.\n\t */\n\tasync diff(\n\t\t_id: string,\n\t\tolds: RailwayProjectTokenOutputs,\n\t\tnews: RailwayProjectTokenInputs,\n\t): Promise<pulumi.dynamic.DiffResult> {\n\t\tconst replaces: string[] = [];\n\n\t\tif (olds.projectId !== news.projectId) {\n\t\t\treplaces.push(\"projectId\");\n\t\t}\n\n\t\tif (olds.environmentId !== news.environmentId) {\n\t\t\treplaces.push(\"environmentId\");\n\t\t}\n\n\t\tif (olds.name !== news.name) {\n\t\t\treplaces.push(\"name\");\n\t\t}\n\n\t\treturn {\n\t\t\tchanges: replaces.length > 0,\n\t\t\treplaces,\n\t\t\tdeleteBeforeReplace: true,\n\t\t};\n\t}\n}\n\n/** Internal dynamic resource — not part of the public API. */\nclass RailwayProjectTokenResource extends pulumi.dynamic.Resource {\n\tpublic declare readonly value: pulumi.Output<string>;\n\tpublic declare readonly tokenId: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: {\n\t\t\ttoken: pulumi.Input<string>;\n\t\t\tprojectId: pulumi.Input<string>;\n\t\t\tenvironmentId: pulumi.Input<string>;\n\t\t\tname: pulumi.Input<string>;\n\t\t},\n\t\topts?: pulumi.CustomResourceOptions,\n\t) {\n\t\t// `value` is an output-only secret. Declaring it via additionalSecretOutputs\n\t\t// (rather than a pulumi.secret(undefined) input placeholder) is the only reliable\n\t\t// way to mark a dynamic-provider output secret: the placeholder gives the property\n\t\t// both a secret-undefined input and a real output, so a downstream dynamic resource\n\t\t// consuming the token can race onto the undefined (\"malformed RPC secret: missing\n\t\t// value\" / \"Unexpected struct type\"). `tokenId` is a plain (non-secret) output. See\n\t\t// Pulumi #16041, #3012.\n\t\tsuper(\n\t\t\tnew RailwayProjectTokenResourceProvider(),\n\t\t\tname,\n\t\t\t{\n\t\t\t\t...args,\n\t\t\t\tvalue: undefined,\n\t\t\t\ttokenId: undefined,\n\t\t\t},\n\t\t\t{ ...opts, additionalSecretOutputs: [\"value\"] },\n\t\t);\n\t}\n}\n\n/** Options type for RailwayProjectToken — replaces Pulumi's native `provider` field. */\ntype RailwayProjectTokenOptions = Omit<\n\tpulumi.ComponentResourceOptions,\n\t\"provider\"\n> & {\n\t/** Railway authentication context. */\n\tprovider: RailwayProvider;\n\n\t/** Railway project this token belongs to. */\n\tproject: RailwayProject;\n\n\t/** Railway environment this deploy token is scoped to. */\n\tenvironment: RailwayEnvironment;\n};\n\n/** Args for RailwayProjectToken. */\nexport interface RailwayProjectTokenArgs {\n\t/**\n\t * Distinct token name, e.g. `\"pulumi-staging\"`.\n\t * Each environment should use a unique name so multiple stacks sharing\n\t * a project never collide on token ownership.\n\t */\n\tname: pulumi.Input<string>;\n}\n\n/**\n * Provisions an environment-scoped Railway deploy token.\n *\n * Each environment gets its own correctly-scoped token with a distinct name,\n * so multiple stacks sharing the same Railway project never collide.\n * The token value is exposed as a secret output for use in {@link RailwayDeploy}.\n *\n * @example\n * ```typescript\n * const project = new RailwayProject(\"my-project\", { name: \"my-app\" }, { provider });\n * const staging = new RailwayEnvironment(\"staging\", { name: \"staging\" }, { provider, project });\n *\n * const stagingToken = new RailwayProjectToken(\"staging-token\", {\n * name: \"pulumi-staging\",\n * }, { provider, project, environment: staging });\n *\n * new RailwayDeploy(\"api-deploy\", {\n * directory: monorepoRoot,\n * triggers: [sourceHash],\n * }, { provider, project, environment: staging, service, projectToken: stagingToken.token });\n * ```\n */\nexport class RailwayProjectToken extends pulumi.ComponentResource {\n\t/**\n\t * Environment-scoped Railway deploy token value (secret).\n\t * Pass this to `RailwayDeployOptions.projectToken`.\n\t */\n\tpublic readonly token: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: RailwayProjectTokenArgs,\n\t\topts: RailwayProjectTokenOptions,\n\t) {\n\t\tconst { provider, project, environment, ...pulumiOpts } = opts;\n\n\t\tsuper(\"infracraft:railway:ProjectToken\", name, {}, pulumiOpts);\n\n\t\tconst resource = new RailwayProjectTokenResource(\n\t\t\t`${name}-resource`,\n\t\t\t{\n\t\t\t\ttoken: provider.token,\n\t\t\t\tprojectId: project.id,\n\t\t\t\tenvironmentId: environment.id,\n\t\t\t\tname: args.name,\n\t\t\t},\n\t\t\t{ parent: this },\n\t\t);\n\n\t\tthis.token = resource.value;\n\n\t\tthis.registerOutputs({ token: this.token });\n\t}\n}\n"],"mappings":";;;;;;;AA8BA,MAAM,uBAAuB;;;;;;;AAQ7B,MAAM,uBAAuB;;;;;AAM7B,MAAM,uBAAuB;;;;;;;;;;;;AAa7B,IAAa,sCAAb,MAEA;;;;;;;;CAQC,MAAM,OACL,QACuC;EACvC,MAAM,SAAS,IAAIA,qCAAc,OAAO,KAAK;EAQ7C,MAAM,SAAQ,MANa,OAAO,MAI/B,sBAAsB,EAAE,WAAW,OAAO,UAAU,CAAC,GAE7B,cAAc,MAAM,QAC7C,SAAS,KAAK,KAAK,SAAS,OAAO,IACrC;EAEA,KAAK,MAAM,SAAS,OACnB,MAAM,OAAO,MAAM,sBAAsB,EAAE,IAAI,MAAM,KAAK,GAAG,CAAC;EAc/D,MAAM,SAAQ,MAXa,OAAO,MACjC,sBACA,EACC,OAAO;GACN,WAAW,OAAO;GAClB,eAAe,OAAO;GACtB,MAAM,OAAO;EACd,EACD,CACD,GAE2B;EAY3B,MAAM,SAAQ,MARc,OAAO,MAIhC,sBAAsB,EAAE,WAAW,OAAO,UAAU,CAAC,GAI5B,cAAc,MAAM,MAC9C,SAAS,KAAK,KAAK,SAAS,OAAO,IACrC;EAEA,IAAI,CAAC,OACJ,MAAM,IAAI,MACT,uDAAuD,OAAO,KAAK,eAAe,OAAO,WAC1F;EAGD,MAAM,UAAU,MAAM,KAAK;EAE3B,MAAM,OAAmC;GACxC,GAAG;GACH;GACA;EACD;EAEA,OAAO;GAAE,IAAI,GAAG,OAAO,UAAU,GAAG,OAAO;GAAQ;EAAK;CACzD;;;;;;;;CASA,MAAM,KACL,IACA,OACqC;EACrC,OAAO;GAAE;GAAI;EAAM;CACpB;;;;;;;CAQA,MAAM,OAAO,KAAa,OAAkD;EAC3E,IAAI,MAAM,SAGT,MAAM,IAFaA,qCAAc,MAAM,KAE5B,EAAE,MAAM,sBAAsB,EAAE,IAAI,MAAM,QAAQ,CAAC;CAEhE;;;;;;;;CASA,MAAM,KACL,KACA,MACA,MACqC;EACrC,MAAM,WAAqB,CAAC;EAE5B,IAAI,KAAK,cAAc,KAAK,WAC3B,SAAS,KAAK,WAAW;EAG1B,IAAI,KAAK,kBAAkB,KAAK,eAC/B,SAAS,KAAK,eAAe;EAG9B,IAAI,KAAK,SAAS,KAAK,MACtB,SAAS,KAAK,MAAM;EAGrB,OAAO;GACN,SAAS,SAAS,SAAS;GAC3B;GACA,qBAAqB;EACtB;CACD;AACD;;AAGA,IAAM,8BAAN,cAA0CC,eAAO,QAAQ,SAAS;CAIjE,YACC,MACA,MAMA,MACC;EAQD,MACC,IAAI,oCAAoC,GACxC,MACA;GACC,GAAG;GACH,OAAO;GACP,SAAS;EACV,GACA;GAAE,GAAG;GAAM,yBAAyB,CAAC,OAAO;EAAE,CAC/C;CACD;AACD;;;;;;;;;;;;;;;;;;;;;;;AAiDA,IAAa,sBAAb,cAAyCA,eAAO,kBAAkB;CAOjE,YACC,MACA,MACA,MACC;EACD,MAAM,EAAE,UAAU,SAAS,aAAa,GAAG,eAAe;EAE1D,MAAM,mCAAmC,MAAM,CAAC,GAAG,UAAU;EAE7D,MAAM,WAAW,IAAI,4BACpB,GAAG,KAAK,YACR;GACC,OAAO,SAAS;GAChB,WAAW,QAAQ;GACnB,eAAe,YAAY;GAC3B,MAAM,KAAK;EACZ,GACA,EAAE,QAAQ,KAAK,CAChB;EAEA,KAAK,QAAQ,SAAS;EAEtB,KAAK,gBAAgB,EAAE,OAAO,KAAK,MAAM,CAAC;CAC3C;AACD"}
@@ -1 +1 @@
1
- {"version":3,"file":"project-token.d.cts","names":[],"sources":["../../src/railway/project-token.ts"],"mappings":";;;;;;;;UAOU,yBAAA;;EAET,KAAA;EAFkC;EAKlC,SAAA;EALkC;EAQlC,aAAA;EAHA;EAMA,IAAA;AAAA;;UAIS,0BAAA,SAAmC,yBAAyB;EAA5D;EAET,KAAA;;EAGA,OAAA;AAAA;;;;AAAO;AA8BR;;;;;cAAa,mCAAA,YACD,MAAA,CAAO,OAAA,CAAQ,gBAAA;EAiFlB;;;;;;;EAxEF,MAAA,CACL,MAAA,EAAQ,yBAAA,GACN,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,YAAA;EAoGvB;;;;;;;EAhCG,IAAA,CACL,EAAA,UACA,KAAA,EAAO,0BAAA,GACL,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;EAxEjB;;;;;;EAkFH,MAAA,CAAO,GAAA,UAAa,KAAA,EAAO,0BAAA,GAA6B,OAAA;EAZ7D;;;;;;;EA2BK,IAAA,CACL,GAAA,UACA,IAAA,EAAM,0BAAA,EACN,IAAA,EAAM,yBAAA,GACJ,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;AAAA;;KAoDtB,0BAAA,GAA6B,IAAA,CACjC,MAAA,CAAO,wBAAA;EAxEuD,sCA4E9D,QAAA,EAAU,eAAA,EA5DT;EA+DD,OAAA,EAAS,cAAA,EA9DR;EAiED,WAAA,EAAa,kBAAA;AAAA;;UAIG,uBAAA;EAnEE;;;AAAkB;AAqBpC;EAoDA,IAAA,EAAM,MAAA,CAAO,KAAK;AAAA;;;;;;;;;;;;;;;;;;AAVa;AAIhC;;;;cA+Ba,mBAAA,SAA4B,MAAA,CAAO,iBAAA;EAzBzC;;;AAAY;EAAZ,SA8BU,KAAA,EAAO,MAAA,CAAO,MAAA;cAG7B,IAAA,UACA,IAAA,EAAM,uBAAA,EACN,IAAA,EAAM,0BAAA;AAAA"}
1
+ {"version":3,"file":"project-token.d.cts","names":[],"sources":["../../src/railway/project-token.ts"],"mappings":";;;;;;;;UAOU,yBAAA;;EAET,KAAA;EAFkC;EAKlC,SAAA;EALkC;EAQlC,aAAA;EAHA;EAMA,IAAA;AAAA;;UAIS,0BAAA,SAAmC,yBAAyB;EAA5D;EAET,KAAA;;EAGA,OAAA;AAAA;;;;AAAO;AA8BR;;;;;cAAa,mCAAA,YACD,MAAA,CAAO,OAAA,CAAQ,gBAAA;EAiFlB;;;;;;;EAxEF,MAAA,CACL,MAAA,EAAQ,yBAAA,GACN,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,YAAA;EAoGvB;;;;;;;EAhCG,IAAA,CACL,EAAA,UACA,KAAA,EAAO,0BAAA,GACL,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;EAxEjB;;;;;;EAkFH,MAAA,CAAO,GAAA,UAAa,KAAA,EAAO,0BAAA,GAA6B,OAAA;EAZ7D;;;;;;;EA2BK,IAAA,CACL,GAAA,UACA,IAAA,EAAM,0BAAA,EACN,IAAA,EAAM,yBAAA,GACJ,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;AAAA;;KA2DtB,0BAAA,GAA6B,IAAA,CACjC,MAAA,CAAO,wBAAA;EA/EuD,sCAmF9D,QAAA,EAAU,eAAA,EAnET;EAsED,OAAA,EAAS,cAAA,EArER;EAwED,WAAA,EAAa,kBAAA;AAAA;;UAIG,uBAAA;EA1EE;;;AAAkB;AAqBpC;EA2DA,IAAA,EAAM,MAAA,CAAO,KAAK;AAAA;;;;;;;;;;;;;;;;;;AAVa;AAIhC;;;;cA+Ba,mBAAA,SAA4B,MAAA,CAAO,iBAAA;EAzBzC;;;AAAY;EAAZ,SA8BU,KAAA,EAAO,MAAA,CAAO,MAAA;cAG7B,IAAA,UACA,IAAA,EAAM,uBAAA,EACN,IAAA,EAAM,0BAAA;AAAA"}
@@ -1 +1 @@
1
- {"version":3,"file":"project-token.d.mts","names":[],"sources":["../../src/railway/project-token.ts"],"mappings":";;;;;;;;UAOU,yBAAA;;EAET,KAAA;EAFkC;EAKlC,SAAA;EALkC;EAQlC,aAAA;EAHA;EAMA,IAAA;AAAA;;UAIS,0BAAA,SAAmC,yBAAyB;EAA5D;EAET,KAAA;;EAGA,OAAA;AAAA;;;;AAAO;AA8BR;;;;;cAAa,mCAAA,YACD,MAAA,CAAO,OAAA,CAAQ,gBAAA;EAiFlB;;;;;;;EAxEF,MAAA,CACL,MAAA,EAAQ,yBAAA,GACN,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,YAAA;EAoGvB;;;;;;;EAhCG,IAAA,CACL,EAAA,UACA,KAAA,EAAO,0BAAA,GACL,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;EAxEjB;;;;;;EAkFH,MAAA,CAAO,GAAA,UAAa,KAAA,EAAO,0BAAA,GAA6B,OAAA;EAZ7D;;;;;;;EA2BK,IAAA,CACL,GAAA,UACA,IAAA,EAAM,0BAAA,EACN,IAAA,EAAM,yBAAA,GACJ,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;AAAA;;KAoDtB,0BAAA,GAA6B,IAAA,CACjC,MAAA,CAAO,wBAAA;EAxEuD,sCA4E9D,QAAA,EAAU,eAAA,EA5DT;EA+DD,OAAA,EAAS,cAAA,EA9DR;EAiED,WAAA,EAAa,kBAAA;AAAA;;UAIG,uBAAA;EAnEE;;;AAAkB;AAqBpC;EAoDA,IAAA,EAAM,MAAA,CAAO,KAAK;AAAA;;;;;;;;;;;;;;;;;;AAVa;AAIhC;;;;cA+Ba,mBAAA,SAA4B,MAAA,CAAO,iBAAA;EAzBzC;;;AAAY;EAAZ,SA8BU,KAAA,EAAO,MAAA,CAAO,MAAA;cAG7B,IAAA,UACA,IAAA,EAAM,uBAAA,EACN,IAAA,EAAM,0BAAA;AAAA"}
1
+ {"version":3,"file":"project-token.d.mts","names":[],"sources":["../../src/railway/project-token.ts"],"mappings":";;;;;;;;UAOU,yBAAA;;EAET,KAAA;EAFkC;EAKlC,SAAA;EALkC;EAQlC,aAAA;EAHA;EAMA,IAAA;AAAA;;UAIS,0BAAA,SAAmC,yBAAyB;EAA5D;EAET,KAAA;;EAGA,OAAA;AAAA;;;;AAAO;AA8BR;;;;;cAAa,mCAAA,YACD,MAAA,CAAO,OAAA,CAAQ,gBAAA;EAiFlB;;;;;;;EAxEF,MAAA,CACL,MAAA,EAAQ,yBAAA,GACN,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,YAAA;EAoGvB;;;;;;;EAhCG,IAAA,CACL,EAAA,UACA,KAAA,EAAO,0BAAA,GACL,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;EAxEjB;;;;;;EAkFH,MAAA,CAAO,GAAA,UAAa,KAAA,EAAO,0BAAA,GAA6B,OAAA;EAZ7D;;;;;;;EA2BK,IAAA,CACL,GAAA,UACA,IAAA,EAAM,0BAAA,EACN,IAAA,EAAM,yBAAA,GACJ,OAAA,CAAQ,MAAA,CAAO,OAAA,CAAQ,UAAA;AAAA;;KA2DtB,0BAAA,GAA6B,IAAA,CACjC,MAAA,CAAO,wBAAA;EA/EuD,sCAmF9D,QAAA,EAAU,eAAA,EAnET;EAsED,OAAA,EAAS,cAAA,EArER;EAwED,WAAA,EAAa,kBAAA;AAAA;;UAIG,uBAAA;EA1EE;;;AAAkB;AAqBpC;EA2DA,IAAA,EAAM,MAAA,CAAO,KAAK;AAAA;;;;;;;;;;;;;;;;;;AAVa;AAIhC;;;;cA+Ba,mBAAA,SAA4B,MAAA,CAAO,iBAAA;EAzBzC;;;AAAY;EAAZ,SA8BU,KAAA,EAAO,MAAA,CAAO,MAAA;cAG7B,IAAA,UACA,IAAA,EAAM,uBAAA,EACN,IAAA,EAAM,0BAAA;AAAA"}
@@ -103,9 +103,12 @@ var RailwayProjectTokenResource = class extends pulumi.dynamic.Resource {
103
103
  constructor(name, args, opts) {
104
104
  super(new RailwayProjectTokenResourceProvider(), name, {
105
105
  ...args,
106
- value: pulumi.secret(void 0),
106
+ value: void 0,
107
107
  tokenId: void 0
108
- }, opts);
108
+ }, {
109
+ ...opts,
110
+ additionalSecretOutputs: ["value"]
111
+ });
109
112
  }
110
113
  };
111
114
  /**
@@ -1 +1 @@
1
- {"version":3,"file":"project-token.mjs","names":[],"sources":["../../src/railway/project-token.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport { RailwayClient } from \"./client\";\nimport type { RailwayEnvironment } from \"./environment\";\nimport type { RailwayProject } from \"./project\";\nimport type { RailwayProvider } from \"./provider\";\n\n/** Resolved inputs for the Railway project token dynamic provider. */\ninterface RailwayProjectTokenInputs {\n\t/** Railway API bearer token (account-scoped, used for API calls). */\n\ttoken: string;\n\n\t/** Railway project UUID. */\n\tprojectId: string;\n\n\t/** Railway environment UUID this deploy token is scoped to. */\n\tenvironmentId: string;\n\n\t/** Distinct token name, e.g. `\"pulumi-staging\"`. Must be unique per environment. */\n\tname: string;\n}\n\n/** Persisted state for the Railway project token. */\ninterface RailwayProjectTokenOutputs extends RailwayProjectTokenInputs {\n\t/** Minted deploy token secret value. */\n\tvalue: string;\n\n\t/** Railway-assigned token UUID (used for clean teardown on delete). */\n\ttokenId: string;\n}\n\nconst PROJECT_TOKENS_QUERY = `\n query($projectId: String!) {\n projectTokens(projectId: $projectId) {\n edges { node { id name } }\n }\n }\n`;\n\nconst PROJECT_TOKEN_CREATE = `\n mutation($input: ProjectTokenCreateInput!) {\n projectTokenCreate(input: $input)\n }\n`;\n\nconst PROJECT_TOKEN_DELETE = `\n mutation($id: String!) { projectTokenDelete(id: $id) }\n`;\n\n/**\n * Dynamic provider that mints a Railway environment-scoped deploy token.\n *\n * On create, it deletes any existing tokens with the same name (stale tokens\n * from previous runs), mints a fresh one scoped to the target environment, then\n * re-lists tokens to capture the Railway-assigned ID for later teardown.\n *\n * @internal Exported only for unit testing; not part of the public API surface.\n */\nexport class RailwayProjectTokenResourceProvider\n\timplements pulumi.dynamic.ResourceProvider\n{\n\t/**\n\t * Deletes stale same-named tokens, mints a new environment-scoped token,\n\t * and captures its ID via a follow-up list query.\n\t *\n\t * @param inputs Resolved provider inputs.\n\t * @returns Pulumi dynamic create result with `value` (secret) and `tokenId`.\n\t */\n\tasync create(\n\t\tinputs: RailwayProjectTokenInputs,\n\t): Promise<pulumi.dynamic.CreateResult> {\n\t\tconst client = new RailwayClient(inputs.token);\n\n\t\tconst tokensResult = await client.query<{\n\t\t\tprojectTokens: {\n\t\t\t\tedges: Array<{ node: { id: string; name: string } }>;\n\t\t\t};\n\t\t}>(PROJECT_TOKENS_QUERY, { projectId: inputs.projectId });\n\n\t\tconst stale = tokensResult.projectTokens.edges.filter(\n\t\t\t(edge) => edge.node.name === inputs.name,\n\t\t);\n\n\t\tfor (const entry of stale) {\n\t\t\tawait client.query(PROJECT_TOKEN_DELETE, { id: entry.node.id });\n\t\t}\n\n\t\tconst createResult = await client.query<{ projectTokenCreate: string }>(\n\t\t\tPROJECT_TOKEN_CREATE,\n\t\t\t{\n\t\t\t\tinput: {\n\t\t\t\t\tprojectId: inputs.projectId,\n\t\t\t\t\tenvironmentId: inputs.environmentId,\n\t\t\t\t\tname: inputs.name,\n\t\t\t\t},\n\t\t\t},\n\t\t);\n\n\t\tconst value = createResult.projectTokenCreate;\n\n\t\t// Re-list tokens to capture the Railway-assigned ID: the create mutation\n\t\t// returns only the token value, not its UUID.\n\t\tconst refreshResult = await client.query<{\n\t\t\tprojectTokens: {\n\t\t\t\tedges: Array<{ node: { id: string; name: string } }>;\n\t\t\t};\n\t\t}>(PROJECT_TOKENS_QUERY, { projectId: inputs.projectId });\n\n\t\t// After the delete sweep above, exactly one token with this name exists (the one we just\n\t\t// created). Resolve its id from the re-list so delete() can revoke it later.\n\t\tconst found = refreshResult.projectTokens.edges.find(\n\t\t\t(edge) => edge.node.name === inputs.name,\n\t\t);\n\n\t\tif (!found) {\n\t\t\tthrow new Error(\n\t\t\t\t`Could not resolve token id for newly created token \"${inputs.name}\" in project ${inputs.projectId}`,\n\t\t\t);\n\t\t}\n\n\t\tconst tokenId = found.node.id;\n\n\t\tconst outs: RailwayProjectTokenOutputs = {\n\t\t\t...inputs,\n\t\t\tvalue,\n\t\t\ttokenId,\n\t\t};\n\n\t\treturn { id: `${inputs.projectId}:${inputs.name}`, outs };\n\t}\n\n\t/**\n\t * Pass-through read — the token value is a write-once secret that Railway\n\t * never re-exposes via API, so the stored state is the only source of truth.\n\t *\n\t * @param id Resource ID.\n\t * @param props Currently stored outputs.\n\t */\n\tasync read(\n\t\tid: string,\n\t\tprops: RailwayProjectTokenOutputs,\n\t): Promise<pulumi.dynamic.ReadResult> {\n\t\treturn { id, props };\n\t}\n\n\t/**\n\t * Deletes the Railway token by its stored UUID for clean teardown.\n\t *\n\t * @param _id Resource ID (unused).\n\t * @param props Currently stored outputs containing the tokenId.\n\t */\n\tasync delete(_id: string, props: RailwayProjectTokenOutputs): Promise<void> {\n\t\tif (props.tokenId) {\n\t\t\tconst client = new RailwayClient(props.token);\n\n\t\t\tawait client.query(PROJECT_TOKEN_DELETE, { id: props.tokenId });\n\t\t}\n\t}\n\n\t/**\n\t * Triggers replacement when the project, environment, or token name changes.\n\t *\n\t * @param _id Resource ID (unused).\n\t * @param olds Previously stored outputs.\n\t * @param news Newly resolved inputs.\n\t */\n\tasync diff(\n\t\t_id: string,\n\t\tolds: RailwayProjectTokenOutputs,\n\t\tnews: RailwayProjectTokenInputs,\n\t): Promise<pulumi.dynamic.DiffResult> {\n\t\tconst replaces: string[] = [];\n\n\t\tif (olds.projectId !== news.projectId) {\n\t\t\treplaces.push(\"projectId\");\n\t\t}\n\n\t\tif (olds.environmentId !== news.environmentId) {\n\t\t\treplaces.push(\"environmentId\");\n\t\t}\n\n\t\tif (olds.name !== news.name) {\n\t\t\treplaces.push(\"name\");\n\t\t}\n\n\t\treturn {\n\t\t\tchanges: replaces.length > 0,\n\t\t\treplaces,\n\t\t\tdeleteBeforeReplace: true,\n\t\t};\n\t}\n}\n\n/** Internal dynamic resource — not part of the public API. */\nclass RailwayProjectTokenResource extends pulumi.dynamic.Resource {\n\tpublic declare readonly value: pulumi.Output<string>;\n\tpublic declare readonly tokenId: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: {\n\t\t\ttoken: pulumi.Input<string>;\n\t\t\tprojectId: pulumi.Input<string>;\n\t\t\tenvironmentId: pulumi.Input<string>;\n\t\t\tname: pulumi.Input<string>;\n\t\t},\n\t\topts?: pulumi.CustomResourceOptions,\n\t) {\n\t\tsuper(\n\t\t\tnew RailwayProjectTokenResourceProvider(),\n\t\t\tname,\n\t\t\t{\n\t\t\t\t...args,\n\t\t\t\tvalue: pulumi.secret(undefined as unknown as string),\n\t\t\t\ttokenId: undefined,\n\t\t\t},\n\t\t\topts,\n\t\t);\n\t}\n}\n\n/** Options type for RailwayProjectToken — replaces Pulumi's native `provider` field. */\ntype RailwayProjectTokenOptions = Omit<\n\tpulumi.ComponentResourceOptions,\n\t\"provider\"\n> & {\n\t/** Railway authentication context. */\n\tprovider: RailwayProvider;\n\n\t/** Railway project this token belongs to. */\n\tproject: RailwayProject;\n\n\t/** Railway environment this deploy token is scoped to. */\n\tenvironment: RailwayEnvironment;\n};\n\n/** Args for RailwayProjectToken. */\nexport interface RailwayProjectTokenArgs {\n\t/**\n\t * Distinct token name, e.g. `\"pulumi-staging\"`.\n\t * Each environment should use a unique name so multiple stacks sharing\n\t * a project never collide on token ownership.\n\t */\n\tname: pulumi.Input<string>;\n}\n\n/**\n * Provisions an environment-scoped Railway deploy token.\n *\n * Each environment gets its own correctly-scoped token with a distinct name,\n * so multiple stacks sharing the same Railway project never collide.\n * The token value is exposed as a secret output for use in {@link RailwayDeploy}.\n *\n * @example\n * ```typescript\n * const project = new RailwayProject(\"my-project\", { name: \"my-app\" }, { provider });\n * const staging = new RailwayEnvironment(\"staging\", { name: \"staging\" }, { provider, project });\n *\n * const stagingToken = new RailwayProjectToken(\"staging-token\", {\n * name: \"pulumi-staging\",\n * }, { provider, project, environment: staging });\n *\n * new RailwayDeploy(\"api-deploy\", {\n * directory: monorepoRoot,\n * triggers: [sourceHash],\n * }, { provider, project, environment: staging, service, projectToken: stagingToken.token });\n * ```\n */\nexport class RailwayProjectToken extends pulumi.ComponentResource {\n\t/**\n\t * Environment-scoped Railway deploy token value (secret).\n\t * Pass this to `RailwayDeployOptions.projectToken`.\n\t */\n\tpublic readonly token: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: RailwayProjectTokenArgs,\n\t\topts: RailwayProjectTokenOptions,\n\t) {\n\t\tconst { provider, project, environment, ...pulumiOpts } = opts;\n\n\t\tsuper(\"infracraft:railway:ProjectToken\", name, {}, pulumiOpts);\n\n\t\tconst resource = new RailwayProjectTokenResource(\n\t\t\t`${name}-resource`,\n\t\t\t{\n\t\t\t\ttoken: provider.token,\n\t\t\t\tprojectId: project.id,\n\t\t\t\tenvironmentId: environment.id,\n\t\t\t\tname: args.name,\n\t\t\t},\n\t\t\t{ parent: this },\n\t\t);\n\n\t\tthis.token = resource.value;\n\n\t\tthis.registerOutputs({ token: this.token });\n\t}\n}\n"],"mappings":";;;;;AA8BA,MAAM,uBAAuB;;;;;;;AAQ7B,MAAM,uBAAuB;;;;;AAM7B,MAAM,uBAAuB;;;;;;;;;;;;AAa7B,IAAa,sCAAb,MAEA;;;;;;;;CAQC,MAAM,OACL,QACuC;EACvC,MAAM,SAAS,IAAI,cAAc,OAAO,KAAK;EAQ7C,MAAM,SAAQ,MANa,OAAO,MAI/B,sBAAsB,EAAE,WAAW,OAAO,UAAU,CAAC,GAE7B,cAAc,MAAM,QAC7C,SAAS,KAAK,KAAK,SAAS,OAAO,IACrC;EAEA,KAAK,MAAM,SAAS,OACnB,MAAM,OAAO,MAAM,sBAAsB,EAAE,IAAI,MAAM,KAAK,GAAG,CAAC;EAc/D,MAAM,SAAQ,MAXa,OAAO,MACjC,sBACA,EACC,OAAO;GACN,WAAW,OAAO;GAClB,eAAe,OAAO;GACtB,MAAM,OAAO;EACd,EACD,CACD,GAE2B;EAY3B,MAAM,SAAQ,MARc,OAAO,MAIhC,sBAAsB,EAAE,WAAW,OAAO,UAAU,CAAC,GAI5B,cAAc,MAAM,MAC9C,SAAS,KAAK,KAAK,SAAS,OAAO,IACrC;EAEA,IAAI,CAAC,OACJ,MAAM,IAAI,MACT,uDAAuD,OAAO,KAAK,eAAe,OAAO,WAC1F;EAGD,MAAM,UAAU,MAAM,KAAK;EAE3B,MAAM,OAAmC;GACxC,GAAG;GACH;GACA;EACD;EAEA,OAAO;GAAE,IAAI,GAAG,OAAO,UAAU,GAAG,OAAO;GAAQ;EAAK;CACzD;;;;;;;;CASA,MAAM,KACL,IACA,OACqC;EACrC,OAAO;GAAE;GAAI;EAAM;CACpB;;;;;;;CAQA,MAAM,OAAO,KAAa,OAAkD;EAC3E,IAAI,MAAM,SAGT,MAAM,IAFa,cAAc,MAAM,KAE5B,EAAE,MAAM,sBAAsB,EAAE,IAAI,MAAM,QAAQ,CAAC;CAEhE;;;;;;;;CASA,MAAM,KACL,KACA,MACA,MACqC;EACrC,MAAM,WAAqB,CAAC;EAE5B,IAAI,KAAK,cAAc,KAAK,WAC3B,SAAS,KAAK,WAAW;EAG1B,IAAI,KAAK,kBAAkB,KAAK,eAC/B,SAAS,KAAK,eAAe;EAG9B,IAAI,KAAK,SAAS,KAAK,MACtB,SAAS,KAAK,MAAM;EAGrB,OAAO;GACN,SAAS,SAAS,SAAS;GAC3B;GACA,qBAAqB;EACtB;CACD;AACD;;AAGA,IAAM,8BAAN,cAA0C,OAAO,QAAQ,SAAS;CAIjE,YACC,MACA,MAMA,MACC;EACD,MACC,IAAI,oCAAoC,GACxC,MACA;GACC,GAAG;GACH,OAAO,OAAO,OAAO,MAA8B;GACnD,SAAS;EACV,GACA,IACD;CACD;AACD;;;;;;;;;;;;;;;;;;;;;;;AAiDA,IAAa,sBAAb,cAAyC,OAAO,kBAAkB;CAOjE,YACC,MACA,MACA,MACC;EACD,MAAM,EAAE,UAAU,SAAS,aAAa,GAAG,eAAe;EAE1D,MAAM,mCAAmC,MAAM,CAAC,GAAG,UAAU;EAE7D,MAAM,WAAW,IAAI,4BACpB,GAAG,KAAK,YACR;GACC,OAAO,SAAS;GAChB,WAAW,QAAQ;GACnB,eAAe,YAAY;GAC3B,MAAM,KAAK;EACZ,GACA,EAAE,QAAQ,KAAK,CAChB;EAEA,KAAK,QAAQ,SAAS;EAEtB,KAAK,gBAAgB,EAAE,OAAO,KAAK,MAAM,CAAC;CAC3C;AACD"}
1
+ {"version":3,"file":"project-token.mjs","names":[],"sources":["../../src/railway/project-token.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport { RailwayClient } from \"./client\";\nimport type { RailwayEnvironment } from \"./environment\";\nimport type { RailwayProject } from \"./project\";\nimport type { RailwayProvider } from \"./provider\";\n\n/** Resolved inputs for the Railway project token dynamic provider. */\ninterface RailwayProjectTokenInputs {\n\t/** Railway API bearer token (account-scoped, used for API calls). */\n\ttoken: string;\n\n\t/** Railway project UUID. */\n\tprojectId: string;\n\n\t/** Railway environment UUID this deploy token is scoped to. */\n\tenvironmentId: string;\n\n\t/** Distinct token name, e.g. `\"pulumi-staging\"`. Must be unique per environment. */\n\tname: string;\n}\n\n/** Persisted state for the Railway project token. */\ninterface RailwayProjectTokenOutputs extends RailwayProjectTokenInputs {\n\t/** Minted deploy token secret value. */\n\tvalue: string;\n\n\t/** Railway-assigned token UUID (used for clean teardown on delete). */\n\ttokenId: string;\n}\n\nconst PROJECT_TOKENS_QUERY = `\n query($projectId: String!) {\n projectTokens(projectId: $projectId) {\n edges { node { id name } }\n }\n }\n`;\n\nconst PROJECT_TOKEN_CREATE = `\n mutation($input: ProjectTokenCreateInput!) {\n projectTokenCreate(input: $input)\n }\n`;\n\nconst PROJECT_TOKEN_DELETE = `\n mutation($id: String!) { projectTokenDelete(id: $id) }\n`;\n\n/**\n * Dynamic provider that mints a Railway environment-scoped deploy token.\n *\n * On create, it deletes any existing tokens with the same name (stale tokens\n * from previous runs), mints a fresh one scoped to the target environment, then\n * re-lists tokens to capture the Railway-assigned ID for later teardown.\n *\n * @internal Exported only for unit testing; not part of the public API surface.\n */\nexport class RailwayProjectTokenResourceProvider\n\timplements pulumi.dynamic.ResourceProvider\n{\n\t/**\n\t * Deletes stale same-named tokens, mints a new environment-scoped token,\n\t * and captures its ID via a follow-up list query.\n\t *\n\t * @param inputs Resolved provider inputs.\n\t * @returns Pulumi dynamic create result with `value` (secret) and `tokenId`.\n\t */\n\tasync create(\n\t\tinputs: RailwayProjectTokenInputs,\n\t): Promise<pulumi.dynamic.CreateResult> {\n\t\tconst client = new RailwayClient(inputs.token);\n\n\t\tconst tokensResult = await client.query<{\n\t\t\tprojectTokens: {\n\t\t\t\tedges: Array<{ node: { id: string; name: string } }>;\n\t\t\t};\n\t\t}>(PROJECT_TOKENS_QUERY, { projectId: inputs.projectId });\n\n\t\tconst stale = tokensResult.projectTokens.edges.filter(\n\t\t\t(edge) => edge.node.name === inputs.name,\n\t\t);\n\n\t\tfor (const entry of stale) {\n\t\t\tawait client.query(PROJECT_TOKEN_DELETE, { id: entry.node.id });\n\t\t}\n\n\t\tconst createResult = await client.query<{ projectTokenCreate: string }>(\n\t\t\tPROJECT_TOKEN_CREATE,\n\t\t\t{\n\t\t\t\tinput: {\n\t\t\t\t\tprojectId: inputs.projectId,\n\t\t\t\t\tenvironmentId: inputs.environmentId,\n\t\t\t\t\tname: inputs.name,\n\t\t\t\t},\n\t\t\t},\n\t\t);\n\n\t\tconst value = createResult.projectTokenCreate;\n\n\t\t// Re-list tokens to capture the Railway-assigned ID: the create mutation\n\t\t// returns only the token value, not its UUID.\n\t\tconst refreshResult = await client.query<{\n\t\t\tprojectTokens: {\n\t\t\t\tedges: Array<{ node: { id: string; name: string } }>;\n\t\t\t};\n\t\t}>(PROJECT_TOKENS_QUERY, { projectId: inputs.projectId });\n\n\t\t// After the delete sweep above, exactly one token with this name exists (the one we just\n\t\t// created). Resolve its id from the re-list so delete() can revoke it later.\n\t\tconst found = refreshResult.projectTokens.edges.find(\n\t\t\t(edge) => edge.node.name === inputs.name,\n\t\t);\n\n\t\tif (!found) {\n\t\t\tthrow new Error(\n\t\t\t\t`Could not resolve token id for newly created token \"${inputs.name}\" in project ${inputs.projectId}`,\n\t\t\t);\n\t\t}\n\n\t\tconst tokenId = found.node.id;\n\n\t\tconst outs: RailwayProjectTokenOutputs = {\n\t\t\t...inputs,\n\t\t\tvalue,\n\t\t\ttokenId,\n\t\t};\n\n\t\treturn { id: `${inputs.projectId}:${inputs.name}`, outs };\n\t}\n\n\t/**\n\t * Pass-through read — the token value is a write-once secret that Railway\n\t * never re-exposes via API, so the stored state is the only source of truth.\n\t *\n\t * @param id Resource ID.\n\t * @param props Currently stored outputs.\n\t */\n\tasync read(\n\t\tid: string,\n\t\tprops: RailwayProjectTokenOutputs,\n\t): Promise<pulumi.dynamic.ReadResult> {\n\t\treturn { id, props };\n\t}\n\n\t/**\n\t * Deletes the Railway token by its stored UUID for clean teardown.\n\t *\n\t * @param _id Resource ID (unused).\n\t * @param props Currently stored outputs containing the tokenId.\n\t */\n\tasync delete(_id: string, props: RailwayProjectTokenOutputs): Promise<void> {\n\t\tif (props.tokenId) {\n\t\t\tconst client = new RailwayClient(props.token);\n\n\t\t\tawait client.query(PROJECT_TOKEN_DELETE, { id: props.tokenId });\n\t\t}\n\t}\n\n\t/**\n\t * Triggers replacement when the project, environment, or token name changes.\n\t *\n\t * @param _id Resource ID (unused).\n\t * @param olds Previously stored outputs.\n\t * @param news Newly resolved inputs.\n\t */\n\tasync diff(\n\t\t_id: string,\n\t\tolds: RailwayProjectTokenOutputs,\n\t\tnews: RailwayProjectTokenInputs,\n\t): Promise<pulumi.dynamic.DiffResult> {\n\t\tconst replaces: string[] = [];\n\n\t\tif (olds.projectId !== news.projectId) {\n\t\t\treplaces.push(\"projectId\");\n\t\t}\n\n\t\tif (olds.environmentId !== news.environmentId) {\n\t\t\treplaces.push(\"environmentId\");\n\t\t}\n\n\t\tif (olds.name !== news.name) {\n\t\t\treplaces.push(\"name\");\n\t\t}\n\n\t\treturn {\n\t\t\tchanges: replaces.length > 0,\n\t\t\treplaces,\n\t\t\tdeleteBeforeReplace: true,\n\t\t};\n\t}\n}\n\n/** Internal dynamic resource — not part of the public API. */\nclass RailwayProjectTokenResource extends pulumi.dynamic.Resource {\n\tpublic declare readonly value: pulumi.Output<string>;\n\tpublic declare readonly tokenId: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: {\n\t\t\ttoken: pulumi.Input<string>;\n\t\t\tprojectId: pulumi.Input<string>;\n\t\t\tenvironmentId: pulumi.Input<string>;\n\t\t\tname: pulumi.Input<string>;\n\t\t},\n\t\topts?: pulumi.CustomResourceOptions,\n\t) {\n\t\t// `value` is an output-only secret. Declaring it via additionalSecretOutputs\n\t\t// (rather than a pulumi.secret(undefined) input placeholder) is the only reliable\n\t\t// way to mark a dynamic-provider output secret: the placeholder gives the property\n\t\t// both a secret-undefined input and a real output, so a downstream dynamic resource\n\t\t// consuming the token can race onto the undefined (\"malformed RPC secret: missing\n\t\t// value\" / \"Unexpected struct type\"). `tokenId` is a plain (non-secret) output. See\n\t\t// Pulumi #16041, #3012.\n\t\tsuper(\n\t\t\tnew RailwayProjectTokenResourceProvider(),\n\t\t\tname,\n\t\t\t{\n\t\t\t\t...args,\n\t\t\t\tvalue: undefined,\n\t\t\t\ttokenId: undefined,\n\t\t\t},\n\t\t\t{ ...opts, additionalSecretOutputs: [\"value\"] },\n\t\t);\n\t}\n}\n\n/** Options type for RailwayProjectToken — replaces Pulumi's native `provider` field. */\ntype RailwayProjectTokenOptions = Omit<\n\tpulumi.ComponentResourceOptions,\n\t\"provider\"\n> & {\n\t/** Railway authentication context. */\n\tprovider: RailwayProvider;\n\n\t/** Railway project this token belongs to. */\n\tproject: RailwayProject;\n\n\t/** Railway environment this deploy token is scoped to. */\n\tenvironment: RailwayEnvironment;\n};\n\n/** Args for RailwayProjectToken. */\nexport interface RailwayProjectTokenArgs {\n\t/**\n\t * Distinct token name, e.g. `\"pulumi-staging\"`.\n\t * Each environment should use a unique name so multiple stacks sharing\n\t * a project never collide on token ownership.\n\t */\n\tname: pulumi.Input<string>;\n}\n\n/**\n * Provisions an environment-scoped Railway deploy token.\n *\n * Each environment gets its own correctly-scoped token with a distinct name,\n * so multiple stacks sharing the same Railway project never collide.\n * The token value is exposed as a secret output for use in {@link RailwayDeploy}.\n *\n * @example\n * ```typescript\n * const project = new RailwayProject(\"my-project\", { name: \"my-app\" }, { provider });\n * const staging = new RailwayEnvironment(\"staging\", { name: \"staging\" }, { provider, project });\n *\n * const stagingToken = new RailwayProjectToken(\"staging-token\", {\n * name: \"pulumi-staging\",\n * }, { provider, project, environment: staging });\n *\n * new RailwayDeploy(\"api-deploy\", {\n * directory: monorepoRoot,\n * triggers: [sourceHash],\n * }, { provider, project, environment: staging, service, projectToken: stagingToken.token });\n * ```\n */\nexport class RailwayProjectToken extends pulumi.ComponentResource {\n\t/**\n\t * Environment-scoped Railway deploy token value (secret).\n\t * Pass this to `RailwayDeployOptions.projectToken`.\n\t */\n\tpublic readonly token: pulumi.Output<string>;\n\n\tconstructor(\n\t\tname: string,\n\t\targs: RailwayProjectTokenArgs,\n\t\topts: RailwayProjectTokenOptions,\n\t) {\n\t\tconst { provider, project, environment, ...pulumiOpts } = opts;\n\n\t\tsuper(\"infracraft:railway:ProjectToken\", name, {}, pulumiOpts);\n\n\t\tconst resource = new RailwayProjectTokenResource(\n\t\t\t`${name}-resource`,\n\t\t\t{\n\t\t\t\ttoken: provider.token,\n\t\t\t\tprojectId: project.id,\n\t\t\t\tenvironmentId: environment.id,\n\t\t\t\tname: args.name,\n\t\t\t},\n\t\t\t{ parent: this },\n\t\t);\n\n\t\tthis.token = resource.value;\n\n\t\tthis.registerOutputs({ token: this.token });\n\t}\n}\n"],"mappings":";;;;;AA8BA,MAAM,uBAAuB;;;;;;;AAQ7B,MAAM,uBAAuB;;;;;AAM7B,MAAM,uBAAuB;;;;;;;;;;;;AAa7B,IAAa,sCAAb,MAEA;;;;;;;;CAQC,MAAM,OACL,QACuC;EACvC,MAAM,SAAS,IAAI,cAAc,OAAO,KAAK;EAQ7C,MAAM,SAAQ,MANa,OAAO,MAI/B,sBAAsB,EAAE,WAAW,OAAO,UAAU,CAAC,GAE7B,cAAc,MAAM,QAC7C,SAAS,KAAK,KAAK,SAAS,OAAO,IACrC;EAEA,KAAK,MAAM,SAAS,OACnB,MAAM,OAAO,MAAM,sBAAsB,EAAE,IAAI,MAAM,KAAK,GAAG,CAAC;EAc/D,MAAM,SAAQ,MAXa,OAAO,MACjC,sBACA,EACC,OAAO;GACN,WAAW,OAAO;GAClB,eAAe,OAAO;GACtB,MAAM,OAAO;EACd,EACD,CACD,GAE2B;EAY3B,MAAM,SAAQ,MARc,OAAO,MAIhC,sBAAsB,EAAE,WAAW,OAAO,UAAU,CAAC,GAI5B,cAAc,MAAM,MAC9C,SAAS,KAAK,KAAK,SAAS,OAAO,IACrC;EAEA,IAAI,CAAC,OACJ,MAAM,IAAI,MACT,uDAAuD,OAAO,KAAK,eAAe,OAAO,WAC1F;EAGD,MAAM,UAAU,MAAM,KAAK;EAE3B,MAAM,OAAmC;GACxC,GAAG;GACH;GACA;EACD;EAEA,OAAO;GAAE,IAAI,GAAG,OAAO,UAAU,GAAG,OAAO;GAAQ;EAAK;CACzD;;;;;;;;CASA,MAAM,KACL,IACA,OACqC;EACrC,OAAO;GAAE;GAAI;EAAM;CACpB;;;;;;;CAQA,MAAM,OAAO,KAAa,OAAkD;EAC3E,IAAI,MAAM,SAGT,MAAM,IAFa,cAAc,MAAM,KAE5B,EAAE,MAAM,sBAAsB,EAAE,IAAI,MAAM,QAAQ,CAAC;CAEhE;;;;;;;;CASA,MAAM,KACL,KACA,MACA,MACqC;EACrC,MAAM,WAAqB,CAAC;EAE5B,IAAI,KAAK,cAAc,KAAK,WAC3B,SAAS,KAAK,WAAW;EAG1B,IAAI,KAAK,kBAAkB,KAAK,eAC/B,SAAS,KAAK,eAAe;EAG9B,IAAI,KAAK,SAAS,KAAK,MACtB,SAAS,KAAK,MAAM;EAGrB,OAAO;GACN,SAAS,SAAS,SAAS;GAC3B;GACA,qBAAqB;EACtB;CACD;AACD;;AAGA,IAAM,8BAAN,cAA0C,OAAO,QAAQ,SAAS;CAIjE,YACC,MACA,MAMA,MACC;EAQD,MACC,IAAI,oCAAoC,GACxC,MACA;GACC,GAAG;GACH,OAAO;GACP,SAAS;EACV,GACA;GAAE,GAAG;GAAM,yBAAyB,CAAC,OAAO;EAAE,CAC/C;CACD;AACD;;;;;;;;;;;;;;;;;;;;;;;AAiDA,IAAa,sBAAb,cAAyC,OAAO,kBAAkB;CAOjE,YACC,MACA,MACA,MACC;EACD,MAAM,EAAE,UAAU,SAAS,aAAa,GAAG,eAAe;EAE1D,MAAM,mCAAmC,MAAM,CAAC,GAAG,UAAU;EAE7D,MAAM,WAAW,IAAI,4BACpB,GAAG,KAAK,YACR;GACC,OAAO,SAAS;GAChB,WAAW,QAAQ;GACnB,eAAe,YAAY;GAC3B,MAAM,KAAK;EACZ,GACA,EAAE,QAAQ,KAAK,CAChB;EAEA,KAAK,QAAQ,SAAS;EAEtB,KAAK,gBAAgB,EAAE,OAAO,KAAK,MAAM,CAAC;CAC3C;AACD"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@infracraft/pulumi",
3
- "version": "1.6.5",
3
+ "version": "1.6.6",
4
4
  "type": "module",
5
5
  "license": "MIT",
6
6
  "repository": {