anvil-cloud 0.0.14

Anvil — secure-by-default cloud infrastructure components

anvil-cloud

Cloud infrastructure that's secure by default — not by accident.

Anvil wraps raw cloud resources into opinionated, production-ready components. No boilerplate. No copy-pasting security configs. Just declare what you need.

Built on Pulumi.

Install

pip install anvil-cloud

Secure by default

Every Anvil component ships with defaults aligned to production from day one — public access blocked, encryption enforced, cost tags applied. The goal isn't to make compliance automatic, but to make it a platform you can actually build on.

The App class

Every Anvil program starts with anvil.App(). The run callback receives a Context with:

• ctx.stage — current deployment stage (defaults to your OS username for dev isolation)
• ctx.project — project name from anvil.yaml
• ctx.export(name, value) — export stack outputs
• ctx.providers — named cloud providers for multi-region / multi-account

Grants

Grants are how Anvil wires permissions between resources. Instead of writing IAM policies by hand, you call .grant() on a resource and Anvil handles both the IAM role policy and the environment variable injection automatically.

A Lambda reading from a Bucket:

import anvil_cloud as anvil

def infra(ctx: anvil.Context):
    bucket = anvil.aws.Bucket("uploads",
        data_classification="sensitive",
    )

    fn = anvil.aws.Lambda("processor",
        runtime="nodejs20.x",
        handler="index.handler",
        code="./src",
    )

    # Grants the Lambda read access to the bucket and scopes down to specific bucket paths.
    # Anvil creates the IAM policy and injects UPLOADS_BUCKET_NAME
    # into the Lambda's environment automatically.
    bucket.grant(fn, actions=["read"], path=["user/*"])

anvil.App(run=infra)

What Anvil does under the hood:

• Creates an IAM RolePolicy scoped to the exact actions requested
• Injects the resource identifier as an environment variable on the target (e.g. UPLOADS_BUCKET_NAME)
• No manual ARN wiring, no forgotten permissions

SvelteKit deployment

Deploy a SvelteKit app to AWS with a single component. Anvil provisions S3, CloudFront, ACM, Lambda (via Lambda Web Adapter), and Route53 — with HTTPS and a custom domain out of the box:

import anvil_cloud as anvil

def infra(ctx: anvil.Context):
    site = anvil.aws.SvelteKitSite("web",
        domain="myapp.com",
    )
    ctx.export("url", site.url)

anvil.App(run=infra)

Overrides

Every component accepts a transform argument to override the underlying resource config when you need to break from the defaults:

bucket = anvil.aws.Bucket("custom",
    data_classification="non-sensitive",
    transform=anvil.aws.BucketTransformArgsArgs(
        overrides=anvil.aws.BucketOverridesArgs(
            force_destroy=True,
            tags={"env": "dev"},
        ),
    ),
)

Requirements

• Python >= 3.8
• Pulumi >= 3.0.0
• Anvil CLI: curl -fsSL https://raw.githubusercontent.com/DamienPace15/anvil/master/install.sh | sh

Links

• Docs
• GitHub
• npm SDK
• Go SDK

License

Apache-2.0