import { z } from 'zod'; export declare const GatewayAuthorizerTypeSchema: z.ZodEnum<{ NONE: "NONE"; AWS_IAM: "AWS_IAM"; CUSTOM_JWT: "CUSTOM_JWT"; }>; export type GatewayAuthorizerType = z.infer; export declare const RuntimeAuthorizerTypeSchema: z.ZodEnum<{ AWS_IAM: "AWS_IAM"; CUSTOM_JWT: "CUSTOM_JWT"; }>; export type RuntimeAuthorizerType = z.infer; export declare const ClaimMatchOperatorSchema: z.ZodEnum<{ EQUALS: "EQUALS"; CONTAINS: "CONTAINS"; CONTAINS_ANY: "CONTAINS_ANY"; }>; export type ClaimMatchOperator = z.infer; export declare const ClaimMatchValueSchema: z.ZodObject<{ matchValueString: z.ZodOptional; matchValueStringList: z.ZodOptional>; }, z.core.$strip>; export type ClaimMatchValue = z.infer; export declare const InboundTokenClaimValueTypeSchema: z.ZodEnum<{ STRING: "STRING"; STRING_ARRAY: "STRING_ARRAY"; }>; export type InboundTokenClaimValueType = z.infer; export declare const CustomClaimValidationSchema: z.ZodObject<{ inboundTokenClaimName: z.ZodString; inboundTokenClaimValueType: z.ZodEnum<{ STRING: "STRING"; STRING_ARRAY: "STRING_ARRAY"; }>; authorizingClaimMatchValue: z.ZodObject<{ claimMatchOperator: z.ZodEnum<{ EQUALS: "EQUALS"; CONTAINS: "CONTAINS"; CONTAINS_ANY: "CONTAINS_ANY"; }>; claimMatchValue: z.ZodObject<{ matchValueString: z.ZodOptional; matchValueStringList: z.ZodOptional>; }, z.core.$strip>; }, z.core.$strip>; }, z.core.$strict>; export type CustomClaimValidation = z.infer; export declare const EndpointIpAddressTypeSchema: z.ZodEnum<{ IPV4: "IPV4"; IPV6: "IPV6"; }>; export type EndpointIpAddressType = z.infer; /** Reach the discovery endpoint via a self-managed VPC Lattice resource configuration. */ export declare const SelfManagedLatticeResourceSchema: z.ZodObject<{ resourceConfigurationIdentifier: z.ZodString; }, z.core.$strict>; export type SelfManagedLatticeResource = z.infer; /** Reach the discovery endpoint via a service-managed VPC interface endpoint. */ export declare const ManagedVpcResourceSchema: z.ZodObject<{ vpcIdentifier: z.ZodString; subnetIds: z.ZodArray; endpointIpAddressType: z.ZodEnum<{ IPV4: "IPV4"; IPV6: "IPV6"; }>; securityGroupIds: z.ZodOptional>; tags: z.ZodOptional>; routingDomain: z.ZodOptional; }, z.core.$strict>; export type ManagedVpcResource = z.infer; /** * A private endpoint: exactly one of selfManagedLatticeResource or managedVpcResource. * The CFN spec dropped `oneOf` (contract-test antipattern) and enforces exactly-one structurally; * we mirror that with a superRefine rather than a discriminated union. */ export declare const PrivateEndpointSchema: z.ZodObject<{ selfManagedLatticeResource: z.ZodOptional>; managedVpcResource: z.ZodOptional; endpointIpAddressType: z.ZodEnum<{ IPV4: "IPV4"; IPV6: "IPV6"; }>; securityGroupIds: z.ZodOptional>; tags: z.ZodOptional>; routingDomain: z.ZodOptional; }, z.core.$strict>>; }, z.core.$strict>; export type PrivateEndpoint = z.infer; /** Maps a specific domain to its own private endpoint (overrides the discovery-URL endpoint for that domain). */ export declare const PrivateEndpointOverrideSchema: z.ZodObject<{ domain: z.ZodString; privateEndpoint: z.ZodObject<{ selfManagedLatticeResource: z.ZodOptional>; managedVpcResource: z.ZodOptional; endpointIpAddressType: z.ZodEnum<{ IPV4: "IPV4"; IPV6: "IPV6"; }>; securityGroupIds: z.ZodOptional>; tags: z.ZodOptional>; routingDomain: z.ZodOptional; }, z.core.$strict>>; }, z.core.$strict>; }, z.core.$strict>; export type PrivateEndpointOverride = z.infer; /** * Custom JWT authorizer configuration. * Used when authorizerType is 'CUSTOM_JWT'. * * At least one of allowedAudience, allowedClients, allowedScopes, or customClaims * must be provided. Only discoveryUrl is unconditionally required. */ export declare const CustomJwtAuthorizerConfigSchema: z.ZodObject<{ discoveryUrl: z.ZodString; allowedAudience: z.ZodOptional>; allowedClients: z.ZodOptional>; allowedScopes: z.ZodOptional>; customClaims: z.ZodOptional; authorizingClaimMatchValue: z.ZodObject<{ claimMatchOperator: z.ZodEnum<{ EQUALS: "EQUALS"; CONTAINS: "CONTAINS"; CONTAINS_ANY: "CONTAINS_ANY"; }>; claimMatchValue: z.ZodObject<{ matchValueString: z.ZodOptional; matchValueStringList: z.ZodOptional>; }, z.core.$strip>; }, z.core.$strip>; }, z.core.$strict>>>; privateEndpoint: z.ZodOptional>; managedVpcResource: z.ZodOptional; endpointIpAddressType: z.ZodEnum<{ IPV4: "IPV4"; IPV6: "IPV6"; }>; securityGroupIds: z.ZodOptional>; tags: z.ZodOptional>; routingDomain: z.ZodOptional; }, z.core.$strict>>; }, z.core.$strict>>; privateEndpointOverrides: z.ZodOptional>; managedVpcResource: z.ZodOptional; endpointIpAddressType: z.ZodEnum<{ IPV4: "IPV4"; IPV6: "IPV6"; }>; securityGroupIds: z.ZodOptional>; tags: z.ZodOptional>; routingDomain: z.ZodOptional; }, z.core.$strict>>; }, z.core.$strict>; }, z.core.$strict>>>; }, z.core.$strict>; export type CustomJwtAuthorizerConfig = z.infer; /** * Resource-agnostic authorizer configuration container. * Used by both Gateway and Runtime resources. */ export declare const AuthorizerConfigSchema: z.ZodObject<{ customJwtAuthorizer: z.ZodOptional>; allowedClients: z.ZodOptional>; allowedScopes: z.ZodOptional>; customClaims: z.ZodOptional; authorizingClaimMatchValue: z.ZodObject<{ claimMatchOperator: z.ZodEnum<{ EQUALS: "EQUALS"; CONTAINS: "CONTAINS"; CONTAINS_ANY: "CONTAINS_ANY"; }>; claimMatchValue: z.ZodObject<{ matchValueString: z.ZodOptional; matchValueStringList: z.ZodOptional>; }, z.core.$strip>; }, z.core.$strip>; }, z.core.$strict>>>; privateEndpoint: z.ZodOptional>; managedVpcResource: z.ZodOptional; endpointIpAddressType: z.ZodEnum<{ IPV4: "IPV4"; IPV6: "IPV6"; }>; securityGroupIds: z.ZodOptional>; tags: z.ZodOptional>; routingDomain: z.ZodOptional; }, z.core.$strict>>; }, z.core.$strict>>; privateEndpointOverrides: z.ZodOptional>; managedVpcResource: z.ZodOptional; endpointIpAddressType: z.ZodEnum<{ IPV4: "IPV4"; IPV6: "IPV6"; }>; securityGroupIds: z.ZodOptional>; tags: z.ZodOptional>; routingDomain: z.ZodOptional; }, z.core.$strict>>; }, z.core.$strict>; }, z.core.$strict>>>; }, z.core.$strict>>; }, z.core.$strip>; export type AuthorizerConfig = z.infer; /** @deprecated Use AuthorizerConfigSchema. Backwards-compatible alias for Gateway. */ export declare const GatewayAuthorizerConfigSchema: z.ZodObject<{ customJwtAuthorizer: z.ZodOptional>; allowedClients: z.ZodOptional>; allowedScopes: z.ZodOptional>; customClaims: z.ZodOptional; authorizingClaimMatchValue: z.ZodObject<{ claimMatchOperator: z.ZodEnum<{ EQUALS: "EQUALS"; CONTAINS: "CONTAINS"; CONTAINS_ANY: "CONTAINS_ANY"; }>; claimMatchValue: z.ZodObject<{ matchValueString: z.ZodOptional; matchValueStringList: z.ZodOptional>; }, z.core.$strip>; }, z.core.$strip>; }, z.core.$strict>>>; privateEndpoint: z.ZodOptional>; managedVpcResource: z.ZodOptional; endpointIpAddressType: z.ZodEnum<{ IPV4: "IPV4"; IPV6: "IPV6"; }>; securityGroupIds: z.ZodOptional>; tags: z.ZodOptional>; routingDomain: z.ZodOptional; }, z.core.$strict>>; }, z.core.$strict>>; privateEndpointOverrides: z.ZodOptional>; managedVpcResource: z.ZodOptional; endpointIpAddressType: z.ZodEnum<{ IPV4: "IPV4"; IPV6: "IPV6"; }>; securityGroupIds: z.ZodOptional>; tags: z.ZodOptional>; routingDomain: z.ZodOptional; }, z.core.$strict>>; }, z.core.$strict>; }, z.core.$strict>>>; }, z.core.$strict>>; }, z.core.$strip>; /** @deprecated Use AuthorizerConfig. Backwards-compatible alias for Gateway. */ export type GatewayAuthorizerConfig = AuthorizerConfig; //# sourceMappingURL=auth.d.ts.map