ministackorg/ministack v1.3.38

on GitHub

What's Changed

[1.3.38] — 2026-05-13

Added

• ECS task IAM role credentials endpoint (GET /v2/credentials/<uuid>) — real ECS injects AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/<uuid> per task and SDKs fetch credentials by GETting that path against 169.254.170.2. MiniStack now serves the same path on the gateway and returns the AWS-strict 5-field credentials document (AccessKeyId, SecretAccessKey, Token, Expiration, RoleArn) — distinct from the IMDS shape served at /latest/meta-data/iam/security-credentials/<role>. Contributed by @YakirOren.
• ECS task env injection for SDK-driven workloads — tasks launched by MiniStack's ECS emulator now also get AWS_CONTAINER_CREDENTIALS_FULL_URI (so SDKs in task containers fetch emulated credentials automatically from the new /v2/credentials/<uuid> endpoint), AWS_CONTAINER_AUTHORIZATION_TOKEN (satisfies botocore's allow-list when the gateway host is not loopback, e.g. host.docker.internal or a Docker bridge IP), and AWS_ENDPOINT_URL (so SDK service calls auto-route to the gateway). Together with the existing ECS_CONTAINER_METADATA_URI_V4, unmodified AWS SDKs running inside an emulated ECS task now use MiniStack end-to-end with no client config. Contributed by @YakirOren.
• CloudFormation AWS::CertificateManager::Certificate — provisions a Certificate record matching RequestCertificate shape. Ref resolves to the ARN; honours DomainName, SubjectAlternativeNames, ValidationMethod, Tags, KeyAlgorithm, CertificateTransparencyLoggingPreference. Closes a gap that blocked any HTTPS-related IaC stack from applying against MiniStack. Reported by @parv0888.
• CloudFormation AWS::ElasticLoadBalancingV2::TargetGroup — MS' ALB CFN story was previously partial: LoadBalancer and Listener provisioned but TargetGroup was missing, leaving the listener with nothing to forward to. The new handler writes a target-group record matching CreateTargetGroup, with AWS-documented defaults (HTTP, port 80, health-check interval 30, healthy/unhealthy thresholds 5/2, matcher 200). Tags and TargetGroupAttributes honoured. Reported by @parv0888.
• CloudFormation AWS::ElasticLoadBalancingV2::ListenerRule — host- and path-based ALB routing now provisions. Conditions accept both the flat {Field, Values} shape and CFN's per-field nested config form (PathPatternConfig.Values, HostHeaderConfig.Values, HttpHeaderConfig, HttpRequestMethodConfig, QueryStringConfig, SourceIpConfig). Actions support forward / redirect / fixed-response. Reported by @parv0888.
• CloudFormation AWS::RDS::DBInstance — standalone DB instances (non-Aurora) and Aurora cluster members now provision. Writes a record matching CreateDBInstance (metadata-only, like the existing AWS::RDS::DBCluster handler — Docker container spawn remains on the CLI/SDK path). Aurora cluster members inherit master credentials from the cluster automatically. Fn::GetAtt returns Endpoint.Address, Endpoint.Port, DbiResourceId, DBInstanceArn. Reported by @parv0888.
• CloudFormation AWS::StepFunctions::StateMachine Definition and DefinitionS3Location — CDK's DefinitionBody.fromFile() emits DefinitionS3Location referencing an S3 asset, and DefinitionBody.fromString() emits the inline Definition object; MiniStack previously honoured only DefinitionString and silently fell back to {}, producing InvalidDefinition: StartAt state 'None' not found at execution time. Both forms are now honoured, DefinitionS3Location is fetched from the in-memory S3 service, and DefinitionSubstitutions placeholders (${KEY}) are applied to the resolved definition. Reported by @youngkwangk.

Fixed

• ECS connectivityAt and stoppingAt timestamps wire-formatted as numbers — both fields are set on tasks but were missing from the _ECS_TIMESTAMP_FIELDS normalization set, so they shipped as ISO strings in DescribeTasks / ListTasks responses. The Go AWS SDK v2 (strict JSON 1.1 timestamp parsing) rejected the response; boto3 was lenient and hid the issue. Both fields are now epoch-normalized alongside the other task timestamps. Contributed by @YakirOren.
• CloudFormation AWS::ECS::TaskDefinition populates registeredAt, registeredBy, and compatibilities — the CFN provisioner constructed the task-definition record without these three fields, so DescribeTaskDefinition returned them as missing for CFN-created TDs even though the CLI/SDK path (RegisterTaskDefinition) always set them. Workloads that read registeredAt (e.g. the ARMO ECS operator and other reconcilers) had to fall back to "now". The CFN path now mirrors the CLI path. Contributed by @YakirOren.