ministackorg/ministack v1.3.51

on GitHub

What's Changed

New Contributors

• @Areson made their first contribution in #722

[1.3.51] — 2026-05-27

Added

• DynamoDB Backups — CreateBackup, DescribeBackup, DeleteBackup, ListBackups, RestoreTableFromBackup, and RestoreTableToPointInTime. Restore rebuilds the target table with the snapshot's items, key schema, and indexes; BillingModeOverride, GlobalSecondaryIndexOverride, and LocalSecondaryIndexOverride are honored. State persists across restarts via the existing ministack persistence hooks.
• DynamoDB Export / Import — ExportTableToPointInTime, DescribeExport, ListExports, ImportTable, DescribeImport, ListImports. Both ops are idempotent on ClientToken. The emulator completes exports synchronously and re-creates the destination table from TableCreationParameters on import. Driven by the dynamodb-conformance.org gap report.
• DynamoDB Contributor Insights — UpdateContributorInsights, DescribeContributorInsights, ListContributorInsights. ENABLING→ENABLED and DISABLING→DISABLED state machine matches the way real AWS settles status on subsequent Describe calls; optional IndexName is validated against the table's GSI list.
• DynamoDB Resource-Based Policies — PutResourcePolicy, GetResourcePolicy, DeleteResourcePolicy with full revision-id semantics. ExpectedRevisionId mismatches raise PolicyNotFoundException, including the NO_POLICY conditional path documented in the AWS API reference. Policy size is capped at 20 KB per the AWS quota.
• DynamoDB PartiQL transactions and batches — BatchExecuteStatement and ExecuteTransaction, including ClientRequestToken idempotency, all-or-nothing rollback on any statement failure, and DuplicateItemException on INSERT against an existing primary key. ExecuteStatement now also returns ConsumedCapacity when ReturnConsumedCapacity is set.
• DynamoDB DescribeLimits — returns canonical account- and table-level read/write capacity limits.
• EC2 CreateSecurityGroup returns SecurityGroupArn, DeleteSecurityGroup returns the deleted GroupId, and RevokeSecurityGroupEgress returns RevokedSecurityGroupRules — security group lifecycle responses now carry the fields real AWS emits, so workflows that inspect create / revoke / delete output get the same shapes as production. Contributed by @Areson.

Fixed

• DynamoDB item-level validation — PutItem, BatchWriteItem, and TransactWriteItems now reject empty SS / NS / BS, duplicate set elements, and empty strings for hash or sort key values. Numbers are canonicalized (leading-zero strip, negative-zero normalization, trailing-decimal trim) and bounded to 38 significant digits and magnitude [1E-130, 9.9999...E+125]. The 400 KB item-size cap is now enforced with attribute names contributing to the total per the AWS Developer Guide accounting.
• DynamoDB batch caps — BatchWriteItem rejects more than 25 requests, BatchGetItem rejects more than 100 keys, both with the AWS-canonical validation error. Duplicate target keys are rejected in both ops, and BatchGetItem against a non-existent table now raises ResourceNotFoundException up front instead of silently routing the table to UnprocessedKeys.
• DynamoDB transaction caps and accounting — TransactWriteItems and TransactGetItems cap at 100 actions, TransactWriteItems caps at 4 MB total payload, both reject duplicate target keys, and both return ConsumedCapacity at 2× the per-item rate per the AWS Developer Guide. ClientRequestToken idempotency raises IdempotentParameterMismatchException on payload mismatch.
• DynamoDB CreateTable validation — table name pattern [A-Za-z0-9_.-]+ and length 3-255, exactly one HASH and at most one RANGE in KeySchema, every key attribute must appear in AttributeDefinitions with no unused entries, duplicate IndexName across LSI/GSI rejected, LSIs require a RANGE key on the base table and must use the same HASH key, BillingMode enum enforced, ProvisionedThroughput only allowed on PROVISIONED tables. TableClass, OnDemandThroughput, and AWS-managed-key SSEDescription now round-trip via DescribeTable.
• DynamoDB UpdateTable validation — rejects PROVISIONED → PROVISIONED no-op, rejects ProvisionedThroughput with PAY_PER_REQUEST, rejects zero or negative capacity values, validates TableClass enum, adds GSI duplicate-name and undefined-attribute detection, and returns ResourceNotFoundException when deleting or updating a non-existent GSI. OnDemandThroughput changes round-trip via DescribeTable. Deletion protection on DeleteTable is enforced.
• DynamoDB Query validation — KeyConditionExpression may only reference key attributes (returns Query condition missed key schema element on violation), empty KeyConditionExpression rejected, Select enum enforced (ALL_PROJECTED_ATTRIBUTES only on an indexed query, SPECIFIC_ATTRIBUTES requires a ProjectionExpression or AttributesToGet), ConsistentRead=true on a GSI rejected, Limit >= 1 enforced, malformed ExclusiveStartKey rejected.
• DynamoDB Scan validation — Segment / TotalSegments co-requirement and range checks, Limit >= 1, ConsistentRead on a GSI rejected, Select enum same as Query, ScanFilter + FilterExpression mutually exclusive, AttributesToGet + ProjectionExpression mutually exclusive.
• DynamoDB UpdateItem semantics — SET references now resolve against the pre-update snapshot of the item (so SET a = b, b = :v assigns the OLD value of b to a), an intermediate path that doesn't exist is rejected, hash- and range-key attribute mutation is rejected, REMOVE with ReturnValues=UPDATED_NEW omits Attributes from the response (no new values to report), and empty UpdateExpression is rejected.
• DynamoDB GetItem ProjectionExpression honors nested paths — nested map paths (level1.level2.leaf), list indexes (items[1]), combined nested + index (rec.tags[0]), and multiple sibling paths under the same root all return the correctly-pruned attribute tree instead of the whole root attribute.
• DynamoDB ReturnValues and ReturnItemCollectionMetrics per op — invalid ReturnValues enum is rejected per op (PutItem and DeleteItem only accept NONE and ALL_OLD), invalid ReturnItemCollectionMetrics rejected, and SIZE returns the AWS shape {ItemCollectionKey, SizeEstimateRangeGB} on tables with at least one LSI.
• DynamoDB binary keys order bytewise and size() counts UTF-16 code units — binary sort keys are compared after base64 decoding so b'\x01' < b'\xff', begins_with on binary now decodes both operands before comparing prefixes, and size(s) returns the UTF-16 code-unit count for strings (a surrogate-pair emoji counts as 2) and the decoded byte length for binary, matching the AWS Developer Guide.
• DynamoDB rejects unaliased AWS reserved keywords in expressions — every bare identifier in ConditionExpression, UpdateExpression, FilterExpression, KeyConditionExpression, or ProjectionExpression that matches the canonical AWS DynamoDB reserved-word list is now rejected with Attribute name is a reserved keyword; reserved keyword: <word>. Users must alias the name via ExpressionAttributeNames exactly as with real AWS.
• DynamoDB rejects redundant parentheses and contains(x, x) — the ((expr)) pattern is rejected across all expression fields (returns the AWS "expression has redundant parentheses" validator), and contains() with structurally identical operands is rejected with the AWS "operands must be distinct" message.
• DynamoDB ExpressionAttributeNames / ExpressionAttributeValues bookkeeping — every defined #alias and :placeholder must be referenced by some expression in the request, and every #alias or :placeholder used in an expression must be defined. Mismatches return the AWS-canonical "unused" or "not defined" validation error instead of silently passing.
• DynamoDB PartiQL INSERT against an existing item now raises DuplicateItemException — previously emitted ConditionalCheckFailedException. Matches the error code listed in botocore's ExecuteStatement service-2.json shape.
• DynamoDB TagResource / UntagResource / ListTagsOfResource validate the ResourceArn — non-DynamoDB ARNs and ARNs pointing at non-existent tables now return ValidationException and ResourceNotFoundException respectively, instead of silently storing tags against a phantom resource.
• DynamoDB UpdateTimeToLive rejects empty AttributeName — matches AWS shape validation.
• EC2 DescribeSecurityGroups distinguishes malformed IDs from missing ones — malformed security group IDs now return InvalidGroupId.Malformed and valid-looking but unknown IDs continue to return InvalidGroup.NotFound, matching the way AWS classifies the two failure modes. Contributed by @Areson.
• Glue StartJobRun no longer auto-pulls a missing image — Spark jobs that target a Glue Docker image now check whether the image is already present locally and stub the run to SUCCEEDED when it is not, instead of triggering a multi-gigabyte pull on the request path.
• MWAA worker containers auto-remove on exit — Airflow task containers spawned by the MWAA emulator now self-clean instead of leaving stopped containers on the Docker daemon after every DAG run.