github ministackorg/ministack v1.3.58

7 hours ago

What's Changed

New Contributors

[1.3.58] — 2026-06-04

Added

  • EKS — default topology.kubernetes.io/zone and topology.kubernetes.io/region labels on k3s nodes — every cluster's k3s container now receives --node-label topology.kubernetes.io/zone={region}a and --node-label topology.kubernetes.io/region={region}, matching the labels real EKS nodes carry via the AWS cloud-controller-manager. Unblocks topology-aware controllers (Karpenter, Cluster Autoscaler, scheduler topologySpreadConstraints) without manual kubectl label node workarounds. Region resolves through get_region(). Per-node-group label overrides belong on CreateNodegroup.labels — the AWS-shape-correct surface. Contributed by @b-rajesh.
  • KMS — Ed25519 (ECC_NIST_EDWARDS25519) sign/verify: CreateKey accepts ECC_NIST_EDWARDS25519, returns SigningAlgorithms=["ED25519_SHA_512","ED25519_PH_SHA_512"] (both algorithms per the AWS Developer Guide "Supported signing algorithms for ECC key specs" table). Sign/Verify for ED25519_SHA_512 enforces MessageType=RAW per the AWS Sign API contract ("ED25519_SHA_512 signing algorithm requires MessageType:RAW… cannot be used interchangeably"); ED25519_PH_SHA_512 (Ed25519ph / HashEdDSA, RFC 8032 §5.1) returns UnsupportedOperationException rather than route through pure Ed25519 — those signatures would be incompatible with real AWS KMS. Contributed by @KABBOUCHI.
  • ELBv2 — SetSubnets, SetIpAddressType, SetSecurityGroups — three load-balancer mutation actions now implemented per botocore output shapes: SetSubnets returns AvailabilityZones + IpAddressType, SetIpAddressType returns IpAddressType, SetSecurityGroups returns SecurityGroupIds (note: not SecurityGroups).
  • Glue — CreateUserDefinedFunction / UpdateUserDefinedFunction / DeleteUserDefinedFunction / GetUserDefinedFunction / GetUserDefinedFunctions — full UDF lifecycle at AWSGlue.<verb>. Records carry FunctionName, DatabaseName, ClassName, OwnerName, OwnerType, CreateTime, ResourceUris, CatalogId per the AWS UserDefinedFunction output shape. GetUserDefinedFunctions honors the AWS-required Pattern glob.
  • IAM — seeded AWS-managed policies for EKS: AmazonEKSClusterPolicy, AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, AmazonEKSServicePolicy now resolve to the real AWS policy documents (verbatim from the AWS Managed Policy Reference), not the wildcard Allow * fallback. GetPolicyVersion returns the real action lists so policy simulators / Terraform diffs match real AWS.

Fixed

  • EC2 — Attachment.AttachTime on ENI describe: AttachNetworkInterface now records the attach timestamp on the ENI's Attachment record; DescribeNetworkInterfaces surfaces it as <attachTime> in the wire XML, matching the AWS NetworkInterfaceAttachment shape. Required by tools that audit attachment age (Cloud Custodian, Config rules).
  • Glue — CreateDatabase honors top-level Tags: CreateDatabase previously dropped Tags on the floor; tags are now stored against the database ARN (arn:aws:glue:{region}:{account}:database/{name}) and retrievable via GetTags. DeleteDatabase cleans them up.
  • Glue — UpdateTable optimistic concurrency via VersionId — table records now carry a monotonically-increasing VersionId (string, per the AWS Table output shape). UpdateTable with a stale VersionId returns ConcurrentModificationException; matching version bumps and applies. Calls without VersionId keep the old last-write-wins behaviour for back-compat.
  • ECS — DeleteService marks INACTIVE instead of removing the record — matches the AWS contract: "Services in the DRAINING or INACTIVE status can still be viewed with the DescribeServices API operation." Tasks are stopped synchronously, the service stays describable with status=INACTIVE, and tags remain attached. Re-creating a service with the same name is allowed once the prior incarnation is INACTIVE (matches the AWS-documented conflict-only-on-ACTIVE/DRAINING rule).
  • Lambda — layer CodeSize and post-attachment invocation: CreateFunction(Layers=[...]) and UpdateFunctionConfiguration(Layers=[...]) now surface each layer's real CodeSize on GetFunctionConfiguration.Layers[*].CodeSize (looked up from the published layer version) instead of a hardcoded 0. UpdateFunctionConfiguration also recycles the $LATEST warm worker when worker-affecting fields change (Layers, Runtime, Handler, Environment, MemorySize, Architectures, VpcConfig, FileSystemConfigs) — without this, a layer attached after the first invoke was never extracted into /opt/layer_N for the running worker, and import from the layer failed at handler entry. Reported by @omargr299.
  • Cognito — CUSTOM_AUTH trigger Lambdas no longer deadlock the event loop: _dispatch_idp and _dispatch_identity are now async and run their sync handlers via asyncio.to_thread. Previously, a Cognito op that invoked a trigger Lambda (Define / Create / Verify auth challenge, pre-token, etc.) blocked the ASGI event loop while waiting for the Lambda HTTP callback that the same loop needed to serve — every CUSTOM_AUTH flow hung at the first trigger. Reported by @aahoughton.
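
The Cognito deadlock above, reproduced in miniature as an added example (not ministack's code): one event loop serves a callback endpoint while a sync handler waits on that same endpoint, first called directly on the loop and then through asyncio.to_thread. The names sync_trigger_handler, serve_callback, dispatch_blocking and dispatch_threaded, the raw TCP endpoint standing in for the Lambda HTTP callback, and the 0.5 s timeout are assumptions.

```python
import asyncio
import socket

CALLBACK_TIMEOUT = 0.5  # constructed value so the blocked case fails fast

def sync_trigger_handler(port: int) -> str:
    """Hypothetical sync handler: waits for the callback endpoint's answer."""
    with socket.create_connection(("127.0.0.1", port), timeout=CALLBACK_TIMEOUT) as s:
        s.sendall(b"invoke\n")
        try:
            return s.recv(64).decode().strip()
        except (socket.timeout, TimeoutError):
            return "timeout"

async def serve_callback(reader, writer):
    """Callback endpoint served by the same event loop as the dispatcher."""
    try:
        await reader.readline()
        writer.write(b"ok\n")
        await writer.drain()
    except ConnectionError:
        pass  # the peer from the blocked attempt has already given up
    finally:
        writer.close()

async def dispatch_blocking(port: int) -> str:
    # Before: the sync handler runs on the loop thread, so serve_callback
    # cannot be scheduled until the handler gives up.
    return sync_trigger_handler(port)

async def dispatch_threaded(port: int) -> str:
    # After: the handler runs in a worker thread and the loop stays free.
    return await asyncio.to_thread(sync_trigger_handler, port)

async def run_demo():
    server = await asyncio.start_server(serve_callback, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        blocked = await dispatch_blocking(port)
        fixed = await dispatch_threaded(port)
    return blocked, fixed

def demo():
    return asyncio.run(run_demo())

if __name__ == "__main__":
    print(demo())
```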
