github ministackorg/ministack v1.3.64

[1.3.64] — 2026-06-15

Fixed

  • EC2 — source security groups (UserIdGroupPairs) now returned by DescribeSecurityGroupRules / DescribeSecurityGroups — AuthorizeSecurityGroupIngress/Egress rules that reference another security group were dropped at ingestion and never surfaced: DescribeSecurityGroupRules omitted ReferencedGroupInfo and DescribeSecurityGroups returned an empty <groups>. Source-group pairs are now parsed and emitted by both. Reported by @kamegoro.
  • Step Functions — mocked Throw responses now route to Catch — a SFN_MOCK_CONFIG Throw was raised above the state's Retry/Catch handling, so the execution always failed instead of routing to a matching Catch handler. The mocked error now flows through the same Retry/Catch machinery as a real task failure. Reported by @amissemer.
  • Glue — GetUserDefinedFunctions treats Pattern as a regular expression — the pattern was matched as a glob, so regex patterns (such as the Trino Glue connector's trino__<name>__.*) never matched; an invalid pattern now returns InvalidInputException. Contributed by @yonatoasis.
  • S3 — WebsiteRedirectLocation is now preserved — x-amz-website-redirect-location set on PutObject is now stored and returned by GetObject / HeadObject. Contributed by @murlock.
  • IAM — instance-profile tagging actions implemented — TagInstanceProfile, UntagInstanceProfile, and ListInstanceProfileTags previously failed with InvalidAction: Unknown IAM action. They are now handled, tags are stored on the instance-profile object (including tags supplied at CreateInstanceProfile time), and they read back from GetInstanceProfile / ListInstanceProfiles (via the Tags member) and ListInstanceProfileTags. This read-back lets Terraform's aws_iam_instance_profile settle to "No changes" on re-apply instead of detecting tag drift. Contributed by @c-julin.
  • EventBridge — input transformer reserved variables — substitute <aws.events.event.json>, <aws.events.event>, <aws.events.rule-name>, <aws.events.rule-arn>, and <aws.events.event.ingestion-time> so CDK-style templates that embed the source event deliver valid JSON. Contributed by @AbdoNile.
  • CloudFormation — GetTemplateSummary now returns Capabilities and CapabilitiesReason — the handler already accepted TemplateBody and returned Parameters / ResourceTypes correctly, but omitted the Capabilities and CapabilitiesReason fields. These are now computed from the template: CAPABILITY_NAMED_IAM for IAM resources with explicit name properties (RoleName, UserName, etc.), CAPABILITY_IAM for unnamed IAM resources, and CAPABILITY_AUTO_EXPAND for templates with a Transform. CapabilitiesReason uses the format confirmed against the AWS API: "The following resource(s) require capabilities: [<type>]". Contributed by @maximoosemine.
  • Lambda — CreateEventSourceMapping persists FilterCriteria — CreateEventSourceMapping was silently dropping the FilterCriteria parameter, so any filter specified at creation time was never applied. Contributed by @maximoosemine.
  • ECS — RunTask now applies containerOverrides.command to the launched Docker container — overridden commands (including an explicit empty command) were ignored at runtime because the Docker containers.run(...) call still used the task-definition command. The effective container definition now carries the matched override command into Docker, while non-overridden containers keep their defaults. Contributed by @noynoy83.
  • ECS — RunTask now injects containerDefinitions[].secrets from Secrets Manager — secret valueFrom references (including the :json-key: form that selects one field from a JSON secret) were silently dropped, so containers started without those environment variables. They are now resolved in-process and merged into the container environment before container overrides are applied; SSM Parameter Store references are not yet resolved. Reported by @kamegoro. Contributed by @kurok.
  • S3 — DeletePublicAccessBlock now actually clears the configuration — after delete, GetPublicAccessBlock returned a default all-blocked configuration with HTTP 200 instead of NoSuchPublicAccessBlockConfiguration (404), so the delete was not observable and Terraform's aws_s3_bucket_public_access_block delete waiter timed out (found resource), blocking terraform destroy. GetPublicAccessBlock now returns 404 when no configuration is set (never configured, or deleted). Reported by @kamegoro. Contributed by @kurok.
  • Lambda — CloudFormation-created ESMs now poll DynamoDB Streams — previously these streams were not polled. Contributed by @maximoosemine.
  • CloudWatch Logs — subscription filters now deliver matching log events to the destination Lambda — a SubscriptionFilter (created via CloudFormation or PutSubscriptionFilter) was provisioned but never forwarded log events, so the processor Lambda was never invoked. Matching events from PutLogEvents and from Lambda's own log emission are now delivered to Lambda destinations in AWS's awslogs gzip+base64 DATA_MESSAGE envelope, with a self-loop guard so a filter on a function's own log group can't recurse. Reported by @ankitaabad.
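
The ECS secrets item above describes resolving valueFrom references, including the :json-key: form, and merging them into the environment before overrides. The sketch below is an added example, not ministack's code: the in-memory SECRET_STORE, the ARNs, the function names and the fail-closed handling of a missing secret are assumptions, and only the json-key part of the ARN suffix is interpreted.

```python
import json

# Constructed stand-in for Secrets Manager; ARNs and values are made up.
DB_ARN = "arn:aws:secretsmanager:us-east-1:000000000000:secret:app/db-AbCdEf"
TOKEN_ARN = "arn:aws:secretsmanager:us-east-1:000000000000:secret:app/token-GhIjKl"
SECRET_STORE = {
    DB_ARN: '{"username": "app", "password": "constructed-example"}',
    TOKEN_ARN: "constructed-opaque-token",
}

def split_value_from(value_from):
    """Split a secret reference into (secret_arn, json_key or None)."""
    # The ARN itself has 7 colon-separated fields; ECS allows the suffix
    # :json-key:version-stage:version-id after it. Only json-key is used here.
    parts = value_from.split(":")
    if len(parts) < 7 or parts[0] != "arn" or parts[2] != "secretsmanager":
        # e.g. SSM Parameter Store ARNs, which the release note says are unresolved
        raise ValueError(f"unsupported secret reference: {value_from}")
    json_key = parts[7] if len(parts) > 7 and parts[7] else None
    return ":".join(parts[:7]), json_key

def resolve_secret(value_from, store=SECRET_STORE):
    """Return the secret string, or one field of it when a json-key is given."""
    secret_arn, json_key = split_value_from(value_from)
    if secret_arn not in store:
        raise LookupError(f"secret not found: {secret_arn}")  # fail closed
    raw = store[secret_arn]
    if json_key is None:
        return raw
    value = json.loads(raw)[json_key]  # KeyError if the field is absent
    return value if isinstance(value, str) else json.dumps(value)

def build_environment(container_def, override_env=()):
    """Merge plain environment, then secrets, then RunTask overrides (last wins)."""
    env = {e["name"]: e["value"] for e in container_def.get("environment", [])}
    for secret in container_def.get("secrets", []):
        env[secret["name"]] = resolve_secret(secret["valueFrom"])
    for e in override_env:
        env[e["name"]] = e["value"]
    return env

# Constructed container definition in the ECS task-definition shape.
SAMPLE_CONTAINER = {
    "environment": [{"name": "LOG_LEVEL", "value": "info"}],
    "secrets": [
        {"name": "DB_PASSWORD", "valueFrom": DB_ARN + ":password::"},
        {"name": "API_TOKEN", "valueFrom": TOKEN_ARN},
    ],
}
```

Raising on a missing secret or unsupported reference makes the gap visible at launch, which is the failure the release note describes as previously silent.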
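
The CloudWatch Logs item above names the awslogs gzip+base64 DATA_MESSAGE envelope and a self-loop guard. The following added example (not ministack's code) builds and decodes that envelope offline; the function names, the sample filter and events, the substring stand-in for filter-pattern matching, and the guard's comparison against /aws/lambda/<function-name> are assumptions.

```python
import base64
import gzip
import json

def lambda_log_group(function_arn):
    """Default log group of the Lambda function named in the ARN."""
    name = function_arn.split(":function:", 1)[1].split(":")[0]
    return "/aws/lambda/" + name

def build_envelope(log_group, log_stream, filter_name, log_events):
    """Wrap log events as the Lambda event: base64(gzip(JSON DATA_MESSAGE))."""
    message = {
        "messageType": "DATA_MESSAGE",
        "owner": "000000000000",  # constructed account id
        "logGroup": log_group,
        "logStream": log_stream,
        "subscriptionFilters": [filter_name],
        "logEvents": log_events,
    }
    packed = gzip.compress(json.dumps(message).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(packed).decode("ascii")}}

def decode_envelope(event):
    """What the destination Lambda does first: base64 decode, gunzip, parse."""
    packed = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(packed))

def deliver(log_group, log_stream, sub_filter, log_events):
    """Return the event to invoke the destination with, or None if nothing is sent."""
    if lambda_log_group(sub_filter["destinationArn"]) == log_group:
        return None  # self-loop guard: the destination's own logs would re-trigger it
    pattern = sub_filter["filterPattern"]  # simplification: plain substring match
    matched = [e for e in log_events if pattern in e["message"]]
    if not matched:
        return None
    return build_envelope(log_group, log_stream, sub_filter["filterName"], matched)

# Constructed subscription filter and log events.
ERROR_FILTER = {
    "filterName": "errors-to-processor",
    "filterPattern": "ERROR",
    "destinationArn": "arn:aws:lambda:us-east-1:000000000000:function:processor",
}
SAMPLE_EVENTS = [
    {"id": "1", "timestamp": 1781481600000, "message": "INFO request served"},
    {"id": "2", "timestamp": 1781481601000, "message": "ERROR login failed for user-id 42"},
]
```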
