What's Changed
New Contributors
- @chincharjuin made their first contribution in #1041
[1.3.72] — 2026-07-06
Added
- EC2 — placement group actions —
CreatePlacementGroup,DeletePlacementGroup, andDescribePlacementGroupsare implemented (they previously failed withInvalidAction: Unknown EC2 action), soaws_placement_groupin Terraform/CDK creates, reads, and deletes against MiniStack. Groups are account-scoped and tagged like every other EC2 resource (pg-ids,CreateTags/DescribeTags, andtag:/group-name/state/strategyfilters), duplicate names returnInvalidPlacementGroup.Duplicateand unknown names returnInvalidPlacementGroup.Unknown, andpartitionCountis emitted only for thepartitionstrategy — matching real EC2. Contributed by @c-julin. - Auto Scaling — groups report in-service instances so capacity waiters converge —
CreateAutoScalingGroup,UpdateAutoScalingGroup, and a newly handledSetDesiredCapacitynow materializeDesiredCapacitymock instances (InService/Healthy, round-robined across the group's Availability Zones), andDescribeAutoScalingGroups/DescribeAutoScalingInstancesreport them. Previously a group reported zero instances forever, so Terraform'saws_autoscaling_groupcapacity waiter blocked for the fullwait_for_capacity_timeoutand then failed on every apply; it now converges. Contributed by @c-julin.
Fixed
- Router — access key extraction from presigned-URL query parameters — the per-request account (multi-tenancy) and CloudTrail attribution were read only from the
Authorizationheader, so a presigned S3 URL created under a non-default account resolved to the default account and returned 404 on the bucket lookup. The access key is now also extracted from the SigV4X-Amz-Credentialand SigV2AWSAccessKeyIdquery parameters, matching how AWS honors query-string credentials as a general signing mechanism. Contributed by @neriyaco. - EKS — OIDC issuer scheme follows the gateway protocol — the cluster OIDC issuer advertised by
DescribeClusterand the discovery document was hardcoded tohttp, so Terraform'saws_iam_openid_connect_provider, which client-side rejects non-https urls, failed at plan time. The scheme now derives fromUSE_SSL:httpswhen the gateway serves TLS,httpotherwise, so the advertised issuer matches what MiniStack actually serves and IRSA Terraform applies against a TLS gateway. Reported by @c-julin. - DynamoDB —
UpdateItemvalidates values, andUPDATED_NEW/UPDATED_OLDmatch AWS —UpdateItemnow runs the same attribute and item-size validation asPutItem(it skipped it before), andUPDATED_NEW/UPDATED_OLDreport every attribute the update expression touched — including aSETthat assigns the same value, which was previously omitted as a no-op and diverged from AWS. String-set validation no longer rejects empty-string members. Contributed by @chincharjuin.