May 4, 2026 · v1.3.27
Two new services and a sweep of AWS-spec parity fixes. Every fix is anchored against botocore/data/<service>/service-2.json or the AWS API docs — not against guesswork.
In-memory audit log plus the control plane. Recording is opt-in via CLOUDTRAIL_RECORDING=1 (or the runtime config endpoint); when enabled, every API call MiniStack handles is appended to a per-account collections.deque capped at CLOUDTRAIL_MAX_EVENTS (default 10 000). requestParameters is scrubbed of secrets (SecretAccessKey, Password, AuthToken, Signature, Authorization, X-Amz-Security-Token, Credentials, SecretString, SecretBinary) before storage.
LookupEvents supports all 8 AWS LookupAttributeKey values verified against botocore: EventName, EventSource, Username, ResourceName, ResourceType, EventId, ReadOnly, AccessKeyId. Control-plane: CreateTrail, DeleteTrail, GetTrail, DescribeTrails, ListTrails, UpdateTrail, GetTrailStatus, StartLogging / StopLogging with real IsLogging state transitions, PutEventSelectors, GetEventSelectors, AddTags, ListTags, RemoveTags. Contributed by @AdigaAkhil.
$ aws --endpoint-url=http://localhost:4566 cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=CreateBucket
Service code resource-groups, API version 2017-11-27. 19 of the 23 spec operations: group CRUD (CreateGroup, GetGroup, DeleteGroup, UpdateGroup, ListGroups), resource queries (GetGroupQuery, UpdateGroupQuery), configuration (GetGroupConfiguration, PutGroupConfiguration), membership (GroupResources, UngroupResources, ListGroupResources, ListGroupingStatuses, SearchResources), tagging (Tag, Untag, GetTags), and account settings (GetAccountSettings, UpdateAccountSettings). Tag-sync ops (CancelTagSyncTask, GetTagSyncTask, ListTagSyncTasks, StartTagSyncTask) are intentionally omitted — they aren't exposed by the AWS CLI or the Terraform AWS provider.
Group input fields accept either the bare name or a full ARN; both forms normalise to the bare name internally. SearchResources is a stub that returns empty results and round-trips pagination tokens, since MiniStack doesn't maintain a global resource index across services. Requested by @staranto.
A sweep of divergences caught while reviewing the merge queue.
GetUsagePlanKey. GET /usageplans/{planId}/keys/{keyId} handler was missing; the per-key path fell through to a 404. Terraform's AWS provider issues this call right after CreateUsagePlanKey to confirm the resource exists, so every aws_api_gateway_usage_plan_key apply aborted with "couldn't find resource". Contributed by @marcin-nowak-scl.uri's {paramName} placeholders were forwarded literally; the inbound execute path was appended to the integration URI; the request query string was dropped. Now the request-parameter mappings (integration.request.path.X = method.request.path.X plus {proxy} for {proxy+}) are applied, the substituted URI is the upstream URL, and the query string is forwarded. Contributed by @marcin-nowak-scl.UpdateModel. PATCH /restapis/{id}/models/{name} was missing; Terraform aws_api_gateway_model updates 404'd.LOGICAL root home-directory mappings. HomeDirectoryMappings entries with Entry="/" failed to match SFTP paths because the resolver constructed an unreachable "//" prefix. Contributed by @stefanmb.Credentials.Expiration is int epoch seconds. The JSON path of AssumeRole / AssumeRoleWithWebIdentity / GetSessionToken returned a float; Java SDK v2 / Go SDK v2 timestamp parsers reject it. The XML path already used the ISO form correctly.ConditionalCheckFailedException populates Item. When a caller passes ReturnValuesOnConditionCheckFailure="ALL_OLD", AWS returns the prior item alongside the error so the caller doesn't have to re-fetch. PutItem / UpdateItem / DeleteItem / TransactWriteItems all honour it now (the failing CancellationReason in transactions also carries Item). Reported by @darkamgine.AWS::S3::Bucket preserves the physical resource id on stack update. Auto-named buckets (no explicit BucketName) used to get a new random name on every UpdateStack, breaking {Ref: Bucket} after redeploy — a Serverless Framework redeploy would point Lambdas at a brand-new empty bucket. Contributed by @erick-reis-gran.AWS::Lambda::Function returns real CodeSize and CodeSha256. Both were hardcoded (CodeSize missing, CodeSha256 = "cfn-deployed"); UIs displayed "NaN undefined" for code size. Now computed from the deployment-package bytes (len(zip) and base64-encoded SHA-256). Contributed by @erick-reis-gran.CloudTrail_20131101; backup and eks internal time helpers return int epoch instead of float (consistency with the project-wide convention).docker pull ministackorg/ministack:1.3.27 docker run -d -p 4566:4566 ministackorg/ministack:1.3.27
Or pin in compose.yaml:
services:
ministack:
image: ministackorg/ministack:1.3.27
ports:
- "4566:4566"
Shipped by the MiniStack community. Contributions credited throughout. GitHub · r/ministack