v1.3.29 — Step Functions aws-sdk parity push, EC2 VPC endpoint catalog, DDB legacy AttributeUpdates

May 6, 2026 · v1.3.29

Two new endpoints, four parity fixes — most of them concentrated on the Step Functions aws-sdk integration surface that real Terraform / CDK pipelines hit on every plan and apply.

1. EC2 DescribeVpcEndpointServices

Returns the standard catalog every Terraform / CDK template probes when planning VPC endpoints: 2 Gateway services (s3, dynamodb) and 17 Interface PrivateLink services (sts, logs, sqs, sns, kinesis, lambda, ssm, ssmmessages, ec2messages, secretsmanager, kms, ec2, monitoring, events, ecr.api, ecr.dkr, execute-api) with region-templated DNS names, owner=amazon, and stable per-service IDs (sha256, deterministic across restarts). ServiceNames, service-name, and service-type filters are honoured.

$ aws --endpoint-url=http://localhost:4566 ec2 describe-vpc-endpoint-services \
    --filters Name=service-type,Values=Gateway
{
  "ServiceNames": ["com.amazonaws.us-east-1.s3", "com.amazonaws.us-east-1.dynamodb"],
  ...
}

Reported by @svenikea.

2. DynamoDB legacy AttributeUpdates

The pre-expression UpdateItem parameter — AttributeUpdates with PUT (default), DELETE (full removal or set subtract via Value), and ADD (numeric increment or set union) actions — is now applied. Mutually exclusive with UpdateExpression: passing both returns the AWS-shape ValidationException. DELETE with a Value on a non-set attribute, and ADD on a non-numeric/non-set attribute, also raise ValidationException matching real DynamoDB.

The .NET AWS SDK's UpdateItem path uses this parameter under the hood for upserts; without it, all non-key fields silently dropped on the round-trip. Reported by @gnjack.

3. Step Functions aws-sdk:ec2 security-group compatibility

EC2's Query protocol isn't quite AWS Query — list members are bare-numbered (Filter.1.Value.1) instead of the member.N convention every other Query service uses. The Step Functions aws-sdk dispatcher was emitting member.N for EC2, so calls like aws-sdk:ec2:describeSecurityGroups never matched.

Now the dispatcher routes EC2 through a per-service flattener: CreateSecurityGroup maps the SDK Description input to the wire-name GroupDescription, DescribeSecurityGroups sends EC2-shaped filters, and the XML adapter normalises SecurityGroupInfo back to the AWS SDK output key SecurityGroups. Verified against botocore/data/ec2/2016-11-15/service-2.json. Contributed by @jayjanssen.

4. Step Functions aws-sdk:s3 integration

S3 was tagged as a generic rest-protocol with no dispatcher: every aws-sdk:s3:* call failed at runtime with States.Runtime — aws-sdk integration for rest-protocol service 's3' is not yet implemented. A new REST-XML dispatcher drives a hand-tabled spec for the most common S3 control-plane operations:

• ListBuckets, CreateBucket, DeleteBucket, HeadBucket, GetBucketVersioning
• ListObjectsV2, ListObjects, HeadObject, CopyObject, DeleteObject
• GetObjectTagging, PutObjectTagging

Each operation maps its Parameters fields to the URI / querystring / header location modelled in botocore's service-2.json, and the XML response is normalised to MiniStack's PascalCase SFN convention. GetObject / PutObject (Body-bearing operations) are deferred to Phase 2 pending a documented Body shape for binary payloads. Reported by @LeTrungNguyen1703.

5. SQS ReceiveMessage honours MessageSystemAttributeNames

The SQS service model marks AttributeNames as deprecated — modern SDK callers (Java SDK v2, Kotlin) send MessageSystemAttributeNames instead. MiniStack only read the deprecated field, so every modern-SDK consumer got an empty Attributes map even when they requested All. That broke ApproximateReceiveCount-based redelivery detection and DLQ logic for any Java SDK v2 caller. Both names are now honoured. Contributed by @joaomena.

6. CFN AWS::SNS::Subscription honours RawMessageDelivery

The CloudFormation provisioner read FilterPolicyScope and FilterPolicy from the resource properties but silently ignored RawMessageDelivery. SQS subscribers consequently received the SNS-wrapped envelope JSON even when the template explicitly set RawMessageDelivery=true, breaking attribute-based routing for any consumer reading SQS-level MessageAttributes. Now the provisioner stores the flag, and SNS publishes deliver the raw payload as configured. Contributed by @joaomena.

Upgrade

docker pull ministackorg/ministack:1.3.29
docker run -d -p 4566:4566 ministackorg/ministack:1.3.29

Or pin in compose.yaml:

services:
  ministack:
    image: ministackorg/ministack:1.3.29
    ports:
      - "4566:4566"