May 13, 2026 · v1.3.38
Five new CloudFormation provisioners closing the gap for HTTPS, ALB, RDS, and CDK Step Functions stacks. ECS tasks can now fetch IAM role credentials end-to-end with unmodified AWS SDKs.
Real ECS injects AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/<uuid> per task; the SDK resolves it against 169.254.170.2 to fetch task-role credentials. MiniStack now serves the same path on the gateway and returns the AWS-strict 5-field credentials document — AccessKeyId, SecretAccessKey, Token, Expiration, RoleArn — distinct from the IMDS shape served at /latest/meta-data/iam/security-credentials/<role>.
Alongside, RunTask injects AWS_CONTAINER_CREDENTIALS_FULL_URI (the full-URI form, used because MiniStack isn't on the magic 169.254.170.2 IP), AWS_CONTAINER_AUTHORIZATION_TOKEN (satisfies botocore's allow-list for non-loopback gateway hosts like host.docker.internal or a Docker bridge IP), and AWS_ENDPOINT_URL (so SDK service calls auto-route to the gateway). Together with the existing ECS_CONTAINER_METADATA_URI_V4, unmodified AWS SDKs running inside an emulated ECS task now use MiniStack end-to-end with no client config. Contributed by @YakirOren.
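The exchange described above, seen from the client side, as an added example (not MiniStack's or the AWS SDK's code): resolve the credentials URL from the task environment, send the authorization token, and check that the response is the 5-field container shape rather than the IMDS shape. `StubGateway`, the token value and the sample document are constructed for this example, and the stub's rejection of requests without the token is an assumption, not documented MiniStack behaviour.

```python
import json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUIRED = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration", "RoleArn")
IMDS_ONLY = ("Code", "LastUpdated", "Type")  # present only in the IMDS role-credentials shape
TOKEN = "example-token"  # constructed value
# Constructed sample document; every value is a placeholder.
SAMPLE = {"AccessKeyId": "ASIAEXAMPLEEXAMPLE", "SecretAccessKey": "example-secret",
          "Token": "example-session-token", "Expiration": "2030-01-01T00:00:00Z",
          "RoleArn": "arn:aws:iam::000000000000:role/example-task-role"}

def credentials_url(env):
    # The relative URI resolves against 169.254.170.2; otherwise the full URI is used as is.
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    return "http://169.254.170.2" + rel if rel else env["AWS_CONTAINER_CREDENTIALS_FULL_URI"]

def shape_problems(doc):
    # An empty list means the document is the 5-field container-credentials shape.
    problems = ["missing " + k for k in REQUIRED if not doc.get(k)]
    return problems + ["IMDS-only field " + k for k in IMDS_ONLY if k in doc]

def fetch(env):
    token = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN")
    headers = {"Authorization": token} if token else {}
    req = urllib.request.Request(credentials_url(env), headers=headers)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars
    with opener.open(req, timeout=2) as resp:
        return json.load(resp)

class StubGateway(BaseHTTPRequestHandler):
    # Local stand-in for the gateway; requiring the token is this stub's assumption.
    def do_GET(self):
        ok = self.path.startswith("/v2/credentials/") and self.headers.get("Authorization") == TOKEN
        body = json.dumps(SAMPLE if ok else {"message": "denied"}).encode()
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/v2/credentials/example-task-id" % server.server_port
    env = {"AWS_CONTAINER_CREDENTIALS_FULL_URI": url, "AWS_CONTAINER_AUTHORIZATION_TOKEN": TOKEN}
    try:
        return shape_problems(fetch(env))
    finally:
        server.shutdown()
```

Calling `shape_problems` on a response captured from inside an emulated task flags a gateway that answers the container path with the IMDS shape.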
AWS::CertificateManager::Certificate
Any HTTPS-related IaC stack needs ACM. MiniStack already had the ACM data plane; the CFN provisioner was missing, so stacks failed at provision time with Unsupported resource type. The new handler writes a certificate record matching RequestCertificate, returns the ARN as the physical id (so Ref resolves to the ARN), and honours DomainName, SubjectAlternativeNames, ValidationMethod, Tags, KeyAlgorithm, and CertificateTransparencyLoggingPreference. Reported by @parv0888.
AWS::ElasticLoadBalancingV2::TargetGroup and ListenerRule
MiniStack's ALB CFN story was previously partial: LoadBalancer and Listener provisioned, but TargetGroup was missing, leaving the listener with nothing to forward to. The new TargetGroup handler writes a record matching CreateTargetGroup with AWS-documented defaults (HTTP / port 80, health-check interval 30, healthy/unhealthy thresholds 5/2, matcher 200) and honours Tags and TargetGroupAttributes.
The new ListenerRule handler provisions host- and path-based ALB routing. Conditions accept both the flat {Field, Values} shape and CFN's per-field nested config form (PathPatternConfig.Values, HostHeaderConfig.Values, HttpHeaderConfig, HttpRequestMethodConfig, QueryStringConfig, SourceIpConfig). Actions support forward, redirect, and fixed-response. Reported by @parv0888.
AWS::RDS::DBInstance
Standalone DB instances (non-Aurora) and Aurora cluster members now provision. The handler writes an instance record matching CreateDBInstance, metadata-only like the existing AWS::RDS::DBCluster handler. The Docker container spawn remains on the CLI/SDK path, so aws rds create-db-instance still gives you a real database; CFN-provisioned instances are metadata-only.
Aurora cluster members automatically inherit master credentials from their parent cluster. Fn::GetAtt returns Endpoint.Address, Endpoint.Port, DbiResourceId, and DBInstanceArn. Reported by @parv0888.
Definition and DefinitionS3Location
CDK's DefinitionBody.fromFile() emits DefinitionS3Location referencing an S3 asset, and DefinitionBody.fromString() emits the inline Definition object. MiniStack previously honoured only DefinitionString and silently fell back to {}, producing InvalidDefinition: StartAt state 'None' not found at execution time.
Both forms are now honoured. DefinitionS3Location is fetched from the in-memory S3 service, and DefinitionSubstitutions placeholders (${KEY}) are applied to the resolved definition. Reported by @youngkwangk.
connectivityAt and stoppingAt were set on tasks but missing from the timestamp normalization set, so they shipped as ISO strings in DescribeTasks / ListTasks. The Go AWS SDK v2 (strict JSON 1.1 timestamp parsing) rejected the response; boto3 was lenient and hid the issue. Both fields are now epoch-normalized alongside the other task timestamps. Contributed by @YakirOren.
AWS::ECS::TaskDefinition populates registeredAt, registeredBy, and compatibilities
The CFN provisioner constructed task-definition records without these three fields, so DescribeTaskDefinition returned them as missing for CFN-created TDs even though the CLI/SDK path always set them. Workloads that read registeredAt (e.g. the ARMO ECS operator and other reconcilers) had to fall back to time.Now(). The CFN path now mirrors the CLI path. Contributed by @YakirOren.
docker pull ministackorg/ministack:1.3.38
docker run -d -p 4566:4566 ministackorg/ministack:1.3.38
Or pin in compose.yaml:
services:
  ministack:
    image: ministackorg/ministack:1.3.38
    ports:
      - "4566:4566"
Shipped by the MiniStack community. Contributions credited throughout.