June 15, 2026 · v1.3.64
v1.3.64 is a fixes release — AWS-parity corrections across EC2, ECS, S3, CloudFormation, Lambda, CloudWatch Logs, EventBridge, Step Functions, Glue, and IAM, every one driven by a reported issue or a contributed PR.
UserIdGroupPairs) are returned by DescribeSecurityGroupRules and DescribeSecurityGroups. An AuthorizeSecurityGroupIngress / Egress rule that references another security group was dropped at ingestion and never surfaced — DescribeSecurityGroupRules omitted ReferencedGroupInfo and DescribeSecurityGroups returned an empty <groups>, so Terraform and the CLI saw the rule as missing. Source-group pairs are now parsed from the request and emitted by both APIs. Reported by @kamegoro.

RunTask injects containerDefinitions[].secrets from Secrets Manager. Secret valueFrom references — including the :json-key: form that selects one field from a JSON secret — were silently dropped, so containers started without those environment variables. They are now resolved in-process and merged into the container environment before container overrides are applied (SSM Parameter Store references are not yet resolved). Reported by @kamegoro. Contributed by @kurok.

RunTask applies containerOverrides.command to the launched container. An overridden command (including an explicit empty command) was ignored at runtime because the Docker containers.run(...) call still used the task-definition command; the effective container definition now carries the matched override command into Docker, while non-overridden containers keep their defaults. Contributed by @noynoy83.

DeletePublicAccessBlock now actually clears the configuration. After a delete, GetPublicAccessBlock returned a default all-blocked configuration with HTTP 200 instead of NoSuchPublicAccessBlockConfiguration (404), so the delete was not observable and Terraform's aws_s3_bucket_public_access_block delete waiter timed out, blocking terraform destroy. GetPublicAccessBlock now returns 404 when no configuration is set. Reported by @kamegoro. Contributed by @kurok.

WebsiteRedirectLocation is preserved. The x-amz-website-redirect-location header set on PutObject is now stored and returned by GetObject / HeadObject. Contributed by @murlock.

GetTemplateSummary returns Capabilities and CapabilitiesReason. The handler accepted TemplateBody and returned Parameters / ResourceTypes but omitted the capability fields, so tooling could not tell that a template needed --capabilities. They are now computed from the template: CAPABILITY_NAMED_IAM for IAM resources with explicit name properties, CAPABILITY_IAM for unnamed IAM resources, and CAPABILITY_AUTO_EXPAND for templates with a Transform. Contributed by @maximoosemine.

CreateEventSourceMapping persists FilterCriteria. The parameter was silently dropped at creation time, so any filter specified on the mapping was never applied and never read back by GetEventSourceMapping. Contributed by @maximoosemine.

FunctionName was a full ARN with a qualifier was mis-parsed, so the poller could not resolve the function and the stream was never consumed; a LATEST mapping on an initially-empty table also skipped its first record. Both are fixed. Contributed by @maximoosemine.

SubscriptionFilter created via CloudFormation or PutSubscriptionFilter was provisioned but never forwarded log events, so the processor Lambda was never invoked. Matching events from PutLogEvents and from Lambda's own log emission are now delivered to Lambda destinations in AWS's awslogs gzip+base64 DATA_MESSAGE envelope, with a self-loop guard so a filter on a function's own log group can't recurse. Reported by @ankitaabad.

<aws.events.event.json>, <aws.events.event>, <aws.events.rule-name>, <aws.events.rule-arn>, and <aws.events.event.ingestion-time> were left literal, producing invalid JSON in the delivered payload — breaking CDK-style templates that embed the source event. They now resolve to the matched event, rule metadata, and a generated ingestion timestamp. Contributed by @AbdoNile.

Throw responses route to Catch. A SFN_MOCK_CONFIG Throw was raised above the state's Retry/Catch handling, so the execution always failed instead of routing to a matching Catch handler. The mocked error now flows through the same Retry/Catch machinery as a real task failure. Reported by @amissemer.

GetUserDefinedFunctions treats Pattern as a regular expression. The pattern was matched as a glob, so regex patterns — such as the Trino Glue connector's trino__<name>__.* — never matched; an invalid pattern now returns InvalidInputException. Contributed by @yonatoasis.

TagInstanceProfile, UntagInstanceProfile, and ListInstanceProfileTags previously failed with InvalidAction; they are now handled, tags are stored (including those supplied at CreateInstanceProfile time) and read back from GetInstanceProfile / ListInstanceProfiles, so Terraform's aws_iam_instance_profile settles to “No changes” on re-apply. Contributed by @c-julin.

docker pull ministackorg/ministack:1.3.64
docker run -d -p 4566:4566 ministackorg/ministack:1.3.64
Or pin in compose.yaml:
services:
  ministack:
    image: ministackorg/ministack:1.3.64
    ports:
      - "4566:4566"
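For the CloudWatch Logs subscription-filter fix above, here is an added example (not MiniStack's code) of both sides of the awslogs envelope: a producer that wraps matched events, a self-loop check, and a processor Lambda that decodes the payload with a bound on decompressed size. The function names, the 1 MiB cap, the account id, and the sample event are constructed for illustration.

```python
import base64
import gzip
import io
import json

MAX_DECODED = 1 << 20  # assumed cap on decompressed size (1 MiB)
SAMPLE_EVENTS = [  # constructed sample log event
    {"id": "1", "timestamp": 1700000000000, "message": "ERROR login failed user=alice"},
]

def build_envelope(log_group, log_stream, filter_name, events, message_type="DATA_MESSAGE"):
    """Producer side: wrap matched events as gzip+base64 under event['awslogs']['data']."""
    payload = {
        "messageType": message_type,
        "owner": "000000000000",  # placeholder account id
        "logGroup": log_group,
        "logStream": log_stream,
        "subscriptionFilters": [filter_name],
        "logEvents": events,
    }
    raw = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(raw).decode("ascii")}}

def is_self_loop(source_log_group, destination_function):
    """True when the filter sits on the destination function's own log group."""
    return source_log_group == f"/aws/lambda/{destination_function}"

def decode_envelope(event, max_bytes=MAX_DECODED):
    """Consumer side: strict base64, bounded gunzip, then check the message type."""
    raw = base64.b64decode(event["awslogs"]["data"], validate=True)
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        data = gz.read(max_bytes + 1)  # read one byte past the cap to detect overflow
    if len(data) > max_bytes:
        raise ValueError("decompressed payload exceeds limit")
    msg = json.loads(data)
    if msg.get("messageType") != "DATA_MESSAGE":
        return None  # non-data messages carry no log events to process
    return msg

def handler(event, context=None):
    """Processor Lambda: return (log group, timestamp, message) per delivered event."""
    msg = decode_envelope(event)
    if msg is None:
        return []
    return [(msg["logGroup"], e["timestamp"], e["message"]) for e in msg["logEvents"]]
```

A processor written this way can be pointed at MiniStack to confirm that a subscription filter now invokes it, and the size bound keeps a malformed or oversized payload from exhausting the function's memory.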
Issues and PRs welcome on GitHub. Discussion on r/ministack.