June 19, 2026 · v1.3.65
v1.3.65 is a fixes release — AWS-parity corrections across Auto Scaling, S3, API Gateway, EC2, Glue, Lambda, and ECS, driven by reported issues and contributed PRs.
StartInstanceRefresh, DescribeInstanceRefreshes, and CancelInstanceRefresh previously failed with InvalidAction: Unknown AutoScaling action. They are now handled and recorded on the Auto Scaling group, so a refresh can be started, polled, and cancelled. Contributed by @c-julin.GetBucketOwnershipControls now 404s after delete. It always returned a default ownership block with HTTP 200, so DeleteBucketOwnershipControls was not observable and Terraform's delete waiter looped (found resource), blocking terraform destroy. It now returns OwnershipControlsNotFoundError (404) once controls have been deleted, while still reporting the default Object Ownership for a never-configured bucket. Contributed by @c-julin.ms-custom-id tag. AWS::ApiGatewayV2::Api resources always received a random API id, ignoring an ms-custom-id tag in the template — even though the direct CreateApi path and the v1 REST provisioner already honoured it. The v2 provisioner now resolves the custom id before falling back to a generated one. Contributed by @hiddengearz.UserIdGroupPairs) are returned by DescribeSecurityGroupRules and DescribeSecurityGroups. An AuthorizeSecurityGroupIngress / Egress rule that references another security group was dropped at ingestion and never surfaced — DescribeSecurityGroupRules omitted ReferencedGroupInfo and DescribeSecurityGroups returned an empty <groups>. Source-group pairs are now parsed from the request and emitted by both APIs. Reported by @kamegoro. Contributed by @kurok.GetUserDefinedFunctions accepts java.util.regex \Q…\E patterns. Real AWS compiles Pattern with java.util.regex, so clients like Trino's Glue connector send literal-quoted patterns (e.g. trino__\Qname\E__.*); Python's re rejected \Q…\E with InvalidInputException: Invalid pattern syntax. The literal-quote sequences are now translated before matching. Contributed by @yonatoasis.get_state base64-encoded every code_zip inline into lambda.json, so a deployment with many large zips (e.g. 26 functions × ~30 MB) produced a ~1 GB state file that OOM'd on warm boot while decoding. Code bytes are now written as content-addressed blobs alongside the state and loaded lazily. Contributed by @mattwang44.ListLayers showed them. The provisioner now stores the layer bytes.LATEST at create time. Matching the CreateEventSourceMapping API path, a LATEST mapping now skips records that already existed when the stack was deployed instead of replaying them; this is a no-op for SQS / Kinesis sources.RunTask secrets now resolve SSM Parameter Store references. containerDefinitions[].secrets valueFrom entries pointing at SSM parameters were previously left unresolved; they are now fetched in-process and injected into the container environment alongside Secrets Manager references.docker pull ministackorg/ministack:1.3.65 docker run -d -p 4566:4566 ministackorg/ministack:1.3.65
Or pin in compose.yaml:
services:
ministack:
image: ministackorg/ministack:1.3.65
ports:
- "4566:4566"
Issues and PRs welcome on GitHub. Discussion on r/ministack.