CloudFormation engine

MiniStack ships its own CloudFormation engine — not a template-to-SDK translator. Templates are parsed, intrinsics are evaluated, and resources are provisioned by calling each service's internal create-path directly. This page is the reference for what the engine supports.

85 resource types 15 intrinsics change sets cross-stack exports

Stack lifecycle

Stacks move through the standard CloudFormation states. All transitions are synchronous from the API's perspective — the create call returns when the stack reaches a terminal state.

Transition	States visited
Create	`CREATE_IN_PROGRESS` → `CREATE_COMPLETE` / `CREATE_FAILED` / `ROLLBACK_COMPLETE`
Update	`UPDATE_IN_PROGRESS` → `UPDATE_COMPLETE` / `UPDATE_FAILED` / `UPDATE_ROLLBACK_COMPLETE`
Delete	`DELETE_IN_PROGRESS` → `DELETE_COMPLETE` / `DELETE_FAILED`

Resources are provisioned in dependency order (parameters → conditions → resources by DependsOn / Ref / Fn::GetAtt edges). On failure, provisioned resources are rolled back in reverse order.

Stack events are emitted per resource transition and retrievable via DescribeStackEvents. Termination protection is honored — UpdateTerminationProtection prevents DeleteStack while set.

Intrinsics

All 15 CloudFormation intrinsics plus the standard pseudo-parameters are supported. Evaluation is recursive and order-independent within a template.

Intrinsic	Notes
`Ref`	Parameters → default/override; resources → physical ID.
`Fn::GetAtt`	Scalar `Resource.Attribute` or list form. Split on first dot for nested attrs.
`Fn::Sub`	`${Var}` and `${Resource.Attr}` substitution, including explicit variable map.
`Fn::Join`	Delimiter + list.
`Fn::Split`	Delimiter split into a list.
`Fn::Select`	Zero-indexed element from a list.
`Fn::FindInMap`	Three-level Mappings lookup.
`Fn::If` / `Fn::Equals` / `Fn::And` / `Fn::Or` / `Fn::Not`	Full conditional evaluation. Resources/outputs can be gated by a `Condition`.
`Fn::Base64`	UTF-8 → base64.
`Fn::Cidr`	CIDR subnet calculator.
`Fn::GetAZs`	Returns four pseudo-AZs per region (`a`, `b`, `c`, `d`).
`Fn::ImportValue`	Cross-stack import (by `Outputs[].Export.Name`).

Pseudo-parameters

AWS::Region — from the caller's SigV4 scope; not a server-wide value.
AWS::AccountId — from the request's account.
AWS::StackName, AWS::StackId — from the stack being provisioned.
AWS::Partition — hardcoded to aws.
AWS::NotificationARNs — parsed; SNS notifications are not dispatched.
AWS::NoValue — drops properties at substitution time.

Resource types

85 resource types across 22 AWS services. Each type has a provisioner in ministack/services/cloudformation/provisioners.py that knows how to call the target service's internal create/update/delete.

Compute & containers

AWS::Lambda::Function AWS::Lambda::Version AWS::Lambda::Alias AWS::Lambda::Permission AWS::Lambda::Layer AWS::Lambda::EventSourceMapping AWS::ECS::Cluster AWS::ECS::TaskDefinition AWS::ECS::Service AWS::EC2::Instance AWS::EC2::LaunchTemplate AWS::EKS::Cluster AWS::EKS::Nodegroup AWS::AutoScaling::AutoScalingGroup AWS::AutoScaling::LaunchConfiguration AWS::AutoScaling::ScalingPolicy AWS::AutoScaling::LifecycleHook AWS::AutoScaling::ScheduledAction

Networking

AWS::EC2::VPC AWS::EC2::Subnet AWS::EC2::SecurityGroup AWS::EC2::InternetGateway AWS::EC2::VPCGatewayAttachment AWS::EC2::RouteTable AWS::EC2::Route AWS::EC2::SubnetRouteTableAssociation AWS::ElasticLoadBalancingV2::LoadBalancer AWS::ElasticLoadBalancingV2::Listener AWS::ElasticLoadBalancingV2::TargetGroup AWS::Route53::HostedZone AWS::Route53::RecordSet AWS::CloudFront::Distribution

Storage & data

AWS::S3::Bucket AWS::S3::BucketPolicy AWS::DynamoDB::Table AWS::RDS::DBCluster AWS::Kinesis::Stream AWS::ECR::Repository

Messaging & events

AWS::SQS::Queue AWS::SQS::QueuePolicy AWS::SNS::Topic AWS::SNS::Subscription AWS::SNS::TopicPolicy AWS::Events::EventBus AWS::Events::Rule AWS::StepFunctions::StateMachine AWS::Pipes::Pipe AWS::Scheduler::Schedule AWS::Scheduler::ScheduleGroup

APIs

AWS::ApiGateway::RestApi AWS::ApiGateway::Resource AWS::ApiGateway::Method AWS::ApiGateway::Deployment AWS::ApiGateway::Stage AWS::ApiGatewayV2::Api AWS::ApiGatewayV2::Stage AWS::AppSync::GraphQLApi AWS::AppSync::GraphQLSchema AWS::AppSync::DataSource AWS::AppSync::Resolver AWS::AppSync::ApiKey

Security, identity, logging

AWS::IAM::Role AWS::IAM::Policy AWS::IAM::ManagedPolicy AWS::IAM::InstanceProfile AWS::KMS::Key AWS::KMS::Alias AWS::SecretsManager::Secret AWS::Cognito::UserPool AWS::Cognito::UserPoolClient AWS::Cognito::UserPoolDomain AWS::Cognito::IdentityPool AWS::Logs::LogGroup AWS::CloudWatch::Alarm AWS::WAFv2::WebACL AWS::SES::EmailIdentity AWS::CodeBuild::Project

Utility

AWS::CloudFormation::WaitCondition AWS::CloudFormation::WaitConditionHandle AWS::CDK::Metadata

Any resource type not in this list fails stack creation with UnsupportedResource. File an issue if you need one added — many are a few hours of work.

Change sets

CreateChangeSet, DescribeChangeSet, ExecuteChangeSet, DeleteChangeSet, and ListChangeSets are fully wired. The engine diffs the current stack against the proposed template and emits a set of ResourceChange entries — your IaC tool can preview before applying.

Outputs & exports

Outputs are computed after all resources settle. Outputs[].Export.Name publishes a value into a global export table that downstream stacks import with Fn::ImportValue. ListExports and ListImports work as expected.

Gaps

Stack policy is stored but not enforced. SetStackPolicy / GetStackPolicy round-trip; updates succeed regardless.
AWS::NotificationARNs SNS fan-out is not dispatched. The ARN list is accepted but no notifications flow out.
Drift detection is not implemented. DetectStackDrift will report no drift.
Nested stacks — supported via AWS::CloudFormation::Stack (if not listed above, treat as not yet).
Third-party resource types / modules — not supported.

Inspecting unsupported resources: when a stack fails with UnsupportedResource, the event includes the type name. Cross-reference against the lists above to know if it's a gap or a typo.