
CloudFormation engine

MiniStack ships its own CloudFormation engine — not a template-to-SDK translator. Templates are parsed, intrinsics are evaluated, and resources are provisioned by calling each service's internal create-path directly. This page is the reference for what the engine supports.

85 resource types · 15 intrinsics · change sets · cross-stack exports

Stack lifecycle

Stacks move through the standard CloudFormation states. All transitions are synchronous from the API's perspective — the create call returns when the stack reaches a terminal state.

| Transition | States visited |
| --- | --- |
| Create | CREATE_IN_PROGRESS → CREATE_COMPLETE / CREATE_FAILED / ROLLBACK_COMPLETE |
| Update | UPDATE_IN_PROGRESS → UPDATE_COMPLETE / UPDATE_FAILED / UPDATE_ROLLBACK_COMPLETE |
| Delete | DELETE_IN_PROGRESS → DELETE_COMPLETE / DELETE_FAILED |

Resources are provisioned in dependency order (parameters → conditions → resources by DependsOn / Ref / Fn::GetAtt edges). On failure, provisioned resources are rolled back in reverse order.
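The ordering rule above, sketched as an added example (this is not MiniStack's own code): edges are collected from DependsOn, Ref and Fn::GetAtt, the graph is sorted topologically, and rollback walks the already-provisioned prefix in reverse. The template, logical IDs and helper names are constructed for illustration.

```python
from graphlib import TopologicalSorter

# Constructed sample template (not from the MiniStack docs).
TEMPLATE = {
    "Parameters": {"Env": {"Type": "String", "Default": "dev"}},
    "Resources": {
        "Fn": {"Type": "AWS::Lambda::Function", "DependsOn": "Logs",
               "Properties": {"Role": {"Fn::GetAtt": "Role.Arn"},
                              "Description": {"Ref": "Env"}}},
        "Role": {"Type": "AWS::IAM::Role", "Properties": {}},
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},
        "Logs": {"Type": "AWS::Logs::LogGroup", "Properties": {}},
        "Map": {"Type": "AWS::Lambda::EventSourceMapping",
                "Properties": {"FunctionName": {"Ref": "Fn"},
                               "EventSourceArn": {"Fn::GetAtt": ["Queue", "Arn"]}}},
    },
}

def edges(node, names):
    """Yield logical IDs referenced via Ref / Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref":
                if val in names:  # a Ref to a parameter is not a resource edge
                    yield val
            elif key == "Fn::GetAtt":
                target = val.split(".", 1)[0] if isinstance(val, str) else val[0]
                if target in names:
                    yield target
            else:
                yield from edges(val, names)
    elif isinstance(node, list):
        for item in node:
            yield from edges(item, names)

def provision_order(template):
    """Topologically sort resources so every dependency is created first."""
    resources = template["Resources"]
    graph = {}
    for name, body in resources.items():
        deps = set(edges(body.get("Properties", {}), resources))
        explicit = body.get("DependsOn", [])
        deps.update([explicit] if isinstance(explicit, str) else explicit)
        graph[name] = deps
    return list(TopologicalSorter(graph).static_order())  # CycleError on a cycle

def rollback_order(order, failed):
    """Resources provisioned before `failed`, newest first."""
    return order[:order.index(failed)][::-1]
```

A circular reference between two resources surfaces as `graphlib.CycleError` rather than a partial order.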

Stack events are emitted per resource transition and retrievable via DescribeStackEvents. Termination protection is honored — UpdateTerminationProtection prevents DeleteStack while set.

Intrinsics

All 15 CloudFormation intrinsics plus the standard pseudo-parameters are supported. Evaluation is recursive and order-independent within a template.

| Intrinsic | Notes |
| --- | --- |
| Ref | Parameters → default/override; resources → physical ID. |
| Fn::GetAtt | Scalar Resource.Attribute or list form. Split on first dot for nested attrs. |
| Fn::Sub | ${Var} and ${Resource.Attr} substitution, including explicit variable map. |
| Fn::Join | Delimiter + list. |
| Fn::Split | Delimiter split into a list. |
| Fn::Select | Zero-indexed element from a list. |
| Fn::FindInMap | Three-level Mappings lookup. |
| Fn::If / Fn::Equals / Fn::And / Fn::Or / Fn::Not | Full conditional evaluation. Resources/outputs can be gated by a Condition. |
| Fn::Base64 | UTF-8 → base64. |
| Fn::Cidr | CIDR subnet calculator. |
| Fn::GetAZs | Returns four pseudo-AZs per region (a, b, c, d). |
| Fn::ImportValue | Cross-stack import (by Outputs[].Export.Name). |

Pseudo-parameters

  • AWS::Region — from the caller's SigV4 scope; not a server-wide value.
  • AWS::AccountId — from the request's account.
  • AWS::StackName, AWS::StackId — from the stack being provisioned.
  • AWS::Partition — hardcoded to aws.
  • AWS::NotificationARNs — parsed; SNS notifications are not dispatched.
  • AWS::NoValue — drops properties at substitution time.
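
The recursive evaluation described in the intrinsics table and the pseudo-parameter list, as an added example covering a subset (Ref, Fn::GetAtt, Fn::If, Fn::Join, Fn::Sub, AWS::NoValue). It illustrates the documented semantics and is not MiniStack's own code; the `resolve` function, the context layout and the sample values are constructed, and dropping AWS::NoValue from lists as well as mappings is an assumption of this sketch.

```python
import re

NO_VALUE = object()  # sentinel standing in for AWS::NoValue

def resolve(node, ctx):
    """Recursively evaluate intrinsics in `node` against a constructed context."""
    if isinstance(node, list):
        return [v for v in (resolve(i, ctx) for i in node) if v is not NO_VALUE]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":  # NoValue, then (pseudo-)parameters, then the physical ID
            if arg == "AWS::NoValue":
                return NO_VALUE
            return ctx["params"][arg] if arg in ctx["params"] else ctx["resources"][arg]["Ref"]
        if fn == "Fn::GetAtt":  # scalar form splits on the first dot only
            res, attr = arg.split(".", 1) if isinstance(arg, str) else arg
            return ctx["resources"][res][attr]
        if fn == "Fn::If":
            cond, if_true, if_false = arg
            return resolve(if_true if ctx["conditions"][cond] else if_false, ctx)
        if fn == "Fn::Join":
            sep, parts = arg
            return sep.join(str(p) for p in resolve(parts, ctx))
        if fn == "Fn::Sub":
            text, local = arg if isinstance(arg, list) else (arg, {})
            local = resolve(local, ctx)
            def repl(m):
                name = m.group(1)
                if name in local:  # the explicit variable map wins
                    return str(local[name])
                ref = {"Fn::GetAtt": name} if "." in name else {"Ref": name}
                return str(resolve(ref, ctx))
            return re.sub(r"\$\{([^}!][^}]*)\}", repl, text)  # ${!x} escapes left as-is
    # plain mapping: resolve children, drop any that became AWS::NoValue
    out = {k: resolve(v, ctx) for k, v in node.items()}
    return {k: v for k, v in out.items() if v is not NO_VALUE}

# Constructed sample context and properties (not from the MiniStack docs).
CTX = {
    "params": {"Env": "dev", "AWS::Region": "us-east-1"},
    "conditions": {"IsProd": False},
    "resources": {"Db": {"Ref": "db-1", "Endpoint.Address": "db-1.local"}},
}
PROPS = {
    "Url": {"Fn::Sub": ["${Scheme}://${Db.Endpoint.Address}/${Env}", {"Scheme": "pg"}]},
    "Name": {"Fn::Join": ["-", [{"Ref": "Db"}, {"Ref": "AWS::Region"}]]},
    "KmsKeyId": {"Fn::If": ["IsProd", "alias/prod", {"Ref": "AWS::NoValue"}]},
}
```

With `IsProd` false, `KmsKeyId` disappears from the resolved properties entirely, which is worth remembering when a security-relevant property is gated by a condition.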

Resource types

85 resource types across 22 AWS services. Each type has a provisioner in ministack/services/cloudformation/provisioners.py that knows how to call the target service's internal create/update/delete.

Compute & containers

AWS::Lambda::Function AWS::Lambda::Version AWS::Lambda::Alias AWS::Lambda::Permission AWS::Lambda::Layer AWS::Lambda::EventSourceMapping AWS::ECS::Cluster AWS::ECS::TaskDefinition AWS::ECS::Service AWS::EC2::Instance AWS::EC2::LaunchTemplate AWS::EKS::Cluster AWS::EKS::Nodegroup AWS::AutoScaling::AutoScalingGroup AWS::AutoScaling::LaunchConfiguration AWS::AutoScaling::ScalingPolicy AWS::AutoScaling::LifecycleHook AWS::AutoScaling::ScheduledAction

Networking

AWS::EC2::VPC AWS::EC2::Subnet AWS::EC2::SecurityGroup AWS::EC2::InternetGateway AWS::EC2::VPCGatewayAttachment AWS::EC2::RouteTable AWS::EC2::Route AWS::EC2::SubnetRouteTableAssociation AWS::ElasticLoadBalancingV2::LoadBalancer AWS::ElasticLoadBalancingV2::Listener AWS::ElasticLoadBalancingV2::TargetGroup AWS::Route53::HostedZone AWS::Route53::RecordSet AWS::CloudFront::Distribution

Storage & data

AWS::S3::Bucket AWS::S3::BucketPolicy AWS::DynamoDB::Table AWS::RDS::DBCluster AWS::Kinesis::Stream AWS::ECR::Repository

Messaging & events

AWS::SQS::Queue AWS::SQS::QueuePolicy AWS::SNS::Topic AWS::SNS::Subscription AWS::SNS::TopicPolicy AWS::Events::EventBus AWS::Events::Rule AWS::StepFunctions::StateMachine AWS::Pipes::Pipe AWS::Scheduler::Schedule AWS::Scheduler::ScheduleGroup

APIs

AWS::ApiGateway::RestApi AWS::ApiGateway::Resource AWS::ApiGateway::Method AWS::ApiGateway::Deployment AWS::ApiGateway::Stage AWS::ApiGatewayV2::Api AWS::ApiGatewayV2::Stage AWS::AppSync::GraphQLApi AWS::AppSync::GraphQLSchema AWS::AppSync::DataSource AWS::AppSync::Resolver AWS::AppSync::ApiKey

Security, identity, logging

AWS::IAM::Role AWS::IAM::Policy AWS::IAM::ManagedPolicy AWS::IAM::InstanceProfile AWS::KMS::Key AWS::KMS::Alias AWS::SecretsManager::Secret AWS::Cognito::UserPool AWS::Cognito::UserPoolClient AWS::Cognito::UserPoolDomain AWS::Cognito::IdentityPool AWS::Logs::LogGroup AWS::CloudWatch::Alarm AWS::WAFv2::WebACL AWS::SES::EmailIdentity AWS::CodeBuild::Project

Utility

AWS::CloudFormation::WaitCondition AWS::CloudFormation::WaitConditionHandle AWS::CDK::Metadata

Any resource type not in this list fails stack creation with UnsupportedResource. File an issue if you need one added — many are a few hours of work.

Change sets

CreateChangeSet, DescribeChangeSet, ExecuteChangeSet, DeleteChangeSet, and ListChangeSets are fully wired. The engine diffs the current stack against the proposed template and emits a set of ResourceChange entries — your IaC tool can preview before applying.

Outputs & exports

Outputs are computed after all resources settle. Outputs[].Export.Name publishes a value into a global export table that downstream stacks import with Fn::ImportValue. ListExports and ListImports work as expected.

Gaps

  • Stack policy is stored but not enforced. SetStackPolicy / GetStackPolicy round-trip; updates succeed regardless.
  • AWS::NotificationARNs SNS fan-out is not dispatched. The ARN list is accepted but no notifications flow out.
  • Drift detection is not implemented. DetectStackDrift will report no drift.
  • Nested stacks — supported via AWS::CloudFormation::Stack; if that type is not in the resource list above, treat nested stacks as not yet supported.
  • Third-party resource types / modules — not supported.

Inspecting unsupported resources: when a stack fails with UnsupportedResource, the stack event includes the type name. Cross-reference it against the lists above to tell whether it is a gap or a typo.