IAM AWS-managed policies, Cost & Usage Reports, Lambda Ruby 4.0

May 11, 2026 · v1.3.36

Three additions, four correctness fixes.

IAM AWS-managed policies resolve from any session

Real AWS hosts AWS-managed policies under a virtual aws account that every customer can read regardless of their own session account. MiniStack used to key every policy by the calling account, so GetPolicy(arn:aws:iam::aws:policy/AdministratorAccess) returned NoSuchEntity — breaking the most common Terraform pattern:

data "aws_iam_policy" "admin" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

AWS-managed policies now live in a separate non-account-scoped store, pre-seeded with 20 of the most commonly referenced policies (AdministratorAccess, PowerUserAccess, ReadOnlyAccess, SecurityAudit, AWSLambdaBasicExecutionRole, the AmazonS3/EC2/DynamoDB/SQS/SNS Full and ReadOnly variants, AmazonSSMManagedInstanceCore, AmazonECSTaskExecutionRolePolicy, CloudWatchAgentServerPolicy, CloudWatchLogsFullAccess, AWSCloudFormationFullAccess) carrying their canonical AWS documents verbatim from the AWS Managed Policy Reference.

Unknown AWS-managed ARNs return NoSuchEntity by default — matching real AWS, so typos like AdminstratorAccess (missing the i) surface locally the same way they would in production. Opt in to permissive autovivify with MINISTACK_AUTOCREATE_AWS_MANAGED=1 when running Terraform against stacks that reference less common managed policies.

AttachmentCount is tracked per-(session-account, arn), matching real AWS where the counter reports the calling account's own attachments. ListPolicies respects Scope=All/AWS/Local; attach/detach work against any AWS-managed ARN; mutation operations (CreatePolicy into the aws namespace, DeletePolicy, TagPolicy, CreatePolicyVersion, etc.) return AccessDenied / InvalidInput to match real AWS. Contributed by @spicykay.
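A pre-flight check for the behaviour described above, as an added example that is not MiniStack's own code: it scans Terraform text for AWS-managed policy ARNs and reports which are in the pre-seeded set, which look like typos of a seeded name, and which would return NoSuchEntity unless MINISTACK_AUTOCREATE_AWS_MANAGED=1 is set. The function name classify, the 0.85 similarity cutoff, and the expansion of "Full and ReadOnly variants" into exact policy names are assumptions.

```python
import difflib
import re

# Pre-seeded names as read from the release note; the S3/EC2/DynamoDB/SQS/SNS
# Full/ReadOnly expansion is an assumption about the exact policy names.
SEEDED = {
    "AdministratorAccess", "PowerUserAccess", "ReadOnlyAccess", "SecurityAudit",
    "AWSLambdaBasicExecutionRole", "AmazonSSMManagedInstanceCore",
    "AmazonECSTaskExecutionRolePolicy", "CloudWatchAgentServerPolicy",
    "CloudWatchLogsFullAccess", "AWSCloudFormationFullAccess",
} | {f"Amazon{svc}{kind}" for svc in ("S3", "EC2", "DynamoDB", "SQS", "SNS")
     for kind in ("FullAccess", "ReadOnlyAccess")}

# AWS-managed policy ARNs use the literal account field "aws"; the name may
# carry a path such as service-role/.
ARN_RE = re.compile(r"arn:aws:iam::aws:policy/([\w+=,.@/-]+)")

def classify(terraform_text):
    """Map each AWS-managed policy ARN found in the text to a verdict."""
    verdicts = {}
    for match in ARN_RE.finditer(terraform_text):
        name = match.group(1).rsplit("/", 1)[-1]  # drop any path prefix
        if name in SEEDED:
            verdicts[match.group(0)] = "seeded"
            continue
        close = difflib.get_close_matches(name, SEEDED, n=1, cutoff=0.85)
        if close:
            verdicts[match.group(0)] = f"likely typo of {close[0]}"
        else:
            verdicts[match.group(0)] = "not seeded: NoSuchEntity unless MINISTACK_AUTOCREATE_AWS_MANAGED=1"
    return verdicts

# Constructed sample input, not taken from a real stack.
SAMPLE = '''
data "aws_iam_policy" "admin" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
data "aws_iam_policy" "oops" {
  arn = "arn:aws:iam::aws:policy/AdminstratorAccess"
}
resource "aws_iam_role_policy_attachment" "vpc" {
  role       = "example-role"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
'''

if __name__ == "__main__":
    for arn, verdict in classify(SAMPLE).items():
        print(f"{arn}: {verdict}")
```

Running it in CI before a plan separates genuine typos, which should fail, from valid but unseeded policies, which are the only case where turning on autocreate is appropriate.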

Cost and Usage Reports (CUR)

Full 7-operation surface: PutReportDefinition, DescribeReportDefinitions, ModifyReportDefinition, DeleteReportDefinition, TagResource, UntagResource, ListTagsForResource.

Report definitions persist; report file generation is intentionally not emulated (MiniStack doesn't track usage or compute costs). This targets IaC validation — Terraform / CDK / Bash automation that manages aws_cur_report_definition resources can now plan and apply against MiniStack without hitting real AWS billing. Contributed by @staranto.

Lambda Ruby 4.0 runtime

ruby4.0 is now wired to AWS's official public.ecr.aws/lambda/ruby:4.0 base image, tracking the runtime AWS added in May 2026 (botocore 1.42.94).

RDS DescribeDBClusters serialization fixes

Three independent shape bugs on the same code path:

Surfaced by brownfield-import diffing against a real-AWS captured Aurora cluster. Contributed by @jayjanssen.

RDS DescribeDBClusterParameters emits <Source>

The cluster-parameter response XML omitted the <Source> element entirely, so botocore materialized Parameters[].Source as None for every entry. Each emitted <Parameter> now includes <Source>user</Source>, matching the existing instance-level path. (MiniStack only stores user-modified parameters today; the user source is correct for that slice and will become conditional once engine-defaults are modelled.) Contributed by @jayjanssen.

Two warm-boot persistence gaps closed

CUR report definitions were silently dropped on container restart — the module declared get_state() and restore_state() but never invoked load_state("cur") at import. Standard import-time block added; PERSIST_STATE=1 now correctly survives restarts for CUR.

IAM AttachmentCount on AWS-managed policies reset to zero on every restart — the per-(session-account, arn) sidecar that backs the counter was missing from get_state / restore_state. Customer-managed AttachmentCount already persisted via the policy record itself; only the AWS-managed-policy sidecar was dropped. Now wired in.

Upgrade

docker pull ministackorg/ministack:1.3.36
docker run -d -p 4566:4566 ministackorg/ministack:1.3.36

Or pin in compose.yaml:

services:
  ministack:
    image: ministackorg/ministack:1.3.36
    ports:
      - "4566:4566"

Ship together

Shipped by the MiniStack community. Contributions credited throughout. GitHub · r/ministack