feat(ecs+ecr): account-setting ARN format + scan findings synthetic flag#730
Merged
vieiralucas merged 1 commit intomainfrom Apr 24, 2026
Merged
feat(ecs+ecr): account-setting ARN format + scan findings synthetic flag#730vieiralucas merged 1 commit intomainfrom
vieiralucas merged 1 commit intomainfrom
Conversation
… synthetic flag
Two small ECR+ECS correctness fixes shipped together. Both had been
silently no-opping since the services first landed.
- ECS: `serviceLongArnFormat`, `taskLongArnFormat`, and
`containerInstanceLongArnFormat` account settings now actually
influence ARN generation. When any is `disabled` (via
`PutAccountSettingDefault` or `PutAccountSetting`), new service /
task / container-instance ARNs drop the cluster segment — matching
AWS's pre-Nov-2018 short form. Default is long, matching AWS.
New helpers on `EcsState`:
- `container_instance_arn(cluster, id)` — mirrors the existing
`task_arn` / `service_arn` shape so all three ARN sites go
through one format-switch.
- `effective_account_setting(name, principal_arn)` — resolves
principal-level overrides on top of the account default.
Principal overrides win over defaults, matching AWS's
PutAccountSetting vs PutAccountSettingDefault layering.
- ECR: `DescribeImageScanFindings` now returns `isSynthetic: true`
inside the `imageScanFindings` object. Callers inspecting scan
results via raw HTTP / introspection can cleanly tell fakecloud's
stub scanner output from real Inspector findings. AWS SDKs using
Smithy codegen drop unknown fields during decode, so downstream
consumers aren't affected.
- Tests: 5 new state unit tests covering long/short ARN round-trip
and principal-override precedence; 4 new ECS E2E tests driving
`PutAccountSettingDefault` via the AWS SDK + asserting ARN shape
on RunTask / CreateService; 1 ECR E2E test asserting
`isSynthetic=true` via raw HTTP.
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Batch 1 of the scoped-out tightening pass. Two small correctness fixes that had been silently no-opping since both services first landed.
serviceLongArnFormat/taskLongArnFormat/containerInstanceLongArnFormatset todisablednow actually emits short-form ARNs. NewEcsState::effective_account_settinghelper resolves principal overrides over account defaults (matching AWS).isSynthetic: true—DescribeImageScanFindingsresponse now flags fakecloud's stub scanner output so introspection callers can tell it from real Inspector findings. AWS SDKs ignore unknown fields; no downstream impact.Test plan
fakecloud-ecs::stateecs_account_settings_arnecr_scan_synthetic_flag(raw HTTP since Smithy decode drops unknown fields)cargo clippy --workspace --all-targets -- -D warningscleancargo fmt --all -- --checkcleanSummary by cubic
Enforces ECS ARN format account settings and flags ECR scan findings as synthetic to match AWS behavior and aid introspection.
serviceLongArnFormat,taskLongArnFormat, andcontainerInstanceLongArnFormatnow control ARN shape. When set todisabled, short-form ARNs are emitted; default is long-form. AddedEcsState::effective_account_setting(principal overrides beat account defaults) andEcsState::container_instance_arn(...)to unify ARN generation.DescribeImageScanFindingsnow includesisSynthetic: trueinsideimageScanFindingsso tooling can spot fakecloud data. AWS SDKs ignore unknown fields, so no downstream impact.Written for commit fcad2c6. Summary will update on new commits.