
v0.10.0


github-actions released this 22 Apr 13:45 · 2700 commits to main since this release · 8f83f65

Biggest release yet. fakecloud crosses from "accurate AWS emulator" into "accurate AWS deployment emulator": multiple accounts, organization-wide policy ceilings, production-grade IAM, durable state across restarts, and two new services.

Multi-account

All stateful services now isolate state per AWS account — not a single global scope.

  • New MultiAccountState<T> core primitive; every service refactored onto it across S3, DynamoDB, SQS, SNS, IAM/STS, KMS, Secrets Manager, Kinesis, Bedrock, SSM, CloudFormation, Lambda, EventBridge, CloudWatch Logs, Cognito, SES, RDS, ElastiCache, API Gateway v2, Step Functions, EventBridge Scheduler.
  • Cross-account delivery for SQS/SNS; cross-account resource access evaluated with real AWS semantics (identity policy in caller account + resource policy in owner account).
  • STS trust policies enforced as resource policies — AssumeRole across accounts works like AWS.
  • New /_fakecloud/iam/create-admin endpoint bootstraps an admin user in any account, so test suites can provision per-account credentials without the chicken-and-egg problem of needing credentials in an account before any exist there.
  • Bucket uniqueness, introspection endpoints, and background tasks all multi-account aware.

AWS Organizations + SCPs (new service)

Entire Organizations control plane with service control policy enforcement as a top-of-chain ceiling on every authorization decision.

  • CRUD for organizations, OUs, accounts, and policies; attach/detach across Root/OU/Account targets; target listings.
  • OU tree with account membership and auto-enrollment of accounts created via create-admin.
  • FullAWSAccess seeded on Root and auto-attached to new OUs/accounts (matches AWS default).
  • SCP evaluation: same-target SCPs union, cross-level SCPs intersect, management account and service-linked roles exempted, NotPrincipal supported.
  • Wired into the IAM evaluator so every request is bounded by its org's SCP ceiling.

EventBridge Scheduler (new service)

Full Scheduler control plane plus a real firing loop.

  • Schedule + ScheduleGroup CRUD, flexible time windows, rate/cron/at expressions, dead-letter config, retry policy, KMS-encrypted inputs.
  • Background firing loop delivers to SQS (including FIFO with dedup ID cap), SNS, Lambda, Step Functions, EventBridge buses (including nested).
  • DLQ routing on delivery failure, wired through IAM so target invocations use the schedule's role.
  • Disk persistence via snapshot store; introspection endpoints + a client in every SDK (TS/Python/Go/Java/PHP).

IAM: production-grade policy evaluation

v0.9.2 introduced Phase 1 (identity policy evaluation). v0.10.0 completes Phases 2–6.

  • Condition block framework with context populated at dispatch. Service-specific condition keys shipped for:
    • aws:* global keys (PrincipalTag, RequestTag, ResourceTag, TagKeys)
    • s3:prefix, s3:delimiter, s3:max-keys
    • sqs:MessageAttribute.<Name>
    • sns:Protocol, sns:Endpoint
    • lambda:FunctionArn, lambda:Principal
    • Pluggable per-service via new iam_condition_keys_for hook on AwsService.
  • Resource policies evaluated with real cross-account semantics. Providers for S3 bucket policies, SNS topic policies, Lambda function policies (new AddPermission/RemovePermission/GetPolicy), and KMS key policies.
  • Permission boundaries + session policies under FAKECLOUD_IAM=strict, with an intersection evaluator: a request must be allowed by the identity policy and by the boundary and by the session policy, and an explicit Deny in any of them wins. Session policies enforced on STS temporary credentials.
  • ABAC everywhere: PrincipalTag conditions on IAM/STS; ResourceTag/RequestTag/TagKeys on S3, SQS, SNS, IAM.
  • NotPrincipal in resource policies, including the tricky exclusion semantics (the statement applies to every principal except those listed, so an Allow with NotPrincipal grants to everyone else).
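The three sections above (cross-account access, the SCP ceiling, and the boundary/session intersection) describe one authorization chain. As an added illustration, not fakecloud's code, the following Python is a toy evaluator written against the rules these notes state: it models only Effect/Action/Resource/Principal/NotPrincipal and StringEquals conditions, and the accounts, ARNs, OU tree and policies in it are constructed fixtures chosen to exercise each rule.

```python
# Added example, not fakecloud code: a toy evaluator for the authorization chain described in the
# Multi-account, Organizations/SCP and IAM sections. Policies use IAM JSON shapes, but only
# Effect/Action/Resource/Principal/NotPrincipal and StringEquals conditions are modelled.
from fnmatch import fnmatchcase

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _match(value, patterns):  # IAM-style wildcards in Action / Resource
    return any(fnmatchcase(value, p) for p in _as_list(patterns))
def _cond_ok(cond, ctx):  # StringEquals only: enough for aws:PrincipalTag/* and aws:ResourceTag/*
    return all(ctx.get(k) in _as_list(want) for k, want in cond.get("StringEquals", {}).items())

def _principal_ok(stmt, principal_arn):
    if "NotPrincipal" in stmt:  # exclusion: the statement applies to everyone except those listed
        return principal_arn not in _as_list(stmt["NotPrincipal"].get("AWS", []))
    p = stmt.get("Principal", "*")  # identity policies and SCPs carry no Principal element
    return p == "*" or principal_arn in _as_list(p.get("AWS", []))

def evaluate(policy, action, resource, ctx, principal_arn=None):
    """One policy document -> 'Deny', 'Allow' or None (implicit deny). An explicit Deny wins."""
    verdict = None
    for s in policy.get("Statement", []):
        if not (_match(action, s.get("Action", [])) and _match(resource, s.get("Resource", []))
                and _cond_ok(s.get("Condition", {}), ctx) and _principal_ok(s, principal_arn)):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict

def evaluate_union(policies, action, resource, ctx, principal_arn=None):
    """Policies attached to one target form a union: any Deny denies, otherwise any Allow allows."""
    verdicts = {evaluate(p, action, resource, ctx, principal_arn) for p in policies}
    return "Deny" if "Deny" in verdicts else ("Allow" if "Allow" in verdicts else None)

def scp_allows(org, account_id, action, resource, ctx):
    """SCP ceiling: union within one target, intersection across Root -> OU -> account."""
    if account_id == org["management_account"]:
        return True  # the management account is not bounded by SCPs
    return all(evaluate_union(org["scps"].get(t, []), action, resource, ctx) == "Allow"
               for t in org["path"][account_id])

def authorize(req, org):
    """SCP ceiling, then boundary/session intersection, then identity + resource policy."""
    a, r, ctx = req["action"], req["resource"], req["context"]
    if not scp_allows(org, req["caller_account"], a, r, ctx):
        return False
    for narrowing in (req.get("permission_boundary"), req.get("session_policy")):
        if narrowing is not None and evaluate(narrowing, a, r, ctx) != "Allow":
            return False  # a boundary or session policy can only remove permissions
    ident = evaluate_union(req["identity_policies"], a, r, ctx)
    res = (evaluate(req["resource_policy"], a, r, ctx, req["principal_arn"])
           if req.get("resource_policy") else None)
    if "Deny" in (ident, res):
        return False
    if req["caller_account"] == req["resource_account"]:
        return "Allow" in (ident, res)  # same account: either side may grant
    return ident == "Allow" and res == "Allow"  # cross-account: both sides must grant

# Constructed fixture: account 222... sits under ou-prod, whose SCP denies s3:DeleteBucket.
ORG = {"management_account": "111111111111",
       "path": {"222222222222": ["Root", "ou-prod", "222222222222"]},
       "scps": {"Root": [FULL_AWS_ACCESS], "222222222222": [FULL_AWS_ACCESS],
                "ou-prod": [FULL_AWS_ACCESS, {"Statement": [
                    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}]}}
CALLER = "arn:aws:iam::222222222222:role/reader"
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{  # bucket owned by 333..., grants the 222... role, gated on a tag
    "Effect": "Allow", "Principal": {"AWS": CALLER},
    "Action": ["s3:GetObject", "s3:DeleteBucket"],
    "Resource": ["arn:aws:s3:::shared-bucket", "arn:aws:s3:::shared-bucket/*"],
    "Condition": {"StringEquals": {"aws:PrincipalTag/team": "data"}}}]}
OBJ = "arn:aws:s3:::shared-bucket/report.csv"

def request(action, resource, **overrides):
    base = {"caller_account": "222222222222", "resource_account": "333333333333",
            "principal_arn": CALLER, "identity_policies": [IDENTITY], "resource_policy": BUCKET_POLICY,
            "action": action, "resource": resource, "context": {"aws:PrincipalTag/team": "data"}}
    return {**base, **overrides}

def demo():
    return {  # name -> allowed?
        "cross_account_get": authorize(request("s3:GetObject", OBJ), ORG),  # identity AND bucket policy allow
        "no_resource_policy": authorize(request("s3:GetObject", OBJ, resource_policy=None), ORG),  # owner never consented
        "wrong_principal_tag": authorize(request("s3:GetObject", OBJ, context={"aws:PrincipalTag/team": "ops"}), ORG),
        "scp_ceiling": authorize(request("s3:DeleteBucket", "arn:aws:s3:::shared-bucket"), ORG),  # ou-prod SCP denies
        "session_narrowed": authorize(request("s3:GetObject", OBJ, session_policy={"Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}), ORG),  # intersection drops GetObject
        "same_account_identity_only": authorize(request("s3:GetObject", OBJ, resource_policy=None,
                                                        resource_account="222222222222"), ORG),
        "management_exempt": authorize(request("s3:DeleteBucket", "arn:aws:s3:::shared-bucket", resource_policy=None,
                                               caller_account="111111111111", resource_account="111111111111"), ORG),
    }
```

Running demo() gives ALLOW for cross_account_get, same_account_identity_only and management_exempt and DENY for the other four. The ordering matters: the SCP and the boundary/session policies are pure ceilings, checked before the identity/resource pair and never able to grant anything themselves, and the cross-account branch is the one that trips people up, since a wide-open identity policy in the caller's account buys nothing until the owner's resource policy names that principal.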

Disk persistence (every service)

Opt-in durable state via a snapshot store — set FAKECLOUD_PERSIST_DIR=/path and state survives restarts. Every service is wired:

DynamoDB, SQS, SNS, IAM/STS, Kinesis, Secrets Manager, KMS, SSM, EventBridge, CloudWatch Logs, SES, API Gateway v2, CloudFormation, Cognito, Lambda, Step Functions, RDS, ElastiCache, Bedrock, EventBridge Scheduler, plus S3 from v0.9.0.

Writes are serialized and offloaded to the blocking pool, so persistence doesn't block request handling.

PHP SDK (5th first-party SDK)

Introspection SDK for PHP ≥8.1, published to Packagist via a subtree split on release. It joins the TypeScript, Python, Go, and Java SDKs; all five ship a Scheduler introspection client.

Routing

  • Decode real AWS Host headers (<service>.<region>.amazonaws.com, S3 virtual-hosted style, dotted bucket names on the global endpoint).
  • Decode LocalStack-style Host headers so existing LocalStack test setups work unchanged.
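As an added example (not fakecloud's own router), here is a decoder for the Host-header shapes the two bullets above name. The LocalStack shapes it accepts (`localhost.localstack.cloud` with an optional `<bucket>.s3.` or `<service>.` prefix), the skipping of a `dualstack` label and the legacy `s3-<region>` form are my assumptions about what such a router should handle, not something these notes state.

```python
# Added example, not fakecloud code: decode the Host-header shapes the Routing bullets describe.
# The LocalStack, dualstack and legacy s3-<region> handling are assumptions, not documented behaviour.
import re
from typing import NamedTuple, Optional

REGION = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")                    # us-east-1, eu-west-2, us-gov-west-1
LEGACY_S3 = re.compile(r"^s3-(?P<region>[a-z]{2}(-[a-z]+)+-\d)$")  # bucket.s3-us-west-2.amazonaws.com
SUFFIXES = ("amazonaws.com", "localhost.localstack.cloud")         # second one assumed for LocalStack

class Route(NamedTuple):
    service: Optional[str]  # None when the host names no service (bare LocalStack host)
    region: Optional[str]
    bucket: Optional[str]   # set only for S3 virtual-hosted-style hosts
    prefix: Optional[str]   # other leading labels, e.g. an API Gateway id

def decode_host(host: str) -> Optional[Route]:
    """Return the route a Host header encodes, or None if it is not an AWS-shaped host."""
    hostname = host.lower().rsplit(":", 1)[0]  # drop an explicit port
    for suffix in SUFFIXES:
        if hostname == suffix or hostname.endswith("." + suffix):
            head = hostname[: -len(suffix)].rstrip(".")
            break
    else:
        return None
    labels = [l for l in head.split(".") if l and l != "dualstack"]
    region = labels.pop() if labels and REGION.match(labels[-1]) else None
    if not labels:
        return Route(None, region, None, None)
    service = labels.pop()
    legacy = LEGACY_S3.match(service)
    if legacy:  # s3-<region> legacy endpoints carry the region inside the service label
        service, region = "s3", legacy.group("region")
    prefix = ".".join(labels) or None  # dotted bucket names survive as one string
    if service == "s3":
        return Route("s3", region, prefix, None)
    return Route(service, region, None, prefix)
```

Only the last label is tested against the region pattern, so a bucket name that happens to look like a region (`my-bucket-1`) is never mistaken for one, and a dotted bucket on the global endpoint (`my.dotted.bucket.s3.amazonaws.com`) comes back as a single bucket string. Anything the decoder returns None for should fall through to the server's other routing signal (the SigV4 credential scope carries region and service) rather than defaulting to a service, since Host is attacker-controlled input.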

DynamoDB

  • OnDemandThroughput on tables and GSIs, propagated through billing-mode changes.
  • Parenthesized KeyCondition clauses and nested-path SET targets — thanks @Bowbaq (#368, #660).
  • StreamSpecification + LatestStream* returned on create/update.
  • Reject an unresolvable nested-path SET right-hand side instead of silently corrupting items.

Stability

  • testkit startup hardened: OS-assigned ports with a stdout handshake eliminate port races; wall-clock deadline on wait_for_port.
  • Panics in spawned Step Functions executions are caught instead of taking the runtime down.
  • Docker container reaper on test-harness startup/shutdown clears orphans from crashed runs.
  • IPv6 endpoint URLs bracketed per RFC 3986.
  • Serialized snapshot writes for DynamoDB/SQS moved off the async runtime onto the blocking pool.

Full Changelog: v0.9.2...v0.10.0