localstack-core 4.10.1.dev42__py3-none-any.whl → 4.12.1.dev18__py3-none-any.whl

localstack/services/s3/utils.py

@@ -34,6 +34,7 @@ from localstack.aws.api.s3 import (
     Grantee,
     HeadObjectRequest,
     InvalidArgument,
+    InvalidLocationConstraint,
     InvalidRange,
     InvalidTag,
     LifecycleExpiration,
@@ -57,18 +58,25 @@ from localstack.aws.api.s3 import (
 from localstack.aws.api.s3 import Type as GranteeType
 from localstack.aws.chain import HandlerChain
 from localstack.aws.connect import connect_to
+from localstack.constants import AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1
 from localstack.http import Response
 from localstack.services.s3 import checksums
 from localstack.services.s3.constants import (
     ALL_USERS_ACL_GRANTEE,
     AUTHENTICATED_USERS_ACL_GRANTEE,
+    BUCKET_LOCATION_CONSTRAINTS,
     CHECKSUM_ALGORITHMS,
+    EU_WEST_1_LOCATION_CONSTRAINTS,
     LOG_DELIVERY_ACL_GRANTEE,
     SIGNATURE_V2_PARAMS,
     SIGNATURE_V4_PARAMS,
     SYSTEM_METADATA_SETTABLE_HEADERS,
 )
-from localstack.services.s3.exceptions import InvalidRequest, MalformedXML
+from localstack.services.s3.exceptions import (
+    IllegalLocationConstraintException,
+    InvalidRequest,
+    MalformedXML,
+)
 from localstack.utils.aws import arns
 from localstack.utils.aws.arns import parse_arn
 from localstack.utils.objects import singleton_factory
@@ -421,6 +429,7 @@ def get_failed_upload_part_copy_source_preconditions(
     if_none_match = request.get("CopySourceIfNoneMatch")
     if_unmodified_since = request.get("CopySourceIfUnmodifiedSince")
     if_modified_since = request.get("CopySourceIfModifiedSince")
+    last_modified = second_resolution_datetime(last_modified)
 
     if if_match:
         if if_match.strip('"') != etag.strip('"'):
@@ -431,15 +440,15 @@ def get_failed_upload_part_copy_source_preconditions(
         if if_unmodified_since:
             return None
 
-    if if_unmodified_since and if_unmodified_since < last_modified:
+    if if_unmodified_since and second_resolution_datetime(if_unmodified_since) < last_modified:
         return "x-amz-copy-source-If-Unmodified-Since"
 
     if if_none_match and if_none_match.strip('"') == etag.strip('"'):
         return "x-amz-copy-source-If-None-Match"
 
-    if if_modified_since and last_modified < if_modified_since < datetime.datetime.now(
-        tz=_gmt_zone_info
-    ):
+    if if_modified_since and last_modified <= second_resolution_datetime(
+        if_modified_since
+    ) < datetime.datetime.now(tz=_gmt_zone_info):
         return "x-amz-copy-source-If-Modified-Since"
 
 
@@ -701,6 +710,10 @@ def str_to_rfc_1123_datetime(value: str) -> datetime.datetime:
     return datetime.datetime.strptime(value, RFC1123).replace(tzinfo=_gmt_zone_info)
 
 
+def second_resolution_datetime(src: datetime.datetime) -> datetime.datetime:
+    return src.replace(microsecond=0)
+
+
 def add_expiration_days_to_datetime(user_datatime: datetime.datetime, exp_days: int) -> str:
     """
     This adds expiration days to a datetime, rounding to the next day at midnight UTC.
@@ -836,13 +849,20 @@ def parse_tagging_header(tagging_header: TaggingHeader) -> dict:
         )
 
 
-def validate_tag_set(tag_set: TagSet, type_set: Literal["bucket", "object"] = "bucket"):
+def validate_tag_set(
+    tag_set: TagSet, type_set: Literal["bucket", "object", "create-bucket"] = "bucket"
+):
     keys = set()
     for tag in tag_set:
         if set(tag) != {"Key", "Value"}:
             raise MalformedXML()
 
         key = tag["Key"]
+        value = tag["Value"]
+
+        if key is None or value is None:
+            raise MalformedXML()
+
         if key in keys:
             raise InvalidTag(
                 "Cannot provide multiple Tags with the same key",
@@ -852,11 +872,15 @@ def validate_tag_set(tag_set: TagSet, type_set: Literal["bucket", "object"] = "b
         if key.startswith("aws:"):
             if type_set == "bucket":
                 message = "System tags cannot be added/updated by requester"
-            else:
+            elif type_set == "object":
                 message = "Your TagKey cannot be prefixed with aws:"
+            else:
+                message = 'User-defined tag keys can\'t start with "aws:". This prefix is reserved for system tags. Remove "aws:" from your tag keys and try again.'
             raise InvalidTag(
                 message,
-                TagKey=key,
+                # weirdly, AWS does not return the `TagKey` field here, but it does if the TagKey does not match the
+                # regex in the next step
+                TagKey=key if type_set != "create-bucket" else None,
             )
 
         if not TAG_REGEX.match(key):
@@ -864,14 +888,35 @@ def validate_tag_set(tag_set: TagSet, type_set: Literal["bucket", "object"] = "b
                 "The TagKey you have provided is invalid",
                 TagKey=key,
             )
-        elif not TAG_REGEX.match(tag["Value"]):
+        elif not TAG_REGEX.match(value):
             raise InvalidTag(
-                "The TagValue you have provided is invalid", TagKey=key, TagValue=tag["Value"]
+                "The TagValue you have provided is invalid", TagKey=key, TagValue=value
             )
 
         keys.add(key)
 
 
+def validate_location_constraint(context_region: str, location_constraint: str) -> None:
+    if location_constraint:
+        if context_region == AWS_REGION_US_EAST_1:
+            if (
+                not config.ALLOW_NONSTANDARD_REGIONS
+                and location_constraint not in BUCKET_LOCATION_CONSTRAINTS
+            ):
+                raise InvalidLocationConstraint(
+                    "The specified location-constraint is not valid",
+                    LocationConstraint=location_constraint,
+                )
+        elif context_region == AWS_REGION_EU_WEST_1:
+            if location_constraint not in EU_WEST_1_LOCATION_CONSTRAINTS:
+                raise IllegalLocationConstraintException(location_constraint)
+        elif context_region != location_constraint:
+            raise IllegalLocationConstraintException(location_constraint)
+    else:
+        if context_region != AWS_REGION_US_EAST_1:
+            raise IllegalLocationConstraintException("unspecified")
+
+
 def get_unique_key_id(
     bucket: BucketName, object_key: ObjectKey, version_id: ObjectVersionId
 ) -> str:
@@ -908,6 +953,7 @@ def get_failed_precondition_copy_source(
     :param etag: source object ETag
     :return str: the failed precondition to raise
     """
+    last_modified = second_resolution_datetime(last_modified)
     if (cs_if_match := request.get("CopySourceIfMatch")) and etag.strip('"') != cs_if_match.strip(
         '"'
     ):
@@ -915,7 +961,7 @@ def get_failed_precondition_copy_source(
 
     elif (
         cs_if_unmodified_since := request.get("CopySourceIfUnmodifiedSince")
-    ) and last_modified > cs_if_unmodified_since:
+    ) and last_modified > second_resolution_datetime(cs_if_unmodified_since):
         return "x-amz-copy-source-If-Unmodified-Since"
 
     elif (cs_if_none_match := request.get("CopySourceIfNoneMatch")) and etag.strip(
@@ -925,7 +971,9 @@ def get_failed_precondition_copy_source(
 
     elif (
         cs_if_modified_since := request.get("CopySourceIfModifiedSince")
-    ) and last_modified < cs_if_modified_since < datetime.datetime.now(tz=_gmt_zone_info):
+    ) and last_modified <= second_resolution_datetime(cs_if_modified_since) < datetime.datetime.now(
+        tz=_gmt_zone_info
+    ):
         return "x-amz-copy-source-If-Modified-Since"
 
 
@@ -943,13 +991,13 @@ def validate_failed_precondition(
     """
     precondition_failed = None
     # last_modified needs to be rounded to a second so that strict equality can be enforced from a RFC1123 header
-    last_modified = last_modified.replace(microsecond=0)
+    last_modified = second_resolution_datetime(last_modified)
     if (if_match := request.get("IfMatch")) and etag != if_match.strip('"'):
         precondition_failed = "If-Match"
 
     elif (
         if_unmodified_since := request.get("IfUnmodifiedSince")
-    ) and last_modified > if_unmodified_since:
+    ) and last_modified > second_resolution_datetime(if_unmodified_since):
         precondition_failed = "If-Unmodified-Since"
 
     if precondition_failed:
@@ -960,7 +1008,9 @@ def validate_failed_precondition(
 
     if ((if_none_match := request.get("IfNoneMatch")) and etag == if_none_match.strip('"')) or (
         (if_modified_since := request.get("IfModifiedSince"))
-        and last_modified <= if_modified_since < datetime.datetime.now(tz=_gmt_zone_info)
+        and last_modified
+        <= second_resolution_datetime(if_modified_since)
+        < datetime.datetime.now(tz=_gmt_zone_info)
     ):
         raise CommonServiceException(
             message="Not Modified",
@@ -1084,3 +1134,19 @@ def is_version_older_than_other(version_id: str, other: str):
     See `generate_safe_version_id`
     """
     return base64.b64decode(version_id, altchars=b"._") < base64.b64decode(other, altchars=b"._")
+
+
+def get_bucket_location_xml(location_constraint: str) -> str:
+    """
+    Returns the formatted XML for the GetBucketLocation operation.
+
+    :param location_constraint: The location constraint to return in the XML. It can be an empty string when
+    it's not specified in the bucket configuration.
+    :return: The XML response.
+    """
+
+    return (
+        '<?xml version="1.0" encoding="UTF-8"?>\n'
+        '<LocationConstraint xmlns="http://s3.amazonaws.com/doc/2006-03-01/"'
+        + ("/>" if not location_constraint else f">{location_constraint}</LocationConstraint>")
+    )

localstack/services/s3control/provider.py

@@ -1,5 +1,110 @@
-from localstack.aws.api.s3control import S3ControlApi
+from localstack.aws.api import CommonServiceException, RequestContext
+from localstack.aws.api.s3control import (
+    AccountId,
+    ListTagsForResourceResult,
+    S3ControlApi,
+    S3ResourceArn,
+    TagKeyList,
+    TagList,
+    TagResourceResult,
+    UntagResourceResult,
+)
+from localstack.aws.forwarder import NotImplementedAvoidFallbackError
+from localstack.services.s3.models import s3_stores
+from localstack.services.s3control.validation import validate_tags
+from localstack.state import StateVisitor
+from localstack.utils.tagging import TaggingService
+
+
+class NoSuchResource(CommonServiceException):
+    def __init__(self, message=None):
+        super().__init__("NoSuchResource", status_code=404, message=message)
 
 
 class S3ControlProvider(S3ControlApi):
-    pass
+    def accept_state_visitor(self, visitor: StateVisitor):
+        from moto.s3control.models import s3control_backends
+
+        visitor.visit(s3control_backends)
+
+    """
+    S3Control is a management interface for S3, and can access some of its internals with no public API
+    This requires us to access the s3 stores directly
+    """
+
+    @staticmethod
+    def _get_tagging_service_for_bucket(
+        resource_arn: S3ResourceArn,
+        partition: str,
+        region: str,
+        account_id: str,
+    ) -> TaggingService:
+        s3_prefix = f"arn:{partition}:s3:::"
+        if not resource_arn.startswith(s3_prefix):
+            # Moto does not support Tagging operations for S3 Control, so we should not forward those operations back
+            # to it
+            raise NotImplementedAvoidFallbackError(
+                "LocalStack only support Bucket tagging operations for S3Control"
+            )
+
+        store = s3_stores[account_id][region]
+        bucket_name = resource_arn.removeprefix(s3_prefix)
+        if bucket_name not in store.global_bucket_map:
+            raise NoSuchResource("The specified resource doesn't exist.")
+
+        return store.TAGS
+
+    def tag_resource(
+        self,
+        context: RequestContext,
+        account_id: AccountId,
+        resource_arn: S3ResourceArn,
+        tags: TagList,
+        **kwargs,
+    ) -> TagResourceResult:
+        # currently S3Control only supports tagging buckets
+        tagging_service = self._get_tagging_service_for_bucket(
+            resource_arn=resource_arn,
+            partition=context.partition,
+            region=context.region,
+            account_id=account_id,
+        )
+
+        validate_tags(tags=tags)
+        tagging_service.tag_resource(resource_arn, tags)
+
+        return TagResourceResult()
+
+    def untag_resource(
+        self,
+        context: RequestContext,
+        account_id: AccountId,
+        resource_arn: S3ResourceArn,
+        tag_keys: TagKeyList,
+        **kwargs,
+    ) -> UntagResourceResult:
+        # currently S3Control only supports tagging buckets
+        tagging_service = self._get_tagging_service_for_bucket(
+            resource_arn=resource_arn,
+            partition=context.partition,
+            region=context.region,
+            account_id=account_id,
+        )
+
+        tagging_service.untag_resource(resource_arn, tag_keys)
+
+        return TagResourceResult()
+
+    def list_tags_for_resource(
+        self, context: RequestContext, account_id: AccountId, resource_arn: S3ResourceArn, **kwargs
+    ) -> ListTagsForResourceResult:
+        # currently S3Control only supports tagging buckets
+        tagging_service = self._get_tagging_service_for_bucket(
+            resource_arn=resource_arn,
+            partition=context.partition,
+            region=context.region,
+            account_id=account_id,
+        )
+
+        tags = tagging_service.list_tags_for_resource(resource_arn)
+        return ListTagsForResourceResult(Tags=tags["Tags"])

localstack/services/s3control/validation.py

@@ -0,0 +1,50 @@
+from localstack.aws.api.s3 import InvalidTag
+from localstack.aws.api.s3control import Tag, TagList
+from localstack.services.s3.exceptions import MalformedXML
+from localstack.services.s3.utils import TAG_REGEX
+
+
+def validate_tags(tags: TagList):
+    """
+    Validate the tags provided. This is the same function as S3, but with different error messages
+    :param tags: a TagList object
+    :raises MalformedXML if the object does not conform to the schema
+    :raises InvalidTag if the tag key or value are outside the set of validations defined by S3 and S3Control
+    :return: None
+    """
+    keys = set()
+    for tag in tags:
+        tag: Tag
+        if set(tag) != {"Key", "Value"}:
+            raise MalformedXML()
+
+        key = tag["Key"]
+        value = tag["Value"]
+
+        if key is None or value is None:
+            raise MalformedXML()
+
+        if key in keys:
+            raise InvalidTag(
+                "There are duplicate tag keys in your request. Remove the duplicate tag keys and try again.",
+                TagKey=key,
+            )
+
+        if key.startswith("aws:"):
+            raise InvalidTag(
+                'User-defined tag keys can\'t start with "aws:". This prefix is reserved for system tags. Remove "aws:" from your tag keys and try again.',
+            )
+
+        if not TAG_REGEX.match(key):
+            raise InvalidTag(
+                "This request contains a tag key or value that isn't valid. Valid characters include the following: [a-zA-Z+-=._:/]. Tag keys can contain up to 128 characters. Tag values can contain up to 256 characters.",
+                TagKey=key,
+            )
+        elif not TAG_REGEX.match(value):
+            raise InvalidTag(
+                "This request contains a tag key or value that isn't valid. Valid characters include the following: [a-zA-Z+-=._:/]. Tag keys can contain up to 128 characters. Tag values can contain up to 256 characters.",
+                TagKey=key,
+                TagValue=value,
+            )
+
+        keys.add(key)

localstack/services/scheduler/provider.py

@@ -1,11 +1,12 @@
 import logging
 import re
 
-from moto.scheduler.models import EventBridgeSchedulerBackend
+from moto.scheduler.models import EventBridgeSchedulerBackend, scheduler_backends
 
 from localstack.aws.api.scheduler import SchedulerApi, ValidationException
 from localstack.services.events.rule import RULE_SCHEDULE_CRON_REGEX, RULE_SCHEDULE_RATE_REGEX
 from localstack.services.plugins import ServiceLifecycleHook
+from localstack.state import StateVisitor
 from localstack.utils.patch import patch
 
 LOG = logging.getLogger(__name__)
@@ -17,7 +18,8 @@ RULE_SCHEDULE_AT_REGEX = re.compile(AT_REGEX)
 
 
 class SchedulerProvider(SchedulerApi, ServiceLifecycleHook):
-    pass
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(scheduler_backends)
 
 
 def _validate_schedule_expression(schedule_expression: str) -> None:

localstack/services/secretsmanager/provider.py

@@ -65,6 +65,7 @@ from localstack.aws.api.secretsmanager import (
 )
 from localstack.aws.connect import connect_to
 from localstack.services.moto import call_moto
+from localstack.state import StateVisitor
 from localstack.utils.aws import arns
 from localstack.utils.patch import patch
 from localstack.utils.time import today_no_time
@@ -105,6 +106,9 @@ class SecretsmanagerProvider(SecretsmanagerApi):
         super().__init__()
         apply_patches()
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(secretsmanager_backends)
+
     @staticmethod
     def get_moto_backend_for_resource(
         name_or_arn: str, context: RequestContext

localstack/services/ses/provider.py

@@ -62,6 +62,7 @@ from localstack.http import Resource, Response
 from localstack.services.moto import call_moto
 from localstack.services.plugins import ServiceLifecycleHook
 from localstack.services.ses.models import EmailType, SentEmail, SentEmailBody
+from localstack.state import StateVisitor
 from localstack.utils.aws import arns
 from localstack.utils.files import mkdir
 from localstack.utils.strings import long_uid, to_str
@@ -177,6 +178,9 @@ def register_ses_api_resource():
 
 
 class SesProvider(SesApi, ServiceLifecycleHook):
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(ses_backends)
+
     #
     # Lifecycle Hooks
     #

localstack/services/sns/constants.py

@@ -25,9 +25,23 @@ VALID_SUBSCRIPTION_ATTR_NAME: list[str] = [
     "SubscriptionRoleArn",
 ]
 
+
+VALID_POLICY_ACTIONS = [
+    "GetTopicAttributes",
+    "SetTopicAttributes",
+    "AddPermission",
+    "RemovePermission",
+    "DeleteTopic",
+    "Subscribe",
+    "ListSubscriptionsByTopic",
+    "Publish",
+    "Receive",
+]
+
 MSG_ATTR_NAME_REGEX = re.compile(r"^(?!\.)(?!.*\.$)(?!.*\.\.)[a-zA-Z0-9_\-.]+$")
 ATTR_TYPE_REGEX = re.compile(r"^(String|Number|Binary)\..+$")
 VALID_MSG_ATTR_NAME_CHARS = set(ascii_letters + digits + "." + "-" + "_")
+E164_REGEX = re.compile(r"^\+?[1-9]\d{1,14}$")
 
 
 GCM_URL = "https://fcm.googleapis.com/fcm/send"
@@ -42,6 +56,7 @@ SUBSCRIPTION_TOKENS_ENDPOINT = "/_aws/sns/subscription-tokens"
 SNS_CERT_ENDPOINT = "/_aws/sns/SimpleNotificationService-6c6f63616c737461636b69736e696365.pem"
 
 DUMMY_SUBSCRIPTION_PRINCIPAL = "arn:{partition}:iam::{account_id}:user/DummySNSPrincipal"
-E164_REGEX = re.compile(r"^\+?[1-9]\d{1,14}$")
 
 VALID_APPLICATION_PLATFORMS = list(get_args(SnsApplicationPlatforms))
+
+MAXIMUM_MESSAGE_LENGTH = 262144

localstack/services/sns/provider.py

@@ -86,6 +86,7 @@ from localstack.utils.aws.arns import (
 from localstack.utils.collections import PaginatedList, select_from_typed_dict
 from localstack.utils.strings import short_uid, to_bytes, to_str
 
+from ...state import StateVisitor
 from .analytics import internal_api_calls
 
 # set up logger
@@ -118,6 +119,10 @@ class SnsProvider(SnsApi, ServiceLifecycleHook):
         self._publisher = PublishDispatcher()
         self._signature_cert_pem: str = SNS_SERVER_CERT
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(sns_backends)
+        visitor.visit(sns_stores)
+
     def on_before_stop(self):
         self._publisher.shutdown()
 

localstack/services/sns/publisher.py

@@ -30,6 +30,7 @@ from localstack.services.sns.models import (
     SnsStore,
     SnsSubscription,
 )
+from localstack.services.sns.v2.utils import get_topic_subscriptions
 from localstack.utils.aws.arns import (
     PARTITION_NAMES,
     extract_account_id_from_arn,
@@ -254,9 +255,11 @@ class LambdaTopicPublisher(TopicPublisher):
             "UnsubscribeUrl": unsubscribe_url,
             "MessageAttributes": message_attributes,
         }
-
+        # TODO: remove v1 "signature_version" access once v1 is retired
         signature_version = (
-            topic_attributes.get("signature_version", "1") if topic_attributes else "1"
+            topic_attributes.get("signature_version", topic_attributes.get("SignatureVersion", "1"))
+            if topic_attributes
+            else "1"
         )
         canonical_string = compute_canonical_string(event_payload, message_context.type)
         signature = get_message_signature(canonical_string, signature_version=signature_version)
@@ -558,7 +561,10 @@ class HttpTopicPublisher(TopicPublisher):
             ):
                 return sub_content_type
 
-        if json_topic_delivery_policy := topic_attributes.get("delivery_policy"):
+        # TODO: remove lower case access once legacy v1 provider is removed
+        if json_topic_delivery_policy := topic_attributes.get(
+            "delivery_policy", topic_attributes.get("DeliveryPolicy")
+        ):
             topic_delivery_policy = json.loads(json_topic_delivery_policy)
             if not (
                 topic_content_type := topic_delivery_policy.get(subscriber["Protocol"].lower())
@@ -1009,7 +1015,10 @@ def create_sns_message_body(
     # FIFO topics do not add the signature in the message
     if not subscriber.get("TopicArn", "").endswith(".fifo"):
         signature_version = (
-            topic_attributes.get("signature_version", "1") if topic_attributes else "1"
+            # we allow for both casings, depending on v1 or v2 provider
+            topic_attributes.get("signature_version", topic_attributes.get("SignatureVersion", "1"))
+            if topic_attributes
+            else "1"
         )
         canonical_string = compute_canonical_string(data, message_type)
         signature = get_message_signature(canonical_string, signature_version=signature_version)
@@ -1234,7 +1243,7 @@ class PublishDispatcher:
                 )
 
     def publish_to_topic(self, ctx: SnsPublishContext, topic_arn: str) -> None:
-        subscriptions = ctx.store.get_topic_subscriptions(topic_arn)
+        subscriptions = get_topic_subscriptions(ctx.store, topic_arn)
         for subscriber in subscriptions:
             if self._should_publish(ctx.store.subscription_filter_policy, ctx.message, subscriber):
                 notifier = self.topic_notifiers[subscriber["Protocol"]]
@@ -1249,7 +1258,7 @@ class PublishDispatcher:
                 self._submit_notification(notifier, ctx, subscriber)
 
     def publish_batch_to_topic(self, ctx: SnsBatchPublishContext, topic_arn: str) -> None:
-        subscriptions = ctx.store.get_topic_subscriptions(topic_arn)
+        subscriptions = get_topic_subscriptions(ctx.store, topic_arn)
         for subscriber in subscriptions:
             protocol = subscriber["Protocol"]
             notifier = self.batch_topic_notifiers.get(protocol)

localstack/services/sns/v2/models.py

@@ -7,6 +7,7 @@ from typing import Literal, TypedDict
 from localstack.aws.api.sns import (
     Endpoint,
     MessageAttributeMap,
+    PhoneNumber,
     PlatformApplication,
     PublishBatchRequestEntry,
     TopicAttributesMap,
@@ -181,10 +182,18 @@ class SnsStore(BaseStore):
     # maps endpoint arns to platform endpoints
     platform_endpoints: dict[str, PlatformEndpoint] = LocalAttribute(default=dict)
 
+    # cache of topic ARN to platform endpoint messages (used primarily for testing)
+    platform_endpoint_messages: dict[str, list[dict]] = LocalAttribute(default=dict)
+
     # topic/subscription independent default values for sending sms messages
     sms_attributes: dict[str, str] = LocalAttribute(default=dict)
 
+    # list of sent SMS messages
+    sms_messages: list[dict] = LocalAttribute(default=list)
+
     TAGS: TaggingService = CrossRegionAttribute(default=TaggingService)
 
+    PHONE_NUMBERS_OPTED_OUT: list[PhoneNumber] = CrossRegionAttribute(default=list)
+
 
 sns_stores = AccountRegionBundle("sns", SnsStore)