localstack-core 4.10.1.dev42__py3-none-any.whl → 4.12.1.dev18__py3-none-any.whl

localstack/aws/connect.py

@@ -7,6 +7,7 @@ LocalStack providers.
 
 import json
 import logging
+import os
 import re
 import threading
 from abc import ABC, abstractmethod
@@ -250,9 +251,10 @@ class ClientFactory(ABC):
     def __init__(
         self,
         use_ssl: bool = False,
-        verify: bool = False,
+        verify: bool | str = False,
         session: Session = None,
         config: Config = None,
+        endpoint: str = None,
     ):
         """
         :param use_ssl: Whether to use SSL
@@ -268,6 +270,7 @@ class ClientFactory(ABC):
         self._verify = verify
         self._config: Config = config or Config(max_pool_connections=MAX_POOL_CONNECTIONS)
         self._session: Session = session or Session()
+        self._endpoint = endpoint
 
         # make sure we consider our custom data paths for legacy specs (like SQS query protocol)
         if LOCALSTACK_BUILTIN_DATA_PATH not in self._session._loader.search_paths:
@@ -514,10 +517,13 @@ class InternalClientFactory(ClientFactory):
         else:
             config = self._config.merge(config)
 
-        endpoint_url = endpoint_url or get_service_endpoint()
-        if service_name == "s3" and endpoint_url:
-            if re.match(r"https?://localhost(:[0-9]+)?", endpoint_url):
-                endpoint_url = endpoint_url.replace("://localhost", f"://{get_s3_hostname()}")
+        endpoint_url = endpoint_url or self._endpoint or get_service_endpoint()
+        if (
+            endpoint_url
+            and service_name == "s3"
+            and re.match(r"https?://localhost(:[0-9]+)?", endpoint_url)
+        ):
+            endpoint_url = endpoint_url.replace("://localhost", f"://{get_s3_hostname()}")
 
         return self._get_client(
             service_name=service_name,
@@ -574,14 +580,20 @@ class ExternalClientFactory(ClientFactory):
         # If the region in arg is non-default, it gives the arg the precedence
         # But if the region in arg is default (us-east-1), it gives precedence to one in config
         # Below: always give precedence to arg region
-        if config and config.region_name != AWS_REGION_US_EAST_1:
-            if region_name == AWS_REGION_US_EAST_1:
-                config = config.merge(Config(region_name=region_name))
-
-        endpoint_url = endpoint_url or get_service_endpoint()
-        if service_name == "s3":
-            if re.match(r"https?://localhost(:[0-9]+)?", endpoint_url):
-                endpoint_url = endpoint_url.replace("://localhost", f"://{get_s3_hostname()}")
+        if (
+            config
+            and config.region_name != AWS_REGION_US_EAST_1
+            and region_name == AWS_REGION_US_EAST_1
+        ):
+            config = config.merge(Config(region_name=region_name))
+
+        endpoint_url = endpoint_url or self._endpoint or get_service_endpoint()
+        if (
+            endpoint_url
+            and service_name == "s3"
+            and re.match(r"https?://localhost(:[0-9]+)?", endpoint_url)
+        ):
+            endpoint_url = endpoint_url.replace("://localhost", f"://{get_s3_hostname()}")
 
         # Prevent `PartialCredentialsError` when only access key ID is provided
         # The value of secret access key is insignificant and can be set to anything
@@ -683,11 +695,19 @@ class ExternalBypassDnsClientFactory(ExternalAwsClientFactory):
         session: Session = None,
         config: Config = None,
     ):
-        super().__init__(use_ssl=True, verify=True, session=session, config=config)
+        if ca_cert := os.getenv("REQUESTS_CA_BUNDLE"):
+            LOG.debug("Creating External AWS Client with REQUESTS_CA_BUNDLE=%s", ca_cert)
+
+        super().__init__(
+            use_ssl=localstack_config.is_env_not_false("USE_SSL"),
+            verify=ca_cert or True,
+            session=session,
+            config=config,
+        )
 
     def _get_client_post_hook(self, client: BaseClient) -> BaseClient:
         client = super()._get_client_post_hook(client)
-        client._endpoint.http_session = ExternalBypassDnsSession()
+        client._endpoint.http_session = ExternalBypassDnsSession(verify=self._verify)
         return client
 
 

localstack/aws/handlers/logging.py

@@ -1,7 +1,6 @@
 """Handlers for logging."""
 
 import logging
-import types
 from functools import cached_property
 
 from localstack.aws.api import RequestContext, ServiceException
@@ -25,10 +24,14 @@ class ExceptionLogger(ExceptionHandler):
         try:
             import moto.core.exceptions
 
-            self._moto_service_exception = moto.core.exceptions.ServiceException
+            self._skip_exceptions(
+                ServiceException,
+                moto.core.exceptions.ServiceException,
+                moto.core.exceptions.RESTError,
+            )
         except (ModuleNotFoundError, AttributeError):
             # Moto may not be available in stripped-down versions of LocalStack, like LocalStack S3 image.
-            self._moto_service_exception = types.EllipsisType
+            self._skip_exceptions = (ServiceException,)
 
     def __call__(
         self,
@@ -37,11 +40,12 @@ class ExceptionLogger(ExceptionHandler):
         context: RequestContext,
         response: Response,
     ):
-        if isinstance(exception, (ServiceException, self._moto_service_exception)):
+        if isinstance(exception, self._skip_exceptions):
             # We do not want to log an error/stacktrace if the handler is working as expected, but chooses to throw
             # a service exception. It may also throw a Moto ServiceException, which should not be logged either
             # because ServiceExceptionHandler understands it.
             return
+
         if self.logger.isEnabledFor(level=logging.DEBUG):
             self.logger.exception("exception during call chain", exc_info=exception)
         else:

localstack/aws/handlers/service.py

@@ -158,14 +158,17 @@ class ServiceExceptionSerializer(ExceptionHandler):
     def __init__(self):
         self.handle_internal_failures = True
 
+        self._moto_service_exception = types.EllipsisType
+        self._moto_rest_error = types.EllipsisType
+
         try:
             import moto.core.exceptions
 
             self._moto_service_exception = moto.core.exceptions.ServiceException
+            self._moto_rest_error = moto.core.exceptions.RESTError
         except (ModuleNotFoundError, AttributeError) as exc:
             # Moto may not be available in stripped-down versions of LocalStack, like LocalStack S3 image.
-            LOG.debug("Unable to set up Moto ServiceException translation: %s", exc)
-            self._moto_service_exception = types.EllipsisType
+            LOG.debug("Unable to set up Moto exception translation: %s", exc)
 
     def __call__(
         self,
@@ -200,6 +203,12 @@ class ServiceExceptionSerializer(ExceptionHandler):
                 code=exception.code,
                 message=exception.message,
             )
+        elif isinstance(exception, self._moto_rest_error):
+            # Some Moto exceptions (like ones raised by EC2) are of type RESTError.
+            error = CommonServiceException(
+                code=exception.error_type,
+                message=exception.message,
+            )
 
         elif not isinstance(exception, ServiceException):
             if not self.handle_internal_failures:

localstack/aws/protocol/serializer.py

@@ -2192,7 +2192,7 @@ class S3ResponseSerializer(RestXMLResponseSerializer):
 
     def _prepare_additional_traits_in_xml(self, root: ETree.Element | None, request_id: str):
         # some tools (Serverless) require a newline after the "<?xml ...>\n" preamble line, e.g., for LocationConstraint
-        if root and not root.tail:
+        if root is not None and not root.tail:
             root.tail = "\n"
 
         root.attrib["xmlns"] = self.XML_NAMESPACE

localstack/config.py

@@ -225,6 +225,11 @@ def parse_boolean_env(env_var_name: str) -> bool | None:
     return None
 
 
+def parse_comma_separated_list(env_var_name: str) -> list[str]:
+    """Parse a comma separated list from the given environment variable."""
+    return os.environ.get(env_var_name, "").strip().split(",")
+
+
 def is_env_true(env_var_name: str) -> bool:
     """Whether the given environment variable has a truthy value."""
     return os.environ.get(env_var_name, "").lower().strip() in TRUE_STRINGS
@@ -1211,6 +1216,9 @@ CFN_PER_RESOURCE_TIMEOUT = int(os.environ.get("CFN_PER_RESOURCE_TIMEOUT") or 300
 # EXPERIMENTAL
 CFN_IGNORE_UNSUPPORTED_RESOURCE_TYPES = is_env_not_false("CFN_IGNORE_UNSUPPORTED_RESOURCE_TYPES")
 
+# Decrease the waiting time for resource deployment
+CFN_NO_WAIT_ITERATIONS: str | int | None = os.environ.get("CFN_NO_WAIT_ITERATIONS")
+
 # bind address of local DNS server
 DNS_ADDRESS = os.environ.get("DNS_ADDRESS") or "0.0.0.0"
 # port of the local DNS server

localstack/constants.py

@@ -117,6 +117,9 @@ LOCALSTACK_INFRA_PROCESS = "LOCALSTACK_INFRA_PROCESS"
 # AWS region us-east-1
 AWS_REGION_US_EAST_1 = "us-east-1"
 
+# AWS region eu-west-1
+AWS_REGION_EU_WEST_1 = "eu-west-1"
+
 # environment variable to override max pool connections
 try:
     MAX_POOL_CONNECTIONS = int(os.environ["MAX_POOL_CONNECTIONS"])

localstack/deprecations.py

@@ -35,12 +35,6 @@ class EnvVarDeprecation:
 # Please make sure this is in-sync with https://docs.localstack.cloud/references/configuration/
 #
 DEPRECATIONS = [
-    # Since 0.11.3 - HTTP / HTTPS multiplexing
-    EnvVarDeprecation(
-        "USE_SSL",
-        "0.11.3",
-        "Each endpoint now supports multiplexing HTTP/HTTPS traffic over the same port. Please remove this environment variable.",  # noqa
-    ),
     # Since 0.12.8 - PORT_UI was removed
     EnvVarDeprecation(
         "PORT_WEB_UI",

localstack/dev/kubernetes/__main__.py

@@ -1,5 +1,7 @@
 import dataclasses
 import os
+import shlex
+import subprocess as sp
 from typing import Literal
 
 import click
@@ -315,12 +317,11 @@ def generate_k8s_helm_overrides(
     return overrides
 
 
-def write_file(content: dict, output_path: str, file_name: str):
-    path = os.path.join(output_path, file_name)
-    with open(path, "w") as f:
+def write_file(content: dict, output_path: str):
+    with open(output_path, "w") as f:
         f.write(yaml.dump(content))
         f.close()
-        print(f"Generated file at {path}")
+        print(f"Generated file at {output_path}")
 
 
 def print_file(content: dict, file_name: str):
@@ -330,6 +331,22 @@ def print_file(content: dict, file_name: str):
     print("=====================================")
 
 
+def generate_k3d_command(config_file_path: str) -> str:
+    return f"k3d cluster create --config {config_file_path}"
+
+
+def generate_helm_command(overrides_file_path: str) -> str:
+    return f"helm upgrade --install localstack localstack/localstack -f {overrides_file_path}"
+
+
+def execute_deployment(config_file_path: str, overrides_file_path: str):
+    """
+    Use the k3d and helm commands to create a cluster and deploy LocalStack in one command
+    """
+    sp.check_call(shlex.split(generate_k3d_command(config_file_path)))
+    sp.check_call(shlex.split(generate_helm_command(overrides_file_path)))
+
+
 @click.command("run")
 @click.option(
     "--pro", is_flag=True, default=None, help="Mount the localstack-pro code into the cluster."
@@ -386,6 +403,13 @@ def print_file(content: dict, file_name: str):
     help="DNS port to expose from the kubernetes node. It is applied only if --expose-dns is set.",
     type=click.IntRange(0, 65535),
 )
+@click.option(
+    "--execute",
+    "-x",
+    is_flag=True,
+    default=False,
+    help="Execute deployment from generated config files. Implies -w/--write.",
+)
 @click.argument("command", nargs=-1, required=False)
 def run(
     pro: bool = None,
@@ -400,6 +424,7 @@ def run(
     port: int = None,
     expose_dns: bool = False,
     dns_port: int = 53,
+    execute: bool = False,
 ):
     """
     A tool for localstack developers to generate the kubernetes cluster configuration file and the overrides to mount the localstack code into the cluster.
@@ -416,25 +441,25 @@ def run(
     overrides_file = overrides_file or "overrides.yml"
     config_file = config_file or "configuration.yml"
 
-    if write:
-        write_file(config, output_dir, config_file)
-        write_file(overrides, output_dir, overrides_file)
+    overrides_file_path = os.path.join(output_dir, overrides_file)
+    config_file_path = os.path.join(output_dir, config_file)
+
+    if write or execute:
+        write_file(config, config_file_path)
+        write_file(overrides, overrides_file_path)
+        if execute:
+            execute_deployment(config_file, overrides_file)
     else:
         print_file(config, config_file)
         print_file(overrides, overrides_file)
 
-    overrides_file_path = os.path.join(output_dir, overrides_file)
-    config_file_path = os.path.join(output_dir, config_file)
-
     print("\nTo create a k3d cluster with the generated configuration, follow these steps:")
     print("1. Run the following command to create the cluster:")
-    print(f"\n    k3d cluster create --config {config_file_path}\n")
+    print(f"\n    {generate_k3d_command(config_file_path)}\n")
 
     print("2. Once the cluster is created, start LocalStack with the generated overrides:")
     print("\n    helm repo add localstack https://localstack.github.io/helm-charts # (if required)")
-    print(
-        f"\n    helm upgrade --install localstack localstack/localstack -f {overrides_file_path}\n"
-    )
+    print(f"\n    {generate_helm_command(overrides_file_path)}\n")
 
 
 def main():

localstack/runtime/analytics.py

@@ -7,10 +7,14 @@ from localstack.utils.analytics import log
 
 LOG = logging.getLogger(__name__)
 
+# Config options for which both usage and values are reported in analytics.
+# Important: This list must only contain options whose values do not contain PII or sensitive data.
 TRACKED_ENV_VAR = [
     "ACTIVATE_PRO",
     "ALLOW_NONSTANDARD_REGIONS",
     "BEDROCK_PREWARM",
+    "CFN_IGNORE_UNSUPPORTED_TYPE_CREATE",
+    "CFN_IGNORE_UNSUPPORTED_TYPE_UPDATE",
     "CFN_IGNORE_UNSUPPORTED_RESOURCE_TYPES",
     "CLOUDFRONT_LAMBDA_EDGE",
     "CONTAINER_RUNTIME",
@@ -26,6 +30,7 @@ TRACKED_ENV_VAR = [
     "DYNAMODB_IN_MEMORY",
     "DYNAMODB_REMOVE_EXPIRED_ITEMS",
     "EAGER_SERVICE_LOADING",
+    "EC2_DOCKER_INIT",
     "EC2_VM_MANAGER",
     "ECS_TASK_EXECUTOR",
     "EDGE_PORT",
@@ -71,9 +76,15 @@ TRACKED_ENV_VAR = [
     "USE_SSL",
 ]
 
+# Config options for which only the usage is reported in analytics.
+# Use this for options which may hold sensitive data or PII.
 PRESENCE_ENV_VAR = [
     "DATA_DIR",
     "EDGE_FORWARD_URL",  # Not functional; deprecated in 1.4.0, removed in 3.0.0
+    "EC2_HYPERVISOR_URI",
+    "EC2_REFERENCE_DOMAIN",
+    "EC2_LIBVIRT_NETWORK",
+    "EC2_LIBVIRT_POOL",
     "GATEWAY_LISTEN",
     "HOSTNAME",
     "HOSTNAME_EXTERNAL",

localstack/services/acm/provider.py

@@ -10,12 +10,23 @@ from localstack.aws.api.acm import (
     RequestCertificateResponse,
 )
 from localstack.services import moto
+from localstack.state import StateVisitor
 from localstack.utils.patch import patch
 
 # reduce the validation wait time from 60 (default) to 10 seconds
 moto_settings.ACM_VALIDATION_WAIT = min(10, moto_settings.ACM_VALIDATION_WAIT)
 
 
+@patch(acm_models.AWSCertificateManagerBackend.list_certificates)
+def list_certificates(list_certificates_orig, self, statuses, includes):
+    # Normalize keyTypes filter to match our describe() output format (hyphens)
+    if includes and "keyTypes" in includes:
+        includes["keyTypes"] = [
+            kt.replace("RSA_", "RSA-").replace("EC_", "EC-") for kt in includes["keyTypes"]
+        ]
+    return list_certificates_orig(self, statuses, includes)
+
+
 @patch(acm_models.CertBundle.describe)
 def describe(describe_orig, self):
     # TODO fix! Terrible hack (for parity). Moto adds certain required fields only if status is PENDING_VALIDATION.
@@ -70,8 +81,10 @@ def describe(describe_orig, self):
             cert[key] = value
     cert["Serial"] = str(cert.get("Serial") or "")
 
-    if cert.get("KeyAlgorithm") in ["RSA_1024", "RSA_2048"]:
+    if cert.get("KeyAlgorithm") in ["RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096"]:
         cert["KeyAlgorithm"] = cert["KeyAlgorithm"].replace("RSA_", "RSA-")
+    if cert.get("KeyAlgorithm") in ["EC_prime256v1", "EC_secp384r1", "EC_secp521r1"]:
+        cert["KeyAlgorithm"] = cert["KeyAlgorithm"].replace("EC_", "EC-")
 
     # add subject alternative names
     if cert["DomainName"] not in sans:
@@ -100,6 +113,9 @@ def describe(describe_orig, self):
 
 
 class AcmProvider(AcmApi):
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(acm_models.acm_backends)
+
     @handler("RequestCertificate", expand=False)
     def request_certificate(
         self,

localstack/services/apigateway/legacy/provider.py

@@ -42,6 +42,7 @@ from localstack.aws.api.apigateway import (
     DomainName,
     DomainNames,
     DomainNameStatus,
+    EndpointAccessMode,
     EndpointConfiguration,
     EndpointType,
     ExportResponse,
@@ -117,7 +118,11 @@ from localstack.services.apigateway.helpers import (
 from localstack.services.apigateway.legacy.helpers import multi_value_dict_for_list
 from localstack.services.apigateway.legacy.invocations import invoke_rest_api_from_request
 from localstack.services.apigateway.legacy.router_asf import ApigatewayRouter, to_invocation_context
-from localstack.services.apigateway.models import ApiGatewayStore, RestApiContainer
+from localstack.services.apigateway.models import (
+    ApiGatewayStore,
+    RestApiContainer,
+    apigateway_stores,
+)
 from localstack.services.apigateway.next_gen.execute_api.router import (
     ApiGatewayRouter as ApiGatewayRouterNextGen,
 )
@@ -125,6 +130,7 @@ from localstack.services.apigateway.patches import apply_patches
 from localstack.services.edge import ROUTER
 from localstack.services.moto import call_moto, call_moto_with_request
 from localstack.services.plugins import ServiceLifecycleHook
+from localstack.state import StateVisitor
 from localstack.utils.aws.arns import InvalidArnException, get_partition, parse_arn
 from localstack.utils.collections import (
     DelSafeDict,
@@ -191,6 +197,12 @@ class ApigatewayProvider(ApigatewayApi, ServiceLifecycleHook):
         apply_patches()
         self.router.register_routes()
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        from moto.apigateway import apigateway_backends
+
+        visitor.visit(apigateway_backends)
+        visitor.visit(apigateway_stores)
+
     @handler("TestInvokeMethod", expand=False)
     def test_invoke_method(
         self, context: RequestContext, request: TestInvokeMethodRequest
@@ -511,20 +523,21 @@ class ApigatewayProvider(ApigatewayApi, ServiceLifecycleHook):
         self,
         context: RequestContext,
         domain_name: String,
-        certificate_name: String = None,
-        certificate_body: String = None,
-        certificate_private_key: String = None,
-        certificate_chain: String = None,
-        certificate_arn: String = None,
-        regional_certificate_name: String = None,
-        regional_certificate_arn: String = None,
-        endpoint_configuration: EndpointConfiguration = None,
-        tags: MapOfStringToString = None,
-        security_policy: SecurityPolicy = None,
-        mutual_tls_authentication: MutualTlsAuthenticationInput = None,
-        ownership_verification_certificate_arn: String = None,
-        policy: String = None,
-        routing_mode: RoutingMode = None,
+        certificate_name: String | None = None,
+        certificate_body: String | None = None,
+        certificate_private_key: String | None = None,
+        certificate_chain: String | None = None,
+        certificate_arn: String | None = None,
+        regional_certificate_name: String | None = None,
+        regional_certificate_arn: String | None = None,
+        endpoint_configuration: EndpointConfiguration | None = None,
+        tags: MapOfStringToString | None = None,
+        security_policy: SecurityPolicy | None = None,
+        endpoint_access_mode: EndpointAccessMode | None = None,
+        mutual_tls_authentication: MutualTlsAuthenticationInput | None = None,
+        ownership_verification_certificate_arn: String | None = None,
+        policy: String | None = None,
+        routing_mode: RoutingMode | None = None,
         **kwargs,
     ) -> DomainName:
         if not domain_name:

localstack/services/cloudformation/engine/template_preparer.py

@@ -6,6 +6,7 @@ from localstack.services.cloudformation.engine.transformers import (
     apply_global_transformations,
     apply_intrinsic_transformations,
 )
+from localstack.services.cloudformation.engine.validations import ValidationError
 from localstack.utils.json import clone_safe
 
 LOG = logging.getLogger(__name__)
@@ -17,9 +18,12 @@ def parse_template(template: str) -> dict:
     except Exception:
         try:
             return clone_safe(yaml_parser.parse_yaml(template))
-        except Exception as e:
-            LOG.debug("Unable to parse CloudFormation template (%s): %s", e, template)
+        except ValidationError:
+            # The error is handled in the yaml parsing helper
             raise
+        except Exception:
+            # TODO: present the user with a better error message including error location
+            raise ValidationError("Template format error: YAML not well-formed.")
 
 
 def template_to_json(template: str) -> str:

localstack/services/cloudformation/engine/v2/change_set_model.py

@@ -1169,6 +1169,15 @@ class ChangeSetModel:
                 fn_transform,
             ],
         )
+
+        # special case of where either the before or after state does not specify properties but
+        # the resource was in the previous template
+        if (
+            terminal_value_type.change_type == ChangeType.UNCHANGED
+            and properties.change_type != ChangeType.UNCHANGED
+        ):
+            change_type = ChangeType.MODIFIED
+
         requires_replacement = self._resolve_requires_replacement(
             node_properties=properties, resource_type=terminal_value_type
         )

localstack/services/cloudformation/engine/v2/change_set_model_preproc.py

@@ -677,6 +677,13 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
             node_condition = self._get_node_condition_if_exists(
                 condition_name=condition_delta.before
             )
+            if is_nothing(node_condition):
+                # TODO: I don't think this is a possible state since for us to be evaluating the before state,
+                #  we must have successfully deployed the stack and as such this case was not reached before
+                raise ValidationError(
+                    f"Template error: unresolved condition dependency {condition_delta.before} in Fn::If"
+                )
+
             condition_value = self.visit(node_condition).before
             if condition_value:
                 arg_delta = self.visit(node_intrinsic_function.arguments.array[1])
@@ -688,6 +695,11 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
             node_condition = self._get_node_condition_if_exists(
                 condition_name=condition_delta.after
             )
+            if is_nothing(node_condition):
+                raise ValidationError(
+                    f"Template error: unresolved condition dependency {condition_delta.after} in Fn::If"
+                )
+
             condition_value = self.visit(node_condition).after
             if condition_value:
                 arg_delta = self.visit(node_intrinsic_function.arguments.array[1])
@@ -1057,7 +1069,9 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
 
         def _resolve_parameter_type(value: str, type_: str) -> Any:
             match type_:
-                case "List<String>" | "CommaDelimitedList":
+                case s if re.match(r"List<[^>]+>", s):
+                    return [item.strip() for item in value.split(",")]
+                case "CommaDelimitedList":
                     return [item.strip() for item in value.split(",")]
                 case "Number":
                     # TODO: validate the parameter type at template parse time (or whatever is in parity with AWS) so we know this cannot fail