fix(apigw,apigwv2,cognito,wafv2,ecs): persist dropped params + validate managed rule groups (bug-hunt)#2284
Merged
Conversation
…te managed rule groups (bug-hunt)
Stubs cluster A from the 2026-07-15 bug hunt (1.26-1.30) — five write-then-read
asymmetries where a Create/Update accepted a parameter the corresponding
Get/Describe never reflected, plus one op fabricating data for any input.
- apigateway (1.26): UpdateUsagePlan `remove` op guard was dead code, so
detaching an API stage via {op:remove, /apiStages/<id>:<stage>} silently
no-op'd. Guard now admits replace/add/remove.
- apigatewayv2 (1.27): UpdateRouteResponse / UpdateIntegrationResponse
wholesale-replaced the stored record, dropping any field not in the request.
Now merges incoming fields onto the existing record so partial updates
preserve untouched fields.
- cognito (1.28): CreateUserPoolClient / UpdateUserPoolClient accepted
AnalyticsConfiguration but dropped it; DescribeUserPoolClient showed the
default. Now persisted and echoed.
- wafv2 (1.29): DescribeManagedRuleGroup returned a hardcoded Capacity=50 and a
fabricated "RuleA" for ANY vendor/name. Now validated against a real managed
rule group catalog (Common/KnownBadInputs/SQLi) with real capacities + rule
names; unknown groups return WAFInvalidParameterException. The catalog is the
single source of truth behind ListAvailableManagedRuleGroups and
DescribeAllManagedProducts too.
- ecs (1.30): CreateService / UpdateService dropped
serviceConnectConfiguration; DescribeServices never surfaced it. Now
persisted and echoed on the PRIMARY deployment (AWS's shape).
E2E tests added for each fix.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Stubs cluster A from the 2026-07-15 bug hunt (findings 1.26-1.30). Five
write-then-read asymmetries where a Create/Update accepted a parameter that the
corresponding Get/Describe never reflected, plus one op fabricating data for any
input.
removeop was dead (guard rejected it) → API-stage detach silently no-op'dThe wafv2 catalog (Common/KnownBadInputs/SQLi with their real capacities and
rule names) is now the single source of truth behind
ListAvailableManagedRuleGroups and DescribeAllManagedProducts, so the three ops
can no longer disagree.
No new public API surface (behavior + validation fixes on existing ops), so no
SDK/docs regeneration needed.
Test plan
apigateway::usage_plan_api_stage_add_then_removeapigatewayv2::update_route_response_merges_fieldscognito::cognito_user_pool_client_analytics_configuration_round_tripswafv2::describe_managed_rule_group_returns_real_rules_and_rejects_unknownecs::service_connect_configuration_round_trips_on_describecargo build,cargo clippy --all-targets,cargo fmtclean across the fiveservice crates + fakecloud-e2e.
Summary by cubic
Fixes five write/read mismatches across
apigateway,apigatewayv2,cognito,wafv2, andecs. Parameters accepted on Create/Update now persist to Get/Describe,wafv2validates managed rule groups against a real catalog, andcloudformationprovisioners pass these fields through on create.apigateway:UpdateUsagePlannow honorsremovefor/apiStages/<apiId>:<stage>so detaching an API stage works.apigatewayv2:UpdateRouteResponse/UpdateIntegrationResponsemerge fields on update (partial patch) instead of replacing the record; unspecified fields persist.cognito:AnalyticsConfigurationon user pool clients is stored and returned byDescribeUserPoolClient.wafv2:DescribeManagedRuleGroupchecks vendor/name against a catalog and returns real capacities and rule names; unknown groups raiseWAFInvalidParameterException. The same catalog backsListAvailableManagedRuleGroupsandDescribeAllManagedProducts.ecs:serviceConnectConfigurationis persisted and echoed on the PRIMARY deployment inDescribeServices; updating with an empty object disables it.cloudformation: Cognito and ECS provisioners now persistAnalyticsConfigurationandServiceConnectConfigurationsupplied in templates.Written for commit 74fc063. Summary will update on new commits.