AWS Service name
AWS Config
Operations needed
PutConfigurationRecorder, DescribeConfigurationRecorders, DescribeConfigurationRecorderStatus (added — recorder-status Read), StartConfigurationRecorder, PutDeliveryChannel, DescribeDeliveryChannels (added — aws_config_delivery_channel Read), PutConfigRule, DescribeConfigRules (added — aws_config_config_rule Read), DeleteConfigRule (added — destroy), PutOrganizationConfigRule, DescribeOrganizationConfigRules (added — org-rule Read), PutConfigurationAggregator, DescribeConfigurationAggregators, TagResource / UntagResource / ListTagsForResource (added). Store + list; no rule evaluation.
Use case
Why. A landing-zone governance baseline turns on AWS Config org-wide: start the configuration recorder (PutConfigurationRecorder + StartConfigurationRecorder), point a delivery channel at a central S3 bucket (PutDeliveryChannel), enable managed Config rules (PutConfigRule), roll out an organization Config rule across accounts (PutOrganizationConfigRule), and stand up a configuration aggregator in the Security OU that aggregates all accounts/regions (PutConfigurationAggregator). A user validating that IaC locally needs the Config control-plane to apply and read back — confirm the recorder, delivery channel, rules, org rule, and aggregator exist and are wired — without a real AWS organization.
Out of scope (important for an emulator). Store + list only — no rule evaluation, no compliance results, no configuration snapshots. A simulator can't evaluate resources against rules, and that is explicitly not the goal. This proves the IaC configures Config correctly (recorder running, channel wired, rules + org rule + aggregator created, tags applied), not that compliance is assessed. Config / API-shape / RBAC validation, not behavior.
Pairs with #993 + #989. The organization Config rule and the aggregator are administered from the delegated-admin Security-OU account (#993), which is vended by #989. AWS Config's own ops are independently absent (proof below).
Parity note. Ship each mutation with its paired Read so apply round-trips without drift: PutConfigurationRecorder→DescribeConfigurationRecorders/DescribeConfigurationRecorderStatus; PutDeliveryChannel→DescribeDeliveryChannels; PutConfigRule→DescribeConfigRules; PutOrganizationConfigRule→DescribeOrganizationConfigRules; PutConfigurationAggregator→DescribeConfigurationAggregators; TagResource→ListTagsForResource. StartConfigurationRecorder flips recorder status; DeleteConfigRule for destroy symmetry.
Proof
Verified against a clean MiniStack v1.3.69 (Terraform 1.5.7 + hashicorp/aws ~> 5.0, provider endpoints { config = "http://localhost:4566" }). There is no AWS Config emulator — no config (StarlingDove) handler in the service registry/router — so even though AWS Config is a JSON-RPC service, the unknown X-Amz-Target falls through to the default (S3-style XML) handler and the Config SDK cannot decode the response.
```hcl
resource "aws_config_configuration_recorder" "this" {
  name     = "default"
  role_arn = "arn:aws:iam::000000000000:role/config-role"
}
```

```
Error: putting ConfigService Configuration Recorder (default): operation error Config Service:
PutConfigurationRecorder, https response error StatusCode: 405, deserialization failed,
failed to decode response body, invalid character '<' looking for beginning of value
```
The raw response confirms the misroute — XML, not the JSON the Config SDK expects:
```
HTTP/1.1 405
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>MethodNotAllowed</Code><Message>The specified method is not allowed against this resource.</Message></Error>
```
So none of aws_config_configuration_recorder, aws_config_delivery_channel, aws_config_config_rule, aws_config_organization_managed_rule, or aws_config_configuration_aggregator can be created against MiniStack today — the org-wide config-governance baseline is entirely unrunnable, not even plan-stable past the provider's response decode.
Would you like to contribute this?
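The routing and Put/Describe parity requested above, for the recorder operations, as an added example that is not MiniStack's code. `ConfigStore`, its `handle(headers, body)` signature and the `UnknownOperationException` code returned for unsupported targets are assumptions; `StarlingDoveService.` is the `X-Amz-Target` prefix AWS Config clients send.

```python
import json

TARGET_PREFIX = "StarlingDoveService."  # X-Amz-Target prefix of the AWS Config JSON protocol
JSON_1_1 = "application/x-amz-json-1.1"

class ConfigStore:  # hypothetical store + list handler: no rule evaluation, no snapshots
    def __init__(self):
        self.recorders = {}  # name -> ConfigurationRecorder document as the client sent it
        self.recording = {}  # name -> bool, flipped by StartConfigurationRecorder

    def handle(self, headers, body):  # dispatch on X-Amz-Target; errors are JSON too, never XML
        target = headers.get("X-Amz-Target", "")
        op = target[len(TARGET_PREFIX):] if target.startswith(TARGET_PREFIX) else ""
        fn = getattr(self, "op_" + op, None)
        if fn is None:
            return self._reply(400, {"__type": "UnknownOperationException", "message": target})
        try:
            return self._reply(200, fn(json.loads(body or "{}")))
        except (KeyError, ValueError) as exc:  # missing request member or malformed JSON
            return self._reply(400, {"__type": "ValidationException", "message": repr(exc)})
        except LookupError as exc:  # raised by _names for a recorder that was never Put
            return self._reply(400, {"__type": "NoSuchConfigurationRecorderException",
                                     "message": str(exc)})

    def _reply(self, status, doc):
        return status, JSON_1_1, json.dumps(doc)

    def _names(self, req):
        names = req.get("ConfigurationRecorderNames") or sorted(self.recorders)
        if not set(names) <= set(self.recorders):
            raise LookupError(f"unknown recorder in {names}")
        return names

    def op_PutConfigurationRecorder(self, req):
        rec = req["ConfigurationRecorder"]
        self.recorders[rec["name"]] = rec
        self.recording.setdefault(rec["name"], False)  # a re-Put keeps the running state
        return {}

    def op_DescribeConfigurationRecorders(self, req):
        return {"ConfigurationRecorders": [self.recorders[n] for n in self._names(req)]}

    def op_DescribeConfigurationRecorderStatus(self, req):
        return {"ConfigurationRecordersStatus": [
            {"name": n, "recording": self.recording[n]} for n in self._names(req)]}

    def op_StartConfigurationRecorder(self, req):
        (name,) = self._names({"ConfigurationRecorderNames": [req["ConfigurationRecorderName"]]})
        self.recording[name] = True
        return {}
```

A target the store does not implement still gets a JSON error body, so the SDK surfaces a typed error instead of failing at response decode.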