Response body for GET /_fakecloud/acm/certificates/{arn-or-id}/chain-info.
Reports PEM block/byte counts and a status / cert_type snapshot
so tests can verify that uploaded chains round-trip intact. The
external_ca_validated flag is always false to document that
fakecloud does not run real X.509 verification.
Body for POST /_fakecloud/acm/certificates/{arn-or-id}/status. The
admin endpoint flips a stored ACM certificate’s status (and
optionally records a failure reason) so tests can synchronously
drive a cert to ISSUED, FAILED, or VALIDATION_TIMED_OUT
without waiting on the auto-issue tick.
One row in the Athena named-query introspection list returned by
GET /_fakecloud/athena/named-queries. Mirrors the underlying named
query record plus a last_used_at timestamp the server bumps every
time StartQueryExecution resolves the query by id.
Body for POST /_fakecloud/cloudfront/distributions/{id}/status. The
admin endpoint flips a stored CloudFront Distribution’s status so
tests can synchronously force it into Deployed or InProgress
without waiting on the propagation tick.
One alarm (metric or composite) as exposed by
GET /_fakecloud/cloudwatch/alarms. Metric-only fields
(namespace/metricName/threshold/comparisonOperator) are
omitted for composite alarms; alarmRule is present only for
composite alarms.
Admin payload for /_fakecloud/cognito/compromised-passwords.
Plaintext passwords are hashed (sha256) and added to the
compromised-credentials set consulted by InitiateAuth /
AdminInitiateAuth when the pool’s
CompromisedCredentialsRiskConfiguration.Actions.EventAction is
BLOCK.
Response from POST /_fakecloud/cognito/compromised-passwords. Echoes
the count of new password hashes added to the compromised-credentials
set on this call.
Request to bootstrap an IAM admin user in a specific account.
Used by /_fakecloud/iam/create-admin to solve the multi-account
bootstrap problem: there’s no per-account root credential, so this
endpoint creates a user with full admin access in any account.
A single EC2 instance as surfaced by GET /_fakecloud/ec2/instances.
Instances are metadata-faithful today (Docker-backed execution is a
roadmap follow-up), so this mirrors the control-plane view without
leaking runtime-internal fields.
Response shape for GET /_fakecloud/ecs/creds/{task_id}. Matches the
real ECS task metadata credential endpoint field casing (PascalCase),
so this type is Deserialize only — fakecloud writes the keys
already capitalized.
Response body for GET /_fakecloud/elbv2/waf-counts. The exact
shape of counts is service-internal and intentionally left as
free-form JSON so we don’t have to track every new dimension in
the SDK.
One delivery stream as exposed by
GET /_fakecloud/firehose/delivery-streams. One entry per stream
across every account, mirroring what CreateDeliveryStream recorded
plus its lifecycle and encryption state.
Server-side encryption summary for a Firehose delivery stream as
exposed by GET /_fakecloud/firehose/delivery-streams. status is
ENABLED/DISABLED; keyType/keyArn are present only when a
customer-managed key is configured.
Curated row for GET /_fakecloud/glue/crawlers. One entry per
crawler across every account, mirroring what CreateCrawler
recorded plus its lifecycle state.
Curated row for GET /_fakecloud/glue/jobs. Mirrors the
configured Glue Job state so tests can assert what CreateJob
recorded without re-listing through the AWS surface.
Curated row for GET /_fakecloud/glue/job-runs. Includes the
full state machine of a JobRun (StartJobRun ledger). Filter by
?job_name=foo to scope to a single job.
Body shape for POST /_fakecloud/ssm/sessions/inject. Drops a fake
session record into state without going through StartSession (which
returns the Smithy-declared TargetNotConnected unless
FAKECLOUD_SSM_SESSION_ECHO=1). Lets tests assert
DescribeSessions/TerminateSession paths work end-to-end.
Admin payload for /_fakecloud/logs/anomalies/inject. Lets tests
seed synthetic CloudWatch Logs anomalies so they can exercise
ListAnomalies / UpdateAnomaly deterministically.
One entry in the /_fakecloud/logs/delivery-config introspection
response. Combines a Delivery with the log_type from its
associated DeliverySource so test code can assert end-to-end
configuration without joining state manually.
Request body for the /_fakecloud/cognito/authorization-codes admin
mint endpoint. Lets test harnesses (and any caller that wants to
drive the authorization_code grant before the Y4 hosted-UI lands)
pre-allocate the same (client_id, redirect_uri, scopes, PKCE)
binding the real /oauth2/authorize endpoint will eventually
produce.
A single member account as exposed by
GET /_fakecloud/organizations/accounts. Mirrors the AWS
Organizations Account shape but adds two fakecloud-only fields
useful for test assertions: parentOuId (resolved parent OU or
root) and scpAttached (the set of SCP IDs directly attached to
the account — does not walk up the hierarchy).
One billing-responsibility transfer as exposed by
GET /_fakecloud/organizations/responsibility-transfers. Mirrors the
AWS ResponsibilityTransfer shape: direction is INBOUND/OUTBOUND,
status walks the transfer lifecycle, and activeHandshakeId points
at the handshake the invited org accepts/declines (or null).
One PreTokenGeneration Lambda trigger invocation captured for
introspection at /_fakecloud/cognito/pretokengen/invocations.
claims_added / claims_overridden / group_overrides are
pre-parsed from the Lambda response so test callers don’t have to
walk the raw claimsAndScopeOverrideDetails shape themselves.
Request body for POST /_fakecloud/rds/lambda-invoke. The endpoint is
the bridge that the PostgreSQL aws_lambda extension calls into from
inside an RDS DB instance container — it’s normally not driven by
user code directly.
Request body for POST /_fakecloud/rds/s3-import. The endpoint is
the bridge that the PostgreSQL aws_s3 extension calls into to
fetch an object from a fakecloud bucket. Body is returned base64
encoded so JSON transport stays text-only.
Response body for GET /_fakecloud/route53/zones/{id}/dnssec. Surfaces
the deterministic ECDSA P-256 DNSSEC chain-of-trust material for a
hosted zone with at least one ACTIVE Key Signing Key. Real Route 53
keeps this material inside KMS; fakecloud derives it from the
(zone_id, ksk_name) pair so persistence reloads, multiple test
runs, and verifier code see stable values.
Body for POST /_fakecloud/route53/zones/{id}/dnssec/sign. Signs an
RRset under the zone’s first ACTIVE KSK and returns the raw RRSIG
fields so tests can verify the signature against
dnskey_public_key_b64 from Route53DnssecMaterialResponse.
Body for POST /_fakecloud/route53/health-checks/{id}/status. The
admin endpoint flips a stored Route 53 health check’s reported
status (and optionally the last-failure-reason observation) so
tests can simulate failover scenarios without a live checker.
Response from GET /_fakecloud/ses/metrics. fakecloud surfaces a
running suppressedDropsTotal counter so test code can verify that
the suppression list short-circuits sends.
Admin payload to flip the SES account-level production_access_enabled
flag. fakecloud defaults to production_access_enabled=true so users
don’t have to verify recipients to send mail; flip this to false to
exercise sandbox-mode semantics (verified-recipient gate, send quotas,
etc.).
One registered WebAuthn credential surfaced by
GET /_fakecloud/cognito/webauthn-credentials. attestation_info is
kept as raw JSON because its shape depends on the attestation format.
Discriminator for the admin status field. Mirrors the variants of
fakecloud_route53::HealthCheckStatus without forcing the SDK crate
to depend on the route53 crate.