localstack
diff --git a/‎.github/workflows/asf-updates.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/asf-updates.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.test_durations‎
Lines changed: 4919 additions & 4813 deletions b/‎.test_durations‎
Lines changed: 4919 additions & 4813 deletions
diff --git a/‎Makefile‎
Lines changed: 2 additions & 1 deletion b/‎Makefile‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎localstack-core/localstack/aws/api/ec2/__init__.py‎
Lines changed: 3 additions & 0 deletions b/‎localstack-core/localstack/aws/api/ec2/__init__.py‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎localstack-core/localstack/aws/api/opensearch/__init__.py‎
Lines changed: 16 additions & 0 deletions b/‎localstack-core/localstack/aws/api/opensearch/__init__.py‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎localstack-core/localstack/aws/api/s3control/__init__.py‎
Lines changed: 2 additions & 0 deletions b/‎localstack-core/localstack/aws/api/s3control/__init__.py‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_preproc.py‎
Lines changed: 0 additions & 65 deletions b/‎localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_preproc.py‎
Lines changed: 0 additions & 65 deletions
diff --git a/‎localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_transform.py‎
Lines changed: 51 additions & 10 deletions b/‎localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_transform.py‎
Lines changed: 51 additions & 10 deletions
diff --git a/‎localstack-core/localstack/testing/pytest/cloudformation/fixtures.py‎
Lines changed: 10 additions & 0 deletions b/‎localstack-core/localstack/testing/pytest/cloudformation/fixtures.py‎
Lines changed: 10 additions & 0 deletions
@@ -93,7 +93,8 @@ jobs:
           bin/release-helper.sh set-dep-ver awscli "==$AWSCLI_VERSION"
 
           # upgrade the requirements files only for the botocore package
-          pip install pip-tools
+          # FIXME remove pin on pip-tools when https://github.com/jazzband/pip-tools/issues/2215 us resolved
+          pip install "pip-tools<7.5.0"
           pip-compile --strip-extras --upgrade-package "botocore==$BOTOCORE_VERSION" --upgrade-package "boto3==$BOTOCORE_VERSION" --extra base-runtime -o requirements-base-runtime.txt pyproject.toml
           pip-compile --strip-extras --upgrade-package "botocore==$BOTOCORE_VERSION" --upgrade-package "boto3==$BOTOCORE_VERSION" --upgrade-package "awscli==$AWSCLI_VERSION" --extra runtime -o requirements-runtime.txt pyproject.toml
           pip-compile --strip-extras --upgrade-package "botocore==$BOTOCORE_VERSION" --upgrade-package "boto3==$BOTOCORE_VERSION" --upgrade-package "awscli==$AWSCLI_VERSION" --extra test -o requirements-test.txt pyproject.toml
 
@@ -3,15 +3,15 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.12.5
+    rev: v0.12.7
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]
       # Run the formatter.
       - id: ruff-format
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.17.0
+    rev: v1.17.1
     hooks:
       - id: mypy
         entry: bash -c 'cd localstack-core && mypy --install-types --non-interactive'
 
@@ -36,7 +36,8 @@ freeze:                   ## Run pip freeze -l in the virtual environment
 	@$(VENV_RUN); pip freeze -l
 
 upgrade-pinned-dependencies: venv
-	$(VENV_RUN); $(PIP_CMD) install --upgrade pip-tools pre-commit
+	# FIXME remove pin on pip-tools when https://github.com/jazzband/pip-tools/issues/2215 us resolved
+	$(VENV_RUN); $(PIP_CMD) install --upgrade "pip-tools<7.5.0" pre-commit
 	$(VENV_RUN); pip-compile --strip-extras --upgrade -o requirements-basic.txt pyproject.toml
 	$(VENV_RUN); pip-compile --strip-extras --upgrade --extra runtime -o requirements-runtime.txt pyproject.toml
 	$(VENV_RUN); pip-compile --strip-extras --upgrade --extra test -o requirements-test.txt pyproject.toml
 
@@ -9113,6 +9113,7 @@ class Route(TypedDict, total=False):
     VpcPeeringConnectionId: Optional[String]
     CoreNetworkArn: Optional[CoreNetworkArn]
     OdbNetworkArn: Optional[OdbNetworkArn]
+    IpAddress: Optional[String]
 
 
 RouteList = List[Route]
@@ -20678,6 +20679,7 @@ class TerminateClientVpnConnectionsResult(TypedDict, total=False):
 
 class TerminateInstancesRequest(ServiceRequest):
     InstanceIds: InstanceIdStringList
+    Force: Optional[Boolean]
     SkipOsShutdown: Optional[Boolean]
     DryRun: Optional[Boolean]
 
@@ -29116,6 +29118,7 @@ def terminate_instances(
         self,
         context: RequestContext,
         instance_ids: InstanceIdStringList,
+        force: Boolean | None = None,
         skip_os_shutdown: Boolean | None = None,
         dry_run: Boolean | None = None,
         **kwargs,
 
@@ -39,6 +39,8 @@
 ErrorType = str
 GUID = str
 HostedZoneId = str
+IAMFederationRolesKey = str
+IAMFederationSubjectKey = str
 Id = str
 IdentityCenterApplicationARN = str
 IdentityCenterInstanceARN = str
@@ -836,6 +838,12 @@ class AdvancedOptionsStatus(TypedDict, total=False):
 DisableTimestamp = datetime
 
 
+class IAMFederationOptionsOutput(TypedDict, total=False):
+    Enabled: Optional[Boolean]
+    SubjectKey: Optional[IAMFederationSubjectKey]
+    RolesKey: Optional[IAMFederationRolesKey]
+
+
 class JWTOptionsOutput(TypedDict, total=False):
     Enabled: Optional[Boolean]
     SubjectKey: Optional[String]
@@ -861,10 +869,17 @@ class AdvancedSecurityOptions(TypedDict, total=False):
     InternalUserDatabaseEnabled: Optional[Boolean]
     SAMLOptions: Optional[SAMLOptionsOutput]
     JWTOptions: Optional[JWTOptionsOutput]
+    IAMFederationOptions: Optional[IAMFederationOptionsOutput]
     AnonymousAuthDisableDate: Optional[DisableTimestamp]
     AnonymousAuthEnabled: Optional[Boolean]
 
 
+class IAMFederationOptionsInput(TypedDict, total=False):
+    Enabled: Optional[Boolean]
+    SubjectKey: Optional[IAMFederationSubjectKey]
+    RolesKey: Optional[IAMFederationRolesKey]
+
+
 class JWTOptionsInput(TypedDict, total=False):
     Enabled: Optional[Boolean]
     SubjectKey: Optional[SubjectKey]
@@ -894,6 +909,7 @@ class AdvancedSecurityOptionsInput(TypedDict, total=False):
     MasterUserOptions: Optional[MasterUserOptions]
     SAMLOptions: Optional[SAMLOptionsInput]
     JWTOptions: Optional[JWTOptionsInput]
+    IAMFederationOptions: Optional[IAMFederationOptionsInput]
     AnonymousAuthEnabled: Optional[Boolean]
 
 
 
@@ -857,6 +857,7 @@ class CreateAccessPointRequest(ServiceRequest):
     PublicAccessBlockConfiguration: Optional[PublicAccessBlockConfiguration]
     BucketAccountId: Optional[AccountId]
     Scope: Optional[Scope]
+    Tags: Optional[TagList]
 
 
 class CreateAccessPointResult(TypedDict, total=False):
@@ -2423,6 +2424,7 @@ def create_access_point(
         public_access_block_configuration: PublicAccessBlockConfiguration | None = None,
         bucket_account_id: AccountId | None = None,
         scope: Scope | None = None,
+        tags: TagList | None = None,
         **kwargs,
     ) -> CreateAccessPointResult:
         raise NotImplementedError
 
@@ -10,11 +10,6 @@
 from localstack import config
 from localstack.aws.api.ec2 import AvailabilityZoneList, DescribeAvailabilityZonesResult
 from localstack.aws.connect import connect_to
-from localstack.services.cloudformation.engine.transformers import (
-    Transformer,
-    execute_macro,
-    transformers,
-)
 from localstack.services.cloudformation.engine.v2.change_set_model import (
     ChangeSetEntity,
     ChangeType,
@@ -49,7 +44,6 @@
 )
 from localstack.services.cloudformation.stores import (
     exports_map,
-    get_cloudformation_store,
 )
 from localstack.services.cloudformation.v2.entities import ChangeSet
 from localstack.utils.aws.arns import get_partition
@@ -612,65 +606,6 @@ def _compute_fn_not(arg: bool) -> bool:
         )
         return delta
 
-    def _compute_fn_transform(self, args: dict[str, Any]) -> Any:
-        # TODO: add typing to arguments before this level.
-        # TODO: add schema validation
-        # TODO: add support for other transform types
-
-        account_id = self._change_set.account_id
-        region_name = self._change_set.region_name
-        transform_name: str = args.get("Name")
-        if not isinstance(transform_name, str):
-            raise RuntimeError("Invalid or missing Fn::Transform 'Name' argument")
-        transform_parameters: dict = args.get("Parameters")
-        if not isinstance(transform_parameters, dict):
-            raise RuntimeError("Invalid or missing Fn::Transform 'Parameters' argument")
-
-        if transform_name in transformers:
-            # TODO: port and refactor this 'transformers' logic to this package.
-            builtin_transformer_class = transformers[transform_name]
-            builtin_transformer: Transformer = builtin_transformer_class()
-            transform_output: Any = builtin_transformer.transform(
-                account_id=account_id, region_name=region_name, parameters=transform_parameters
-            )
-            return transform_output
-
-        macros_store = get_cloudformation_store(
-            account_id=account_id, region_name=region_name
-        ).macros
-        if transform_name in macros_store:
-            # TODO: this formatting of stack parameters is odd but required to integrate with v1 execute_macro util.
-            #  consider porting this utils and passing the plain list of parameters instead.
-            stack_parameters = {
-                parameter["ParameterKey"]: parameter
-                for parameter in self._change_set.stack.parameters
-            }
-            transform_output: Any = execute_macro(
-                account_id=account_id,
-                region_name=region_name,
-                parsed_template=dict(),  # TODO: review the requirements for this argument.
-                macro=args,  # TODO: review support for non dict bindings (v1).
-                stack_parameters=stack_parameters,
-                transformation_parameters=transform_parameters,
-                is_intrinsic=True,
-            )
-            return transform_output
-
-        raise RuntimeError(
-            f"Unsupported transform function '{transform_name}' in '{self._change_set.stack.stack_name}'"
-        )
-
-    def visit_node_intrinsic_function_fn_transform(
-        self, node_intrinsic_function: NodeIntrinsicFunction
-    ) -> PreprocEntityDelta:
-        arguments_delta = self.visit(node_intrinsic_function.arguments)
-        delta = self._cached_apply(
-            scope=node_intrinsic_function.scope,
-            arguments_delta=arguments_delta,
-            resolver=self._compute_fn_transform,
-        )
-        return delta
-
     def visit_node_intrinsic_function_fn_sub(
         self, node_intrinsic_function: NodeIntrinsicFunction
     ) -> PreprocEntityDelta:
 
@@ -4,9 +4,12 @@
 from typing import Any, Final, Optional, TypedDict
 
 import boto3
+from botocore.exceptions import ClientError
 from samtranslator.translator.transform import transform as transform_sam
 
+from localstack.aws.connect import connect_to
 from localstack.services.cloudformation.engine.policy_loader import create_policy_loader
+from localstack.services.cloudformation.engine.template_preparer import parse_template
 from localstack.services.cloudformation.engine.transformers import (
     FailedTransformationException,
     execute_macro,
@@ -27,12 +30,14 @@
 )
 from localstack.services.cloudformation.stores import get_cloudformation_store
 from localstack.services.cloudformation.v2.entities import ChangeSet
+from localstack.utils import testutil
 
 LOG = logging.getLogger(__name__)
 
 SERVERLESS_TRANSFORM = "AWS::Serverless-2016-10-31"
 EXTENSIONS_TRANSFORM = "AWS::LanguageExtensions"
 SECRETSMANAGER_TRANSFORM = "AWS::SecretsManager-2020-07-23"
+INCLUDE_TRANSFORM = "AWS::Include"
 
 _SCOPE_TRANSFORM_TEMPLATE_OUTCOME: Final[Scope] = Scope("TRANSFORM_TEMPLATE_OUTCOME")
 
@@ -138,6 +143,32 @@ def _apply_global_serverless_transformation(
             if region_before is not None:
                 os.environ["AWS_DEFAULT_REGION"] = region_before
 
+    @staticmethod
+    def _apply_global_include(
+        global_transform: GlobalTransform, template: dict, parameters: dict, account_id, region_name
+    ) -> dict:
+        location = global_transform.parameters.get("Location")
+        if not location or not location.startswith("s3://"):
+            raise FailedTransformationException(
+                transformation=INCLUDE_TRANSFORM,
+                message="Unexpected Location parameter for AWS::Include transformer: %s" % location,
+            )
+
+        s3_client = connect_to(aws_access_key_id=account_id, region_name=region_name).s3
+        bucket, _, path = location.removeprefix("s3://").partition("/")
+        try:
+            content = testutil.download_s3_object(s3_client, bucket, path)
+        except ClientError:
+            raise FailedTransformationException(
+                transformation=INCLUDE_TRANSFORM,
+                message="Error downloading S3 object '%s/%s'" % (bucket, path),
+            )
+        try:
+            template_to_include = parse_template(content)
+        except Exception as e:
+            raise FailedTransformationException(transformation=INCLUDE_TRANSFORM, message=str(e))
+        return {**template, **template_to_include}
+
     @staticmethod
     def _apply_global_macro_transformation(
         account_id: str,
@@ -182,6 +213,14 @@ def _apply_global_transform(
             # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-aws-secretsmanager.html
             LOG.warning("%s is not yet supported. Ignoring.", SECRETSMANAGER_TRANSFORM)
             transformed_template = template
+        elif transform_name == INCLUDE_TRANSFORM:
+            transformed_template = self._apply_global_include(
+                global_transform=global_transform,
+                region_name=self._change_set.region_name,
+                account_id=self._change_set.account_id,
+                template=template,
+                parameters=parameters,
+            )
         else:
             transformed_template = self._apply_global_macro_transformation(
                 account_id=self._change_set.account_id,
@@ -213,11 +252,12 @@ def transform(self) -> tuple[dict, dict]:
             if not transformed_before_template:
                 transformed_before_template = self._before_template
                 for before_global_transform in transform_before:
-                    transformed_before_template = self._apply_global_transform(
-                        global_transform=before_global_transform,
-                        parameters=parameters_before,
-                        template=transformed_before_template,
-                    )
+                    if not is_nothing(before_global_transform.name):
+                        transformed_before_template = self._apply_global_transform(
+                            global_transform=before_global_transform,
+                            parameters=parameters_before,
+                            template=transformed_before_template,
+                        )
                 self._before_cache[_SCOPE_TRANSFORM_TEMPLATE_OUTCOME] = transformed_before_template
 
         transformed_after_template = self._after_template
@@ -226,11 +266,12 @@ def transform(self) -> tuple[dict, dict]:
             if not transformed_after_template:
                 transformed_after_template = self._after_template
                 for after_global_transform in transform_after:
-                    transformed_after_template = self._apply_global_transform(
-                        global_transform=after_global_transform,
-                        parameters=parameters_after,
-                        template=transformed_after_template,
-                    )
+                    if not is_nothing(after_global_transform.name):
+                        transformed_after_template = self._apply_global_transform(
+                            global_transform=after_global_transform,
+                            parameters=parameters_after,
+                            template=transformed_after_template,
+                        )
                 self._after_cache[_SCOPE_TRANSFORM_TEMPLATE_OUTCOME] = transformed_after_template
 
         self._save_runtime_cache()
 
@@ -131,6 +131,11 @@ def inner(
             ChangeSetName=change_set_name,
             TemplateBody=t1,
             ChangeSetType="CREATE",
+            Capabilities=[
+                "CAPABILITY_IAM",
+                "CAPABILITY_NAMED_IAM",
+                "CAPABILITY_AUTO_EXPAND",
+            ],
             Parameters=[{"ParameterKey": k, "ParameterValue": v} for (k, v) in p1.items()],
         )
         snapshot.match("create-change-set-1", change_set_details)
@@ -189,6 +194,11 @@ def inner(
             TemplateBody=t2,
             ChangeSetType="UPDATE",
             Parameters=[{"ParameterKey": k, "ParameterValue": v} for (k, v) in p2.items()],
+            Capabilities=[
+                "CAPABILITY_IAM",
+                "CAPABILITY_NAMED_IAM",
+                "CAPABILITY_AUTO_EXPAND",
+            ],
         )
         snapshot.match("create-change-set-2", change_set_details)
         stack_id = change_set_details["StackId"]