Problem
AWS currently passes strict manifest validation and has a legacy host-load conformance gate, but it still serves sdk.Serve(internal.NewAWSPlugin()). New wfctl plugin conformance --mode typed-iac rejects that boundary because typed-IaC compatibility requires sdk.ServeIaCPlugin + pb.IaCProviderRequiredServer registration.
Observed from origin/main on 2026-05-11:
/tmp/wfctl-conformance plugin conformance --mode typed-iac --build-package ./cmd/workflow-plugin-aws --engine-version v0.51.3-0.20260511092920-8e4247812e6d --format json --output conformance-evidence.json .
Result:
error: iac: plugin uses legacy InvokeService dispatch removed in workflow v1.0.0
Required migration
- replace legacy
sdk.Serve entrypoint with sdk.ServeIaCPlugin
- add an AWS typed-IaC server wrapper that satisfies
pb.IaCProviderRequiredServer and delegates to the existing provider
- keep cloud-mutating RPCs out of conformance smoke; metadata-only conformance must not require AWS credentials
- update
go.mod to a Workflow engine that includes typed-IaC server support
- run
wfctl plugin validate --file plugin.json --strict-contracts
- add push-only
wfctl plugin conformance --mode typed-iac --build-package ./cmd/workflow-plugin-aws once the migration passes locally
Notes
Existing PR #6 validates the shipped legacy boundary and should remain useful until this cutover lands. This issue tracks the stricter provider contract needed for registry compatibility evidence and future wfctl plugin install enforcement.
Problem
AWS currently passes strict manifest validation and has a legacy host-load conformance gate, but it still serves
sdk.Serve(internal.NewAWSPlugin()). Newwfctl plugin conformance --mode typed-iacrejects that boundary because typed-IaC compatibility requiressdk.ServeIaCPlugin+pb.IaCProviderRequiredServerregistration.Observed from
origin/mainon 2026-05-11:/tmp/wfctl-conformance plugin conformance --mode typed-iac --build-package ./cmd/workflow-plugin-aws --engine-version v0.51.3-0.20260511092920-8e4247812e6d --format json --output conformance-evidence.json .Result:
Required migration
sdk.Serveentrypoint withsdk.ServeIaCPluginpb.IaCProviderRequiredServerand delegates to the existing providergo.modto a Workflow engine that includes typed-IaC server supportwfctl plugin validate --file plugin.json --strict-contractswfctl plugin conformance --mode typed-iac --build-package ./cmd/workflow-plugin-awsonce the migration passes locallyNotes
Existing PR #6 validates the shipped legacy boundary and should remain useful until this cutover lands. This issue tracks the stricter provider contract needed for registry compatibility evidence and future
wfctl plugin installenforcement.