feat(LocalStack): Require auth token for 4.15 and onwards

[HofmeisterAn]

What does this PR do?

The LocalStack team reached out and let us know that starting from version 4.15, LocalStack requires the LOCALSTACK_AUTH_TOKEN environment variable to be set. This PR updates the LocalStack module to enforce that requirement. If the variable isn't provided, it throws an exception and directs the developer to the LocalStack blog/documentation. /cc @HarshCasper

Why is it important?

Make it more visible to users that the LocalStack module requires the environment variable.

Related issues

• Closes localstack/localstack:latest will require auth token from March 23 — LocalStack module docs & examples need updating #1663

Summary by CodeRabbit

Release Notes

• New Features

  • LocalStack builder now enforces LOCALSTACK_AUTH_TOKEN environment variable requirement for LocalStack 4.15 and later versions.

• Tests

  • Added validation tests for LocalStack authentication token requirement across different versions.

• Chores

  • Updated test infrastructure and refactored internal validation code for consistency.

[coderabbitai]

Walkthrough

Multiple builders across the Testcontainers library now use concrete DockerResourceConfiguration member names in validation guard calls instead of interface member names, and exception messages reference guarded argument values rather than builder state. Additionally, LocalStackBuilder adds validation requiring LOCALSTACK_AUTH_TOKEN environment variable for LocalStack 4.15+ images, with corresponding test coverage and updated test image version.

Changes

Cohort / File(s)	Summary
Guard Argument Parameter Name Updates src/Testcontainers/Builders/AbstractBuilder\4.cs, src/Testcontainers/Builders/ContainerBuilder`3.cs, src/Testcontainers/Builders/ImageFromDockerfileBuilder.cs, src/Testcontainers/Builders/NetworkBuilder.cs, src/Testcontainers/Builders/VolumeBuilder.cs`	Changed Guard.Argument parameter names from interface member references (e.g., IResourceConfiguration.Logger) to concrete DockerResourceConfiguration member names for more accurate exception reporting.
Exception Message Source Fixes src/Testcontainers.Neo4j/Neo4jBuilder.cs, src/Testcontainers.Oracle/OracleBuilder.cs, src/Testcontainers/Builders/ContainerBuilder\3.cs`	Modified exception messages to use argument.Value.Image.FullName (from guarded value) instead of DockerResourceConfiguration.Image.FullName (from builder state), ensuring correct image name is reported.
LocalStack Auth Token Validation src/Testcontainers.LocalStack/LocalStackBuilder.cs, src/Testcontainers.LocalStack/Usings.cs	Added Validate() override in LocalStackBuilder that requires LOCALSTACK_AUTH_TOKEN environment variable for LocalStack 4.15+ and nightly images. Added global using directive for DotNet.Testcontainers.
Test Updates tests/Testcontainers.LocalStack.Tests/Dockerfile, tests/Testcontainers.LocalStack.Tests/LocalStackBuilderTest.cs	Updated test image from localstack/localstack:2.0.2 to 4.14.0. Added new LocalStackBuilderTest class with five xUnit tests validating auth token requirement enforcement for different image versions.
Validation Logic Formatting src/Testcontainers.Kafka/KafkaBuilder.cs	Reformatted vendorNotFound predicate from single-line to multi-line lambda; logic unchanged.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

breaking change

Poem

🐰 With LocalStack's march toward March, we've made it clear—
Auth tokens now required when newer versions appear!
Guard names now faithful to concrete types so true,
Exception messages speak from values, not from builder's view.
Tests are bright and validation tight! 🌟

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	Most changes align with the PR's core objective. However, multiple unrelated refactorings of guard argument names across builder classes appear to be out of scope.	The guard argument name changes in AbstractBuilder, ContainerBuilder, ImageFromDockerfileBuilder, NetworkBuilder, VolumeBuilder, Neo4jBuilder, OracleBuilder, and KafkaBuilder should be separated into a distinct PR titled 'chore: Align guard usage' to keep this PR focused on the LocalStack auth token enforcement.
Docstring Coverage	⚠️ Warning	Docstring coverage is 70.59% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: enforcing LocalStack auth token requirement for version 4.15 and onwards.
Description check	✅ Passed	The description includes all mandatory sections (What and Why) and relevant optional sections (Related issues). It clearly explains the change, rationale, and links issue #1663.
Linked Issues check	✅ Passed	The PR successfully implements the coding requirement from #1663: enforcing LOCALSTACK_AUTH_TOKEN validation in LocalStackBuilder for versions 4.15+, with comprehensive test coverage.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/require-localstack-auth-token

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can suggest fixes for GitHub Check annotations.

Configure the reviews.tools.github-checks setting to adjust the time to wait for GitHub Checks to complete.

[netlify]

✅ Deploy Preview for testcontainers-dotnet ready!

Name	Link
🔨 Latest commit	6815de9
🔍 Latest deploy log	https://app.netlify.com/projects/testcontainers-dotnet/deploys/69bc14bf2636a20008c4ccb6
😎 Deploy Preview	https://deploy-preview-1667--testcontainers-dotnet.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

🧹 Nitpick comments (2)

tests/Testcontainers.LocalStack.Tests/LocalStackBuilderTest.cs (1)

3-31: Consider adding test coverage for latest and nightly tags.

The validation logic in LocalStackBuilder.Validate() uses MatchLatestOrNightly() to require auth tokens for these tags, which aligns with the PR objective that localstack/localstack:latest will require authentication after March 23, 2026. However, there's no test coverage for this path.

💡 Suggested additional tests

[Fact]
public void LocalStackLatestWithoutAuthTokenThrowsArgumentException()
{
    const string message = "The image 'localstack/localstack:latest' requires the LOCALSTACK_AUTH_TOKEN environment variable for LocalStack 4.15 and onwards.";
    ExpectArgEx(message, () => new LocalStackBuilder("localstack/localstack:latest").Build());
}

[Fact]
public void LocalStackLatestWithAuthTokenDoesNotThrowArgumentException()
{
    var exception = Xunit.Record.Exception(() => new LocalStackBuilder("localstack/localstack:latest").WithEnvironment("LOCALSTACK_AUTH_TOKEN", "<auth-token>").Build());
    Assert.Null(exception);
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/Testcontainers.LocalStack.Tests/LocalStackBuilderTest.cs` around lines
3 - 31, Add unit tests in LocalStackBuilderTest to cover the "latest" and
"nightly" image tags similar to existing tests: add tests that assert
LocalStackBuilder("localstack/localstack:latest") and
("localstack/localstack:nightly") throw the same ArgumentException message when
built without LOCALSTACK_AUTH_TOKEN (use ExpectArgEx), and add companion tests
that call WithEnvironment("LOCALSTACK_AUTH_TOKEN", "<auth-token>") and assert no
exception (use Xunit.Record.Exception and Assert.Null). These tests exercise the
validation path in LocalStackBuilder.Validate() that uses MatchLatestOrNightly()
to require auth tokens.

src/Testcontainers.LocalStack/LocalStackBuilder.cs (1)

90-91: Consider adding parentheses for clarity.

While operator precedence is correct (&& binds tighter than ||), explicit parentheses would improve readability:

-            !value.Environments.TryGetValue("LOCALSTACK_AUTH_TOKEN", out _) && (value.Image.MatchLatestOrNightly() || value.Image.MatchVersion(v => v.Major > 4 || v.Major == 4 && v.Minor > 14));
+            !value.Environments.TryGetValue("LOCALSTACK_AUTH_TOKEN", out _) && (value.Image.MatchLatestOrNightly() || value.Image.MatchVersion(v => v.Major > 4 || (v.Major == 4 && v.Minor > 14)));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Testcontainers.LocalStack/LocalStackBuilder.cs` around lines 90 - 91, The
predicate requiresAuthToken expression is correct but unclear; update the lambda
in Predicate<LocalStackConfiguration> requiresAuthToken to add explicit
parentheses around the OR portion so the intent is obvious (e.g. parenthesize
the Image.MatchLatestOrNightly() || Image.MatchVersion(... ) part) while keeping
the logic the same; this touches the lambda that reads value =>
!value.Environments.TryGetValue("LOCALSTACK_AUTH_TOKEN", out _) &&
(value.Image.MatchLatestOrNightly() || value.Image.MatchVersion(v => v.Major > 4
|| v.Major == 4 && v.Minor > 14)) referencing LocalStackConfiguration,
Environments, LOCALSTACK_AUTH_TOKEN, Image.MatchLatestOrNightly and
Image.MatchVersion.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/Testcontainers.LocalStack/LocalStackBuilder.cs`:
- Around line 90-91: The predicate requiresAuthToken expression is correct but
unclear; update the lambda in Predicate<LocalStackConfiguration>
requiresAuthToken to add explicit parentheses around the OR portion so the
intent is obvious (e.g. parenthesize the Image.MatchLatestOrNightly() ||
Image.MatchVersion(... ) part) while keeping the logic the same; this touches
the lambda that reads value =>
!value.Environments.TryGetValue("LOCALSTACK_AUTH_TOKEN", out _) &&
(value.Image.MatchLatestOrNightly() || value.Image.MatchVersion(v => v.Major > 4
|| v.Major == 4 && v.Minor > 14)) referencing LocalStackConfiguration,
Environments, LOCALSTACK_AUTH_TOKEN, Image.MatchLatestOrNightly and
Image.MatchVersion.

In `@tests/Testcontainers.LocalStack.Tests/LocalStackBuilderTest.cs`:
- Around line 3-31: Add unit tests in LocalStackBuilderTest to cover the
"latest" and "nightly" image tags similar to existing tests: add tests that
assert LocalStackBuilder("localstack/localstack:latest") and
("localstack/localstack:nightly") throw the same ArgumentException message when
built without LOCALSTACK_AUTH_TOKEN (use ExpectArgEx), and add companion tests
that call WithEnvironment("LOCALSTACK_AUTH_TOKEN", "<auth-token>") and assert no
exception (use Xunit.Record.Exception and Assert.Null). These tests exercise the
validation path in LocalStackBuilder.Validate() that uses MatchLatestOrNightly()
to require auth tokens.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 26b1294e-49a4-4b70-b66a-ecec79309e93

📥 Commits

Reviewing files that changed from the base of the PR and between 0aa181b and d2abdc1.

📒 Files selected for processing (12)

• src/Testcontainers.Kafka/KafkaBuilder.cs
• src/Testcontainers.LocalStack/LocalStackBuilder.cs
• src/Testcontainers.LocalStack/Usings.cs
• src/Testcontainers.Neo4j/Neo4jBuilder.cs
• src/Testcontainers.Oracle/OracleBuilder.cs
• src/Testcontainers/Builders/AbstractBuilder4.cs`
• src/Testcontainers/Builders/ContainerBuilder3.cs`
• src/Testcontainers/Builders/ImageFromDockerfileBuilder.cs
• src/Testcontainers/Builders/NetworkBuilder.cs
• src/Testcontainers/Builders/VolumeBuilder.cs
• tests/Testcontainers.LocalStack.Tests/Dockerfile
• tests/Testcontainers.LocalStack.Tests/LocalStackBuilderTest.cs