Fix IAM enforcement endpoint: use /_aws/iam/config with state payload

The correct LocalStack endpoint is POST /_aws/iam/config with
{"state":"ENFORCED"} / {"state":"ALLOW_ALL"}, not /_localstack/config.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: whummer

01-serverless-app/website/index.html

@@ -820,25 +820,25 @@ <h2>API Endpoint</h2>
 
   async function checkIAM() {
     try {
-      const res  = await fetch(`${window.location.origin}/_localstack/config`);
+      const res  = await fetch(`${window.location.origin}/_aws/iam/config`);
       const data = await res.json();
-      const on   = !!(data.ENFORCE_IAM && data.ENFORCE_IAM !== "0" && data.ENFORCE_IAM !== false);
+      const on   = data.state === "ENFORCED";
       const toggle = document.getElementById("iam-toggle");
       const label  = document.getElementById("iam-status-label");
       const hint   = document.getElementById("iam-hint");
-      toggle.checked    = on;
-      label.textContent = on ? "On" : "Off";
-      label.className   = "chaos-status " + (on ? "on" : "off");
+      toggle.checked     = on;
+      label.textContent  = on ? "On" : "Off";
+      label.className    = "chaos-status " + (on ? "on" : "off");
       hint.style.display = on ? "block" : "none";
     } catch (_) {}
   }
 
   document.getElementById("iam-toggle").addEventListener("change", async function () {
     try {
-      await fetch(`${window.location.origin}/_localstack/config`, {
+      await fetch(`${window.location.origin}/_aws/iam/config`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ ENFORCE_IAM: this.checked ? "1" : "0" }),
+        body: JSON.stringify({ state: this.checked ? "ENFORCED" : "ALLOW_ALL" }),
       });
       await checkIAM();
     } catch (e) {

Makefile

@@ -84,14 +84,14 @@ replay-dlq: ## Replay messages from the DLQ back to the main queue
 # ── IAM enforcement ───────────────────────────────────────────────────────────
 
 iam-enforce: ## Enable IAM policy enforcement — order creation now fails (missing PutItem)
-	curl -s -X POST http://localhost:4566/_localstack/config \
+	curl -s -X POST http://localhost:4566/_aws/iam/config \
 	  -H "Content-Type: application/json" \
-	  -d '{"ENFORCE_IAM": "1"}' | python3 -m json.tool
+	  -d '{"state":"ENFORCED"}' | python3 -m json.tool
 
 iam-off: ## Disable IAM enforcement (permissive mode, default)
-	curl -s -X POST http://localhost:4566/_localstack/config \
+	curl -s -X POST http://localhost:4566/_aws/iam/config \
 	  -H "Content-Type: application/json" \
-	  -d '{"ENFORCE_IAM": "0"}' | python3 -m json.tool
+	  -d '{"state":"ALLOW_ALL"}' | python3 -m json.tool
 
 iam-fix: ## Grant missing dynamodb:PutItem to the Lambda role — fixes order creation
 	awslocal iam put-role-policy \
@@ -102,8 +102,7 @@ iam-fix: ## Grant missing dynamodb:PutItem to the Lambda role — fixes order cr
 
 iam-status: ## Show current IAM enforcement state and Lambda role policies
 	@echo "=== IAM enforcement ===" && \
-	  curl -s http://localhost:4566/_localstack/config | \
-	  python3 -c "import sys,json; c=json.load(sys.stdin); print('ENFORCE_IAM:', c.get('ENFORCE_IAM', False))"
+	  curl -s http://localhost:4566/_aws/iam/config | python3 -m json.tool
 	@echo "=== Lambda role policies ===" && \
 	  awslocal iam list-role-policies --role-name lambda-exec-role