Summary
meshfed-release PR #9582 introduces a new optional configuration block for AWS platforms: `awsIdentityStore` — an alternative to the existing SCIM-based `awsSso` integration that uses the AWS Identity Store API directly.
The provider currently supports the `aws_sso` block in `meshstack_meshplatform`. This issue requests adding an `aws_identity_store` block alongside it.
meshObject API Changes
A new optional field `awsIdentityStore` (of type `MeshPlatformAWSIdentityStoreConfigurationV2`) was added to `spec.config.aws.replication` in the `meshPlatformConfig` meshObject. Only one of `awsSso` or `awsIdentityStore` may be set at a time.
New fields under `spec.config.aws.replication.awsIdentityStore`
| Field | Type | Required | Description |
|---|---|---|---|
| `identityStoreId` | string | ✅ | The ID of the AWS IAM Identity Center Identity Store, e.g. `d-1234567890` |
| `arn` | string | ✅ | The ARN of the AWS IAM Identity Center instance, e.g. `arn:aws:sso:::instance/ssoins-123456789abc` |
| `groupNamePattern` | string | ✅ | Pattern for managed group names. Supports `platformGroupAlias` replacement. Groups are prefixed with `mst-`. |
| `awsRoleMappings[].projectRoleRef.name` | string | ✅ | Identifier of the meshProjectRole, e.g. `admin`, `user`, `reader` |
| `awsRoleMappings[].projectRoleRef.kind` | string | ✅ | Must be `meshProjectRole` |
| `awsRoleMappings[].awsRole` | string | ✅ | AWS role alias used as suffix in the group name pattern |
| `awsRoleMappings[].permissionSetArns` | list(string) | ✅ | ARNs of IAM Identity Center permission sets to assign to the group (at least one required) |
| `signInUrl` | string | ✅ | AWS IAM Identity Center sign-in URL for end users |
Note: Unlike `awsSso`, there is no SCIM token field — authentication reuses the existing replicator IAM role, making this compatible with Workload Identity Federation (WIF).
Requested Provider Changes
Add an `aws_identity_store` optional `SingleNestedAttribute` block to the `replication` section of `platform_resource_schema_aws.go`, parallel to the existing `aws_sso` block:

```hcl
resource "meshstack_meshplatform" "example" {
  metadata = { ... }
  spec = {
    ...
    aws = {
      replication = {
        ...
        # New: alternative to aws_sso, no SCIM token needed
        aws_identity_store = {
          identity_store_id  = "d-1234567890"
          arn                = "arn:aws:sso:::instance/ssoins-123456789abc"
          # "$$" keeps the placeholder literal so Terraform does not try to
          # interpolate it; meshStack performs the platformGroupAlias replacement
          group_name_pattern = "$${platformGroupAlias}"
          sign_in_url        = "https://d-1234567890.awsapps.com/start"
          aws_role_mappings = [
            {
              project_role_ref    = { name = "admin", kind = "meshProjectRole" }
              aws_role            = "admin"
              permission_set_arns = ["arn:aws:sso:::permissionSet/ssoins-123456789abc/ps-abc123"]
            }
          ]
        }
      }
    }
  }
}
```
Validation: The provider should enforce that at most one of `aws_sso` or `aws_identity_store` is set.
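The rules above (mutual exclusion of the two blocks, the required fields, `kind` fixed to `meshProjectRole`, at least one permission set ARN) expressed as a stand-alone check over the `spec.config.aws.replication` JSON. This is an added example, not code from the provider or from meshfed-release; the Go struct layout is an assumption, only the JSON keys come from the issue.

```go
package main

import "encoding/json"
import "fmt"

// Subset of spec.config.aws.replication from the meshPlatformConfig meshObject.
// JSON keys follow the issue; the Go struct layout is this example's assumption.
type replication struct {
	AWSSso           *json.RawMessage `json:"awsSso"`
	AWSIdentityStore *struct {
		IdentityStoreID  string `json:"identityStoreId"`
		ARN              string `json:"arn"`
		GroupNamePattern string `json:"groupNamePattern"`
		SignInURL        string `json:"signInUrl"`
		AWSRoleMappings  []struct {
			ProjectRoleRef    struct{ Name, Kind string } `json:"projectRoleRef"`
			AWSRole           string                      `json:"awsRole"`
			PermissionSetArns []string                    `json:"permissionSetArns"`
		} `json:"awsRoleMappings"`
	} `json:"awsIdentityStore"`
}

// ValidateReplication enforces the issue's rules: awsSso and awsIdentityStore are mutually
// exclusive, every awsIdentityStore field is required, and each role mapping is well-formed.
func ValidateReplication(raw []byte) error {
	var r replication
	if err := json.Unmarshal(raw, &r); err != nil {
		return err
	}
	s := r.AWSIdentityStore
	if r.AWSSso != nil && s != nil {
		return fmt.Errorf("only one of awsSso or awsIdentityStore may be set")
	}
	if s == nil {
		return nil // awsSso only, or neither block: nothing further to check here
	}
	if s.IdentityStoreID == "" || s.ARN == "" || s.GroupNamePattern == "" || s.SignInURL == "" {
		return fmt.Errorf("awsIdentityStore: identityStoreId, arn, groupNamePattern and signInUrl are required")
	}
	for i, m := range s.AWSRoleMappings {
		if m.ProjectRoleRef.Kind != "meshProjectRole" || m.ProjectRoleRef.Name == "" || m.AWSRole == "" {
			return fmt.Errorf("awsRoleMappings[%d] needs projectRoleRef{name, kind=meshProjectRole} and awsRole", i)
		}
		if len(m.PermissionSetArns) == 0 {
			return fmt.Errorf("awsRoleMappings[%d].permissionSetArns needs at least one ARN", i)
		}
	}
	return nil
}
```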
Related