
feat: Add aws_identity_store support to meshstack_platform AWS replication config#125

Merged
JohannesRudolph merged 7 commits into
mainfrom
copilot/add-aws-identity-store-support
Mar 12, 2026

Conversation

Copilot AI commented Mar 11, 2026

Contributor

Adds aws_identity_store as an optional replication block for AWS platforms, using the AWS Identity Store API directly instead of SCIM. Unlike aws_sso, it requires no SCIM token and is compatible with Workload Identity Federation.

Changes

  • client/platform_config_aws.go: New AwsIdentityStoreConfig, AwsIdentityStoreRoleMapping, and AwsIdentityStoreProjectRoleRef structs; AwsIdentityStore field added to AwsReplicationConfig
  • platform_resource_schema_aws.go: New aws_identity_store block with ConflictsWith validators on both aws_sso and aws_identity_store to enforce mutual exclusivity
  • resource_02_aws.tf: Updated existing AWS example to showcase aws_identity_store instead of aws_sso
  • platform_resource_test.go: Updated checkAwsPlatformConfig to assert aws_identity_store fields and aws_sso: null

Notable design decision

Per explicit requirement, project_role_ref in aws_identity_store.aws_role_mappings exposes only name; kind is omitted from the schema entirely (always implicitly meshProjectRole), unlike the aws_sso pattern, which uses a computed kind field.

aws_identity_store = {
  identity_store_id  = "d-1234567890"
  arn                = "arn:aws:sso:::instance/ssoins-1234567890abcdef"
  group_name_pattern = "#{workspaceIdentifier}.#{projectIdentifier}-#{platformGroupAlias}"
  sign_in_url        = "https://d-1234567890.awsapps.com/start"

  aws_role_mappings = [
    {
      project_role_ref    = { name = "admin" }
      aws_role            = "admin"
      permission_set_arns = ["arn:aws:sso:::permissionSet/ssoins-1234567890abcdef/ps-1234567890abcdef"]
    }
  ]
}
Original prompt

This section details the original issue you should resolve

<issue_title>feat: Add awsIdentityStore support to meshstack_meshplatform resource (AWS Identity Store API integration)</issue_title>
<issue_description>## Summary

meshfed-release PR meshcloud/terraform-provider-meshstack#9582 introduces a new optional configuration block for AWS platforms: awsIdentityStore — an alternative to the existing SCIM-based awsSso integration that uses the AWS Identity Store API directly.

The provider currently supports the aws_sso block in meshstack_meshplatform. This issue requests adding an aws_identity_store block alongside it.


meshObject API Changes

A new optional field awsIdentityStore (of type MeshPlatformAWSIdentityStoreConfigurationV2) was added to spec.config.aws.replication in the meshPlatformConfig meshObject. Only one of awsSso or awsIdentityStore may be set at a time.

New fields under spec.config.aws.replication.awsIdentityStore

| Field | Type | Required | Description |
|---|---|---|---|
| identityStoreId | string | | The ID of the AWS IAM Identity Center Identity Store, e.g. d-1234567890 |
| arn | string | | The ARN of the AWS IAM Identity Center Instance, e.g. arn:aws:sso:::instance/ssoins-123456789abc |
| groupNamePattern | string | | Pattern for managed group names. Supports platformGroupAlias replacement. Groups are prefixed with mst-. |
| awsRoleMappings[].projectRoleRef.name | string | | Identifier of the meshProjectRole, e.g. admin, user, reader |
| awsRoleMappings[].projectRoleRef.kind | string | | Must be meshProjectRole |
| awsRoleMappings[].awsRole | string | | AWS role alias used as suffix in the group name pattern |
| awsRoleMappings[].permissionSetArns | list(string) | | ARNs of IAM Identity Center permission sets to assign to the group (at least one required) |
| signInUrl | string | | AWS IAM Identity Center sign-in URL for end-users |

Note: Unlike awsSso, there is no SCIM token field — authentication reuses the existing replicator IAM role, making this compatible with Workload Identity Federation (WIF).


Requested Provider Changes

Add an aws_identity_store optional SingleNestedAttribute block to the replication section of platform_resource_schema_aws.go, parallel to the existing aws_sso block:

resource "meshstack_meshplatform" "example" {
  metadata = { ... }
  spec = {
    ...
    aws = {
      replication = {
        ...
        # New: alternative to aws_sso, no SCIM token needed
        aws_identity_store = {
          identity_store_id  = "d-1234567890"
          arn                = "arn:aws:sso:::instance/ssoins-123456789abc"
          # meshStack placeholder syntax is #{...}; an unescaped ${...} would be read by Terraform as an interpolation
          group_name_pattern = "#{platformGroupAlias}"
          sign_in_url        = "https://d-1234567890.awsapps.com/start"
          aws_role_mappings = [
            {
              project_role_ref    = { name = "admin", kind = "meshProjectRole" }
              aws_role            = "admin"
              permission_set_arns = ["arn:aws:sso:::permissionSet/ssoins-123456789abc/ps-abc123"]
            }
          ]
        }
      }
    }
  }
}

Validation: The provider should enforce that at most one of aws_sso or aws_identity_store is set.


Related

Comments on the Issue (you are @copilot in this section)
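The two constraints this PR and the issue describe (the aws_sso / aws_identity_store mutual exclusivity enforced with ConflictsWith validators, and "at least one permission set ARN" per role mapping), plus the decision to fix projectRoleRef.kind to meshProjectRole without exposing it, shown as client-side logic in an added example. The struct shapes and function names are assumptions modelled on the issue's field table, not the provider's own client types.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical client shapes modelled on the issue's field table; not the provider's own types.
type ProjectRoleRef struct {
	Name string `json:"name"`
	Kind string `json:"kind"`
}
type IdentityStoreRoleMapping struct {
	ProjectRoleRef    ProjectRoleRef `json:"projectRoleRef"`
	AwsRole           string         `json:"awsRole"`
	PermissionSetArns []string       `json:"permissionSetArns"`
}
type AwsIdentityStoreConfig struct {
	IdentityStoreID  string                     `json:"identityStoreId"`
	Arn              string                     `json:"arn"`
	GroupNamePattern string                     `json:"groupNamePattern"`
	SignInURL        string                     `json:"signInUrl"`
	AwsRoleMappings  []IdentityStoreRoleMapping `json:"awsRoleMappings"`
}
// awsSso stays opaque here: it is the SCIM-token based block that awsIdentityStore replaces.
type AwsReplicationConfig struct {
	AwsSso           json.RawMessage         `json:"awsSso,omitempty"`
	AwsIdentityStore *AwsIdentityStoreConfig `json:"awsIdentityStore,omitempty"`
}

// NewRoleMapping mirrors the schema decision: only projectRoleRef.name is user-supplied; kind is always meshProjectRole.
func NewRoleMapping(name, awsRole string, permissionSetArns []string) IdentityStoreRoleMapping {
	ref := ProjectRoleRef{Name: name, Kind: "meshProjectRole"}
	return IdentityStoreRoleMapping{ProjectRoleRef: ref, AwsRole: awsRole, PermissionSetArns: permissionSetArns}
}

// ValidateReplication enforces the page's two constraints: at most one of awsSso / awsIdentityStore,
// and at least one permission set ARN per role mapping. An unset awsSso is omitted from the JSON entirely.
func ValidateReplication(c AwsReplicationConfig) error {
	if c.AwsSso != nil && c.AwsIdentityStore != nil {
		return errors.New("awsSso and awsIdentityStore are mutually exclusive")
	}
	if c.AwsIdentityStore != nil {
		for i, m := range c.AwsIdentityStore.AwsRoleMappings {
			if len(m.PermissionSetArns) == 0 {
				return fmt.Errorf("awsRoleMappings[%d]: at least one permission set ARN is required", i)
			}
		}
	}
	return nil
}
```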



Copilot AI changed the title [WIP] Add awsIdentityStore support to meshstack_meshplatform resource feat: Add aws_identity_store support to meshstack_platform AWS replication config Mar 11, 2026
Comment thread internal/provider/platform_resource_test.go Outdated
@JohannesRudolph

Member

@grubmeshi a general question: why do we have examples as tf code files and then there's also ## Example Usage in every resource's documentation? That seems like a bit of duplication, and there's also the potential that these get out of sync.

Is there some way to verify/validate the examples that go into md files, or maybe even source them from a proper tf file? I'm sure other TF providers must have solved that same problem already.

@JohannesRudolph JohannesRudolph marked this pull request as ready for review March 12, 2026 07:52
Comment thread internal/provider/platform_resource_schema_aws.go
Comment thread CHANGELOG.md Outdated
Comment thread internal/provider/platform_resource_schema_aws.go Outdated
Comment thread examples/resources/meshstack_platform/resource_02_aws.tf
Copilot AI and others added 5 commits March 12, 2026 09:39
Co-authored-by: JohannesRudolph <130103+JohannesRudolph@users.noreply.github.com>
… separate 09 example

Co-authored-by: grubmeshi <247164247+grubmeshi@users.noreply.github.com>
meshStack does not enforce such a prefix, a parallel fix will be made
to meshStack docs upstream
@JohannesRudolph JohannesRudolph force-pushed the copilot/add-aws-identity-store-support branch from ff0799f to b5a9c6d Compare March 12, 2026 08:42
@JohannesRudolph JohannesRudolph force-pushed the copilot/add-aws-identity-store-support branch from a5f1e95 to 5927632 Compare March 12, 2026 08:59
@JohannesRudolph JohannesRudolph merged commit d940c02 into main Mar 12, 2026
4 checks passed
@JohannesRudolph JohannesRudolph deleted the copilot/add-aws-identity-store-support branch March 12, 2026 09:29

Development

Successfully merging this pull request may close these issues.

feat: Add awsIdentityStore support to meshstack_meshplatform resource (AWS Identity Store API integration)

3 participants