meshcloud
diff --git a/‎docs/data-sources/platform.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/data-sources/platform.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/resources/platform.md‎
Lines changed: 10 additions & 10 deletions b/‎docs/resources/platform.md‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎internal/provider/platform_data_source.go‎
Lines changed: 1 addition & 2 deletions b/‎internal/provider/platform_data_source.go‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎internal/provider/platform_resource_schema_aws.go‎
Lines changed: 1 addition & 26 deletions b/‎internal/provider/platform_resource_schema_aws.go‎
Lines changed: 1 addition & 26 deletions
diff --git a/‎internal/provider/platform_resource_schema_azure.go‎
Lines changed: 33 additions & 80 deletions b/‎internal/provider/platform_resource_schema_azure.go‎
Lines changed: 33 additions & 80 deletions
@@ -648,7 +648,7 @@ Read-Only:
 - `subscription` (String) The Subscription that will contain all the created Resource Groups. Once you set the Subscription, you must not change it.
 - `tenant_tags` (Attributes) Tenant tags configuration (see [below for nested schema](#nestedatt--spec--config--azurerg--replication--tenant_tags))
 - `user_group_name_pattern` (String) Configures the pattern that defines the desired name of AAD groups managed by meshStack. It follows the usual replicator string pattern features and provides the additional replacement 'platformGroupAlias', which contains the role name suffix. This suffix is configurable via Role Mappings in this platform config.
-- `user_lookup_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
+- `user_lookup_strategy` (String) User lookup strategy (`UserByMailLookupStrategy` or `UserByUsernameLookupStrategy`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
 
 <a id="nestedatt--spec--config--azurerg--replication--b2b_user_invitation"></a>
 ### Nested Schema for `spec.config.azurerg.replication.b2b_user_invitation`
 
@@ -237,11 +237,11 @@ Read-Only:
 
 Required:
 
-- `base_url` (String) Base URL of the AKS cluster
+- `base_url` (String) This is the base URL to your AKS cluster, which is used to call the APIs to create new AKS tenants, get raw data for metering the AKS tenants, etc. An example base URL is: https://myaks-dns.westeurope.azmk8s.io:443
 
 Optional:
 
-- `disable_ssl_validation` (Boolean) Flag to disable SSL validation for the AKS cluster. (SSL Validation should at best never be disabled, but for integration of some private cloud platforms in an early state, they might not yet be using valid SSL certificates. In that case it can make sense to disable SSL validation here to already test integration of these platforms.)
+- `disable_ssl_validation` (Boolean) Flag to disable SSL validation for the AKS cluster. SSL Validation should at best never be disabled, but for integration of some private cloud platforms in an early state, they might not yet be using valid SSL certificates. In that case it can make sense to disable SSL validation here to already test integration of these platforms.
 - `metering` (Attributes) Metering configuration for AKS (optional, but required for metering) (see [below for nested schema](#nestedatt--spec--config--aks--metering))
 - `replication` (Attributes) Replication configuration for AKS (optional, but required for replication) (see [below for nested schema](#nestedatt--spec--config--aks--replication))
 
@@ -292,7 +292,7 @@ Required:
 - `namespace_name_pattern` (String) Pattern for naming namespaces in AKS
 - `send_azure_invitation_mail` (Boolean) Flag to send Azure invitation emails. When true, meshStack instructs Azure to send out Invitation mails to invited users.
 - `service_principal` (Attributes) Service principal configuration for AKS (see [below for nested schema](#nestedatt--spec--config--aks--replication--service_principal))
-- `user_lookup_strategy` (String) Strategy for user lookup in Azure (`userPrincipalName` or `email`)
+- `user_lookup_strategy` (String) Strategy for user lookup in Azure (`UserByEmailLookupStrategy` or `UserByUsernameLookupStrategy`)
 
 Optional:
 
@@ -558,7 +558,7 @@ Required:
 
 Required:
 
-- `namespace_prefix` (String) Namespace prefix for tenant tags
+- `namespace_prefix` (String) This is the prefix for all labels created by meshStack. It helps to keep track of which labels are managed by meshStack. It is recommended to let this prefix end with a delimiter like an underscore.
 
 Optional:
 
@@ -648,15 +648,15 @@ Required:
 - `service_principal` (Attributes) Service principal configuration for Azure (see [below for nested schema](#nestedatt--spec--config--azure--replication--service_principal))
 - `skip_user_group_permission_cleanup` (Boolean) Flag to skip user group permission cleanup. For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the Azure platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.
 - `subscription_name_pattern` (String) Configures the pattern that defines the desired name of Azure Subscriptions managed by meshStack.
-- `user_lookup_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
+- `user_lookup_strategy` (String) Strategy for user lookup in Azure (`UserByEmailLookupStrategy` or `UserByUsernameLookupStrategy`)
 
 Optional:
 
 - `administrative_unit_id` (String) If you enter an administrative unit ID the replicated (and potentially existing) groups will be put into this AU. This can be used to limit the permission scopes which are required for the replicator principal. If you remove the AU ID again or change it, the groups will not be removed from the old AU.
 - `b2b_user_invitation` (Attributes) Optional B2B user invitation configuration. When configured, instructs the replicator to create AAD B2B guest invitations for users missing in the AAD tenant managed by this meshPlatform. (see [below for nested schema](#nestedatt--spec--config--azure--replication--b2b_user_invitation))
 - `blueprint_location` (String) The Azure location where replication creates and updates Blueprint Assignments. Note that it's still possible that the Blueprint creates resources in other locations, this is merely the location where the Blueprint Assignment is managed.
 - `provisioning` (Attributes) To provide Azure Subscription for your organization's meshProjects, meshcloud supports using Enterprise Enrollment or allocating from a pool of pre-provisioned subscriptions. One of the subFields enterpriseEnrollment, customerAgreement or preProvisioned must be provided! (see [below for nested schema](#nestedatt--spec--config--azure--replication--provisioning))
-- `tenant_tags` (Attributes) Tenant tagging configuration. (see [below for nested schema](#nestedatt--spec--config--azure--replication--tenant_tags))
+- `tenant_tags` (Attributes) Tenant tags configuration (see [below for nested schema](#nestedatt--spec--config--azure--replication--tenant_tags))
 
 <a id="nestedatt--spec--config--azure--replication--azure_role_mappings"></a>
 ### Nested Schema for `spec.config.azure.replication.azure_role_mappings`
@@ -849,7 +849,7 @@ Required:
 - `skip_user_group_permission_cleanup` (Boolean) For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the Azure platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.
 - `subscription` (String) The Subscription that will contain all the created Resource Groups. Once you set the Subscription, you must not change it.
 - `user_group_name_pattern` (String) Configures the pattern that defines the desired name of AAD groups managed by meshStack. It follows the usual replicator string pattern features and provides the additional replacement 'platformGroupAlias', which contains the role name suffix. This suffix is configurable via Role Mappings in this platform config.
-- `user_lookup_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
+- `user_lookup_strategy` (String) Strategy for user lookup in Azure (`UserByEmailLookupStrategy` or `UserByUsernameLookupStrategy`)
 
 Optional:
 
@@ -1061,7 +1061,7 @@ Required:
 
 Required:
 
-- `namespace_prefix` (String) Namespace prefix for tenant tags
+- `namespace_prefix` (String) This is the prefix for all labels created by meshStack. It helps to keep track of which labels are managed by meshStack. It is recommended to let this prefix end with a delimiter like an underscore.
 
 Optional:
 
@@ -1084,7 +1084,7 @@ Required:
 
 Required:
 
-- `base_url` (String) This URL is the base URL to your Kubernetes Cluster, which is used to call the APIs to create new Kubernetes projects, get raw data for metering the Kubernetes projects, etc. An example base URL is: https://k8s.dev.eu-de-central.msh.host:6443
+- `base_url` (String) This is the base URL to your Kubernetes cluster, which is used to call the APIs to create new Kubernetes tenants, get raw data for metering the Kubernetes tenants, etc. An example base URL is: https://k8s.dev.eu-de-central.msh.host:6443
 
 Optional:
 
@@ -1157,7 +1157,7 @@ Required:
 
 Required:
 
-- `base_url` (String) This URL is the base URL to your OpenShift Cluster, which is used to call the APIs to create new OpenShift projects, get raw data for metering the OpenShift projects, etc. An example base URL is: https://api.okd4.dev.eu-de-central.msh.host:6443
+- `base_url` (String) This is the base URL to your OpenShift cluster, which is used to call the APIs to create new OpenShift tenants, get raw data for metering the OpenShift tenants, etc. An example base URL is: https://api.okd4.dev.eu-de-central.msh.host:6443
 
 Optional:
 
 
@@ -982,9 +982,8 @@ func azureRgReplicationConfigDataSourceSchema() schema.Attribute {
 					},
 				},
 			},
-			// TODO: enforce correct value
 			"user_lookup_strategy": schema.StringAttribute{
-				MarkdownDescription: "User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.",
+				MarkdownDescription: "User lookup strategy (`UserByMailLookupStrategy` or `UserByUsernameLookupStrategy`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.",
 				Computed:            true,
 			},
 			"tenant_tags": schema.SingleNestedAttribute{
 
@@ -127,32 +127,7 @@ func awsReplicationConfigSchema() schema.Attribute {
 				MarkdownDescription: "With a String Pattern you can define how the account email address of the created AWS account will be set. E.g. `aws+#{workspaceIdentifier}.#{projectIdentifier}@yourcompany.com`. Please consider that this email address is limited to 64 characters! Also have a look at our docs for more information.",
 				Required:            true,
 			},
-			"tenant_tags": schema.SingleNestedAttribute{
-				MarkdownDescription: "Tenant tags configuration",
-				Optional:            true,
-				Attributes: map[string]schema.Attribute{
-					"namespace_prefix": schema.StringAttribute{
-						MarkdownDescription: "Namespace prefix for tenant tags",
-						Required:            true,
-					},
-					"tag_mappers": schema.ListNestedAttribute{
-						MarkdownDescription: "List of tag mappers for tenant tags",
-						Optional:            true,
-						NestedObject: schema.NestedAttributeObject{
-							Attributes: map[string]schema.Attribute{
-								"key": schema.StringAttribute{
-									MarkdownDescription: "Key for the tag mapper",
-									Required:            true,
-								},
-								"value_pattern": schema.StringAttribute{
-									MarkdownDescription: "Value pattern for the tag mapper",
-									Required:            true,
-								},
-							},
-						},
-					},
-				},
-			},
+			"tenant_tags": tenantTagsAttribute(),
 			"aws_sso": schema.SingleNestedAttribute{
 				MarkdownDescription: "AWS SSO configuration",
 				Optional:            true,
 
@@ -1,8 +1,10 @@
 package provider
 
 import (
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 )
 
@@ -86,7 +88,7 @@ func azureReplicationConfigSchema() schema.Attribute {
 										MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the \"Enterprise Application\" but can also be retrieved via the \"App Registration\" object as \"Application (Client) ID\".",
 										Required:            true,
 									},
-									"auth": azureAuthConfigSchema(),
+									"auth": azureAuthSchema(),
 								},
 							},
 							"destination_entra_id": schema.StringAttribute{
@@ -172,37 +174,8 @@ func azureReplicationConfigSchema() schema.Attribute {
 					},
 				},
 			},
-			"tenant_tags": schema.SingleNestedAttribute{
-				MarkdownDescription: "Tenant tagging configuration.",
-				Optional:            true,
-				Attributes: map[string]schema.Attribute{
-					"namespace_prefix": schema.StringAttribute{
-						MarkdownDescription: "This is the prefix for all labels created by meshStack. It helps to keep track of which labels are managed by meshStack. It is recommended to let this prefix end with a delimiter like an underscore.",
-						Required:            true,
-					},
-					"tag_mappers": schema.ListNestedAttribute{
-						MarkdownDescription: "List of tag mappers for tenant tags",
-						Optional:            true,
-						NestedObject: schema.NestedAttributeObject{
-							Attributes: map[string]schema.Attribute{
-								"key": schema.StringAttribute{
-									MarkdownDescription: "Key for the tag mapper",
-									Required:            true,
-								},
-								"value_pattern": schema.StringAttribute{
-									MarkdownDescription: "Value pattern for the tag mapper",
-									Required:            true,
-								},
-							},
-						},
-					},
-				},
-			},
-			// TODO: enforce correct value
-			"user_lookup_strategy": schema.StringAttribute{
-				MarkdownDescription: "User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.",
-				Required:            true,
-			},
+			"tenant_tags":          tenantTagsAttribute(),
+			"user_lookup_strategy": azureUserLookupStrategySchema(),
 			"skip_user_group_permission_cleanup": schema.BoolAttribute{
 				MarkdownDescription: "Flag to skip user group permission cleanup. For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the Azure platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.",
 				Required:            true,
@@ -219,21 +192,6 @@ func azureReplicationConfigSchema() schema.Attribute {
 	}
 }
 
-func azureAuthConfigSchema() schema.Attribute {
-	return schema.SingleNestedAttribute{
-		MarkdownDescription: "Authentication configuration",
-		Required:            true,
-		Attributes: map[string]schema.Attribute{
-			"type": schema.StringAttribute{
-				MarkdownDescription: "Authentication type (credential or workloadIdentity)",
-				Computed:            true,
-				PlanModifiers:       []planmodifier.String{authTypeDefault()},
-			},
-			"credential": secretEmbeddedSchema("Client secret (if type is credential)", true),
-		},
-	}
-}
-
 func azureMeteringConfigSchema() schema.Attribute {
 	return schema.SingleNestedAttribute{
 		MarkdownDescription: "Metering configuration for Azure (optional, but required for metering)",
@@ -251,7 +209,7 @@ func azureMeteringConfigSchema() schema.Attribute {
 						MarkdownDescription: "The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.",
 						Required:            true,
 					},
-					"auth": azureAuthConfigSchema(),
+					"auth": azureAuthSchema(),
 				},
 			},
 			"processing": meteringProcessingConfigSchema(),
@@ -292,7 +250,7 @@ func azureRgReplicationConfigSchema() schema.Attribute {
 						MarkdownDescription: "The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.",
 						Required:            true,
 					},
-					"auth": azureAuthConfigSchema(),
+					"auth": azureAuthSchema(),
 				},
 			},
 			"subscription": schema.StringAttribute{
@@ -321,37 +279,8 @@ func azureRgReplicationConfigSchema() schema.Attribute {
 					},
 				},
 			},
-			// TODO: enforce correct value
-			"user_lookup_strategy": schema.StringAttribute{
-				MarkdownDescription: "User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.",
-				Required:            true,
-			},
-			"tenant_tags": schema.SingleNestedAttribute{
-				MarkdownDescription: "Tenant tags configuration",
-				Optional:            true,
-				Attributes: map[string]schema.Attribute{
-					"namespace_prefix": schema.StringAttribute{
-						MarkdownDescription: "This is the prefix for all labels created by meshStack. It helps to keep track of which labels are managed by meshStack. It is recommended to let this prefix end with a delimiter like an underscore.",
-						Required:            true,
-					},
-					"tag_mappers": schema.ListNestedAttribute{
-						MarkdownDescription: "List of tag mappers for tenant tags",
-						Optional:            true,
-						NestedObject: schema.NestedAttributeObject{
-							Attributes: map[string]schema.Attribute{
-								"key": schema.StringAttribute{
-									MarkdownDescription: "Key for the tag mapper",
-									Required:            true,
-								},
-								"value_pattern": schema.StringAttribute{
-									MarkdownDescription: "Value pattern for the tag mapper",
-									Required:            true,
-								},
-							},
-						},
-					},
-				},
-			},
+			"user_lookup_strategy": azureUserLookupStrategySchema(),
+			"tenant_tags":          tenantTagsAttribute(),
 			"skip_user_group_permission_cleanup": schema.BoolAttribute{
 				MarkdownDescription: "For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the Azure platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.",
 				Required:            true,
@@ -367,3 +296,27 @@ func azureRgReplicationConfigSchema() schema.Attribute {
 		},
 	}
 }
+func azureUserLookupStrategySchema() schema.Attribute {
+	return schema.StringAttribute{
+		MarkdownDescription: "Strategy for user lookup in Azure (`UserByEmailLookupStrategy` or `UserByUsernameLookupStrategy`)",
+		Required:            true,
+		Validators: []validator.String{
+			stringvalidator.OneOf([]string{"UserByMailLookupStrategy", "UserByUsernameLookupStrategy"}...),
+		},
+	}
+}
+
+func azureAuthSchema() schema.Attribute {
+	return schema.SingleNestedAttribute{
+		MarkdownDescription: "Authentication configuration",
+		Required:            true,
+		Attributes: map[string]schema.Attribute{
+			"type": schema.StringAttribute{
+				MarkdownDescription: "Authentication type (credential or workloadIdentity)",
+				Computed:            true,
+				PlanModifiers:       []planmodifier.String{authTypeDefault()},
+			},
+			"credential": secretEmbeddedSchema("Client secret (if type is credential)", true),
+		},
+	}
+}