Breaking Changes and Deprecations

meshStack 2026.23.0 introduces backwards-incompatible changes to the meshBuildingBlock v2-preview API . As a preview API, breaking changes are expected. If you only use the GA v1 API or do not interact with meshBuildingBlocks programmatically, no action is required. Breaking changes in the v2-preview API spec.inputs and status.outputs changed from JSON arrays to keyed maps. The key field is removed from each entry; the input/output identifier is now the map key. Sensitive inputs use an embedded secret format. On POST, provide {"plaintext": "..."} instead of a plain string value. On PUT, provide {"plaintext": "..."} to update or {"hash": "sha256:..."} to confirm the existing value unchanged (drift detection). Impact on the Terraform provider Users of meshstack_building_block_v2 must upgrade to Terraform provider v0.21.0 alongside this meshStack upgrade. For any input marked as sensitive in the building block definition, replace value_string or value_code with the new value_string_sensitive or value_code_sensitive attributes. These transmit the value as an embedded secret and store it masked in Terraform state. This config is only necessary when applying new meshstack_building_block_v2 resources . Already applied resources must not be touched as they would be forced to be replaced otherwise, risking potential data loss. Users of meshstack_buildingblock (v1 resource): No provider upgrade or configuration changes are needed. Note that both meshstack_building_block_v2 and meshstack_buildingblock are going to be deprecated soon in favor of a better designed meshstack_building_block resource. Migration from those resources will be provided.

We are deprecating the AWS SSO SCIM-based integration for meshStack's AWS IAM Identity Center connectivity. This integration method will be removed on October 1, 2026 . Why We're Deprecating This The SCIM token approach has several drawbacks: Over-privileged: The SCIM token grants more permissions than meshStack needs Requires manual rotation of long-lived secrets Reduced auditability in AWS CloudTrail (shared token with other systems like Entra ID) What Replaces It The AWS Identity Store API integration (available since meshStack v2026.10.0) is the recommended replacement: Uses an IAM role with least-privilege Identity Store permissions Compatible with Workload Identity Federation — fully secret-less operation possible Better CloudTrail auditability per action Supports locally managed IAM Identity Center users Timeline Now: AWS Identity Store API integration is available and recommended for all new AWS platform setups October 1, 2026: AWS SSO SCIM integration will be removed from meshStack Migration To migrate, follow our in-place upgrade guide: Apply the updated terraform-aws-meshplatform v0.7.0 module to add Identity Store IAM permissions to your AWS integrations in addition to existing AWS SSO SCIM permissions. Switch the IAM integration type to "AWS Identity Store API" in your AWS platform configuration. You can do this via meshPanel or you use this opportunity to start managing your meshPlatform via terraform Remove the old SCIM token and permissions after successful validation Full migration documentation is available at https://docs.meshcloud.io/docs/integrations/aws/sso-setup.html If you need help migrating, contact us at support@meshcloud.io or reach out to your Customer Success contact.

meshStack's Location concept is being deprecated. Locations were introduced as a way to group platforms by geography or organizational unit. However, they have proven to create unnecessary complexity. What is changing For existing meshStacks, nothing changes at the moment. However, for new meshStack (or if opted-in for existing ones) you can use the newly introduced autoSelectGlobalLocation configuration. If enabled: New platform instances will automatically be placed in the built-in global location . You no longer need to create or manage custom locations. Location creation via the meshStack panel and meshObject API will be disabled. Existing locations remain readable and operational during the migration window. API integrations using meshLocation as a meshObject (e.g. POST /api/meshobjects with kind: meshLocation ) will need to be updated to reference the global location identifier or remove the location reference entirely. Timeline Now : The autoSelectGlobalLocation config flag is available. New meshStack instances already have locations fully disabled. For existing instances, your platform engineering team can opt in by enabling this flag (ask your Customer Success team) Upcoming : meshcloud will enable this flag by default for all new meshStack instances. End-state : Locations will be fully removed from meshStack. An exact removal date will be communicated with at least 3 months' notice. What you need to do At the moment you don't have to do anything. We will communicate again when there are next steps in the deprecation of meshStack locations for existing meshStacks. Questions or concerns? Please reach out to your customer success manager or contact us at support@meshcloud.io . We are happy to help assess the impact on your specific setup.

Google Cloud Deployment Manager has been deprecated by Google and will be removed from meshStack landing zone support by April 1, 2026. No active tenants rely on this mechanism, but unused landing zones may still reference it and can be cleaned up safely. Please migrate to Building Blocks attached to landing zones for a modern, flexible, and provider-agnostic alternative.

The use of AWS CloudFormation StackSets within meshStack landing zones is planned for deprecation. These setups will be deprecated no earlier than April 1, 2026. StackSets can still be used at the AWS Organization or OU level, as supported by AWS. For landing zone automation in meshStack, we recommend transitioning to Building Blocks, which offer better control and a consistent experience across cloud providers.

Deprecation Announcement: Chargeback Endpoint meshcloud has decided to deprecate the Chargeback endpoint in October 2025. Moving forward, all financial data will be accessible via the Tenant Usage Report endpoint. Please migrate to meshTenantUsageReport.v3which now contains usage and chargeback data for every report. The meshChargeback object as an aggregation of different usage reports will be removed from the meshObject API.Just like the meshChargeback object, the meshTenantUsageReport.v3contains line item data at seller-product-group level aggregation. Additionally, we plan to migrate all financial endpoints currently hosted by the kraken service to meshfed. This transition will enable improved functionality, including the ability to restrict endpoint access to specific workspaces and workspace data. We appreciate your understanding and will provide further updates as we approach the migration.