🧹 Restore enabledStandards and permissionSetArn as deprecated fields

Adds back aws.securityhub.hub.enabledStandards and
aws.identitycenter.accountAssignment.permissionSetArn with deprecation
comments pointing to their typed replacements (standardSubscriptions
and permissionSet respectively). This preserves backwards compatibility
for existing consumers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

providers/aws/resources/aws.lr

@@ -3082,6 +3082,9 @@ private aws.securityhub.hub @defaults("arn region") {
   subscribedAt string
   // Region where the Security Hub is enabled
   region string
+  // List of enabled security standards (CIS, PCI-DSS, AWS Foundational, etc.)
+  // Deprecated: use standardSubscriptions() instead
+  enabledStandards() []dict
   // Typed standard subscriptions with control details
   standardSubscriptions() []aws.securityhub.standardSubscription
   // Active findings (non-archived) in this hub
@@ -11970,6 +11973,9 @@ private aws.identitycenter.accountAssignment @defaults("accountId principalType
   id string
   // AWS account ID
   accountId string
+  // ARN of the permission set
+  // Deprecated: use permissionSet() instead
+  permissionSetArn string
   // Permission set for this assignment
   permissionSet() aws.identitycenter.permissionSet
   // Type of principal: USER or GROUP

providers/aws/resources/aws.lr.go

@@ -2875,6 +2875,7 @@ aws.identitycenter.accountAssignment 13.6.3
 aws.identitycenter.accountAssignment.accountId 13.6.3
 aws.identitycenter.accountAssignment.id 13.6.3
 aws.identitycenter.accountAssignment.permissionSet 13.12.1
+aws.identitycenter.accountAssignment.permissionSetArn 13.12.1
 aws.identitycenter.accountAssignment.principalId 13.6.3
 aws.identitycenter.accountAssignment.principalType 13.6.3
 aws.identitycenter.group 13.12.1
@@ -4686,6 +4687,7 @@ aws.securityhub.hub 11.15.2
 aws.securityhub.hub.arn 11.15.2
 aws.securityhub.hub.automationRules 13.12.1
 aws.securityhub.hub.enabledProducts 13.12.1
+aws.securityhub.hub.enabledStandards 13.12.1
 aws.securityhub.hub.findings 13.12.1
 aws.securityhub.hub.insights 13.12.1
 aws.securityhub.hub.members 13.12.1

providers/aws/resources/aws.lr.versions

@@ -335,11 +335,12 @@ func (a *mqlAwsIdentitycenterInstance) accountAssignments() ([]any, error) {
 
 						mqlAssignment, err := CreateResource(a.MqlRuntime, "aws.identitycenter.accountAssignment",
 							map[string]*llx.RawData{
-								"__id":          llx.StringData(assignId),
-								"id":            llx.StringData(assignId),
-								"accountId":     llx.StringDataPtr(assignment.AccountId),
-								"principalType": llx.StringData(string(assignment.PrincipalType)),
-								"principalId":   llx.StringDataPtr(assignment.PrincipalId),
+								"__id":             llx.StringData(assignId),
+								"id":               llx.StringData(assignId),
+								"accountId":        llx.StringDataPtr(assignment.AccountId),
+								"permissionSetArn": llx.StringDataPtr(assignment.PermissionSetArn),
+								"principalType":    llx.StringData(string(assignment.PrincipalType)),
+								"principalId":      llx.StringDataPtr(assignment.PrincipalId),
 							})
 						if err != nil {
 							return nil, err

providers/aws/resources/aws_identitycenter.go

@@ -90,6 +90,33 @@ func (a *mqlAwsSecurityhubHub) id() (string, error) {
 	return a.Arn.Data, nil
 }
 
+func (a *mqlAwsSecurityhubHub) enabledStandards() ([]any, error) {
+	region := a.Region.Data
+	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
+	svc := conn.Securityhub(region)
+	ctx := context.Background()
+
+	res := []any{}
+	paginator := securityhub.NewGetEnabledStandardsPaginator(svc, &securityhub.GetEnabledStandardsInput{})
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(ctx)
+		if err != nil {
+			if Is400AccessDeniedError(err) {
+				return res, nil
+			}
+			return nil, err
+		}
+		for _, std := range page.StandardsSubscriptions {
+			d, err := convert.JsonToDict(std)
+			if err != nil {
+				return nil, err
+			}
+			res = append(res, d)
+		}
+	}
+	return res, nil
+}
+
 func (a *mqlAwsSecurityhubHub) standardSubscriptions() ([]any, error) {
 	region := a.Region.Data
 	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)