diff --git a/iam-saml/README.md b/iam-saml/README.md
index 34f2226..85d2582 100644
--- a/iam-saml/README.md
+++ b/iam-saml/README.md
@@ -39,7 +39,7 @@ No requirements.
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | n/a |
-| [null](#provider\_null) | n/a |
+| [external](#provider\_external) | n/a |
## Modules
@@ -50,11 +50,11 @@ No modules.
| Name | Type |
|------|------|
| [aws_iam_saml_provider.saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
-| [null_resource.saml_metadata](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.saml_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [external_external.saml_metadata](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
## Inputs
diff --git a/iam-saml/bin/external_get-saml-metadata.sh b/iam-saml/bin/external_get-saml-metadata.sh
new file mode 100755
index 0000000..21a3986
--- /dev/null
+++ b/iam-saml/bin/external_get-saml-metadata.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+#set -e
+eval "$(jq -r '@sh "AWS_ENVIRONMENT=\(.aws_environment) OUTPUT=\(.output_file) URL_PREFIX=\(.url_prefix)"')"
+
+if [ -z $AWS_ENVIRONMENT ]
+then
+ AWS_ENVIRONMENT="east-west"
+fi
+
+if [ -z $URL_PREFIX ]
+then
+ URL_PREFIX="https://id-provider.tco.census.gov/nidp/saml2/metadata?PID="
+fi
+
+if [[ $AWS_ENVIRONMENT == "east-west" ]] || [[ $AWS_ENVIRONMENT == "ew" ]]
+then
+ SELECT="urn:amazon:webservices"
+fi
+if [[ $AWS_ENVIRONMENT == "govcloud" ]] || [[ $AWS_ENVIRONMENT == "gov" ]]
+then
+ SELECT="urn:amazon:webservices:govcloud"
+fi
+
+if [ -z $SELECT ]
+then
+ echo "* no URL available for AWS_ENVIRONMENT=$AWS_ENVIRONMENT"
+ exit 1
+fi
+
+if [ -z $OUTPUT ]
+then
+ OUTPUT="metadata.$(date +%s).xml"
+fi
+
+URL="${URL_PREFIX}${SELECT}"
+curl -q -k $URL > $OUTPUT
+status=$?
+result=$(cat $OUTPUT)
+
+jq -n --arg output_file "$OUTPUT" --arg value "$result" --arg status "$status" '{"output_file":$output_file,"value":$value,"status":$status}'
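Review bot: `curl -q -k $URL > $OUTPUT` disables TLS certificate verification when downloading the IdP metadata that `aws_iam_saml_provider` will install as its trusted signing certificate, so a tampered document on the path to `id-provider.tco.census.gov` becomes the account's federation trust anchor; drop `-k` (and note that `-q` only skips `.curlrc`, it is not quiet mode — `-sS` is). The script also never acts on `status`: with `set -e` commented out and no check, a failed download still exits 0 and the `value` handed to Terraform is whatever empty or partial content landed in `$OUTPUT`, which main.tf then applies as the provider document. Failing closed on a non-zero curl status, with the error sent to stderr so the external-provider JSON on stdout stays clean, and quoting `"$URL"`/`"$OUTPUT"` fixes both. Separately, this file is named `external_get-saml-metadata.sh` but the main.tf hunk below invokes `${path.module}/bin/external_get_saml_metadata.sh` (underscore), so the data source will fail at plan time unless one of them is renamed.
```shell
# … unchanged: jq argument parsing, environment/URL selection, OUTPUT default …
URL="${URL_PREFIX}${SELECT}"
curl -sS --fail "$URL" > "$OUTPUT"
status=$?
if [ "$status" -ne 0 ]; then
  echo "* failed to fetch SAML metadata from $URL (curl status=$status)" >&2
  exit 1
fi
result=$(cat "$OUTPUT")
# … unchanged: jq -n output object …
```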
diff --git a/iam-saml/bin/get-saml-metadata.sh b/iam-saml/bin/get-saml-metadata.sh
index 993c49f..a73ca2f 100755
--- a/iam-saml/bin/get-saml-metadata.sh
+++ b/iam-saml/bin/get-saml-metadata.sh
@@ -30,8 +30,7 @@ then
fi
URL="${URL_PREFIX}${SELECT}"
-#OUTFILE="metadata.xml"
-echo "# environment=$AWS_ENVIRONMENT command=curl -q -k $URL" >&2
+# echo "# environment=$AWS_ENVIRONMENT command=curl -q -k $URL" >&2
curl -q -k $URL
status=$?
exit $status
diff --git a/iam-saml/main.tf b/iam-saml/main.tf
index e82bf1f..2d10719 100644
--- a/iam-saml/main.tf
+++ b/iam-saml/main.tf
@@ -47,25 +47,37 @@ locals {
}
}
-resource "null_resource" "saml_metadata" {
- provisioner "local-exec" {
- command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
- }
+# resource "null_resource" "saml_metadata" {
+# provisioner "local-exec" {
+# command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
+# }
+#
+# provisioner "local-exec" {
+# command = "bash ${path.module}/bin/get-saml-metadata.sh > ${path.root}/setup/metadata.xml"
+# environment = {
+# # AWS_ENVIRONMENT = var.aws_environment
+# AWS_ENVIRONMENT = local.account_environment
+# }
+# }
+# }
- provisioner "local-exec" {
- command = "bash ${path.module}/bin/get-saml-metadata.sh > ${path.root}/setup/metadata.xml"
- environment = {
- # AWS_ENVIRONMENT = var.aws_environment
- AWS_ENVIRONMENT = local.account_environment
- }
+data "external" "saml_metadata" {
+ program = ["bash", "${path.module}/bin/external_get_saml_metadata.sh"]
+ # output {object}.results.{output_file,status,value}
+ query = {
+ "aws_environment" = local.account_environment
+ "output_file" = local.saml_metadata_file
+ # "url_prefix" = ""
}
+ # depends_on = [null_resource.saml_metadata]
}
resource "aws_iam_saml_provider" "saml" {
# count = fileexists(local.saml_metadata_file) ? 1 : 0
- name = var.saml_provider_name
- saml_metadata_document = fileexists(local.saml_metadata_file) ? file(local.saml_metadata_file) : file("${path.module}/empty_metadata.xml")
- depends_on = [null_resource.saml_metadata]
+ name = var.saml_provider_name
+ # saml_metadata_document = fileexists(local.saml_metadata_file) ? file(local.saml_metadata_file) : file("${path.module}/empty_metadata.xml")
+ saml_metadata_document = data.external.saml_metadata.result.value
+ # depends_on = [null_resource.saml_metadata]
# when the provider supports tags, enable this section
# tags = merge(