v1.8.2: iam-saml: use empty_metadata.xml in saml resource until real …

…one is built by null_resource
terraform-modules · Apr 1, 2021 · 5fce398 · 5fce398
1 parent 6bc2b1d
commit 5fce398
Show file tree

Hide file tree

Showing 6 changed files with 143 additions and 25 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -59,3 +59,7 @@
 * v1.8.1 -- 20210329
   - ses-domain
     - add code for setting up sns event notification for bounce, complaint
+
+* v1.8.2 -- 20210401
+  - iam-saml
+    - use empty_metadata.xml in saml resource until real one is built by null_resource
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.8.1"
+  _module_version = "1.8.2"
 }
diff --git a/iam-saml/README.md b/iam-saml/README.md
@@ -1,12 +1,12 @@
 # aws-inf-setup :: iam-saml
 
-This set up the default SAML provider with the enterprise IDP, id-provider.tco.census.gov.  
-The appropriate metadata and URL are selected from the environment either East/West (ew)  
+This set up the default SAML provider with the enterprise IDP, id-provider.tco.census.gov.
+The appropriate metadata and URL are selected from the environment either East/West (ew)
 or GovCloud (gov).
 
 The resulting metadata XML is saved in `setup/metdata.xml`.
 
-# Usage  
+# Usage
 Here is a simple example, the one most commonly expected to be used.
 
 ```hcl
@@ -38,38 +38,38 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| aws | n/a |
-| null | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | n/a |
 
 ## Modules
 
-No Modules.
+No modules.
 
 ## Resources
 
-| Name |
-|------|
-| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) |
-| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) |
-| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
-| [aws_iam_saml_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) |
-| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) |
-| [null_resource](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) |
+| Name | Type |
+|------|------|
+| [aws_iam_saml_provider.saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
+| [null_resource.saml_metadata](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.saml_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| account\_alias | AWS Account Alias | `string` | `""` | no |
-| account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no |
-| component\_tags | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
-| override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
-| saml\_provider\_name | SAML Provider Name | `string` | `"Census_TCO_IDMS"` | no |
-| tags | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_saml_provider_name"></a> [saml\_provider\_name](#input\_saml\_provider\_name) | SAML Provider Name | `string` | `"Census_TCO_IDMS"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| saml\_assume\_policy | SAML Assume Policy document JSON |
-| saml\_provider | SAML Provider ARN |
+| <a name="output_saml_assume_policy"></a> [saml\_assume\_policy](#output\_saml\_assume\_policy) | SAML Assume Policy document JSON |
+| <a name="output_saml_provider"></a> [saml\_provider](#output\_saml\_provider) | SAML Provider ARN |
diff --git a/iam-saml/empty_metadata.xml b/iam-saml/empty_metadata.xml
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="UTF-8" ?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="id3R8t4tUWJTLXJXWYzIRBjSu2RA8" entityID="https://id-provider.tco.census.gov/nidp/saml2/metadata"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:SignedInfo>
+<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+<ds:Reference URI="#id3R8t4tUWJTLXJXWYzIRBjSu2RA8">
+<ds:Transforms>
+<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</ds:Transforms>
+<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<ds:DigestValue>XNFBnil3dwXs/O9clK1eGTgXVTVBknWk4DS1kXEteTM=</ds:DigestValue>
+</ds:Reference>
+</ds:SignedInfo>
+<ds:SignatureValue>
+</ds:SignatureValue>
+<ds:KeyInfo>
+<ds:X509Data>
+<ds:X509Certificate>
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</ds:Signature>
+<md:AttributeAuthorityDescriptor ID="id7I-qkJBd_GJvWuibqPjMIY0hbEg" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<md:KeyDescriptor use="signing">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+</md:KeyDescriptor>
+<md:KeyDescriptor use="encryption">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+</md:KeyDescriptor>
+<md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://id-provider.tco.census.gov/nidp/saml2/soap"/>
+<md:AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="https://id-provider.tco.census.gov/nidp/saml2/assertion"/>
+<md:AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://id-provider.tco.census.gov/nidp/saml2/soap"/>
+</md:AttributeAuthorityDescriptor>
+<md:IDPSSODescriptor ID="idmwFtA6i3hDs1mNaHiiQND3USav0" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<md:KeyDescriptor use="signing">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+</md:KeyDescriptor>
+<md:KeyDescriptor use="encryption">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+</md:KeyDescriptor>
+<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://id-provider.tco.census.gov/nidp/saml2/soap" index="0" isDefault="true"/>
+<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id-provider.tco.census.gov/nidp/saml2/slo" ResponseLocation="https://id-provider.tco.census.gov/nidp/saml2/slo_return"/>
+<md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id-provider.tco.census.gov/nidp/saml2/rni" ResponseLocation="https://id-provider.tco.census.gov/nidp/saml2/rni_return"/>
+<md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id-provider.tco.census.gov/nidp/saml2/rni" ResponseLocation="https://id-provider.tco.census.gov/nidp/saml2/rni_return"/>
+<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
+<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id-provider.tco.census.gov/nidp/saml2/sso"/>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id-provider.tco.census.gov/nidp/saml2/sso"/>
+<md:NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://id-provider.tco.census.gov/nidp/saml2/soap"/>
+</md:IDPSSODescriptor>
+<md:SPSSODescriptor ID="idEzojHWyNOz1kLMMUN_RjOPWHNTM" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<md:KeyDescriptor use="signing">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+</md:KeyDescriptor>
+<md:KeyDescriptor use="encryption">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+</md:KeyDescriptor>
+<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://id-provider.tco.census.gov/nidp/saml2/spsoap" index="0" isDefault="true"/>
+<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id-provider.tco.census.gov/nidp/saml2/spslo" ResponseLocation="https://id-provider.tco.census.gov/nidp/saml2/spslo_return"/>
+<md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id-provider.tco.census.gov/nidp/saml2/sprni" ResponseLocation="https://id-provider.tco.census.gov/nidp/saml2/sprni_return"/>
+<md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id-provider.tco.census.gov/nidp/saml2/sprni" ResponseLocation="https://id-provider.tco.census.gov/nidp/saml2/sprni_return"/>
+<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
+<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id-provider.tco.census.gov/nidp/saml2/spassertion_consumer" index="0" isDefault="true"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id-provider.tco.census.gov/nidp/saml2/spassertion_consumer" index="1"/>
+<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://id-provider.tco.census.gov/nidp/saml2/spassertion_consumer" index="2"/>
+</md:SPSSODescriptor>
+<md:Organization>
+<md:OrganizationName xml:lang="en">TCO</md:OrganizationName>
+<md:OrganizationDisplayName xml:lang="en">U.S. Census Bureau - TCO</md:OrganizationDisplayName>
+<md:OrganizationURL xml:lang="en">www.census.gov</md:OrganizationURL>
+</md:Organization>
+<md:ContactPerson contactType="other">
+<md:Company>U.S. Census Bureau</md:Company>
+<md:EmailAddress>eregistration@census.gov</md:EmailAddress>
+</md:ContactPerson>
+</md:EntityDescriptor>
diff --git a/iam-saml/main.tf b/iam-saml/main.tf
@@ -62,8 +62,9 @@ resource "null_resource" "saml_metadata" {
 }
 
 resource "aws_iam_saml_provider" "saml" {
+  count                  = fileexists(local.saml_metadata_file) ? 1 : 0
   name                   = var.saml_provider_name
-  saml_metadata_document = fileexists(local.saml_metadata_file) ? file(local.saml_metadata_file) : ""
+  saml_metadata_document = fileexists(local.saml_metadata_file) ? file(local.saml_metadata_file) : file("${path.module}/empty_metadata.xml")
   depends_on             = [null_resource.saml_metadata]
 
   # when the provider supports tags, enable this section

diff --git a/iam-saml/outputs.tf b/iam-saml/outputs.tf
@@ -1,6 +1,6 @@
 output "saml_provider" {
   description = "SAML Provider ARN"
-  value       = aws_iam_saml_provider.saml.arn
+  value       = aws_iam_saml_provider.saml[0].arn
 }
 
 output "saml_assume_policy" {