diff --git a/CHANGELOG.md b/CHANGELOG.md index 5f30ea9..9d9d4ef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -59,3 +59,7 @@ * v1.8.1 -- 20210329 - ses-domain - add code for setting up sns event notification for bounce, complaint + +* v1.8.2 -- 20210401 + - iam-saml + - use empty_metadata.xml in saml resource until real one is built by null_resource diff --git a/common/version.tf b/common/version.tf index 1f44b67..8e768cd 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.8.1" + _module_version = "1.8.2" } diff --git a/iam-saml/README.md b/iam-saml/README.md index bc53b08..34f2226 100644 --- a/iam-saml/README.md +++ b/iam-saml/README.md @@ -1,12 +1,12 @@ # aws-inf-setup :: iam-saml -This set up the default SAML provider with the enterprise IDP, id-provider.tco.census.gov. -The appropriate metadata and URL are selected from the environment either East/West (ew) +This set up the default SAML provider with the enterprise IDP, id-provider.tco.census.gov. +The appropriate metadata and URL are selected from the environment either East/West (ew) or GovCloud (gov). The resulting metadata XML is saved in `setup/metdata.xml`. -# Usage +# Usage Here is a simple example, the one most commonly expected to be used. ```hcl 
@@ -38,38 +38,38 @@ No requirements. | Name | Version | |------|---------| -| aws | n/a | -| null | n/a | +| [aws](#provider\_aws) | n/a | +| [null](#provider\_null) | n/a | ## Modules -No Modules. +No modules. ## Resources -| Name | -|------| -| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | -| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | -| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | -| [aws_iam_saml_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | -| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | -| [null_resource](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | +| Name | Type | +|------|------| +| [aws_iam_saml_provider.saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource | +| [null_resource.saml_metadata](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.saml_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| account\_alias | AWS Account Alias | `string` | `""` | no | -| account\_id | AWS Account ID 
(default will pull from current user) | `string` | `""` | no | -| component\_tags | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
} | no |
-| override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
-| saml\_provider\_name | SAML Provider Name | `string` | `"Census_TCO_IDMS"` | no |
-| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | {
"ddb": {},
"kms": {},
"s3": {}
} | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [saml\_provider\_name](#input\_saml\_provider\_name) | SAML Provider Name | `string` | `"Census_TCO_IDMS"` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
-| saml\_assume\_policy | SAML Assume Policy document JSON |
-| saml\_provider | SAML Provider ARN |
+| [saml\_assume\_policy](#output\_saml\_assume\_policy) | SAML Assume Policy document JSON |
+| [saml\_provider](#output\_saml\_provider) | SAML Provider ARN |
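Review bot: the regenerated `tags` input row still tells users to put safeguard tags in the `data_safeguard` field, but no `data_safeguard` input appears anywhere in the new Inputs table, so either that input exists and terraform-docs missed it or the description is stale; please reconcile, because a tag-based safeguard control that the documentation points at but the module does not expose is the kind of gap that gets missed in review. Also, the `component_tags` default is still emitted as a multi-line JSON literal (`{` / `"ddb": {},` / `}`) inside a table cell in both the old and new rendering, which breaks the Markdown table from that row onward; collapse it to a single-line value or wrap it in `<pre>` so the rest of the Inputs table renders.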
diff --git a/iam-saml/empty_metadata.xml b/iam-saml/empty_metadata.xml
new file mode 100644
index 0000000..97ebe7d
--- /dev/null
+++ b/iam-saml/empty_metadata.xml
@@ -0,0 +1,113 @@
+
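Review bot: the three changed lines in the README's first hunk differ from the removed ones only in whitespace (the visible text of `This set up the default SAML provider ...`, `The appropriate metadata and URL ...` and `# Usage` is identical), which is churn the next editor's whitespace trimming will revert; either drop them or, since the lines are being touched anyway, fix `This set up` to `This sets up` and `setup/metdata.xml` to `setup/metadata.xml`. More importantly, the README never mentions the behaviour the changelog entry describes, that `aws_iam_saml_provider.saml` is created from `iam-saml/empty_metadata.xml` until `null_resource.saml_metadata` builds the real document; add a sentence under Usage saying what the provider trusts after the first apply and whether a further apply is required, since an IdP trust anchor that is silently a placeholder is something the operator has to know about.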
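Review bot: only the first of the 113 added lines of `iam-saml/empty_metadata.xml` is visible here, and it is blank. If the file carries an `<?xml ... ?>` declaration further down, a leading blank line makes the document not well-formed (the declaration must begin at the first byte), so check that the file parses before it is handed to `aws_iam_saml_provider.saml`. Because this placeholder is what the provider trusts until `null_resource.saml_metadata` replaces it, also confirm it contains no real signing certificate or entity ID that could be honoured in the meantime, and add an XML comment after the declaration stating that the file is a placeholder and which resource replaces it.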