From c2558e3d2a62808caa731ee1731000a73b24655f Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 27 May 2022 13:34:00 -0400 Subject: [PATCH] iam-saml: add tags, update metadata grab --- CHANGELOG.md | 12 ++++++++++ common/version.tf | 2 +- iam-saml/README.md | 2 ++ iam-saml/bin/external_get-saml-metadata.sh | 26 +++++++++++++++++----- iam-saml/main.tf | 22 +++++++++++------- iam-saml/variables.tf | 12 ++++++++++ 6 files changed, 61 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f1f86b..dd9569a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -159,6 +159,13 @@ - terraform-state - add r-inf-terraform assumable role for TF operations +* 1.15.4 -- 2022-05-26 + - remove billing-policies, move into iam-general-policies + +* 1.15.5 -- 2022-05-27 + - iam-saml + - add tags + ## Version 2.x * 2.0.0 -- 2022-05-09 @@ -172,3 +179,8 @@ * 2.0.2 -- 2022-05-24 - remove billing-policies, move into iam-general-policies + +* 2.0.3 -- 2022-05-27 + - iam-saml + - add tags + diff --git a/common/version.tf b/common/version.tf index 4bdd4c1..4ab7a1f 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "2.0.2" + _module_version = "2.0.3" } diff --git a/iam-saml/README.md b/iam-saml/README.md index 22340fa..30c5729 100644 --- a/iam-saml/README.md +++ b/iam-saml/README.md @@ -65,6 +65,8 @@ No modules. | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | | [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no | +| [idp\_metadata\_selector](#input\_idp\_metadata\_selector) | URL Query parameter for selecting urn:amazon:webservices string for EW or gov | `string` | `"PID="` | no | +| [idp\_metadata\_url](#input\_idp\_metadata\_url) | ID Provider Metadata URL | `string` | `null` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | | [saml\_provider\_name](#input\_saml\_provider\_name) | SAML Provider Name | `string` | `"Census_TCO_IDMS"` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | diff --git a/iam-saml/bin/external_get-saml-metadata.sh b/iam-saml/bin/external_get-saml-metadata.sh index 8e15fe4..c8dd96b 100755 --- a/iam-saml/bin/external_get-saml-metadata.sh +++ b/iam-saml/bin/external_get-saml-metadata.sh @@ -1,16 +1,18 @@ #!/bin/bash +VERSION="1.1.0" + #set -e -eval "$(jq -r '@sh "AWS_ENVIRONMENT=\(.aws_environment) OUTPUT=\(.output_file) URL_PREFIX=\(.url_prefix)"')" +eval "$(jq -r '@sh "AWS_ENVIRONMENT=\(.aws_environment) OUTPUT=\(.output_file) URL=\(.url) URL_SELECTOR=\(.url_selector)"')" if [[ -z $AWS_ENVIRONMENT ]] || [[ "$AWS_ENVIRONMENT" == "null" ]] then AWS_ENVIRONMENT="east-west" fi -if [[ -z "$URL_PREFIX" ]] || [[ "$URL_PREFIX" == "null" ]] +if [[ -z "$URL" ]] || [[ "$URL" == "null" ]] then - URL_PREFIX="https://id-provider.tco.census.gov/nidp/saml2/metadata?PID=" + URL="https://id-provider.tco.census.gov/nidp/saml2/metadata" fi if [[ $AWS_ENVIRONMENT == "east-west" ]] || [[ $AWS_ENVIRONMENT == "ew" ]] 
@@ -41,14 +43,26 @@ fi # if output file exists, do not re-run this +if [ "$URL_SELECTOR" = "null" ] +then + URL_SELECTOR="" +fi + +if [ ! -z "$URL_SELECTOR" ] +then + FULL_URL="${URL}?${URL_SELECTOR}${SELECT}" +else + FULL_URL=$URL +fi + if [ ! -r $OUTPUT ] then - URL="${URL_PREFIX}${SELECT}" - curl -q -k $URL > $OUTPUT + curl -q -k ${FULL_URL} > $OUTPUT status=$? else status=0 fi result=$(cat $OUTPUT) -jq -n --arg output_file "$OUTPUT" --arg value "$result" --arg status "$status" '{"output_file":$output_file,"value":$value,"status":$status}' +jq -n --arg output_file "$OUTPUT" --arg value "$result" --arg status "$status" --arg url "$FULL_URL" --arg version "$VERSION" \ + '{"output_file":$output_file,"value":$value,"status":$status,"url":$url,"version":$version}' diff --git a/iam-saml/main.tf b/iam-saml/main.tf index 1ed4417..dc9e592 100644 --- a/iam-saml/main.tf +++ b/iam-saml/main.tf @@ -39,7 +39,7 @@ locals { saml_ew_url = "https://signin.aws.amazon.com/saml" saml_gov_url = "https://signin.amazonaws-us-gov.com/saml" saml_url = local.account_environment == "gov" ? local.saml_gov_url : local.saml_ew_url - saml_metadata_file = "${path.root}/setup/metadata.xml" + saml_metadata_file = "${path.root}/setup/${var.saml_provider_name}.metadata.xml" base_tags = { "boc:tf_module_version" = local._module_version @@ -47,6 +47,12 @@ locals { } } +# resource "random_uuid" "saml_metadata_prefix" {} +# keepers = { +# "saml_provider_name" = var.saml_provider_name +# } +# } + # this creates the directory if it doesn't exist resource "null_resource" "saml_metadata" { @@ -74,7 +80,8 @@ data "external" "saml_metadata" { query = { "aws_environment" = local.account_environment "output_file" = local.saml_metadata_file - # "url_prefix" = "" + "url" = var.idp_metadata_url + "url_selector" = var.idp_metadata_selector } } 
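Review bot: `curl -q -k ${FULL_URL} > $OUTPUT` keeps `-k` (`--insecure`), so the document that becomes `saml_metadata_document` — the trust anchor for federated sign-in — is fetched without certificate verification, and without `--fail` an HTTP error page is written to `$OUTPUT` with `status=0`; the `! -r $OUTPUT` guard then never re-fetches, so a bad response is cached indefinitely. `-q` is curl's "ignore .curlrc" switch rather than quiet mode, which is probably not what was intended (`-s`/`-S` is). I'd write to a temp file and only keep it on success, `curl -sSf "${FULL_URL}" -o "${OUTPUT}.tmp" && mv "${OUTPUT}.tmp" "${OUTPUT}"`, with the existing `status=$?` right after. If the IdP is fronted by a private CA, `--cacert` pointing at a pinned bundle is the replacement for `-k`; `$OUTPUT` should also be quoted in the `-r` test and the redirect.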
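Review bot: `saml_metadata_file` now interpolates `var.saml_provider_name` straight into a filesystem path under `path.root`, while the same value is also the IAM provider `name`; nothing in the hunk constrains it to a file-name-safe token, so a value with `/` or `..` would change where the metadata is written and read from. The CreateSAMLProvider API only accepts names matching `[\w._-]+`, so a `validation` block on `saml_provider_name` with that pattern would reject separators before either use sees them; that variable is declared outside this diff. The enclosing `locals` block continues past the hunk.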
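Review bot: The commented-out `random_uuid "saml_metadata_prefix"` block added above `null_resource.saml_metadata` is dead code and looks malformed as written — the first line already closes the resource with `{}` and the `keepers` map sits outside it — so it could not be uncommented as-is. Either finish it (a `keepers` on `saml_provider_name` would be one way to force a re-fetch when the provider name changes) or drop it; if it stays, a one-line comment such as `# TODO: keeper to invalidate the cached metadata when the provider name changes` would explain why it is there.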
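Review bot: `"url" = var.idp_metadata_url` passes the variable's `null` default through the `external` data source's `query` map, and the script only copes because it compares against the literal string `null`; whether a null map value reaches the program as JSON null (and so as `null` after jq's `@sh`) is provider behaviour this hunk does not show. Pinning it on the Terraform side removes the dependency: `"url" = var.idp_metadata_url == null ? "" : var.idp_metadata_url`, which routes through the empty-string branch the script already handles (`url_selector` has a non-null default, so it is unaffected). The `data "external" "saml_metadata"` block starts and ends outside the hunk.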
@@ -82,10 +89,9 @@ resource "aws_iam_saml_provider" "saml" { name = var.saml_provider_name saml_metadata_document = data.external.saml_metadata.result.value - # when the provider supports tags, enable this section - # tags = merge( - # var.tags, - # local.base_tags, - # map("Name", local.provider_name), - # ) + tags = merge( + var.tags, + local.base_tags, + { "Name" = var.saml_provider_name }, + ) } diff --git a/iam-saml/variables.tf b/iam-saml/variables.tf index e5fc5c7..729ddfa 100644 --- a/iam-saml/variables.tf +++ b/iam-saml/variables.tf @@ -9,3 +9,15 @@ variable "component_tags" { type = map(map(string)) default = { "s3" = {}, "kms" = {}, "ddb" = {} } } + +variable "idp_metadata_url" { + description = "ID Provider Metadata URL" + type = string + default = null +} + +variable "idp_metadata_selector" { + description = "URL Query parameter for selecting urn:amazon:webservices string for EW or gov" + type = string + default = "PID=" +}
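Review bot: `idp_metadata_url` accepts any string and is handed unchanged to the curl call in external_get-saml-metadata.sh, so a typo or an `http://` value silently changes where the SAML trust anchor is fetched from. A `validation` block limiting non-null values to `https://` URLs fails at plan time instead, and `idp_metadata_selector` could likewise be checked to end in `=`, since the script appends the environment selector directly to it. The selector's description, `URL Query parameter for selecting urn:amazon:webservices string for EW or gov`, would read better as `Query-string prefix (default PID=) to which the EW/gov selector is appended`.
```terraform
variable "idp_metadata_url" {
  description = "ID Provider Metadata URL"
  type        = string
  default     = null

  validation {
    condition     = var.idp_metadata_url == null || can(regex("^https://", var.idp_metadata_url))
    error_message = "idp_metadata_url must be an https:// URL when set."
  }
}

# … unchanged: variable "idp_metadata_selector" …
```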