
[Bug]: aws_ssoadmin_application not supporting custom-saml #34813

Open
MarcHenriot opened this issue Dec 8, 2023 · 12 comments
Labels
bug Addresses a defect in current functionality. service/ssoadmin Issues and PRs that pertain to the ssoadmin service. upstream Addresses functionality related to the cloud provider.

Comments

@MarcHenriot

MarcHenriot commented Dec 8, 2023

Terraform Core Version

1.6.5

AWS Provider Version

5.30.0

Affected Resource(s)

resource "aws_ssoadmin_application" "aws_client_vpn" {}

Expected Behavior

When I use the resource with application_provider_arn = "arn:aws:sso::aws:applicationProvider/custom-saml", I'm expecting the resource to create a custom SAML application with empty Application properties and Application metadata.

Actual Behavior

AWS returns an error with status code 400: 'arn:aws:sso::aws:applicationProvider/app-50e590700beb5208' is not supported for this action.

Relevant Error/Panic Output Snippet

│ Error: creating AWS SSO Admin Application ("example"): operation error SSO Admin: CreateApplication, https response error StatusCode: 400, RequestID: 84a6ec4e-e1c7-42d9-a297-9ea3c58ee5fc, ValidationException: The application provider with arn 'arn:aws:sso::aws:applicationProvider/app-50e590700beb5208' is not supported for this action.
│ 
│   with module.aws_sso.aws_ssoadmin_application.aws_client_vpn,
│   on ../../main.tf line 62, in resource "aws_ssoadmin_application" "aws_client_vpn":
│   62: resource "aws_ssoadmin_application" "aws_client_vpn" {
│ 
│ operation error SSO Admin: CreateApplication, https response error StatusCode: 400, RequestID: 84a6ec4e-e1c7-42d9-a297-9ea3c58ee5fc, ValidationException: The application provider with arn 'arn:aws:sso::aws:applicationProvider/app-50e590700beb5208' is not supported for this
│ action.

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.30.0"
    }
  }
}

provider "aws" {
  region = "ca-central-1"
}

data "aws_ssoadmin_instances" "current" {}

resource "aws_ssoadmin_application" "aws_client_vpn" {
  instance_arn             = tolist(data.aws_ssoadmin_instances.current.arns)[0]
  name                     = "example"
  application_provider_arn = "arn:aws:sso::aws:applicationProvider/custom-saml"
}

Steps to Reproduce

terraform init
terraform apply

Debug Output

No response

Panic Output

module.aws_sso.aws_ssoadmin_application.aws_client_vpn: Creating...
╷
│ Error: creating AWS SSO Admin Application ("example"): operation error SSO Admin: CreateApplication, https response error StatusCode: 400, RequestID: 2e854c95-ec78-487f-af0e-1661b98f083f, ValidationException: The application provider with arn 'arn:aws:sso::aws:applicationProvider/app-50e590700beb5208' is not supported for this action.
│ 
│   with module.aws_sso.aws_ssoadmin_application.aws_client_vpn,
│   on ../../main.tf line 62, in resource "aws_ssoadmin_application" "aws_client_vpn":
│   62: resource "aws_ssoadmin_application" "aws_client_vpn" {
│ 
│ operation error SSO Admin: CreateApplication, https response error StatusCode: 400, RequestID: 2e854c95-ec78-487f-af0e-1661b98f083f, ValidationException: The application provider with arn 'arn:aws:sso::aws:applicationProvider/app-50e590700beb5208' is not supported for this
│ action.

Important Factoids

I have tried to use the AWS CLI to reproduce my error.

aws sso-admin create-application \
    --application-provider-arn arn:aws:sso::aws:applicationProvider/custom-saml \
    --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxxx \
    --name test-cli

And got: An error occurred (ValidationException) when calling the CreateApplication operation: The application provider with arn 'arn:aws:sso::aws:applicationProvider/app-50e590700beb5208' is not supported for this action.


I have also used the aws_ssoadmin_application data source on a working custom SAML app to validate the application_provider_arn.

data "aws_ssoadmin_application" "example" {
  application_arn = "arn:aws:sso::xxxxxxxxxxxx:application/ssoins-xxxxxxxxxxxxxxxx/apl-56ca6690dd563a1f"
}

Here is a sample of my state showing the data source's properties.

{
  ......
  "instances": [
    {
      "schema_version": 0,
      "attributes": {
        "application_account": null,
        "application_arn": "arn:aws:sso::xxxxxxxxxxxx:application/ssoins-xxxxxxxxxxxxxxxx/apl-56ca6690dd563a1f",
        "application_provider_arn": "arn:aws:sso::aws:applicationProvider/custom-saml",
        "description": "Custom SAML 2.0 application",
        "id": "arn:aws:sso::xxxxxxxxxxxx:application/ssoins-xxxxxxxxxxxxxxxx/apl-56ca6690dd563a1f",
        "instance_arn": "arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxxx",
        "name": "halp",
        "portal_options": [
          {
            "sign_in_options": [
              {
                "application_url": null,
                "origin": "IDENTITY_CENTER"
              }
            ],
            "visibility": "ENABLED"
          }
        ],
        "status": "ENABLED"
      },
      "sensitive_attributes": []
    }
  ]
  .....
}

References

Would you like to implement a fix?

None

@MarcHenriot MarcHenriot added the bug Addresses a defect in current functionality. label Dec 8, 2023

github-actions bot commented Dec 8, 2023

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/ssoadmin Issues and PRs that pertain to the ssoadmin service. label Dec 8, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 8, 2023
@jar-b jar-b added upstream Addresses functionality related to the cloud provider. and removed needs-triage Waiting for first response or review from a maintainer. labels Dec 8, 2023
@jar-b
Member

jar-b commented Dec 8, 2023

Hey @MarcHenriot 👋 - thanks for the report!

Given the AWS CLI returns the same ValidationException, this is likely an upstream issue with the AWS API. A support case with AWS would be a good starting point to understand if this API should support a custom SAML provider, or if that is a known limitation that should be documented. For now we're a bit limited in what we can do in the AWS provider and can only really relay the AWS error message as you've already observed.

@MarcHenriot
Author

MarcHenriot commented Dec 8, 2023

Hey @jar-b !

Thank you for getting back to me. I was also looking into this matter. Unfortunately, I haven't come across any resources that specify where I can raise an issue for the AWS API. Do you happen to have any information or a link that could help me contact them regarding this question?

@jar-b
Member

jar-b commented Dec 8, 2023

In the AWS console for your account, you can search Support and after selecting the Support service there should be a button to Create case.

@kamalika-majumder

For me, the resource successfully created the application; however, there is no metadata configuration option available in the console.
So I'm not sure how AWS expects us to even use this application if we cannot download the metadata file or even add/edit it.

@MarcHenriot
Author

Could you share the applied resource's HCL code?

@jorhett

jorhett commented Dec 9, 2023

I get the same error for

Error: creating AWS SSO Admin Application ("example"):
  operation error SSO Admin: CreateApplication,
   https response error StatusCode: 400, RequestID: 75ba6e89-d232-4c5c-aabc-ddab6e5b4203,
   ValidationException: The application provider with arn 'arn:aws:sso::aws:applicationProvider/app-872d35937b9c1ed9' is not supported for this action.

My creation example is:

resource "aws_ssoadmin_application" "example" {
  name                     = "example"
  description              = "example"
  application_provider_arn = "arn:aws:sso::aws:applicationProvider/catalog/ExternalAWSAccount"
  instance_arn             = tolist(data.aws_ssoadmin_instances.example.arns)[0]

  portal_options {
    visibility = "ENABLED"
    sign_in_options {
      origin = "IDENTITY_CENTER"
      application_url = "https://signin.aws.amazon.com/saml"
    }
  }
}

@kamalika-majumder

kamalika-majumder commented Dec 9, 2023

@MarcHenriot here is the code:

data "aws_ssoadmin_instances" "primary" {}

resource "aws_ssoadmin_application" "custom_saml" {
  name                     = var.custom_application_name
  description              = "Custon SAML 2.0 app for ${var.custom_application_name}."
  application_provider_arn = "arn:aws:sso::aws:applicationProvider/custom"
  instance_arn             = tolist(data.aws_ssoadmin_instances.primary.arns)[0]
}

resource "aws_ssoadmin_application_assignment_configuration" "this" {
  application_arn     = aws_ssoadmin_application.custom_saml.application_arn
  assignment_required = true
}

resource "aws_ssoadmin_application_assignment" "group_assignment" {
  application_arn = aws_ssoadmin_application.custom_saml.application_arn
  principal_id    = aws_identitystore_group.default.group_id
  principal_type  = "GROUP"
}

P.S.: var.custom_application_name should be without spaces or it gives a validation error. I used "AWSClientVPN".

@kamalika-majumder

kamalika-majumder commented Dec 9, 2023

I think I know why the application created from this resource does not have the metadata configuration option. According to the AWS Identity Center User Guide:
https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-applications.html

AWS managed applications are configured directly from within the relevant application consoles or through the application APIs. Customer managed applications must be added to the IAM Identity Center console and configured with the appropriate metadata for both IAM Identity Center and the service provider.

So it looks like the CreateApplication API used in this resource is only for the AWS managed application type and not for customer managed applications, which is the type used for SAML 2.0.
However, it creates the application under the customer managed tab, but without the metadata option.

@MarcHenriot
Author

Hi @kamalika-majumder, appreciate you sharing your code.

In the code snippet provided:

resource "aws_ssoadmin_application" "custom_saml" {
  name                     = var.custom_application_name
  description              = "Custon SAML 2.0 app for ${var.custom_application_name}."
  application_provider_arn = "arn:aws:sso::aws:applicationProvider/custom"
  instance_arn             = tolist(data.aws_ssoadmin_instances.primary.arns)[0]
}

There's an issue with the application_provider_arn being used. Instead of arn:aws:sso::aws:applicationProvider/custom, the correct value should be arn:aws:sso::aws:applicationProvider/custom-saml to reproduce the problem.

@moodwrench

Replying to save others like me from wasting too much time on this. I contacted Amazon about the issue and got the following reply:

Please allow me to explain that, CreateApplication, is currently limited to usage only for Custom Oauth2.0 Application creation/configuration.

This API is not currently usable for creation of 3rd party SAML Applications (which can currently only be configured through console), or for Oauth2.0 Applications, where setup should be performed through the associated App Service/Console.

If possible, a note in the terraform documentation may save other people from confusion.

@jar-b
Member

jar-b commented Feb 6, 2024

Thanks for sharing, @moodwrench! I've opened #35667 to add this clarification to the top of the aws_ssoadmin_application registry documentation.

I will leave this issue open for visibility into the upstream limitation. Should AWS address this in the API and SDK in the future we can remove the note and close this as completed.
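Putting the thread's observations together (the API accepting arn:aws:sso::aws:applicationProvider/custom, rejecting custom-saml and the catalog ARN, and AWS Support's statement that CreateApplication is limited to custom OAuth 2.0 applications), the following is an added example, not code from this issue or from the Terraform AWS provider. It rejects unsupported provider ARNs at plan time with an explanatory message instead of the opaque 400 at apply time, and keeps the created application assignment-required so that only explicitly assigned principals can use it. The variable names, the allowed-provider list and the group id are assumptions.

```hcl
# Added example, not from this issue or the AWS provider. It assumes the
# limitation reported in the thread: CreateApplication accepts only the
# custom OAuth 2.0 provider ARN. Extend `allowed_provider_arns` if AWS
# lifts that restriction.
locals {
  allowed_provider_arns = [
    "arn:aws:sso::aws:applicationProvider/custom",
  ]
}

variable "application_provider_arn" {
  type        = string
  description = "Provider ARN passed to aws_ssoadmin_application (assumed variable)."
  default     = "arn:aws:sso::aws:applicationProvider/custom"
}

variable "application_name" {
  type        = string
  description = "Application name; must not contain whitespace (as noted in the thread)."
  default     = "ExampleOAuthApp" # constructed sample value

  validation {
    condition     = can(regex("^\\S+$", var.application_name))
    error_message = "application_name must not contain whitespace."
  }
}

variable "allowed_group_id" {
  type        = string
  description = "Identity Store group id that may use the application (assumed to exist)."
}

data "aws_ssoadmin_instances" "current" {}

resource "aws_ssoadmin_application" "custom_oauth" {
  name                     = var.application_name
  description              = "Custom OAuth 2.0 app for ${var.application_name}."
  application_provider_arn = var.application_provider_arn
  instance_arn             = tolist(data.aws_ssoadmin_instances.current.arns)[0]

  lifecycle {
    # Fail during `terraform plan` with a readable message rather than at
    # apply time with the 400 ValidationException shown in the thread.
    precondition {
      condition     = contains(local.allowed_provider_arns, var.application_provider_arn)
      error_message = "CreateApplication only supports arn:aws:sso::aws:applicationProvider/custom; custom-saml and catalog/* applications have to be created in the IAM Identity Center console."
    }
  }
}

# Require explicit assignments: with assignment_required = false every user
# in the Identity Center directory could access the application.
resource "aws_ssoadmin_application_assignment_configuration" "this" {
  application_arn     = aws_ssoadmin_application.custom_oauth.application_arn
  assignment_required = true
}

resource "aws_ssoadmin_application_assignment" "group" {
  application_arn = aws_ssoadmin_application.custom_oauth.application_arn
  principal_id    = var.allowed_group_id
  principal_type  = "GROUP"
}
```

With Terraform 1.2 or later, `terraform plan -var application_provider_arn=arn:aws:sso::aws:applicationProvider/custom-saml` stops at the precondition before any API call is made, while the default value plans cleanly. The precondition lives in the resource's `lifecycle` block rather than in a variable `validation` block because the latter may only reference the variable itself in the Terraform versions discussed here. Re-check the allowed list against the AWS documentation over time, since the restriction is an upstream limitation that AWS may lift.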
