SAML identity provider shows changes on every run due to ActiveEncryptionCertificate #135

Open
liamfit opened this issue Mar 26, 2024 · 0 comments

liamfit commented Mar 26, 2024

Great module!

I am using this to create a SAML identity provider in my user pool like this:

  identity_providers = [
    {
      provider_name = "myOrgGoogle"
      provider_type = "SAML"
      provider_details = {
        IDPInit               = false
        IDPSignout            = false
        EncryptedResponses    = false
        SSORedirectBindingURI = "https://accounts.google.com/o/saml2/idp?idpid=xxxx"
        MetadataFile          = file("../../files/google_saml_metadata.xml")
      }
    }
  ]

When running terraform plan I always see changes to provider_details. If I change the identity_providers variable to sensitive = false then I can see that ActiveEncryptionCertificate is being changed from null to the encryption cert generated for my user pool:

  # module.cognito.aws_cognito_identity_provider.identity_provider[0] will be updated in-place
  ~ resource "aws_cognito_identity_provider" "identity_provider" {
        id                = "eu-west-2_hrcJfpRjv:ThriveGoogle"
      ~ provider_details  = {
          - "ActiveEncryptionCertificate" = "MIICvDCCAaSgAwIBAgII....." -> null
            # (5 unchanged elements hidden)
        }
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

If I add this value to provider_details then the plan shows no changes, but as it's a different value for every user pool it's a bit of a pain to add this to every environment. Also, according to the docs these signing and encryption certs get regenerated every year, so it's gonna be a bit of a pain to maintain:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html

Looks like I can get the current signing certificate with this data source but not the encryption cert:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cognito_user_pool_signing_certificate

I'm wondering if the best thing to do is add provider_details to the ignore_changes lifecycle block as was done with schemas here:
#130
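For illustration, here is the ignore_changes workaround discussed in the issue written against a standalone aws_cognito_identity_provider resource. This is an added example, not code from the issue or from the module; the resource and variable names are assumptions, and it narrows the ignore to the one key that Cognito manages rather than the whole provider_details map.

```hcl
# Added example (not from the issue or the module). Names are assumptions.
variable "google_saml_metadata_path" {
  type    = string
  default = "../../files/google_saml_metadata.xml"
}

resource "aws_cognito_user_pool" "this" {
  name = "example-pool"
}

resource "aws_cognito_identity_provider" "google" {
  user_pool_id  = aws_cognito_user_pool.this.id
  provider_name = "myOrgGoogle"
  provider_type = "SAML"

  # provider_details is map(string), so the booleans are passed as strings.
  provider_details = {
    IDPInit               = "false"
    IDPSignout            = "false"
    EncryptedResponses    = "false"
    SSORedirectBindingURI = "https://accounts.google.com/o/saml2/idp?idpid=xxxx"
    MetadataFile          = file(var.google_saml_metadata_path)
  }

  lifecycle {
    # Cognito populates ActiveEncryptionCertificate itself and rotates it, so
    # a configuration that does not carry the value shows a diff on every plan.
    # Ignoring only that map key (Terraform allows index notation here) keeps
    # drift detection for the settings an operator actually controls
    # (SSORedirectBindingURI, MetadataFile, EncryptedResponses), whereas
    # ignore_changes = [provider_details] would hide out-of-band edits to all
    # of them, including the IdP endpoint and metadata the pool trusts.
    ignore_changes = [provider_details["ActiveEncryptionCertificate"]]
  }
}
```

If the resource lives inside a module you do not control, the lifecycle block has to be added in the module itself, since lifecycle cannot be set on a module call.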
