From 4fb41a120feacc286f5600512b6405e9a7347207 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Tremblay?= <1619947+marctrem@users.noreply.github.com>
Date: Thu, 14 May 2026 12:19:41 -0400
Subject: [PATCH] sso_url_redirect and sso_url_post are read-only/computed
---
 docs/resources/saml2_identity_provider.md | 13 ++++++------
 .../resource.tf | 9 ++++-----
 .../services/saml2/identity_provider.go | 20 +++++++------------
 splitsecure/services/saml2/schema_test.go | 11 +++++++++-
 4 files changed, 27 insertions(+), 26 deletions(-)
diff --git a/docs/resources/saml2_identity_provider.md b/docs/resources/saml2_identity_provider.md
index fe01d7d..d3abcec 100644
--- a/docs/resources/saml2_identity_provider.md
+++ b/docs/resources/saml2_identity_provider.md
@@ -18,11 +18,10 @@ resource "splitsecure_saml2_identity_provider" "aws_console" {
 name = "platform-engineering/aws-123456789012"
 description = "SAML IdP fronting AWS account 123456789012."
- # provider_id (SAML EntityID), sso_url, sso_url_post all default
- # server-side: the EntityID becomes a six-BIP39-word URL (matches
- # the web UI) and the SSO URLs anchor on the deployment's
- # frontend host. Set explicitly only for a stable URN-form EntityID
- # or a non-default SSO host.
+ # provider_id (SAML EntityID) defaults to a six-BIP39-word URL
+ # (matches the web UI). Set explicitly for a stable URN-form
+ # EntityID. sso_url_redirect and sso_url_post are server-assigned
+ # (read-only) and anchor on the deployment's frontend host.
 }
 ```
@@ -42,8 +41,6 @@ resource "splitsecure_saml2_identity_provider" "aws_console" {
 - `justification` (String, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Justification text rendered to voters during the create proposal. Write-only -- never persisted to state. The delete proposal sends a generated 'terraform destroy' justification, so callers don't need to keep this set after the resource exists.
 - `notification_policy` (String) Notification policy for proposals against this IdP. One of: notify_everyone, allow_selective_notifications. Defaults to "notify_everyone".
 - `provider_id` (String) SAML EntityID stamped into the cert subject, the assertion , and the metadata entityID. Leave unset to get a server-generated https:///saml/idp/ identifier (matches the web UI). Set explicitly for a stable URN-form EntityID.
-- `sso_url` (String) Single sign-on URL (HTTP-Redirect binding). Server assigns the default when unset.
-- `sso_url_post` (String) Single sign-on URL (HTTP-POST binding).
 ### Read-Only
@@ -53,3 +50,5 @@ resource "splitsecure_saml2_identity_provider" "aws_console" {
 - `signing_certificate_pem` (String) PEM-encoded X.509 signing certificate the IdP attaches to assertions. Suitable for SPs that take the raw certificate (e.g. tls_certificate-style consumers, custom SAML stacks).
 - `signing_public_key_der` (String) Base64-encoded SubjectPublicKeyInfo DER -- the bytes between the BEGIN/END markers of `signing_public_key_pem`.
 - `signing_public_key_pem` (String) PEM-encoded SubjectPublicKeyInfo extracted from the signing certificate. Suitable for SPs that pin a bare public key rather than the wrapping certificate.
+- `sso_url_post` (String) Single sign-on URL (HTTP-POST binding). Server-assigned; not user-configurable.
+- `sso_url_redirect` (String) Single sign-on URL (HTTP-Redirect binding). Server-assigned; not user-configurable.
diff --git a/examples/resources/splitsecure_saml2_identity_provider/resource.tf b/examples/resources/splitsecure_saml2_identity_provider/resource.tf
index e413ccf..a775509 100644
--- a/examples/resources/splitsecure_saml2_identity_provider/resource.tf
+++ b/examples/resources/splitsecure_saml2_identity_provider/resource.tf
@@ -3,9 +3,8 @@ resource "splitsecure_saml2_identity_provider" "aws_console" {
 name = "platform-engineering/aws-123456789012"
 description = "SAML IdP fronting AWS account 123456789012."
- # provider_id (SAML EntityID), sso_url, sso_url_post all default
- # server-side: the EntityID becomes a six-BIP39-word URL (matches
- # the web UI) and the SSO URLs anchor on the deployment's
- # frontend host. Set explicitly only for a stable URN-form EntityID
- # or a non-default SSO host.
+ # provider_id (SAML EntityID) defaults to a six-BIP39-word URL
+ # (matches the web UI). Set explicitly for a stable URN-form
+ # EntityID. sso_url_redirect and sso_url_post are server-assigned
+ # (read-only) and anchor on the deployment's frontend host.
 }
diff --git a/splitsecure/services/saml2/identity_provider.go b/splitsecure/services/saml2/identity_provider.go
index 9f33ffb..ec5a06f 100644
--- a/splitsecure/services/saml2/identity_provider.go
+++ b/splitsecure/services/saml2/identity_provider.go
@@ -42,7 +42,7 @@ type saml2IdentityProviderModel struct {
 Name types.String `tfsdk:"name"`
 Description types.String `tfsdk:"description"`
 NotificationPolicy types.String `tfsdk:"notification_policy"`
- SSOURL types.String `tfsdk:"sso_url"`
+ SSOURLRedirect types.String `tfsdk:"sso_url_redirect"`
 SSOURLPost types.String `tfsdk:"sso_url_post"`
 Justification types.String `tfsdk:"justification"`
 MetadataXML types.String `tfsdk:"metadata_xml"`
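Review bot: Renaming the state attribute from `sso_url` to `sso_url_redirect` (here, and again in the Schema hunk of identity_provider.go) is a user-visible breaking change that the commit does not call out: any configuration still setting `sso_url`, which was Optional before this change, will now fail plan with an unsupported-argument error, and any output or reference to `.sso_url` will break. I'd expect existing state to decode cleanly, since the dropped attribute is simply discarded when the schema version is unchanged, but there is no changelog entry or upgrade note in this diff and the resource's schema Version is not bumped. If downstream configs are known to reference the old name, one option is to keep it as a deprecated Computed alias for a release, e.g. `"sso_url": schema.StringAttribute{Computed: true, DeprecationMessage: "Use sso_url_redirect instead."}`, populated alongside `SSOURLRedirect` in populateIDPModel. The struct definition continues outside the hunk.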
@@ -133,19 +133,15 @@ func (r *saml2IdentityProvider) Schema(_ context.Context, _ resource.SchemaReque
 stringvalidator.OneOf(notificationPolicyValues()...),
 },
 },
- "sso_url": schema.StringAttribute{
- Optional: true,
+ "sso_url_redirect": schema.StringAttribute{
 Computed: true,
- Description: "Single sign-on URL (HTTP-Redirect binding). Server assigns the default when unset.",
- PlanModifiers: forceNewString(),
- Validators: []validator.String{httpsURLValidator()},
+ Description: "Single sign-on URL (HTTP-Redirect binding). Server-assigned; not user-configurable.",
+ PlanModifiers: []planmodifier.String{stringplanmodifier.UseStateForUnknown()},
 },
 "sso_url_post": schema.StringAttribute{
- Optional: true,
 Computed: true,
- Description: "Single sign-on URL (HTTP-POST binding).",
- PlanModifiers: forceNewString(),
- Validators: []validator.String{httpsURLValidator()},
+ Description: "Single sign-on URL (HTTP-POST binding). Server-assigned; not user-configurable.",
+ PlanModifiers: []planmodifier.String{stringplanmodifier.UseStateForUnknown()},
 },
 "justification": schema.StringAttribute{
 Optional: true,
@@ -204,8 +200,6 @@ func (r *saml2IdentityProvider) Create(ctx context.Context, req resource.CreateR
 TeamS2R: plan.TeamS2R.ValueString(),
 Idp: &saml2v2.IdPState{
 ProviderId: plan.ProviderID.ValueString(),
- SsoUrl: plan.SSOURL.ValueString(),
- SsoUrlPost: plan.SSOURLPost.ValueString(),
 BaseResourceAttributes: &teamresourcev1.BaseResourceAttributes{
 Name: plan.Name.ValueString(),
 Description: plan.Description.ValueString(),
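Review bot: The two computed attributes now spell out `[]planmodifier.String{stringplanmodifier.UseStateForUnknown()}` twice, while the same file already wraps the analogous replacement-forcing modifier in a `forceNewString()` helper; a matching `useStateForUnknownString()` helper would keep the schema consistent and is presumably reusable by the other computed attributes (id, signing_*) that sit outside this hunk. Dropping `Optional` and `httpsURLValidator()` is the right call since these values are no longer user input, but note that the resource now trusts whatever URL the server returns here and renders it into `metadata_xml`, so the HTTPS guarantee the validator used to give is now a server-side property. Schema's body starts and ends outside the hunk.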
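Review bot: Create no longer forwards the SSO URLs, but `plan.SSOURLPost` is still a model field and during create it is Unknown; `ValueString()` on an unknown or null `types.String` yields "", so if the Update path (outside this diff) still copies it into the request, an empty value would be silently resent for a server-assigned field — worth confirming that Update was adjusted as well. A one-line comment above `ProviderId`, such as `// sso_url_redirect and sso_url_post are server-assigned; never sent from the plan.`, would record the contract for the next reader. Create's body starts and ends outside the hunk.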
@@ -353,7 +347,7 @@ func populateIDPModel(m *saml2IdentityProviderModel, resourceS2R string, rec *co
 m.Name = types.StringValue(bra.GetName())
 m.Description = types.StringValue(bra.GetDescription())
 m.NotificationPolicy = types.StringValue(notificationPolicyToString(bra.GetNotificationPolicy()))
- m.SSOURL = types.StringValue(idp.GetSsoUrl())
+ m.SSOURLRedirect = types.StringValue(idp.GetSsoUrl())
 m.SSOURLPost = types.StringValue(idp.GetSsoUrlPost())
 // Render metadata_xml from the structured fields. validUntil is
diff --git a/splitsecure/services/saml2/schema_test.go b/splitsecure/services/saml2/schema_test.go
index 23bb22a..b6fc752 100644
--- a/splitsecure/services/saml2/schema_test.go
+++ b/splitsecure/services/saml2/schema_test.go
@@ -45,7 +45,16 @@ func TestIDPSchema_ComputedAttributes(t *testing.T) {
 s := schemaForResource(t, &saml2IdentityProvider{})
- for _, name := range []string{"id", "metadata_xml", "signing_certificate_pem", "signing_certificate_der", "signing_public_key_pem", "signing_public_key_der"} {
+ for _, name := range []string{
+ "id",
+ "metadata_xml",
+ "sso_url_redirect",
+ "sso_url_post",
+ "signing_certificate_pem",
+ "signing_certificate_der",
+ "signing_public_key_pem",
+ "signing_public_key_der",
+ } {
 attr, ok := s.Attributes[name]
 if !ok {
 t.Fatalf("computed attribute %q missing from IdP schema", name)