sso_url_redirect and sso_url_post are read-only/computed

docs/resources/saml2_identity_provider.md

@@ -18,11 +18,10 @@ resource "splitsecure_saml2_identity_provider" "aws_console" {
 
   name        = "platform-engineering/aws-123456789012"
   description = "SAML IdP fronting AWS account 123456789012."
-  # provider_id (SAML EntityID), sso_url, sso_url_post all default
-  # server-side: the EntityID becomes a six-BIP39-word URL (matches
-  # the web UI) and the SSO URLs anchor on the deployment's
-  # frontend host. Set explicitly only for a stable URN-form EntityID
-  # or a non-default SSO host.
+  # provider_id (SAML EntityID) defaults to a six-BIP39-word URL
+  # (matches the web UI). Set explicitly for a stable URN-form
+  # EntityID. sso_url_redirect and sso_url_post are server-assigned
+  # (read-only) and anchor on the deployment's frontend host.
 }
 ```
 
@@ -42,8 +41,6 @@ resource "splitsecure_saml2_identity_provider" "aws_console" {
 - `justification` (String, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Justification text rendered to voters during the create proposal. Write-only -- never persisted to state. The delete proposal sends a generated 'terraform destroy' justification, so callers don't need to keep this set after the resource exists.
 - `notification_policy` (String) Notification policy for proposals against this IdP. One of: notify_everyone, allow_selective_notifications. Defaults to "notify_everyone".
 - `provider_id` (String) SAML EntityID stamped into the cert subject, the assertion <Issuer>, and the metadata entityID. Leave unset to get a server-generated https://<frontend-host>/saml/idp/<six-bip39-words> identifier (matches the web UI). Set explicitly for a stable URN-form EntityID.
-- `sso_url` (String) Single sign-on URL (HTTP-Redirect binding). Server assigns the default when unset.
-- `sso_url_post` (String) Single sign-on URL (HTTP-POST binding).
 
 ### Read-Only
 
@@ -53,3 +50,5 @@ resource "splitsecure_saml2_identity_provider" "aws_console" {
 - `signing_certificate_pem` (String) PEM-encoded X.509 signing certificate the IdP attaches to assertions. Suitable for SPs that take the raw certificate (e.g. tls_certificate-style consumers, custom SAML stacks).
 - `signing_public_key_der` (String) Base64-encoded SubjectPublicKeyInfo DER -- the bytes between the BEGIN/END markers of `signing_public_key_pem`.
 - `signing_public_key_pem` (String) PEM-encoded SubjectPublicKeyInfo extracted from the signing certificate. Suitable for SPs that pin a bare public key rather than the wrapping certificate.
+- `sso_url_post` (String) Single sign-on URL (HTTP-POST binding). Server-assigned; not user-configurable.
+- `sso_url_redirect` (String) Single sign-on URL (HTTP-Redirect binding). Server-assigned; not user-configurable.

examples/resources/splitsecure_saml2_identity_provider/resource.tf

@@ -3,9 +3,8 @@ resource "splitsecure_saml2_identity_provider" "aws_console" {
 
   name        = "platform-engineering/aws-123456789012"
   description = "SAML IdP fronting AWS account 123456789012."
-  # provider_id (SAML EntityID), sso_url, sso_url_post all default
-  # server-side: the EntityID becomes a six-BIP39-word URL (matches
-  # the web UI) and the SSO URLs anchor on the deployment's
-  # frontend host. Set explicitly only for a stable URN-form EntityID
-  # or a non-default SSO host.
+  # provider_id (SAML EntityID) defaults to a six-BIP39-word URL
+  # (matches the web UI). Set explicitly for a stable URN-form
+  # EntityID. sso_url_redirect and sso_url_post are server-assigned
+  # (read-only) and anchor on the deployment's frontend host.
 }

splitsecure/services/saml2/identity_provider.go

@@ -42,7 +42,7 @@ type saml2IdentityProviderModel struct {
 	Name                  types.String `tfsdk:"name"`
 	Description           types.String `tfsdk:"description"`
 	NotificationPolicy    types.String `tfsdk:"notification_policy"`
-	SSOURL                types.String `tfsdk:"sso_url"`
+	SSOURLRedirect        types.String `tfsdk:"sso_url_redirect"`
 	SSOURLPost            types.String `tfsdk:"sso_url_post"`
 	Justification         types.String `tfsdk:"justification"`
 	MetadataXML           types.String `tfsdk:"metadata_xml"`
@@ -133,19 +133,15 @@ func (r *saml2IdentityProvider) Schema(_ context.Context, _ resource.SchemaReque
 					stringvalidator.OneOf(notificationPolicyValues()...),
 				},
 			},
-			"sso_url": schema.StringAttribute{
-				Optional:      true,
+			"sso_url_redirect": schema.StringAttribute{
 				Computed:      true,
-				Description:   "Single sign-on URL (HTTP-Redirect binding). Server assigns the default when unset.",
-				PlanModifiers: forceNewString(),
-				Validators:    []validator.String{httpsURLValidator()},
+				Description:   "Single sign-on URL (HTTP-Redirect binding). Server-assigned; not user-configurable.",
+				PlanModifiers: []planmodifier.String{stringplanmodifier.UseStateForUnknown()},
 			},
 			"sso_url_post": schema.StringAttribute{
-				Optional:      true,
 				Computed:      true,
-				Description:   "Single sign-on URL (HTTP-POST binding).",
-				PlanModifiers: forceNewString(),
-				Validators:    []validator.String{httpsURLValidator()},
+				Description:   "Single sign-on URL (HTTP-POST binding). Server-assigned; not user-configurable.",
+				PlanModifiers: []planmodifier.String{stringplanmodifier.UseStateForUnknown()},
 			},
 			"justification": schema.StringAttribute{
 				Optional:  true,
@@ -204,8 +200,6 @@ func (r *saml2IdentityProvider) Create(ctx context.Context, req resource.CreateR
 			TeamS2R: plan.TeamS2R.ValueString(),
 			Idp: &saml2v2.IdPState{
 				ProviderId: plan.ProviderID.ValueString(),
-				SsoUrl:     plan.SSOURL.ValueString(),
-				SsoUrlPost: plan.SSOURLPost.ValueString(),
 				BaseResourceAttributes: &teamresourcev1.BaseResourceAttributes{
 					Name:               plan.Name.ValueString(),
 					Description:        plan.Description.ValueString(),
@@ -353,7 +347,7 @@ func populateIDPModel(m *saml2IdentityProviderModel, resourceS2R string, rec *co
 	m.Name = types.StringValue(bra.GetName())
 	m.Description = types.StringValue(bra.GetDescription())
 	m.NotificationPolicy = types.StringValue(notificationPolicyToString(bra.GetNotificationPolicy()))
-	m.SSOURL = types.StringValue(idp.GetSsoUrl())
+	m.SSOURLRedirect = types.StringValue(idp.GetSsoUrl())
 	m.SSOURLPost = types.StringValue(idp.GetSsoUrlPost())
 
 	// Render metadata_xml from the structured fields. validUntil is

splitsecure/services/saml2/schema_test.go

@@ -45,7 +45,16 @@ func TestIDPSchema_ComputedAttributes(t *testing.T) {
 
 	s := schemaForResource(t, &saml2IdentityProvider{})
 
-	for _, name := range []string{"id", "metadata_xml", "signing_certificate_pem", "signing_certificate_der", "signing_public_key_pem", "signing_public_key_der"} {
+	for _, name := range []string{
+		"id",
+		"metadata_xml",
+		"sso_url_redirect",
+		"sso_url_post",
+		"signing_certificate_pem",
+		"signing_certificate_der",
+		"signing_public_key_pem",
+		"signing_public_key_der",
+	} {
 		attr, ok := s.Attributes[name]
 		if !ok {
 			t.Fatalf("computed attribute %q missing from IdP schema", name)