search

lgallard / terraform-aws-cognito-user-pool

Terraform module to create Amazon Cognito User Pools, configure its attributes and resources such as app clients, domain, resource servers. Amazon Cognito User Pools provide a secure user directory that scales to hundreds of millions of users.
Apache License 2.0
89 stars 95 forks source link

SAML identity provider shows changes on every run due to ActiveEncryptionCertificate #135

Open liamfit opened 3 months ago

liamfit commented 3 months ago

Great module!

I am using this to create a SAML identity provider in my user pool like this:

  identity_providers = [
    {
      provider_name = "myOrgGoogle"
      provider_type = "SAML"
      provider_details = {
        IDPInit               = false
        IDPSignout            = false
        EncryptedResponses    = false
        SSORedirectBindingURI = "https://accounts.google.com/o/saml2/idp?idpid=xxxx"
        MetadataFile          = file("../../files/google_saml_metadata.xml")
      }
  ]

When running terraform plan I always see changes to provider_details. If I change identity_providers variable to sensitive = false then I can see that ActiveEncryptionCertificate is being changed from null to the encryption cert generated for my user pool:

  # module.cognito.aws_cognito_identity_provider.identity_provider[0] will be updated in-place
  ~ resource "aws_cognito_identity_provider" "identity_provider" {
        id                = "eu-west-2_hrcJfpRjv:ThriveGoogle"
      ~ provider_details  = {
          - "ActiveEncryptionCertificate" = "MIICvDCCAaSgAwIBAgII....." -> null
            # (5 unchanged elements hidden)
        }
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

If I add this value to provider_details then the plan shows no changes but as it's different value for every user pool it's a bit of a pain to add this to every environment. Also, according to the docs these signing and encryption certs get regenerated every year so it's gonna be a bit of a pain to maintain: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html

Looks like I can get the current signing certificate with this data source but not the encryption cert: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cognito_user_pool_signing_certificate

I'm wondering if the best thing to do is add provider_details to the ignore_changes lifecycle block as was done with schemas here: https://github.com/lgallard/terraform-aws-cognito-user-pool/pull/130