
Sample of Application Metadata file. #1

Open
ZiadMansourM opened this issue Apr 28, 2024 · 4 comments

Comments

@ZiadMansourM

Good evening Mr. Heard,
Hope you are enjoying your evening ^^

I came across this amazing repo, thank you for your efforts, while trying to use terraform to configure AWS client VPN using AWS IAM Identity Center as the IdP.

I have been through the whole process using ClickOps or the Console.

My Question

I used to add the Application Metadata manually, as the docs mentioned If you don’t have a metadata file, you can manually type your metadata values and enter the following values:

E.g. for aws-client-vpn

E.g. for aws-client-vpn-self-service

But the terraform code is:

resource "aws_iam_saml_provider" "aws-client-vpn" {
  name                   = "aws-client-vpn"
  saml_metadata_document = file("${path.module}/metadata/aws-client-vpn.xml")
}

resource "aws_iam_saml_provider" "aws-client-vpn-self-service" {
  name                   = "aws-client-vpn-self-service"
  saml_metadata_document = file("${path.module}/metadata/aws-client-vpn-self-service.xml")
}

You mentioned in the repo You will need to add the AWS SSO SAML Application metadata files to the terraform/metadata directory.

How can I generate the aws-client-vpn.xml or aws-client-vpn-self-service.xml? Or are there any samples or docs referring to the structure of the file? Would I need to create the files manually, or should I get them from somewhere?

Thank you in advance ^^

@ZiadMansourM
Author

Updates

  1. Used this tool to generate the metadata for the two SAML providers.
    • For aws-client-vpn gen aws-client-vpn.xml:
      • EntityId: urn:amazon:webservices:clientvpn.
      • Attribute Consume Service Endpoint (HTTP-POST): http://127.0.0.1:35001.
    • For aws-client-vpn-self-service gen aws-client-vpn-self-service.xml:
      • EntityId: urn:amazon:webservices:clientvpn.
      • Attribute Consume Service Endpoint (HTTP-POST): https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml.
  2. Use aws_iam_saml_provider terraform resource to create the two SAML providers.
  3. Add attributes mappings according to the following table:
     | User attribute in the application | Maps to this string value or user attribute in AWS IAM Identity Center | Format       |
     |-----------------------------------|------------------------------------------------------------------------|--------------|
     | Subject                           | ${user:email}                                                          | emailAddress |
     | Name                              | ${user:email}                                                          | unspecified  |
     | FirstName                         | ${user:givenName}                                                      | unspecified  |
     | LastName                          | ${user:familyName}                                                     | unspecified  |
     | memberOf                          | ${user:groups}                                                         | unspecified  |

Currently trying to figure out how to make the attributes mappings with terraform, as it is a required step as mentioned here.

@patheard
Owner

Hi Ziad, you can download the metadata file for the IAM Identity Center applications you create from the AWS console by doing the following:

  1. View your application and select Edit configuration
  2. About midway down the page, there's an IAM Identity Center metadata section and the Download link is in there:

In my case, since Terraform isn't able to manage SAML applications yet (at least that I could find), I just did all the mapping manually in the AWS console.

Hope this helps and glad you found the repo useful!
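The file that `aws_iam_saml_provider` consumes is the IdP-side metadata (the IAM Identity Center document downloaded as described in the reply above), which is a different document from the SP-side metadata that a generator fed the EntityId and ACS URL from the "Updates" comment produces. The script below is an added example for this thread, not code from the repository or from either commenter: it checks a metadata document before Terraform reads it, confirming it is well-formed, is an `md:EntityDescriptor` with an `entityID`, carries an `md:IDPSSODescriptor` with at least one base64-decodable signing certificate and an HTTPS `SingleSignOnService` endpoint for the HTTP-POST binding, and it reports clearly when the document only contains an `md:SPSSODescriptor`. Both embedded XML samples are constructed: the IdP sample uses a made-up entityID, URL and certificate placeholder; the SP sample reuses the EntityId and ACS values from the "Updates" comment purely to illustrate the SP-side shape.

```python
"""Pre-flight check for a SAML IdP metadata document destined for
Terraform's aws_iam_saml_provider. Added example for this thread; not
code from the repository being discussed. Requires only the standard library."""
import base64
import sys
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of an IdP metadata document. The entityID, SSO URL and
# certificate body are placeholders, not values from any real tenant.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://portal.sso.example-region.amazonaws.com/saml/assertion/EXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICexampleONLYnotARealCertA</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.sso.example-region.amazonaws.com/saml/assertion/EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of an SP metadata document, the shape a generator emits
# when given the EntityId and ACS endpoint quoted earlier in this thread.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:amazon:webservices:clientvpn">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://127.0.0.1:35001" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


class MetadataError(ValueError):
    """Raised when the document is not usable as IdP metadata."""


def validate_idp_metadata(xml_text: str) -> dict:
    """Return entity_id, sso_post_url and signing_certs, or raise MetadataError."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise MetadataError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise MetadataError(f"root element is {root.tag}, expected md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("EntityDescriptor has no entityID attribute")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # An SPSSODescriptor describes the service provider, i.e. the other
        # side of the trust; aws_iam_saml_provider needs the IdP's descriptor.
        if root.find("md:SPSSODescriptor", NS) is not None:
            raise MetadataError("document has only an SPSSODescriptor (SP metadata), not an IdP")
        raise MetadataError("no IDPSSODescriptor found")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys do not verify assertions
        for cert in kd.findall(".//ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())
            if not body:
                raise MetadataError("empty X509Certificate element")
            try:
                base64.b64decode(body, validate=True)
            except ValueError as exc:  # binascii.Error is a ValueError
                raise MetadataError(f"X509Certificate is not valid base64: {exc}") from exc
            certs.append(body)
    if not certs:
        raise MetadataError("no signing certificate in IDPSSODescriptor")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_POST]
    if not sso or not sso[0]:
        raise MetadataError("no SingleSignOnService with the HTTP-POST binding")
    if not sso[0].startswith("https://"):
        raise MetadataError(f"SSO endpoint is not HTTPS: {sso[0]}")
    return {"entity_id": entity_id, "sso_post_url": sso[0], "signing_certs": len(certs)}


def metadata_problem(xml_text: str) -> Optional[str]:
    """Convenience wrapper: the error message, or None when the document is usable."""
    try:
        validate_idp_metadata(xml_text)
    except MetadataError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Usage: python check_metadata.py terraform/metadata/aws-client-vpn.xml
    # With no argument the constructed samples are checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            docs = {sys.argv[1]: fh.read()}
    else:
        docs = {"sample-idp": SAMPLE_IDP_METADATA, "sample-sp": SAMPLE_SP_METADATA}
    for name, text in docs.items():
        problem = metadata_problem(text)
        print(f"{name}: {'OK ' + str(validate_idp_metadata(text)) if problem is None else 'REJECT ' + problem}")
```

Run it over each file in `terraform/metadata/` before `terraform apply`; a document that fails the `IDPSSODescriptor` check is the SP-side metadata and will not describe the IdP that the SAML provider resource is meant to trust. The certificate check only confirms the base64 is intact (a damaged paste is the usual failure), not the certificate's validity or chain.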

@intel352

intel352 commented Sep 5, 2024

> In my case, since Terraform isn't able to manage SAML applications yet (at least that I could find), I just did all the mapping manually in the AWS console.

@patheard Can you clarify regarding what you're saying Terraform doesn't support just yet?
I'm seeing that IAM Identity Center can be managed from Terraform, I'm also seeing Terraform examples showing SSO/SAML usage. Is it just the app management itself (guessing a custom app, rather than an AWS managed app) that you're referencing isn't manageable from terraform?

@patheard
Owner

patheard commented Sep 5, 2024

Yup, exactly - there isn't a way to create and configure the custom app via Terraform:
