I have some smb file share resources deployed in s3 Filegateway using IAM role through terraform. I am getting an error:and unable to destroy/re-create share getting following error.
Use cases :
-
If I change the location ARN of SMB share terraform will destroy and recreate the share.
-
I want to run the terraform apply when there is a new AMI of storage gateway.
-
To delete particular share from gateway.
Error: waiting for Storage Gateway SMB File Share (arn:aws:storagegateway:::share/)
to delete: AccessDeniedException: User: arn:aws:sts:::assumed-role// is not
authorized to perform: storagegateway:DescribeSMBFileShares on resource: arn:aws:storagegateway:::share/* because no identity-based policy allows the storagegateway:DescribeSMBFileShares action
status code: 400, request id: 2e8346d2-f6f2-4d28-8515-xxxxxxxxx
I’m using Terraform v1.3.5 and aws provider v4.66.0
I have verified that IAM role has full permission to describe and delete shares. The iam role gives the correct access, and we can successfully run the change if we are changing the share “allowed groups”. I would say issue is intermittent(Deletion was successful 2 times out of 20).
When I try to delete share terraform apply will get error out(above error message) and failed to update statefile. Parallelly shares have been deleted from AWS console however I am unable to run terraform plan post this terraform apply because statefile is inconsistence it will try to describe the deleted share reference in statefile and same error(share doesn’t exist in console and already deleted with previous terraform apply).
I have observed that terraform is keeps on polling describe share action every 5 sections when the shares are still in deleting state in AWS console and getting access denied error.
code :
resource "aws_storagegateway_smb_file_share" "smbshare" {
file_share_name = var.share_name
authentication = "ActiveDirectory"
gateway_arn = var.gateway_arn
location_arn = var.bucket_arn
role_arn = var.role_arn
valid_user_list = var.valid_user_list
smb_acl_enabled = true
read_only = true
cache_attributes {
cache_stale_timeout_in_seconds = "300"
}
tags = var.common_tags
}
module "smb_share" {
source = "./s3SMBshare"
share_name = "share-poc"
gateway_arn = module.compute.s3filegateway
bucket_arn = module.s3.s3filegateway_bucket
bucket_arn = var.bucket_arn
role_arn = var.role_arn
common_tags = local.common_tags
valid_user_list = var.valid_user_list
}
I did raise aws support case and got below response.
I see, you are expecting error code InvalidGatewayRequestException when describing the share right after deletion. But you are getting access denied when recreating or deleting the share and are not able to proceed.
You would like to know why you are getting access denied instead InvalidGatewayRequestException while deleting/recreating.
I see these DescribeSMBFileShares are happening moments after the DeleteFileShare action is occurring.
If the share status is in the “Deleting” state, or just recently deleted, while the describe call is being made, both of these errors may be thrown as the resource is no longer available to be called or used while being deleted.
The access denied error is being thrown as the resource is still in the process of being deleted and cannot yet be accessed.
How can I refresh AMI successfully and remove share that is no longer needed?