
AWS Storage Gateway SMB security settings #9382

Closed
ghost opened this issue Jul 17, 2019 · 5 comments · Fixed by #13563
enhancement Requests to existing resources that expand the functionality or scope. service/storagegateway Issues and PRs that pertain to the storagegateway service.
Comments

@ghost

ghost commented Jul 17, 2019

This issue was originally opened by @thorvats as hashicorp/terraform#22084. It was migrated here as a result of the provider split. The original body of the issue is below.


Current Terraform Version

Terraform v0.11.10

Use-cases

Create terraform Storage Gateway resources for storage_gw account

resource "aws_s3_bucket" "storage_gw" {
  bucket        = "${var.target_infra}-storage_gw-share"
  acl           = "private"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${aws_kms_key.data.arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
  lifecycle_rule {
    id          = "storage_gw"
    enabled     = true
    transition {
      days          = 30
      storage_class = "ONEZONE_IA"
    }

    transition {
      days          = 90
      storage_class = "GLACIER"
    }

    expiration {
      days          = 180
    }
  }
  tags = "${merge(
    local.common_tags,
    map(
      "Name", "${var.target_infra}-storage_gw-share"
    )
  )}"
}

data "template_file" "s3-storage_gw" {
  template = "${file("${path.module}/templates/stg-gw-bucket-policy.json")}"

  vars {
    account_id       = "${data.aws_caller_identity.this.account_id}"
    bucket_name      = "${aws_s3_bucket.storage_gw.id}"
    app_account_id   = "${accountId}"
    data_kms_arn     = "${aws_kms_key.data.arn}"
    assumed_role_id  = "${element(split(":",data.aws_caller_identity.this.user_id),0)}"
  }
}

resource "aws_s3_bucket_policy" "storage_gw" {
  bucket   = "${aws_s3_bucket.storage_gw.id}"
  policy   = "${data.template_file.s3-storage_gw.rendered}"
}

data "template_file" "sgw-storage_gw" {
  template = "${file("${path.module}/templates/stg-gw-policy.json")}"

  vars {
    bucket_name  = "${aws_s3_bucket.storage_gw.id}"
    data_kms_arn = "${aws_kms_key.data.arn}"
  }
}

resource "aws_iam_role" "storage_gw" {
  name_prefix        = "${var.target_infra}-storage_gw-stg-gw-"
  description        = "Allow storage gateway to write to s3"
  assume_role_policy = "${file("${path.module}/templates/assume-stg-gw.json")}"

  tags = "${merge(
    local.common_tags,
    map(
      "Name", "${var.target_infra}-storage_gw-storage-gateway-role"
    )
  )}"
}

resource "aws_iam_role_policy" "storage_gw" {
  name_prefix = "${var.target_infra}-storage_gw-stg-gw-policy-"
  role        = "${aws_iam_role.storage_gw.id}"
  policy      = "${data.template_file.sgw-storage_gw.rendered}"
}

resource "aws_storagegateway_smb_file_share" "storage_gw" {
  authentication  = "ActiveDirectory"
  gateway_arn     = "${aws_storagegateway_gateway.storage_gateway.arn}"
  location_arn    = "${aws_s3_bucket.storage_gw.arn}"
  role_arn        = "${aws_iam_role.storage_gw.arn}"
  kms_encrypted   = true
  kms_key_arn     = "${aws_kms_key.data.arn}"
  valid_user_list = ["@AWS-${var.target_infra}-storage-gw-share"]
  depends_on      = ["aws_iam_role_policy.storage_gw"]

}

resource "aws_storagegateway_gateway" "storage_gateway" {
  activation_key     = "${local.sgw_activation_key[var.target_infra]}"
  gateway_name       = "${var.target_infra}-${local.app_name}-storagagateway"
  gateway_timezone   = "GMT"
  gateway_type       = "FILE_S3"
  
  smb_active_directory_settings {
    domain_name        = "domain.local"
    username           = "${local.sgw_domain_username}"
    password           = "${var.sgw_domain_password}"
  }
}

data "aws_storagegateway_local_disk" "sgw_disk" {
  disk_path   = "/dev/sdb"
  gateway_arn = "${aws_storagegateway_gateway.storage_gateway.arn}"
}

resource "aws_storagegateway_cache" "sgw_cache" {
  disk_id     = "${data.aws_storagegateway_local_disk.sgw_disk.id}"
  gateway_arn = "${aws_storagegateway_gateway.storage_gateway.arn}"
}

Attempted Solutions

These settings were manually updated in the console after deploying AWS Storage Gateway: File Gateway, as per the AWS article mentioned below.

https://docs.aws.amazon.com/storagegateway/latest/userguide/managing-gateway-file.html#security-strategy

Proposal

Add property smb_sec_settings in the AWS Storage Gateway resource, like in the terraform module - https://www.terraform.io/docs/providers/aws/r/storagegateway_gateway.html

with values like:

values: " ", "encrypted", "signed", "negotiated"

References

https://docs.aws.amazon.com/storagegateway/latest/userguide/managing-gateway-file.html#security-strategy
https://www.terraform.io/docs/providers/aws/r/storagegateway_gateway.html
Storage Gateway Manual Settings.docx

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 17, 2019
@aeschright aeschright added the service/s3 Issues and PRs that pertain to the s3 service. label Aug 2, 2019
@pintbrewer

This became an issue for me once AWS changed the default setting for new Gateways.

excerpt from: https://docs.aws.amazon.com/storagegateway/latest/userguide/managing-gateway-file.html#security-strategy

Note
For gateways activated before June 20, 2019, the default security level is Client negotiated.
For gateways activated on June 20, 2019 and later, the default security level is Enforce encryption.

I agree with the proposal above.

@DrFaust92 DrFaust92 added the service/storagegateway Issues and PRs that pertain to the storagegateway service. label May 21, 2020
@DrFaust92 DrFaust92 removed the service/s3 Issues and PRs that pertain to the s3 service. label May 31, 2020
@DrFaust92
Collaborator

addressed in #13563

@DrFaust92 DrFaust92 added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 21, 2020
@bflad bflad added this to the v3.4.0 milestone Aug 21, 2020
@bflad bflad self-assigned this Aug 21, 2020
@bflad
Contributor

bflad commented Aug 21, 2020

Support for the smb_security_strategy argument has been merged and will be released with version 3.4.0 of the Terraform AWS Provider, late next week. Thanks to @DrFaust92 for the implementation. 👍
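The argument requested in this issue shipped as smb_security_strategy on aws_storagegateway_gateway. The following is an added example, not code from the issue author or from the provider's own documentation: it rewrites the gateway resource from the issue body in Terraform 0.12 syntax (provider 3.4.0 requires 0.12+) and pins the SMB security level explicitly, so that the result no longer depends on the activation-date default quoted in this thread. The three accepted values (ClientSpecified, MandatorySigning, MandatoryEncryption) are the provider's real values and map onto the issue's proposed "negotiated", "signed" and "encrypted"; the variables and locals referenced are the issue author's names and are assumed to be declared elsewhere in the module.

```hcl
# Added example (not from the issue or the provider docs).
# Requires Terraform 0.12+ syntax and Terraform AWS provider >= 3.4.0.

resource "aws_storagegateway_gateway" "storage_gateway" {
  activation_key   = local.sgw_activation_key[var.target_infra]
  gateway_name     = "${var.target_infra}-${local.app_name}-storagegateway"
  gateway_timezone = "GMT"
  gateway_type     = "FILE_S3"

  # Gateway-wide SMB security level. Provider values (assumed, see lead-in):
  #   "ClientSpecified"     - client negotiated; no signing/encryption required
  #   "MandatorySigning"    - all SMB sessions must be signed
  #   "MandatoryEncryption" - all SMB sessions must be encrypted (SMB3 only)
  # Set it explicitly rather than relying on the activation-date default.
  smb_security_strategy = "MandatoryEncryption"

  smb_active_directory_settings {
    domain_name = "domain.local"
    username    = local.sgw_domain_username
    password    = var.sgw_domain_password
  }
}

# Unchanged from the issue body apart from syntax: the share still rides on the
# gateway above, so every SMB client of it inherits the enforced level.
resource "aws_storagegateway_smb_file_share" "storage_gw" {
  authentication  = "ActiveDirectory"
  gateway_arn     = aws_storagegateway_gateway.storage_gateway.arn
  location_arn    = aws_s3_bucket.storage_gw.arn
  role_arn        = aws_iam_role.storage_gw.arn
  kms_encrypted   = true
  kms_key_arn     = aws_kms_key.data.arn
  valid_user_list = ["@AWS-${var.target_infra}-storage-gw-share"]
  depends_on      = [aws_iam_role_policy.storage_gw]
}
```

After terraform apply, the effective level can be confirmed outside Terraform with aws storagegateway describe-smb-settings --gateway-arn <gateway ARN>, whose SMBSecurityStrategy field should read MandatoryEncryption; a gateway activated before June 20, 2019 and never updated will instead report ClientSpecified. Note that MandatoryEncryption rejects clients that only speak SMB 2.x, so confirm the client inventory before tightening an existing gateway.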

@ghost
Author

ghost commented Aug 27, 2020

This has been released in version 3.4.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Author

ghost commented Sep 20, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 20, 2020