AWS Storage Gateway SMB security settings #22084

Closed
thorvats opened this issue Jul 16, 2019 · 2 comments
Comments

thorvats commented Jul 16, 2019

Current Terraform Version

Terraform v0.11.10

Use-cases

Create terraform Storage Gateway resources for storage_gw account

```hcl
resource "aws_s3_bucket" "storage_gw" {
  bucket = "${var.target_infra}-storage_gw-share"
  acl    = "private"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${aws_kms_key.data.arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }

  lifecycle_rule {
    id      = "storage_gw"
    enabled = true

    transition {
      days          = 30
      storage_class = "ONEZONE_IA"
    }

    transition {
      days          = 90
      storage_class = "GLACIER"
    }

    expiration {
      days = 180
    }
  }

  tags = "${merge(
    local.common_tags,
    map(
      "Name", "${var.target_infra}-storage_gw-share"
    )
  )}"
}

data "template_file" "s3-storage_gw" {
  template = "${file("${path.module}/templates/stg-gw-bucket-policy.json")}"

  vars {
    account_id      = "${data.aws_caller_identity.this.account_id}"
    bucket_name     = "${aws_s3_bucket.storage_gw.id}"
    app_account_id  = "${accountId}"
    data_kms_arn    = "${aws_kms_key.data.arn}"
    assumed_role_id = "${element(split(":",data.aws_caller_identity.this.user_id),0)}"
  }
}

resource "aws_s3_bucket_policy" "storage_gw" {
  bucket = "${aws_s3_bucket.storage_gw.id}"
  policy = "${data.template_file.s3-storage_gw.rendered}"
}

data "template_file" "sgw-storage_gw" {
  template = "${file("${path.module}/templates/stg-gw-policy.json")}"

  vars {
    bucket_name  = "${aws_s3_bucket.storage_gw.id}"
    data_kms_arn = "${aws_kms_key.data.arn}"
  }
}

resource "aws_iam_role" "storage_gw" {
  name_prefix        = "${var.target_infra}-storage_gw-stg-gw-"
  description        = "Allow storage gateway to write to s3"
  assume_role_policy = "${file("${path.module}/templates/assume-stg-gw.json")}"

  tags = "${merge(
    local.common_tags,
    map(
      "Name", "${var.target_infra}-storage_gw-storage-gateway-role"
    )
  )}"
}

resource "aws_iam_role_policy" "storage_gw" {
  name_prefix = "${var.target_infra}-storage_gw-stg-gw-policy-"
  role        = "${aws_iam_role.storage_gw.id}"
  policy      = "${data.template_file.sgw-storage_gw.rendered}"
}

resource "aws_storagegateway_smb_file_share" "storage_gw" {
  authentication  = "ActiveDirectory"
  gateway_arn     = "${aws_storagegateway_gateway.storage_gateway.arn}"
  location_arn    = "${aws_s3_bucket.storage_gw.arn}"
  role_arn        = "${aws_iam_role.storage_gw.arn}"
  kms_encrypted   = true
  kms_key_arn     = "${aws_kms_key.data.arn}"
  valid_user_list = ["@AWS-${var.target_infra}-storage-gw-share"]
  depends_on      = ["aws_iam_role_policy.storage_gw"]
}

resource "aws_storagegateway_gateway" "storage_gateway" {
  activation_key   = "${local.sgw_activation_key[var.target_infra]}"
  gateway_name     = "${var.target_infra}-${local.app_name}-storagagateway"
  gateway_timezone = "GMT"
  gateway_type     = "FILE_S3"

  smb_active_directory_settings {
    domain_name = "domain.local"
    username    = "${local.sgw_domain_username}"
    password    = "${var.sgw_domain_password}"
  }
}

data "aws_storagegateway_local_disk" "sgw_disk" {
  disk_path   = "/dev/sdb"
  gateway_arn = "${aws_storagegateway_gateway.storage_gateway.arn}"
}

resource "aws_storagegateway_cache" "sgw_cache" {
  disk_id     = "${data.aws_storagegateway_local_disk.sgw_disk.id}"
  gateway_arn = "${aws_storagegateway_gateway.storage_gateway.arn}"
}
```

Attempted Solutions

These settings were manually updated in the console after deploying AWS Storage Gateway (File Gateway), as per the AWS article mentioned below.

https://docs.aws.amazon.com/storagegateway/latest/userguide/managing-gateway-file.html#security-strategy

Proposal

Add a property smb_sec_settings to the AWS Storage Gateway resource in the Terraform provider - https://www.terraform.io/docs/providers/aws/r/storagegateway_gateway.html

with values like:

values: " ", "encrypted", "signed", "negotiated"

References

https://docs.aws.amazon.com/storagegateway/latest/userguide/managing-gateway-file.html#security-strategy
https://www.terraform.io/docs/providers/aws/r/storagegateway_gateway.html
Storage Gateway Manual Settings.docx
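The setting this proposal asks for, shown as an added example that is not part of the issue author's configuration: the AWS provider exposes it on aws_storagegateway_gateway as the smb_security_strategy argument (not the smb_sec_settings name proposed above), whose values ClientSpecified, MandatorySigning and MandatoryEncryption correspond to the "negotiated", "signed" and "encrypted" options in the linked AWS article. The resource below is a trimmed copy of the gateway above in the same 0.11 interpolation style; the local, variable and domain names are taken from the issue and are assumptions. Confirm that the provider version you run documents this argument before relying on it.

```hcl
# Hardened gateway: SMB encryption is mandatory, so a client that cannot
# negotiate SMB 3 encryption is refused instead of being allowed to fall
# back to a signed-only or plaintext session.
resource "aws_storagegateway_gateway" "storage_gateway" {
  activation_key   = "${local.sgw_activation_key[var.target_infra]}"
  gateway_name     = "${var.target_infra}-${local.app_name}-storagegateway"
  gateway_timezone = "GMT"
  gateway_type     = "FILE_S3"

  # Weak value: "ClientSpecified" ("negotiated" in the console) lets each
  # client choose its own security level, so an unsigned, unencrypted
  # session is accepted when that is all the client offers.
  #
  # Middle value: "MandatorySigning" ("signed") requires SMB 2/3 signing,
  # which protects integrity but leaves file contents readable on the wire;
  # use it only when clients that cannot encrypt must still connect.
  smb_security_strategy = "MandatoryEncryption"   # "encrypted" in the console

  smb_active_directory_settings {
    domain_name = "domain.local"
    username    = "${local.sgw_domain_username}"
    password    = "${var.sgw_domain_password}"
  }
}
```

Keeping the value in code rather than in a console click means a drift check (terraform plan) reports a gateway that was later downgraded to "negotiated" by hand, which is the gap the issue describes.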

ghost commented Jul 17, 2019

This issue has been automatically migrated to hashicorp/terraform-provider-aws#9382 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to hashicorp/terraform-provider-aws#9382.

@ghost ghost closed this as completed Jul 17, 2019
ghost commented Aug 17, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Aug 17, 2019