hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: "AccessDenied" not handled correctly whilst aws_storagegateway_smb_file_share is in the state "Deleting..." #32768

Open rba1-source opened 1 year ago

rba1-source commented 1 year ago

Terraform Core Version

1.3.5

AWS Provider Version

4.66

Affected Resource(s)

Expected Behavior

aws provider should wait until the resource has finished being deleted before continuing

Actual Behavior

terraform polls AWS after it has sent the "delete SMB share" command to check if it has been deleted yet, but if the share is in the state "Deleting...", AWS returns "AccessDenied" which causes terraform to error out.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_storagegateway_smb_file_share" "smbshare" {
  file_share_name = "share05"
  authentication  = "ActiveDirectory"
  gateway_arn     = var.gateway_arn
  location_arn    = var.bucket_arn
  role_arn        = var.role_arn
  valid_user_list = var.valid_user_list
  smb_acl_enabled = true
  read_only       = true
}

Steps to Reproduce

  1. run a terraform apply to deploy an SMB share
  2. delete the SMB share from your terraform code and then rerun your terraform apply (to delete the share)

Alternatively, perform an action that results in SMB share deletion, such as:

  1. deploy a FileGateway & SMB share
  2. redeploy but with a newer FileGateway AMI, which causes all the SMB shares to be destroyed from the old FileGateway and created on the new FileGateway

Debug Output

2023-04-27T15:39:02.292+0100 [ERROR] vertex "module.smb_share_05.aws_storagegateway_smb_file_share.smbshare (destroy)" error: waiting for Storage Gateway SMB File Share (arn:aws:storagegateway:eu-west-1::share/share-3DED5CE7) to delete: AccessDeniedException: User: arn:aws:sts:::assumed-role/deployer is not authorized to perform: storagegateway:DescribeSMBFileShares on resource: arn:aws:storagegateway:eu-west-1::share/share-3DED5CE7 because no identity-based policy allows the storagegateway:DescribeSMBFileShares action status code: 400, request id: 51e5c638-caab-4d74-8eb5-350fec38364b

Panic Output

No response

Important Factoids

I spoke to AWS Support about this and they said that "Access Denied" is what AWS correctly returns if it is partway through the process of deleting the SMB share (i.e. it's in the "Deleting..." state). "InvalidGatewayRequestException" can be returned if you request/poll after the SMB share is deleted, or whilst it is in the "Deleting..." state. Specifically they said: "If the share status is in the “Deleting” state, or just recently deleted, while the describe call is being made, both of these errors may be thrown as the resource is no longer available to be called or used while being deleted. The accessdenied error is being thrown as the resource is still in the process of being deleted and cannot yet be accessed."

The flow should be: terraform requests the resource be deleted, AWS starts deleting it, terraform polls AWS every few seconds until it returns a "this resource doesn't exist" response, then terraform continues.

But the flow is: terraform requests the resource be deleted, AWS starts deleting it, terraform polls AWS and receives an "Access Denied" response because the resource is in the "Deleting..." state and thus cannot be accessed to retrieve the current state, so terraform errors out.

The issue is intermittent because sometimes the resource gets deleted before the first time that terraform polls for it - in these cases, terraform behaves as expected and the 'apply' continues successfully.

References

No response

Would you like to implement a fix?

No
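A waiter sketch that applies the behaviour AWS Support described in the issue, added here as an example rather than the provider's own code or a patch for the resource: during the post-delete poll it treats AccessDeniedException as "still deleting", treats InvalidGatewayRequestException as "gone", bounds the number of polls, and surfaces every other error unchanged. The apiError type, classifyPoll, waitForShareDeletion and replay are hypothetical stand-ins for the AWS SDK's coded errors and the provider's waiter.

```go
package main

import (
	"errors"
	"fmt"
)

// apiError stands in for the AWS SDK's coded error (hypothetical type, not the SDK's own).
type apiError struct{ Code, Message string }
func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// classifyPoll interprets one DescribeSMBFileShares result taken after DeleteFileShare was
// requested: deleted=true ends the wait, a returned error aborts it, (false, nil) keeps polling.
// AccessDeniedException counts as "still deleting" ONLY inside this post-delete wait; on an
// ordinary read it must stay an error, or a genuine IAM misconfiguration would be hidden.
func classifyPoll(err error) (deleted bool, fatal error) {
	if err == nil {
		return false, nil // share still describable, so not yet removed
	}
	var ae *apiError
	if !errors.As(err, &ae) {
		return false, err // not a coded API error (e.g. transport failure)
	}
	switch ae.Code {
	case "InvalidGatewayRequestException": // share no longer exists
		return true, nil
	case "AccessDeniedException": // share in the "Deleting..." state, per AWS Support above
		return false, nil
	}
	return false, err
}

// waitForShareDeletion polls describe at most maxPolls times (sleep between polls omitted),
// so a share that never leaves "Deleting..." still fails after a bounded wait.
func waitForShareDeletion(describe func() error, maxPolls int) error {
	for i := 0; i < maxPolls; i++ {
		deleted, err := classifyPoll(describe())
		if err != nil {
			return fmt.Errorf("waiting for SMB file share to delete: %w", err)
		} else if deleted {
			return nil
		}
	}
	return errors.New("timed out waiting for SMB file share to delete")
}

// replay builds a describe stub that returns constructed responses in order, repeating the last.
func replay(seq ...error) func() error {
	i := 0
	return func() error { e := seq[i]; if i+1 < len(seq) { i++ }; return e }
}
```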

github-actions[bot] commented 1 year ago
