"KMSEncrypted is set to true, but KMSKey is missing." when updating aws_storagegateway_smb_file_share

[sebastiaf]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

3.47.0, 3.56.0

Affected Resource(s)

• aws_storagegateway_smb_file_share

Debug Output

aws_storagegateway_smb_file_share.smb: Modifying... [id=arn:aws:storagegateway:eu-central-1:721109342954:share/share-923A2BEE]
2021/09/02 14:26:23 [DEBUG] EvalApply: ProviderMeta config value set
2021/09/02 14:26:23 [DEBUG] aws_storagegateway_smb_file_share.smb: applying the planned Update change
2021-09-02T14:26:23.914+0200 [INFO]  plugin.terraform-provider-aws_v3.56.0_x5: 2021/09/02 14:26:23 [DEBUG] Updating Storage Gateway SMB File Share: {
  AccessBasedEnumeration: false,
  FileShareARN: "arn:aws:storagegateway:eu-central-1:721109342954:share/share-923A2BEE",
  GuessMIMETypeEnabled: true,
  KMSEncrypted: true,
  ReadOnly: true,
  RequesterPays: false,
  SMBACLEnabled: false
}: timestamp=2021-09-02T14:26:23.913+0200
2021-09-02T14:26:23.914+0200 [INFO]  plugin.terraform-provider-aws_v3.56.0_x5: 2021/09/02 14:26:23 [DEBUG] [aws-sdk-go] DEBUG: Request storagegateway/UpdateSMBFileShare Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: storagegateway.eu-central-1.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/0.14.11 (+https://www.terraform.io) terraform-provider-aws/3.56.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.40.29 (go1.16; linux; amd64)
Content-Length: 227
Authorization: AWS4-HMAC-SHA256 Credential={REDACTED}/20210902/eu-central-1/storagegateway/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=c8f067ce750ab11370e342189382442116f0a54b029dbaaa91890bff038f0a75
Content-Type: application/x-amz-json-1.1
X-Amz-Date: 20210902T122623Z
X-Amz-Security-Token: {REDACTED}
X-Amz-Target: StorageGateway_20130630.UpdateSMBFileShare
Accept-Encoding: gzip

{"AccessBasedEnumeration":false,"FileShareARN":"arn:aws:storagegateway:eu-central-1:721109342954:share/share-923A2BEE","GuessMIMETypeEnabled":true,"KMSEncrypted":true,"ReadOnly":true,"RequesterPays":false,"SMBACLEnabled":false}
--------------------: timestamp=2021-09-02T14:26:23.913+0200
2021-09-02T14:26:24.080+0200 [INFO]  plugin.terraform-provider-aws_v3.56.0_x5: 2021/09/02 14:26:24 [DEBUG] [aws-sdk-go] DEBUG: Response storagegateway/UpdateSMBFileShare Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 149
Content-Type: application/x-amz-json-1.1
Date: Thu, 02 Sep 2021 12:26:24 GMT
X-Amzn-Requestid: b127e10d-91bd-4835-8d66-cf75031597cf


-----------------------------------------------------: timestamp=2021-09-02T14:26:24.079+0200
2021-09-02T14:26:24.080+0200 [INFO]  plugin.terraform-provider-aws_v3.56.0_x5: 2021/09/02 14:26:24 [DEBUG] [aws-sdk-go] {"__type":"InvalidGatewayRequestException","error":{"errorCode":"InvalidParameters"},"message":"KMSEncrypted is set to true, but KMSKey is missing."}: timestamp=2021-09-02T14:26:24.079+0200
2021-09-02T14:26:24.080+0200 [INFO]  plugin.terraform-provider-aws_v3.56.0_x5: 2021/09/02 14:26:24 [DEBUG] [aws-sdk-go] DEBUG: Validate Response storagegateway/UpdateSMBFileShare failed, attempt 0/25, error InvalidGatewayRequestException: KMSEncrypted is set to true, but KMSKey is missing.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "b127e10d-91bd-4835-8d66-cf75031597cf"
  },
  Error_: {
    ErrorCode: "InvalidParameters"
  },
  Message_: "KMSEncrypted is set to true, but KMSKey is missing."
}: timestamp=2021-09-02T14:26:24.079+0200
2021/09/02 14:26:24 [DEBUG] aws_storagegateway_smb_file_share.smb: apply errored, but we're indicating that via the Error pointer rather than returning it: error updating Storage Gateway SMB File Share (arn:aws:storagegateway:eu-central-1:721109342954:share/share-923A2BEE): InvalidGatewayRequestException: KMSEncrypted is set to true, but KMSKey is missing.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "b127e10d-91bd-4835-8d66-cf75031597cf"
  },
  Error_: {
    ErrorCode: "InvalidParameters"
  },
  Message_: "KMSEncrypted is set to true, but KMSKey is missing."
}

Error: error updating Storage Gateway SMB File Share (arn:aws:storagegateway:eu-central-1:721109342954:share/share-923A2BEE): InvalidGatewayRequestException: KMSEncrypted is set to true, but KMSKey is missing.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "b127e10d-91bd-4835-8d66-cf75031597cf"
  },
  Error_: {
    ErrorCode: "InvalidParameters"
  },
  Message_: "KMSEncrypted is set to true, but KMSKey is missing."
}

  on main.tf line 303, in resource "aws_storagegateway_smb_file_share" "smb":
 303: resource "aws_storagegateway_smb_file_share" "smb" {


2021-09-02T14:26:27.006+0200 [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-09-02T14:26:27.012+0200 [DEBUG] plugin: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.56.0/linux_amd64/terraform-provider-aws_v3.56.0_x5 pid=149241
2021-09-02T14:26:27.013+0200 [DEBUG] plugin: plugin exited

Expected Behavior

The SMB share changes "File access settings > Export as" -> Read-write/Read-only.

Actual Behavior

The SMB share is not changed.
Terraform shows

Error: error updating Storage Gateway SMB File Share (arn:aws:storagegateway:eu-central-1:721109342954:share/share-923A2BEE): InvalidGatewayRequestException: KMSEncrypted is set to true, but KMSKey is missing.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "b127e10d-91bd-4835-8d66-cf75031597cf"
  },
  Error_: {
    ErrorCode: "InvalidParameters"
  },
  Message_: "KMSEncrypted is set to true, but KMSKey is missing."
}

Steps to Reproduce

1. Create aws_storagegateway_smb_file_share (read_only = false) with terraform apply

resource "aws_storagegateway_smb_file_share" "smb" {
  file_share_name        = "share"
  default_storage_class  = "S3_STANDARD"
  gateway_arn            = var.gateway.arn
  location_arn           = var.s3_bucket.arn
  role_arn               = var.role.arn
  kms_key_arn            = var.kmskey.arn
  kms_encrypted          = true
  read_only              = false
}

2. Change resource definition to read_only = true and terraform apply

resource "aws_storagegateway_smb_file_share" "smb" {
  file_share_name        = "share"
  default_storage_class  = "S3_STANDARD"
  gateway_arn            = var.gateway.arn
  location_arn           = var.s3_bucket.arn
  role_arn               = var.role.arn
  kms_key_arn            = var.kmskey.arn
  kms_encrypted          = true
  read_only              = true
}

Important Factoids

The SMB Share can be changed using the AWS webconsole ("File access settings > Export as" ) without entering KMS Key ID.

References

aws/resource_aws_storagegateway_smb_file_share.go (around lines 410-413)

		// This value can only be set when KMSEncrypted is true.
		if d.HasChange("kms_key_arn") && d.Get("kms_encrypted").(bool) {
			input.KMSKey = aws.String(d.Get("kms_key_arn").(string))
		}

As the debug output shows there is no reference to the KMS key in request body.
Could the unchanged kms_key_arn explain the missing property?

• #0000

[sysfsss]

I've noticed I'm able to correct this issue by manually going to "Edit file share encryption" on the share, manually changing the KMS key to the full id (not an alias), and then re-applying.

I've also noticed I'm able to reproduce this issue by applying a cache configuration (refresh seconds) where I didn't have it before.

Using provider version 3.69.0 and on Terraform 1.1.0

[jimmyak91]

I am facing the same issue when updating the SMB file share's admin user list and valid user list.

I am using provider version 3.74.1.

Error: error updating Storage Gateway SMB File Share (arn:aws:storagegateway:ap-southeast-2:875250343506:share/share-6F6E5117): InvalidGatewayRequestException: KMSEncrypted is set to true, but KMSKey is missing.
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "68a1728d-4a89-4f6e-a8fa-626399e726b9"
│   },
│   Error_: {
│     ErrorCode: "InvalidParameters"
│   },
│   Message_: "KMSEncrypted is set to true, but KMSKey is missing."
│ }

[microbioticajon]

Hi Guys,

We have also just bumped into this issue.

AWS provider version 4.59.0

[github-actions]

This functionality has been released in v5.5.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.