Terraform aws_storagegateway_gateway not finding VPC Endpoint

Question

I'm trying to launch an S3 File Gateway (AWS Storage Gateway) via Terraform, with EC2 hosting and a VPC endpoint for Storage Gateway.

I've been able to launch the Storage Gateway EC2 into a private su.net, then launch a second EC2 instance into the public su.net so that I can retrieve the gateway's activation key ( https://docs.aws.amazon.com/storagegateway/latest/userguide/get-activation-key.html ).

Unfortunately, when I provide a value for the activation_key in Terraform, it seems to be ignoring the gateway_vpc_endpoint, and just creates the Storage Gateway with a Public endpoint instead.

Code used:

resource "aws_storagegateway_gateway" "s3_file_gateway" {
  gateway_vpc_endpoint      = aws_vpc_endpoint.storage_gateway.dns_entry[0].dns_name
  activation_key            = "XXXX-XXXX-XXXX-XXXX-XXXX"
  gateway_name              = "Storage-Gateway"
  gateway_timezone          = var.gateway_timezone
  gateway_type              = var.gateway_type
  cloudwatch_log_group_arn  = aws_cloudwatch_log_group.storage_gateway.arn
  tags                      = var.tags

  lifecycle {
    ignore_changes = [smb_active_directory_settings, gateway_ip_address]
  }
}

Has anyone come across this and been able to resolve it?

Answer 1

This question is a few months old now, but when you connect onto the second EC2 to retrieve the activation key from the Gateway EC2, you're probably curling the incorrect URL.

You may have been following the instructions in this documentation: https://docs.aws.amazon.com/storagegateway/latest/userguide/get-activation-key.html

When actually, this is the documentation that is more useful for what you're trying to achieve: https://docs.aws.amazon.com/filegateway/latest/files3/gateway-private-link.html

This states that the format of the URL you should curl to get the activation key is:

http:// VM IP ADDRESS /?gatewayType=FILE_S3&activationRegion= REGION &vpcEndpoint= VPCEndpointDNSname &no_redirect