AWS RDS Cert Replacement Issue

marcstarr00 · June 19, 2024, 2:51pm

Hello there. Posting for the first time.

I’m preparing/testing for the AWS RDS CA cert expiration. I have a script to update the cert (still testing for now) - heres a snippet:

name: Get all RDS instances
community.aws.rds_instance_info:
aws_access_key: “{{ account_item.value.aws_access_key_id }}”
aws_secret_key: “{{ account_item.value.aws_secret_access_key }}”
region: “{{ item }}”
loop: “{{ account_item.value.regions }}”
register: rds_instances
name: change the one cert-test instance
amazon.aws.rds_instance:
db_instance_identifier: “cert-test” # “{{item.key}}”
aws_access_key: “{{ account_item.value.aws_access_key_id }}”
aws_secret_key: “{{ account_item.value.aws_secret_access_key }}”
ca_certificate_identifier: “rds-ca-rsa2048-g1”
loop: “{{ account_instance_certinfo | dict2items }}”
when: item.key == “cert-test”

The scipt finds the rds instance and is green - meaning its already set to the new cert - but its not.

skipping: [localhost] => (item={‘key’: ‘RDS_INSTANCE_1’, ‘value’: {‘certname’: ‘rds-ca-2019’, ‘region’: ‘us-east-1b’, ‘cert_expiration_date’: ‘2024-08-22T17:08:50+00:00’}})
ok: [localhost] => (item={‘key’: ‘cert-test’, ‘value’: {‘certname’: ‘rds-ca-2019’, ‘region’: ‘us-east-1c’, ‘cert_expiration_date’: ‘2024-08-22T17:08:50+00:00’}})k

It looks like this issue was supposed to be fixed:

github.com/ansible-collections/amazon.aws

rds_instance module ignores 'ca_certificate_identifier' Parameter value

opened 05:48AM - 06 Apr 23 UTC

closed 04:36PM - 15 May 23 UTC

RonneGisun

### Summary When I try to create or modify an existing RDS instance ca certific…ate value the rds_instance module ignores the value set for ca_certificate_idenifier and lets AWS use the default value instead. ### Issue Type Bug Report ### Component Name rds_instance ### Ansible Version ```console (paste below) $ ansible --version ansible [core 2.14.4] config file = ~/projects/provisioning/ansible.cfg configured module search path = ['~/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = ~/venv/lib/python3.9/site-packages/ansible ansible collection location = ~/.ansible/collections:/usr/share/ansible/collections executable location = ~/venv/bin/ansible python version = 3.9.14 (main, Oct 16 2022, 22:44:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] (~/venv/bin/python3.9) jinja version = 3.1.2 libyaml = True ``` ### Collection Versions ```console (paste below) $ $ ansible-galaxy collection list # ~/.ansible/collections/ansible_collections Collection Version ----------------- ------- amazon.aws 5.4.0 ansible.windows 1.13.0 community.general 6.5.0 # ~/venv/lib/python3.9/site-packages/ansible_collections Collection Version ----------------------------- ------- amazon.aws 5.4.0 ansible.netcommon 4.1.0 ansible.posix 1.5.1 ansible.utils 2.9.0 ansible.windows 1.13.0 arista.eos 6.0.0 awx.awx 21.14.0 azure.azcollection 1.15.0 check_point.mgmt 4.0.0 chocolatey.chocolatey 1.4.0 cisco.aci 2.4.0 cisco.asa 4.0.0 cisco.dnac 6.6.4 cisco.intersight 1.0.24 cisco.ios 4.4.0 cisco.iosxr 4.1.0 cisco.ise 2.5.12 cisco.meraki 2.15.1 cisco.mso 2.2.1 cisco.nso 1.0.3 cisco.nxos 4.1.0 cisco.ucs 1.8.0 cloud.common 2.1.3 cloudscale_ch.cloud 2.2.4 community.aws 5.4.0 community.azure 2.0.0 community.ciscosmb 1.0.5 community.crypto 2.11.1 community.digitalocean 1.23.0 community.dns 2.5.2 community.docker 3.4.3 community.fortios 1.0.0 community.general 6.5.0 community.google 1.0.0 community.grafana 1.5.4 community.hashi_vault 4.2.0 community.hrobot 1.8.0 community.libvirt 1.2.0 community.mongodb 1.5.1 community.mysql 3.6.0 community.network 5.0.0 community.okd 2.3.0 community.postgresql 2.3.2 community.proxysql 1.5.1 community.rabbitmq 1.2.3 community.routeros 2.8.0 community.sap 1.0.0 community.sap_libs 1.4.1 community.skydive 1.0.0 community.sops 1.6.1 community.vmware 3.5.0 community.windows 1.12.0 community.zabbix 1.9.2 containers.podman 1.10.1 cyberark.conjur 1.2.0 cyberark.pas 1.0.17 dellemc.enterprise_sonic 2.0.0 dellemc.openmanage 6.3.0 dellemc.os10 1.1.1 dellemc.os6 1.0.7 dellemc.os9 1.0.4 dellemc.powerflex 1.5.0 dellemc.unity 1.5.0 f5networks.f5_modules 1.23.0 fortinet.fortimanager 2.1.7 fortinet.fortios 2.2.3 frr.frr 2.0.0 gluster.gluster 1.0.2 google.cloud 1.1.3 grafana.grafana 1.1.1 hetzner.hcloud 1.10.0 hpe.nimble 1.1.4 ibm.qradar 2.1.0 ibm.spectrum_virtualize 1.11.0 infinidat.infinibox 1.3.12 infoblox.nios_modules 1.4.1 inspur.ispim 1.3.0 inspur.sm 2.3.0 junipernetworks.junos 4.1.0 kubernetes.core 2.4.0 lowlydba.sqlserver 1.3.1 mellanox.onyx 1.0.0 netapp.aws 21.7.0 netapp.azure 21.10.0 netapp.cloudmanager 21.22.0 netapp.elementsw 21.7.0 netapp.ontap 22.4.1 netapp.storagegrid 21.11.1 netapp.um_info 21.8.0 netapp_eseries.santricity 1.4.0 netbox.netbox 3.11.0 ngine_io.cloudstack 2.3.0 ngine_io.exoscale 1.0.0 ngine_io.vultr 1.1.3 openstack.cloud 1.10.0 openvswitch.openvswitch 2.1.0 ovirt.ovirt 2.4.1 purestorage.flasharray 1.17.2 purestorage.flashblade 1.10.0 purestorage.fusion 1.4.1 sensu.sensu_go 1.13.2 splunk.es 2.1.0 t_systems_mms.icinga_director 1.32.2 theforeman.foreman 3.9.0 vmware.vmware_rest 2.3.1 vultr.cloud 1.7.0 vyos.vyos 4.0.1 wti.remote 1.0.4 ``` ### AWS SDK versions ```console (paste below) $ pip show boto boto3 botocore Name: boto Version: 2.49.0 Summary: Amazon Web Services Library Home-page: https://github.com/boto/boto/ Author: Mitch Garnaat Author-email: mitch@garnaat.com License: MIT Location: ~/venv/lib/python3.9/site-packages Requires: Required-by: --- Name: boto3 Version: 1.26.102 Summary: The AWS SDK for Python Home-page: https://github.com/boto/boto3 Author: Amazon Web Services Author-email: License: Apache License 2.0 Location: ~/venv/lib/python3.9/site-packages Requires: botocore, jmespath, s3transfer Required-by: --- Name: botocore Version: 1.29.102 Summary: Low-level, data-driven core of boto 3. Home-page: https://github.com/boto/botocore Author: Amazon Web Services Author-email: License: Apache License 2.0 Location: ~/venv/lib/python3.9/site-packages Requires: jmespath, python-dateutil, urllib3 Required-by: awscli, boto3, s3transfer ``` ### Configuration ```console (paste below) $ ansible-config dump --only-changed ANSIBLE_PIPELINING(~/projects/provisioning/ansible.cfg) = True CONFIG_FILE() = ~/projects/provisioning/ansible.cfg DEFAULT_FORKS(~/projects/provisioning/ansible.cfg) = 1000 DEFAULT_HOST_LIST(~/projects/provisioning/ansible.cfg) = ['~/projects/provisioning/ansible_plugins'] DEFAULT_LOAD_CALLBACK_PLUGINS(~/projects/provisioning/ansible.cfg) = True DEFAULT_LOG_PATH(~/projects/provisioning/ansible.cfg) = ~/projects/provisioning/log/ansible DEFAULT_ROLES_PATH(~/projects/provisioning/ansible.cfg) = ['~/projects/provisioning/roles'] DEFAULT_STDOUT_CALLBACK(~/projects/provisioning/ansible.cfg) = yaml HOST_KEY_CHECKING(~/projects/provisioning/ansible.cfg) = False ``` ### OS / Environment Centos 7 ### Steps to Reproduce ```yaml (paste below) - name: Modify RDS Database amazon.aws.rds_instance: apply_immediately: true region: ap-southeast-2b db_instance_identifier: my-rds-db state: present engine_version: postgres iops: 3000 ca_certificate_identifier: rds-ca-ecc384-g1 allocated_storage: 2000 copy_tags_to_snapshot: true backup_retention_period: 0 preferred_backup_window: "13:00-13:30" preferred_maintenance_window: "mon:14:00-mon:14:30" allow_major_version_upgrade: true auto_minor_version_upgrade: true wait: yes ``` ### Expected Results ``` ca_certificate_identifier: rds-ca-ecc384-g1 certificate_details: ca_identifier: rds-ca-ecc384-g1 valid_till: '2024-04-06T05:43:19+00:00' ``` The CA root certificate for SSL connections should be 'rds-ca-ecc384-g1'. ### Actual Results ```console (paste below) ca_certificate_identifier: rds-ca-2019 certificate_details: ca_identifier: rds-ca-2019 valid_till: '2024-08-22T17:08:50+00:00' ``` The CA root certificate for SSL connections is the current AWS default 'rds-ca-2019', not the new one. ### Code of Conduct - [X] I agree to follow the Ansible Code of Conduct

Im using the latest:

Collection Version

amazon.aws 8.0.1

Kinda stuck here. Anyone experiencing the same thing or have advice?

Thanks

Playbook:

- name: Get information about AWS Certs
  hosts: localhost
  gather_facts: true
  collections:
    - /root/.ansible/collections/ansible_collections
  tasks:

    - name: Get Creds
      include_vars:
        file: .aws/credentials.yml
        name: aws_credentials

    - name: loop through creds and run again get_cert_info.yml
      include_tasks: rds_replace_test.yml
      loop: "{{ aws_credentials.accounts | dict2items }}"
      loop_control:
        loop_var: account_item

rds_replace_test.yml:

---
- name: Initialize account_instance_certinfo
  set_fact:
    account_instance_certinfo: {}

- name: Get all RDS instances
  community.aws.rds_instance_info:
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    region: "{{ item }}"
  loop: "{{ account_item.value.regions }}"
  register: rds_instances

- name: Extract relevent info
  set_fact:
    account_name: "{{ account_item.key }}"  # Assuming account name is available in account_item.key
    account_instance_certinfo: "{{ account_instance_certinfo | default({}) | combine({item.db_instance_identifier: {'certname': item.ca_certificate_identifier, 'region': item.availability_zone, 'cert_expiration_date': item.certificate_details.valid_till}}) }}"
  loop: "{{ rds_instances.results | json_query('[].instances[*]') | flatten }}"
  loop_control:
    loop_var: item

- name: Remove duplicate entries from account_instance_certinfo
  set_fact:
    account_instance_certinfo: "{{ account_instance_certinfo | combine({}, recursive=True) }}"

- name: debug var
  debug:
    msg: "{{ account_instance_certinfo }}"

- name: change the one cert-test instance
  amazon.aws.rds_instance:
    db_instance_identifier: "cert-test"   # "{{item.key}}"
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
#    region: "{{ item.value.region }}"
    ca_certificate_identifier: "rds-ca-rsa2048-g1"
  loop: "{{ account_instance_certinfo | dict2items }}"
  when: item.key == "cert-test" # and item.value.certname == "rds-ca-2019"

marcstarr00 · June 19, 2024, 5:03pm

I just realized apply_immediately wasnt added. I added it and it still isnt making the change.

Name: botocore
Version: 1.29.59

Name: boto3
Version: 1.26.59

python 3.9

markuman · June 19, 2024, 5:17pm

Yes, I think you need apply_immediately: true, otherwise your cert change will be applied in the next maintenance window.

---
- hosts: localhost

  tasks:
    - name: init mariadb rds
      amazon.aws.rds_instance:
        engine: mariadb
        db_instance_identifier: ansible-test-aurora-db-instance
        instance_type: db.t4g.micro
        password: 893rutugidjf9849
        username: username
        allocated_storage: 20
        ca_certificate_identifier: rds-ca-2019

    - name: update ca
      amazon.aws.rds_instance:
        engine: mariadb
        db_instance_identifier: ansible-test-aurora-db-instance
        instance_type: db.t4g.micro
        password: 893rutugidjf9849
        username: username
        allocated_storage: 20
        ca_certificate_identifier: rds-ca-rsa2048-g1
        apply_immediately: true

works for me using amazon.aws 8.0.1

marcstarr00 · June 19, 2024, 5:36pm

Thanks for checking.

Just FYI - if this is run once without “apply_immediately” i believe it may be scheduled. Once scheduled, i dont think apply_immediately works anymore so it looks broken.

I created a new rds_testing instance and it worked the first time with apply_immediately set.

system · July 19, 2024, 5:36pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.