Hello there. Posting for the first time.
I'm preparing/testing for the AWS RDS CA cert expiration. I have a script to update the cert (still testing for now) - here's a snippet:
```yaml
- name: Get all RDS instances
  community.aws.rds_instance_info:
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    region: "{{ item }}"
  loop: "{{ account_item.value.regions }}"
  register: rds_instances

- name: change the one cert-test instance
  amazon.aws.rds_instance:
    db_instance_identifier: "cert-test" # "{{ item.key }}"
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    ca_certificate_identifier: "rds-ca-rsa2048-g1"
  loop: "{{ account_instance_certinfo | dict2items }}"
  when: item.key == "cert-test"
```
The script finds the RDS instance and is green - meaning it's already set to the new cert - but it's not.
```
skipping: [localhost] => (item={'key': 'RDS_INSTANCE_1', 'value': {'certname': 'rds-ca-2019', 'region': 'us-east-1b', 'cert_expiration_date': '2024-08-22T17:08:50+00:00'}})
ok: [localhost] => (item={'key': 'cert-test', 'value': {'certname': 'rds-ca-2019', 'region': 'us-east-1c', 'cert_expiration_date': '2024-08-22T17:08:50+00:00'}})
```
It looks like this issue was supposed to be fixed:
opened 05:48AM - 06 Apr 23 UTC
closed 04:36PM - 15 May 23 UTC
### Summary
When I try to create or modify an existing RDS instance CA certificate value the rds_instance module ignores the value set for ca_certificate_identifier and lets AWS use the default value instead.
### Issue Type
Bug Report
### Component Name
rds_instance
### Ansible Version
```console
$ ansible --version
ansible [core 2.14.4]
config file = ~/projects/provisioning/ansible.cfg
configured module search path = ['~/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = ~/venv/lib/python3.9/site-packages/ansible
ansible collection location = ~/.ansible/collections:/usr/share/ansible/collections
executable location = ~/venv/bin/ansible
python version = 3.9.14 (main, Oct 16 2022, 22:44:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] (~/venv/bin/python3.9)
jinja version = 3.1.2
libyaml = True
```
### Collection Versions
```console
$ ansible-galaxy collection list
# ~/.ansible/collections/ansible_collections
Collection Version
----------------- -------
amazon.aws 5.4.0
ansible.windows 1.13.0
community.general 6.5.0
# ~/venv/lib/python3.9/site-packages/ansible_collections
Collection Version
----------------------------- -------
amazon.aws 5.4.0
ansible.netcommon 4.1.0
ansible.posix 1.5.1
ansible.utils 2.9.0
ansible.windows 1.13.0
arista.eos 6.0.0
awx.awx 21.14.0
azure.azcollection 1.15.0
check_point.mgmt 4.0.0
chocolatey.chocolatey 1.4.0
cisco.aci 2.4.0
cisco.asa 4.0.0
cisco.dnac 6.6.4
cisco.intersight 1.0.24
cisco.ios 4.4.0
cisco.iosxr 4.1.0
cisco.ise 2.5.12
cisco.meraki 2.15.1
cisco.mso 2.2.1
cisco.nso 1.0.3
cisco.nxos 4.1.0
cisco.ucs 1.8.0
cloud.common 2.1.3
cloudscale_ch.cloud 2.2.4
community.aws 5.4.0
community.azure 2.0.0
community.ciscosmb 1.0.5
community.crypto 2.11.1
community.digitalocean 1.23.0
community.dns 2.5.2
community.docker 3.4.3
community.fortios 1.0.0
community.general 6.5.0
community.google 1.0.0
community.grafana 1.5.4
community.hashi_vault 4.2.0
community.hrobot 1.8.0
community.libvirt 1.2.0
community.mongodb 1.5.1
community.mysql 3.6.0
community.network 5.0.0
community.okd 2.3.0
community.postgresql 2.3.2
community.proxysql 1.5.1
community.rabbitmq 1.2.3
community.routeros 2.8.0
community.sap 1.0.0
community.sap_libs 1.4.1
community.skydive 1.0.0
community.sops 1.6.1
community.vmware 3.5.0
community.windows 1.12.0
community.zabbix 1.9.2
containers.podman 1.10.1
cyberark.conjur 1.2.0
cyberark.pas 1.0.17
dellemc.enterprise_sonic 2.0.0
dellemc.openmanage 6.3.0
dellemc.os10 1.1.1
dellemc.os6 1.0.7
dellemc.os9 1.0.4
dellemc.powerflex 1.5.0
dellemc.unity 1.5.0
f5networks.f5_modules 1.23.0
fortinet.fortimanager 2.1.7
fortinet.fortios 2.2.3
frr.frr 2.0.0
gluster.gluster 1.0.2
google.cloud 1.1.3
grafana.grafana 1.1.1
hetzner.hcloud 1.10.0
hpe.nimble 1.1.4
ibm.qradar 2.1.0
ibm.spectrum_virtualize 1.11.0
infinidat.infinibox 1.3.12
infoblox.nios_modules 1.4.1
inspur.ispim 1.3.0
inspur.sm 2.3.0
junipernetworks.junos 4.1.0
kubernetes.core 2.4.0
lowlydba.sqlserver 1.3.1
mellanox.onyx 1.0.0
netapp.aws 21.7.0
netapp.azure 21.10.0
netapp.cloudmanager 21.22.0
netapp.elementsw 21.7.0
netapp.ontap 22.4.1
netapp.storagegrid 21.11.1
netapp.um_info 21.8.0
netapp_eseries.santricity 1.4.0
netbox.netbox 3.11.0
ngine_io.cloudstack 2.3.0
ngine_io.exoscale 1.0.0
ngine_io.vultr 1.1.3
openstack.cloud 1.10.0
openvswitch.openvswitch 2.1.0
ovirt.ovirt 2.4.1
purestorage.flasharray 1.17.2
purestorage.flashblade 1.10.0
purestorage.fusion 1.4.1
sensu.sensu_go 1.13.2
splunk.es 2.1.0
t_systems_mms.icinga_director 1.32.2
theforeman.foreman 3.9.0
vmware.vmware_rest 2.3.1
vultr.cloud 1.7.0
vyos.vyos 4.0.1
wti.remote 1.0.4
```
### AWS SDK versions
```console
$ pip show boto boto3 botocore
Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: ~/venv/lib/python3.9/site-packages
Requires:
Required-by:
---
Name: boto3
Version: 1.26.102
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: ~/venv/lib/python3.9/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.29.102
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: ~/venv/lib/python3.9/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: awscli, boto3, s3transfer
```
### Configuration
```console
$ ansible-config dump --only-changed
ANSIBLE_PIPELINING(~/projects/provisioning/ansible.cfg) = True
CONFIG_FILE() = ~/projects/provisioning/ansible.cfg
DEFAULT_FORKS(~/projects/provisioning/ansible.cfg) = 1000
DEFAULT_HOST_LIST(~/projects/provisioning/ansible.cfg) = ['~/projects/provisioning/ansible_plugins']
DEFAULT_LOAD_CALLBACK_PLUGINS(~/projects/provisioning/ansible.cfg) = True
DEFAULT_LOG_PATH(~/projects/provisioning/ansible.cfg) = ~/projects/provisioning/log/ansible
DEFAULT_ROLES_PATH(~/projects/provisioning/ansible.cfg) = ['~/projects/provisioning/roles']
DEFAULT_STDOUT_CALLBACK(~/projects/provisioning/ansible.cfg) = yaml
HOST_KEY_CHECKING(~/projects/provisioning/ansible.cfg) = False
```
### OS / Environment
Centos 7
### Steps to Reproduce
```yaml
- name: Modify RDS Database
  amazon.aws.rds_instance:
    apply_immediately: true
    region: ap-southeast-2b
    db_instance_identifier: my-rds-db
    state: present
    engine_version: postgres
    iops: 3000
    ca_certificate_identifier: rds-ca-ecc384-g1
    allocated_storage: 2000
    copy_tags_to_snapshot: true
    backup_retention_period: 0
    preferred_backup_window: "13:00-13:30"
    preferred_maintenance_window: "mon:14:00-mon:14:30"
    allow_major_version_upgrade: true
    auto_minor_version_upgrade: true
    wait: yes
```
### Expected Results
```yaml
ca_certificate_identifier: rds-ca-ecc384-g1
certificate_details:
  ca_identifier: rds-ca-ecc384-g1
  valid_till: '2024-04-06T05:43:19+00:00'
```
The CA root certificate for SSL connections should be 'rds-ca-ecc384-g1'.
### Actual Results
```yaml
ca_certificate_identifier: rds-ca-2019
certificate_details:
  ca_identifier: rds-ca-2019
  valid_till: '2024-08-22T17:08:50+00:00'
```
The CA root certificate for SSL connections is the current AWS default 'rds-ca-2019', not the new one.
### Code of Conduct
- [X] I agree to follow the Ansible Code of Conduct
I'm using the latest:
```console
Collection Version
amazon.aws 8.0.1
```
Kinda stuck here. Anyone experiencing the same thing or have advice?
Thanks
Playbook:
```yaml
- name: Get information about AWS Certs
  hosts: localhost
  gather_facts: true
  collections:
    - /root/.ansible/collections/ansible_collections
  tasks:
    - name: Get Creds
      include_vars:
        file: .aws/credentials.yml
        name: aws_credentials

    - name: loop through creds and run again get_cert_info.yml
      include_tasks: rds_replace_test.yml
      loop: "{{ aws_credentials.accounts | dict2items }}"
      loop_control:
        loop_var: account_item
```
rds_replace_test.yml:
```yaml
---
- name: Initialize account_instance_certinfo
  set_fact:
    account_instance_certinfo: {}

- name: Get all RDS instances
  community.aws.rds_instance_info:
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    region: "{{ item }}"
  loop: "{{ account_item.value.regions }}"
  register: rds_instances

- name: Extract relevant info
  set_fact:
    account_name: "{{ account_item.key }}" # Assuming account name is available in account_item.key
    account_instance_certinfo: "{{ account_instance_certinfo | default({}) | combine({item.db_instance_identifier: {'certname': item.ca_certificate_identifier, 'region': item.availability_zone, 'cert_expiration_date': item.certificate_details.valid_till}}) }}"
  loop: "{{ rds_instances.results | json_query('[].instances[*]') | flatten }}"
  loop_control:
    loop_var: item

- name: Remove duplicate entries from account_instance_certinfo
  set_fact:
    account_instance_certinfo: "{{ account_instance_certinfo | combine({}, recursive=True) }}"

- name: debug var
  debug:
    msg: "{{ account_instance_certinfo }}"

- name: change the one cert-test instance
  amazon.aws.rds_instance:
    db_instance_identifier: "cert-test" # "{{ item.key }}"
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    # region: "{{ item.value.region }}"
    ca_certificate_identifier: "rds-ca-rsa2048-g1"
  loop: "{{ account_instance_certinfo | dict2items }}"
  when: item.key == "cert-test" # and item.value.certname == "rds-ca-2019"
```
I just realized apply_immediately wasn't added. I added it and it still isn't making the change.
```
Name: botocore
Version: 1.29.59
Name: boto3
Version: 1.26.59
python 3.9
```
markuman (Markus), June 19, 2024, 5:17pm:

Yes, I think you need `apply_immediately: true`, otherwise your cert change will be applied in the next maintenance window.
```yaml
---
- hosts: localhost
  tasks:
    - name: init mariadb rds
      amazon.aws.rds_instance:
        engine: mariadb
        db_instance_identifier: ansible-test-aurora-db-instance
        instance_type: db.t4g.micro
        password: 893rutugidjf9849
        username: username
        allocated_storage: 20
        ca_certificate_identifier: rds-ca-2019

    - name: update ca
      amazon.aws.rds_instance:
        engine: mariadb
        db_instance_identifier: ansible-test-aurora-db-instance
        instance_type: db.t4g.micro
        password: 893rutugidjf9849
        username: username
        allocated_storage: 20
        ca_certificate_identifier: rds-ca-rsa2048-g1
        apply_immediately: true
```
works for me using amazon.aws 8.0.1
Thanks for checking.
Just FYI - if this is run once without "apply_immediately" I believe it may be scheduled. Once scheduled, I don't think apply_immediately works anymore so it looks broken.
I created a new rds_testing instance and it worked the first time with apply_immediately set.
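The check the thread circles around (the module reports ok while the instance still shows rds-ca-2019, and a change made without apply_immediately sits parked until the maintenance window) can be read straight off what rds_instance_info returns, because the RDS API exposes a scheduled CA change in PendingModifiedValues separately from the live CACertificateIdentifier. The script below is an added example, not the poster's playbook or amazon.aws code. It assumes the DescribeDBInstances field names (DBInstanceIdentifier, CACertificateIdentifier, CertificateDetails.ValidTill, PendingModifiedValues.CACertificateIdentifier); the sample instances, the NOW timestamp and the state labels are constructed for illustration.

```python
"""Audit RDS instances for CA certificate rotation, including changes that are
scheduled but not yet applied. Added example; not the thread's playbook."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# CAs still to be moved off; the thread rotates rds-ca-2019 to rds-ca-rsa2048-g1.
LEGACY_CAS = {"rds-ca-2019"}

# Constructed "current time" matching the thread's date (June 19, 2024).
NOW = datetime(2024, 6, 19, tzinfo=timezone.utc)

# Constructed sample in DescribeDBInstances shape (the list that
# rds_instance_info's `instances` key is built from). Only keys read below are included.
SAMPLE_DB_INSTANCES = [
    {   # legacy CA, nothing scheduled: the rotation task should modify this one
        "DBInstanceIdentifier": "RDS_INSTANCE_1",
        "AvailabilityZone": "us-east-1b",
        "CACertificateIdentifier": "rds-ca-2019",
        "CertificateDetails": {"CAIdentifier": "rds-ca-2019",
                               "ValidTill": "2024-08-22T17:08:50+00:00"},
        "PendingModifiedValues": {},
    },
    {   # modified without apply_immediately: the new CA waits in PendingModifiedValues
        # until the maintenance window, so the module says "ok" while the live CA is old
        "DBInstanceIdentifier": "cert-test",
        "AvailabilityZone": "us-east-1c",
        "CACertificateIdentifier": "rds-ca-2019",
        "CertificateDetails": {"CAIdentifier": "rds-ca-2019",
                               "ValidTill": "2024-08-22T17:08:50+00:00"},
        "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-rsa2048-g1"},
    },
    {   # already rotated (expiry date is a constructed placeholder)
        "DBInstanceIdentifier": "rds-testing",
        "AvailabilityZone": "us-east-1a",
        "CACertificateIdentifier": "rds-ca-rsa2048-g1",
        "CertificateDetails": {"CAIdentifier": "rds-ca-rsa2048-g1",
                               "ValidTill": "2061-05-22T00:00:00+00:00"},
        "PendingModifiedValues": {},
    },
    {   # legacy CA whose certificate expires within the warning window
        "DBInstanceIdentifier": "legacy-soon",
        "AvailabilityZone": "us-east-1a",
        "CACertificateIdentifier": "rds-ca-2019",
        "CertificateDetails": {"CAIdentifier": "rds-ca-2019",
                               "ValidTill": "2024-07-01T00:00:00+00:00"},
        "PendingModifiedValues": {},
    },
]


@dataclass(frozen=True)
class CertStatus:
    instance: str
    current_ca: str
    pending_ca: str | None
    days_left: int
    state: str  # rotated | pending | needs_rotation | expiring_soon (labels are ours)


def _valid_till(value) -> datetime:
    """boto3 hands back datetimes; the module's JSON output uses ISO 8601 strings."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_instances(db_instances, now=NOW, warn_days=30) -> list[CertStatus]:
    """Classify each instance from its live CA, any scheduled CA and days to expiry."""
    report = []
    for inst in db_instances:
        current = inst.get("CACertificateIdentifier", "")
        pending = inst.get("PendingModifiedValues", {}).get("CACertificateIdentifier")
        days_left = (_valid_till(inst["CertificateDetails"]["ValidTill"]) - now).days
        if current not in LEGACY_CAS:
            state = "rotated"
        elif pending and pending not in LEGACY_CAS:
            state = "pending"  # applies at the next maintenance window, not a module bug
        elif days_left <= warn_days:
            state = "expiring_soon"
        else:
            state = "needs_rotation"
        report.append(CertStatus(inst["DBInstanceIdentifier"], current, pending, days_left, state))
    return report


def targets_for_rotation(report) -> list[str]:
    """Identifiers the rotation task should modify: still on a legacy CA and with no
    new CA already scheduled. Re-running the change on a "pending" instance is a no-op."""
    return [r.instance for r in report if r.state in ("needs_rotation", "expiring_soon")]


if __name__ == "__main__":
    for r in audit_instances(SAMPLE_DB_INSTANCES):
        print(f"{r.instance:16} {r.current_ca:18} pending={r.pending_ca!s:18} "
              f"{r.days_left:4d}d {r.state}")
    print("rotate now:", targets_for_rotation(audit_instances(SAMPLE_DB_INSTANCES)))
```

In a playbook the same rule is the `when:` condition on the rotation task: target instances whose live CA is legacy and whose pending_modified_values carries no new CA, and treat a pending entry as the explanation for an instance that still reports the old certificate rather than as a silent failure. Checking days_left against the maintenance window lets you decide whether waiting for the window is acceptable or apply_immediately is needed.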
system (system), Closed July 19, 2024, 5:36pm:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.