AWS RDS Cert Replacement Issue

Hello there. Posting for the first time.

I’m preparing/testing for the AWS RDS CA cert expiration. I have a script to update the cert (still testing for now) - heres a snippet:

  • name: Get all RDS instances
    community.aws.rds_instance_info:
    aws_access_key: “{{ account_item.value.aws_access_key_id }}”
    aws_secret_key: “{{ account_item.value.aws_secret_access_key }}”
    region: “{{ item }}”
    loop: “{{ account_item.value.regions }}”
    register: rds_instances

  • name: change the one cert-test instance
    amazon.aws.rds_instance:
    db_instance_identifier: “cert-test” # “{{item.key}}”
    aws_access_key: “{{ account_item.value.aws_access_key_id }}”
    aws_secret_key: “{{ account_item.value.aws_secret_access_key }}”
    ca_certificate_identifier: “rds-ca-rsa2048-g1”
    loop: “{{ account_instance_certinfo | dict2items }}”
    when: item.key == “cert-test”

The scipt finds the rds instance and is green - meaning its already set to the new cert - but its not.

skipping: [localhost] => (item={‘key’: ‘RDS_INSTANCE_1’, ‘value’: {‘certname’: ‘rds-ca-2019’, ‘region’: ‘us-east-1b’, ‘cert_expiration_date’: ‘2024-08-22T17:08:50+00:00’}})
ok: [localhost] => (item={‘key’: ‘cert-test’, ‘value’: {‘certname’: ‘rds-ca-2019’, ‘region’: ‘us-east-1c’, ‘cert_expiration_date’: ‘2024-08-22T17:08:50+00:00’}})k

image

It looks like this issue was supposed to be fixed:
https://github.com/ansible-collections/amazon.aws/issues/1453

Im using the latest:

Collection Version


amazon.aws 8.0.1

Kinda stuck here. Anyone experiencing the same thing or have advice?

Thanks

Playbook:

- name: Get information about AWS Certs
  hosts: localhost
  gather_facts: true
  collections:
    - /root/.ansible/collections/ansible_collections
  tasks:

    - name: Get Creds
      include_vars:
        file: .aws/credentials.yml
        name: aws_credentials

    - name: loop through creds and run again get_cert_info.yml
      include_tasks: rds_replace_test.yml
      loop: "{{ aws_credentials.accounts | dict2items }}"
      loop_control:
        loop_var: account_item

rds_replace_test.yml:

---
- name: Initialize account_instance_certinfo
  set_fact:
    account_instance_certinfo: {}

- name: Get all RDS instances
  community.aws.rds_instance_info:
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    region: "{{ item }}"
  loop: "{{ account_item.value.regions }}"
  register: rds_instances

- name: Extract relevent info
  set_fact:
    account_name: "{{ account_item.key }}"  # Assuming account name is available in account_item.key
    account_instance_certinfo: "{{ account_instance_certinfo | default({}) | combine({item.db_instance_identifier: {'certname': item.ca_certificate_identifier, 'region': item.availability_zone, 'cert_expiration_date': item.certificate_details.valid_till}}) }}"
  loop: "{{ rds_instances.results | json_query('[].instances[*]') | flatten }}"
  loop_control:
    loop_var: item

- name: Remove duplicate entries from account_instance_certinfo
  set_fact:
    account_instance_certinfo: "{{ account_instance_certinfo | combine({}, recursive=True) }}"

- name: debug var
  debug:
    msg: "{{ account_instance_certinfo }}"

- name: change the one cert-test instance
  amazon.aws.rds_instance:
    db_instance_identifier: "cert-test"   # "{{item.key}}"
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
#    region: "{{ item.value.region }}"
    ca_certificate_identifier: "rds-ca-rsa2048-g1"
  loop: "{{ account_instance_certinfo | dict2items }}"
  when: item.key == "cert-test" # and item.value.certname == "rds-ca-2019"

I just realized apply_immediately wasnt added. I added it and it still isnt making the change.

Name: botocore
Version: 1.29.59

Name: boto3
Version: 1.26.59

python 3.9

Yes, I think you need apply_immediately: true, otherwise your cert change will be applied in the next maintenance window.

---
- hosts: localhost

  tasks:
    - name: init mariadb rds
      amazon.aws.rds_instance:
        engine: mariadb
        db_instance_identifier: ansible-test-aurora-db-instance
        instance_type: db.t4g.micro
        password: 893rutugidjf9849
        username: username
        allocated_storage: 20
        ca_certificate_identifier: rds-ca-2019

    - name: update ca
      amazon.aws.rds_instance:
        engine: mariadb
        db_instance_identifier: ansible-test-aurora-db-instance
        instance_type: db.t4g.micro
        password: 893rutugidjf9849
        username: username
        allocated_storage: 20
        ca_certificate_identifier: rds-ca-rsa2048-g1
        apply_immediately: true

works for me using amazon.aws 8.0.1

Thanks for checking.

Just FYI - if this is run once without “apply_immediately” i believe it may be scheduled. Once scheduled, i dont think apply_immediately works anymore so it looks broken.

I created a new rds_testing instance and it worked the first time with apply_immediately set.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.