Hello there. Posting for the first time.
I'm preparing/testing for the AWS RDS CA cert expiration. I have a script to update the cert (still testing for now) - here's a snippet:
```yaml
- name: Get all RDS instances
  community.aws.rds_instance_info:
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    region: "{{ item }}"
  loop: "{{ account_item.value.regions }}"
  register: rds_instances

- name: change the one cert-test instance
  amazon.aws.rds_instance:
    db_instance_identifier: "cert-test" # "{{item.key}}"
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    ca_certificate_identifier: "rds-ca-rsa2048-g1"
    # no region is set here, so the module falls back to the default/ambient
    # region, which is not necessarily the one cert-test lives in
  loop: "{{ account_instance_certinfo | dict2items }}"
  when: item.key == "cert-test"
```
The script finds the RDS instance and is green - meaning it's already set to the new cert - but it's not.
```text
skipping: [localhost] => (item={'key': 'RDS_INSTANCE_1', 'value': {'certname': 'rds-ca-2019', 'region': 'us-east-1b', 'cert_expiration_date': '2024-08-22T17:08:50+00:00'}})
ok: [localhost] => (item={'key': 'cert-test', 'value': {'certname': 'rds-ca-2019', 'region': 'us-east-1c', 'cert_expiration_date': '2024-08-22T17:08:50+00:00'}})
```
It looks like this issue was supposed to be fixed:
https://github.com/ansible-collections/amazon.aws/issues/1453
I'm using the latest:

```text
Collection   Version
amazon.aws   8.0.1
```
Kinda stuck here. Anyone experiencing the same thing or have advice?
Thanks
Playbook:
```yaml
- name: Get information about AWS Certs
  hosts: localhost
  gather_facts: true
  collections:
    # 'collections:' expects collection names (e.g. amazon.aws), not a
    # filesystem path; a path belongs in collections_path in ansible.cfg
    - /root/.ansible/collections/ansible_collections
  tasks:
    - name: Get Creds
      include_vars:
        file: .aws/credentials.yml
        name: aws_credentials

    - name: loop through creds and run again get_cert_info.yml
      include_tasks: rds_replace_test.yml
      loop: "{{ aws_credentials.accounts | dict2items }}"
      loop_control:
        loop_var: account_item
```
rds_replace_test.yml:
```yaml
---
- name: Initialize account_instance_certinfo
  set_fact:
    account_instance_certinfo: {}

- name: Get all RDS instances
  community.aws.rds_instance_info:
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    region: "{{ item }}"
  loop: "{{ account_item.value.regions }}"
  register: rds_instances

- name: Extract relevant info
  set_fact:
    account_name: "{{ account_item.key }}" # Assuming account name is available in account_item.key
    # availability_zone is an AZ (e.g. us-east-1c), not a region, so the
    # 'region' key stored here cannot be passed straight to a module's region option
    account_instance_certinfo: "{{ account_instance_certinfo | default({}) | combine({item.db_instance_identifier: {'certname': item.ca_certificate_identifier, 'region': item.availability_zone, 'cert_expiration_date': item.certificate_details.valid_till}}) }}"
  loop: "{{ rds_instances.results | json_query('[].instances[*]') | flatten }}"
  loop_control:
    loop_var: item

- name: Remove duplicate entries from account_instance_certinfo
  # combine({}) is effectively a no-op: dict keys are already unique
  set_fact:
    account_instance_certinfo: "{{ account_instance_certinfo | combine({}, recursive=True) }}"

- name: debug var
  debug:
    msg: "{{ account_instance_certinfo }}"

- name: change the one cert-test instance
  amazon.aws.rds_instance:
    db_instance_identifier: "cert-test" # "{{item.key}}"
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    # region: "{{ item.value.region }}"
    ca_certificate_identifier: "rds-ca-rsa2048-g1"
  loop: "{{ account_instance_certinfo | dict2items }}"
  when: item.key == "cert-test" # and item.value.certname == "rds-ca-2019"
```
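One way to stop a false "ok" from going unnoticed is to re-read the instance after the change and fail the play if the CA identifier did not move. The tasks below are an added example, not part of the original post: they assume the same `account_item` credential structure and a hypothetical `target_region` variable holding the instance's region (the AZ stored in `account_instance_certinfo` is not a region).

```yaml
# Added verification tasks (not from the original post). target_region is a
# hypothetical variable that must hold the region (e.g. us-east-1), not the AZ.
- name: Move cert-test to the new CA and apply immediately
  amazon.aws.rds_instance:
    db_instance_identifier: cert-test
    region: "{{ target_region }}"
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
    ca_certificate_identifier: rds-ca-rsa2048-g1
    apply_immediately: true
  register: cert_change

- name: Re-read cert-test instead of trusting the module's changed flag
  amazon.aws.rds_instance_info:
    db_instance_identifier: cert-test
    region: "{{ target_region }}"
    aws_access_key: "{{ account_item.value.aws_access_key_id }}"
    aws_secret_key: "{{ account_item.value.aws_secret_access_key }}"
  register: cert_check

- name: Fail loudly if the CA did not actually change
  ansible.builtin.assert:
    that:
      - cert_check.instances | length == 1
      - cert_check.instances[0].ca_certificate_identifier == 'rds-ca-rsa2048-g1'
    fail_msg: >-
      cert-test still reports
      {{ cert_check.instances[0].ca_certificate_identifier | default('no instance found') }};
      module returned changed={{ cert_change.changed }}
    success_msg: cert-test now uses rds-ca-rsa2048-g1
```

Without `apply_immediately` the CA change waits for the next maintenance window and shows up under `pending_modified_values` rather than in `ca_certificate_identifier`, so the assert would fail until then.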