config_rule - Fix Idempotency by Ignoring EvaluationModes Parameter (…

…#1757) config_rule - Fix Idempotency by Ignoring `EvaluationModes` Parameter SUMMARY config_rule module currently always returns changed = True. I believe this is due to EvaluationModes parameter recently added to describe_config_rules method output. ISSUE TYPE Bugfix Pull Request COMPONENT NAME config_rule ADDITIONAL INFORMATION Example configuration: - community.aws.config_rule: name: cloudwatch-log-group-encrypted description: Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK). source: identifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED owner: AWS Expected result: first execution returns changed = True, subsequent executions return changed = False. Current behavior: every execution returns changed = True. This is because update_resource method ends up comparing: {'ConfigRuleName': 'cloudwatch-log-group-encrypted', 'Description': 'Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).', 'Source': {'Owner': 'AWS', 'SourceIdentifier': 'CLOUDWATCH_LOG_GROUP_ENCRYPTED'}, 'ConfigRuleState': 'ACTIVE'} with: {'ConfigRuleName': 'cloudwatch-log-group-encrypted', 'Description': 'Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).', 'Source': {'Owner': 'AWS', 'SourceIdentifier': 'CLOUDWATCH_LOG_GROUP_ENCRYPTED'}, 'ConfigRuleState': 'ACTIVE', 'EvaluationModes': [{'Mode': 'DETECTIVE'}]} Reviewed-by: Markus Bergholz <[email protected]>
ansible-collections · Apr 3, 2023 · 3ce5718 · 3ce5718
1 parent 7ef4a6c
commit 3ce5718
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/changelogs/fragments/1757-config_rule-evaluation-mode.yml b/changelogs/fragments/1757-config_rule-evaluation-mode.yml
@@ -0,0 +1,2 @@
+trivial:
+- config_rule - Fix idempotency issues by ignoring `EvaluationModes` attribute
diff --git a/plugins/modules/config_rule.py b/plugins/modules/config_rule.py
@@ -151,6 +151,7 @@ def update_resource(client, module, params, result):
 
     del current_params['ConfigRules'][0]['ConfigRuleArn']
     del current_params['ConfigRules'][0]['ConfigRuleId']
+    del current_params['ConfigRules'][0]['EvaluationModes']
 
     if params != current_params['ConfigRules'][0]:
         try:

diff --git a/tests/integration/targets/config/tasks/main.yaml b/tests/integration/targets/config/tasks/main.yaml
@@ -280,6 +280,23 @@
         that:
           - output.changed
 
+    - name: Update Config Rule - idempotency
+      aws_config_rule:
+        name: '{{ resource_prefix }}-rule'
+        state: present
+        description: 'This AWS Config rule checks for public write access on S3 buckets'
+        scope:
+            compliance_types:
+                - 'AWS::S3::Bucket'
+        source:
+            owner: AWS
+            identifier: 'S3_BUCKET_PUBLIC_READ_PROHIBITED'
+      register: output
+
+    - assert:
+        that:
+          - output is not changed
+
     - name: Update aws_config_aggregator
       aws_config_aggregator:
         name: random_name
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		trivial:
		- config_rule - Fix idempotency issues by ignoring `EvaluationModes` attribute