From 3ce57189b348dbebad51a9cd66954cf5b0d294f5 Mon Sep 17 00:00:00 2001 
From: Ivan Chekaldin <39010411+ichekaldin@users.noreply.github.com> Date: Mon, 3 Apr 2023 04:17:23 -0400 Subject: [PATCH] config_rule - Fix Idempotency by Ignoring `EvaluationModes` Parameter (#1757) config_rule - Fix Idempotency by Ignoring `EvaluationModes` Parameter SUMMARY config_rule module currently always returns changed = True. I believe this is due to EvaluationModes parameter recently added to describe_config_rules method output. ISSUE TYPE Bugfix Pull Request COMPONENT NAME config_rule ADDITIONAL INFORMATION Example configuration: - community.aws.config_rule: name: cloudwatch-log-group-encrypted description: Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK). source: identifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED owner: AWS Expected result: first execution returns changed = True, subsequent executions return changed = False. Current behavior: every execution returns changed = True. This is because update_resource method ends up comparing: {'ConfigRuleName': 'cloudwatch-log-group-encrypted', 'Description': 'Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).', 'Source': {'Owner': 'AWS', 'SourceIdentifier': 'CLOUDWATCH_LOG_GROUP_ENCRYPTED'}, 'ConfigRuleState': 'ACTIVE'} with: {'ConfigRuleName': 'cloudwatch-log-group-encrypted', 'Description': 'Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).', 'Source': {'Owner': 'AWS', 'SourceIdentifier': 'CLOUDWATCH_LOG_GROUP_ENCRYPTED'}, 'ConfigRuleState': 'ACTIVE', 'EvaluationModes': [{'Mode': 'DETECTIVE'}]} Reviewed-by: Markus Bergholz --- .../1757-config_rule-evaluation-mode.yml | 2 ++ plugins/modules/config_rule.py | 1 + .../integration/targets/config/tasks/main.yaml | 17 +++++++++++++++++ 3 files changed, 20 insertions(+) create mode 100644 
changelogs/fragments/1757-config_rule-evaluation-mode.yml
diff --git a/changelogs/fragments/1757-config_rule-evaluation-mode.yml b/changelogs/fragments/1757-config_rule-evaluation-mode.yml
new file mode 100644
index 00000000000..fc51efa0adb
--- /dev/null
+++ b/changelogs/fragments/1757-config_rule-evaluation-mode.yml
@@ -0,0 +1,2 @@
+trivial:
+- config_rule - Fix idempotency issues by ignoring `EvaluationModes` attribute
diff --git a/plugins/modules/config_rule.py b/plugins/modules/config_rule.py
index 4fd3103931f..cae18b2a0a4 100644
--- a/plugins/modules/config_rule.py
+++ b/plugins/modules/config_rule.py
@@ -151,6 +151,7 @@ def update_resource(client, module, params, result):
 del current_params['ConfigRules'][0]['ConfigRuleArn']
 del current_params['ConfigRules'][0]['ConfigRuleId']
+ del current_params['ConfigRules'][0]['EvaluationModes']
 if params != current_params['ConfigRules'][0]:
 try:
diff --git a/tests/integration/targets/config/tasks/main.yaml b/tests/integration/targets/config/tasks/main.yaml
index b4c1bf4ab3e..313f9f6770e 100644
--- a/tests/integration/targets/config/tasks/main.yaml
+++ b/tests/integration/targets/config/tasks/main.yaml
@@ -280,6 +280,23 @@
 that:
 - output.changed
+ - name: Update Config Rule - idempotency
+ aws_config_rule:
+ name: '{{ resource_prefix }}-rule'
+ state: present
+ description: 'This AWS Config rule checks for public write access on S3 buckets'
+ scope:
+ compliance_types:
+ - 'AWS::S3::Bucket'
+ source:
+ owner: AWS
+ identifier: 'S3_BUCKET_PUBLIC_READ_PROHIBITED'
+ register: output
+
+ - assert:
+ that:
+ - output is not changed
+
 - name: Update aws_config_aggregator
 aws_config_aggregator:
 name: random_name
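Review bot: The added `del current_params['ConfigRules'][0]['EvaluationModes']` raises KeyError whenever the key is absent, and the description itself says the attribute was only recently added to the describe_config_rules output, so an older botocore or a response without it would make the module crash instead of comparing. `current_params['ConfigRules'][0].pop('EvaluationModes', None)` removes the key only when it is present and otherwise behaves the same. The comparison `params != current_params['ConfigRules'][0]` stays sensitive to any further read-only keys AWS adds to the response, so a comment above the del block such as `# strip attributes the module cannot set, so the comparison only covers managed fields` would help the next maintainer; it is also worth stating there that, because the attribute is ignored, drift in a rule's evaluation mode is neither detected nor corrected by this module. update_resource starts and ends outside the hunk.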
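Review bot: The new task's `description: 'This AWS Config rule checks for public write access on S3 buckets'` does not match its `identifier: 'S3_BUCKET_PUBLIC_READ_PROHIBITED'`, which names a public-read rule; the text is presumably copied from the preceding update task, so if it is corrected both tasks have to change together or the `output is not changed` assertion fails. It would also be worth repeating the task once with `check_mode: true` and the same assertion, assuming the module supports check mode, so that idempotency is verified on that path as well. The surrounding task list continues outside the hunk.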