From bcdde29ad0b321b2971e2ae3c83e2bdfa46c5bf5 Mon Sep 17 00:00:00 2001 
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> Date: Mon, 3 Apr 2023 09:46:00 +0000 Subject: [PATCH] config_rule - Fix Idempotency by Ignoring `EvaluationModes` Parameter (#1757) (#1766) [PR #1757/3ce57189 backport][stable-5] config_rule - Fix Idempotency by Ignoring `EvaluationModes` Parameter This is a backport of PR #1757 as merged into main (3ce5718). SUMMARY config_rule module currently always returns changed = True. I believe this is due to EvaluationModes parameter recently added to describe_config_rules method output. ISSUE TYPE Bugfix Pull Request COMPONENT NAME config_rule ADDITIONAL INFORMATION Example configuration: - community.aws.config_rule: name: cloudwatch-log-group-encrypted description: Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK). source: identifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED owner: AWS Expected result: first execution returns changed = True, subsequent executions return changed = False. Current behavior: every execution returns changed = True. 
This is because update_resource method ends up comparing: {'ConfigRuleName': 'cloudwatch-log-group-encrypted', 'Description': 'Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).', 'Source': {'Owner': 'AWS', 'SourceIdentifier': 'CLOUDWATCH_LOG_GROUP_ENCRYPTED'}, 'ConfigRuleState': 'ACTIVE'} with: {'ConfigRuleName': 'cloudwatch-log-group-encrypted', 'Description': 'Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).', 'Source': {'Owner': 'AWS', 'SourceIdentifier': 'CLOUDWATCH_LOG_GROUP_ENCRYPTED'}, 'ConfigRuleState': 'ACTIVE', 'EvaluationModes': [{'Mode': 'DETECTIVE'}]} Reviewed-by: Markus Bergholz
---
 .../1757-config_rule-evaluation-mode.yml | 2 ++
 plugins/modules/config_rule.py | 1 +
 .../integration/targets/config/tasks/main.yaml | 17 +++++++++++++++++
 3 files changed, 20 insertions(+)
 create mode 100644 changelogs/fragments/1757-config_rule-evaluation-mode.yml
diff --git a/changelogs/fragments/1757-config_rule-evaluation-mode.yml b/changelogs/fragments/1757-config_rule-evaluation-mode.yml
new file mode 100644
index 00000000000..fc51efa0adb
--- /dev/null
+++ b/changelogs/fragments/1757-config_rule-evaluation-mode.yml
@@ -0,0 +1,2 @@
+trivial:
+- config_rule - Fix idempotency issues by ignoring `EvaluationModes` attribute
diff --git a/plugins/modules/config_rule.py b/plugins/modules/config_rule.py
index d14f4d16ca9..d5cb717fdd1 100644
--- a/plugins/modules/config_rule.py
+++ b/plugins/modules/config_rule.py
@@ -153,6 +153,7 @@ def update_resource(client, module, params, result):
 del current_params['ConfigRules'][0]['ConfigRuleArn']
 del current_params['ConfigRules'][0]['ConfigRuleId']
+ del current_params['ConfigRules'][0]['EvaluationModes']
 if params != current_params['ConfigRules'][0]:
 try:
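Review bot: The added `del current_params['ConfigRules'][0]['EvaluationModes']` raises KeyError whenever the key is absent, and the commit message itself says this field was only recently added to the describe_config_rules response, so on a botocore version or endpoint that does not return it the module would now crash instead of merely reporting a spurious change. A tolerant removal avoids that: `current_params['ConfigRules'][0].pop('EvaluationModes', None)`. The two existing deletes of ConfigRuleArn and ConfigRuleId share the same assumption and could use the same form, though they are history here. If the module ever exposes evaluation modes as a parameter, this key should be compared rather than dropped, so a short comment above the line explaining that it is ignored because the module does not manage it would help the next maintainer. update_resource starts and ends outside the hunk.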
diff --git a/tests/integration/targets/config/tasks/main.yaml b/tests/integration/targets/config/tasks/main.yaml
index b4c1bf4ab3e..313f9f6770e 100644
--- a/tests/integration/targets/config/tasks/main.yaml
+++ b/tests/integration/targets/config/tasks/main.yaml
@@ -280,6 +280,23 @@
 that:
 - output.changed
+ - name: Update Config Rule - idempotency
+ aws_config_rule:
+ name: '{{ resource_prefix }}-rule'
+ state: present
+ description: 'This AWS Config rule checks for public write access on S3 buckets'
+ scope:
+ compliance_types:
+ - 'AWS::S3::Bucket'
+ source:
+ owner: AWS
+ identifier: 'S3_BUCKET_PUBLIC_READ_PROHIBITED'
+ register: output
+
+ - assert:
+ that:
+ - output is not changed
+
 - name: Update aws_config_aggregator
 aws_config_aggregator:
 name: random_name
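Review bot: The new idempotency task pairs `description: 'This AWS Config rule checks for public write access on S3 buckets'` with `identifier: 'S3_BUCKET_PUBLIC_READ_PROHIBITED'`, so the description contradicts the managed rule it names; presumably both were copied from the preceding "Update Config Rule" task, which sits outside the hunk. The larger concern is that the task restates every argument of that earlier task verbatim, so any future edit to one of them silently turns this check into a real update that legitimately reports changed, and the `output is not changed` assertion then fails for an unrelated reason. Keeping the shared arguments in one place (a YAML anchor on the first task, or a single vars dict referenced by both) keeps the two tasks in lockstep and makes the idempotency test mean what it says. A one-line comment above the task noting that it must use exactly the same arguments as the previous update would at least document the coupling.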