config_rule - Fix Idempotency by Ignoring EvaluationModes Parameter (ansible-collections#1757)

config_rule - Fix Idempotency by Ignoring `EvaluationModes` Parameter

SUMMARY
config_rule module currently always returns changed = True.
I believe this is due to EvaluationModes parameter recently added to describe_config_rules method output.

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

config_rule

ADDITIONAL INFORMATION

Example configuration:

- community.aws.config_rule:
    name: cloudwatch-log-group-encrypted
    description: Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).
    source:
      identifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
      owner: AWS

Expected result: first execution returns changed = True, subsequent executions return changed = False.
Current behavior: every execution returns changed = True.
This is because update_resource method ends up comparing:
{'ConfigRuleName': 'cloudwatch-log-group-encrypted', 'Description': 'Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).', 'Source': {'Owner': 'AWS', 'SourceIdentifier': 'CLOUDWATCH_LOG_GROUP_ENCRYPTED'}, 'ConfigRuleState': 'ACTIVE'}

with:
{'ConfigRuleName': 'cloudwatch-log-group-encrypted', 'Description': 'Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).', 'Source': {'Owner': 'AWS', 'SourceIdentifier': 'CLOUDWATCH_LOG_GROUP_ENCRYPTED'}, 'ConfigRuleState': 'ACTIVE', 'EvaluationModes': [{'Mode': 'DETECTIVE'}]}

Reviewed-by: Markus Bergholz <[email protected]>
ichekaldin authored Apr 3, 2023
1 parent d7ce104 commit 21971a3
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions config_rule.py
Expand Up @@ -151,6 +151,7 @@ def update_resource(client, module, params, result):

del current_params['ConfigRules'][0]['ConfigRuleArn']
del current_params['ConfigRules'][0]['ConfigRuleId']
del current_params['ConfigRules'][0]['EvaluationModes']

if params != current_params['ConfigRules'][0]:
try:
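Review bot: the new `del current_params['ConfigRules'][0]['EvaluationModes']` in update_resource assumes the key is always present, and it raises KeyError before the comparison if the describe_config_rules response lacks it (the commit message notes the field was only recently added to that output). Using `current_params['ConfigRules'][0].pop('EvaluationModes', None)` keeps the idempotency fix and tolerates responses without the field. A short comment on that line saying that EvaluationModes is dropped because the module does not manage it would also help, since after this change a difference in evaluation mode no longer registers as a change.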