From 21971a3ced6b718ff107e414997e93bb138c92ef Mon Sep 17 00:00:00 2001 From: Ivan Chekaldin <39010411+ichekaldin@users.noreply.github.com> Date: Mon, 3 Apr 2023 04:17:23 -0400 Subject: [PATCH] config_rule - Fix Idempotency by Ignoring `EvaluationModes` Parameter (#1757) config_rule - Fix Idempotency by Ignoring `EvaluationModes` Parameter SUMMARY config_rule module currently always returns changed = True. I believe this is due to EvaluationModes parameter recently added to describe_config_rules method output. ISSUE TYPE Bugfix Pull Request COMPONENT NAME config_rule ADDITIONAL INFORMATION Example configuration: - community.aws.config_rule: name: cloudwatch-log-group-encrypted description: Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK). source: identifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED owner: AWS Expected result: first execution returns changed = True, subsequent executions return changed = False. Current behavior: every execution returns changed = True. This is because update_resource method ends up comparing: {'ConfigRuleName': 'cloudwatch-log-group-encrypted', 'Description': 'Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).', 'Source': {'Owner': 'AWS', 'SourceIdentifier': 'CLOUDWATCH_LOG_GROUP_ENCRYPTED'}, 'ConfigRuleState': 'ACTIVE'} with: {'ConfigRuleName': 'cloudwatch-log-group-encrypted', 'Description': 'Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK).', 'Source': {'Owner': 'AWS', 'SourceIdentifier': 'CLOUDWATCH_LOG_GROUP_ENCRYPTED'}, 'ConfigRuleState': 'ACTIVE', 'EvaluationModes': [{'Mode': 'DETECTIVE'}]} Reviewed-by: Markus Bergholz
---
config_rule.py | 1 + 1 file changed, 1 insertion(+)
diff --git a/config_rule.py b/config_rule.py
index 4fd3103931f..cae18b2a0a4 100644
--- a/config_rule.py
+++ b/config_rule.py
@@ -151,6 +151,7 @@ def update_resource(client, module, params, result):
 del current_params['ConfigRules'][0]['ConfigRuleArn']
 del current_params['ConfigRules'][0]['ConfigRuleId']
+ del current_params['ConfigRules'][0]['EvaluationModes']
 if params != current_params['ConfigRules'][0]:
 try:
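Review bot: The added `del current_params['ConfigRules'][0]['EvaluationModes']` raises `KeyError` whenever the describe_config_rules response carries no `EvaluationModes` key, so on any client or API version that does not return the field (the description itself says it was only recently added) the idempotency fix turns into a hard failure of update_resource. The two `del` lines above it strip keys the response evidently always carries, but that assumption should not be copied for a newly introduced field; `current_params['ConfigRules'][0].pop('EvaluationModes', None)` discards it when present and is a no-op otherwise. A short comment would also help the next reader, e.g. `# EvaluationModes is returned by describe_config_rules but is not part of params; drop it so the comparison stays idempotent`. Note that dropping the key also means a rule whose evaluation mode differs from what the user intends will never be reported as changed by this comparison, which is presumably acceptable since the module does not set it, but is worth stating in the module documentation. update_resource starts before this hunk and its body continues after the `try:`.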