Closed eRadical closed 3 weeks ago
I looked in CloudTrail on the CreateDBInstance instance and I found out that AWS does not see Ansible sending a different performance_insights_kms_key_id.
Actually in the event record in "requestParameters" I do not have at all "performanceInsightsKMSKeyId". I do see "kmsKeyId" set to the same key.
In the "responseElements" I can see the "kmsKeyId" applied correctly, and I can also see the wrong
"performanceInsightsKMSKeyId": "arn:aws:kms:eu-west-1:565656565656:key/4063-870a-6da5c69cedff-6f2d4e3e-0635",
which is actually the default "aws/rds".
I suspect that the issue is with capitalization of parameters:
Note that in the second one, KMS is all caps.
I have tried to create an instance via AWS console and it works ok - I get the custom key in performance insights. I'll try tomorrow via aws cli to see if this is a boto issue.
I'm willing to debug this if anyone can give me a hint on how to get started.
aws rds create-db-instance --db-instance-identifier=db-prod-59 \
--db-instance-class=db.m6i.large --engine=mariadb \
--enable-performance-insights \
--performance-insights-kms-key-id="mrk-b9a9d5be4a8ade74957e62af13954599" \
... --storage-encrypted --kms-key-id="mrk-b9a9d5be4a8ade74957e62af13954599"
I just tried w/ the above and it creates the DB w/ correct keys. So 99% the problem is in Ansible -> rds_instance.
I might have a confirmation that it is an issue with capitalization of parameters.
I added KMS:
for old, new in (("Db", "DB"), ("Iam", "IAM"), ("Az", "AZ"), ("Ca", "CA"), ("Kms", "KMS")):
But this time the DB instance was created w/ the correct key for performance-insights but w/ the wrong key for kms_key_id (it used the default "aws/rds").
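To illustrate the capitalization conflict described in the comments above, here is an added Python example; it is not code from the issue or from the amazon.aws collection. The conversion helper is my approximation of a snake_case-to-CamelCase step with the acronym fix-ups quoted above, and the describe output used for the post-create check is a constructed sample.

```python
"""Show why a blanket ("Kms", "KMS") fix-up cannot satisfy both RDS parameters,
and check after creation which KMS keys RDS actually applied."""

# Acronym fix-ups as quoted in the comment above; the extra entry is the one the
# reporter tried. The blanket str.replace loop is an assumption about the module.
ACRONYMS = (("Db", "DB"), ("Iam", "IAM"), ("Az", "AZ"), ("Ca", "CA"))
WITH_KMS = ACRONYMS + (("Kms", "KMS"),)

# Parameter names the RDS CreateDBInstance API (and describe_db_instances output) use.
EXPECTED = {
    "kms_key_id": "KmsKeyId",
    "performance_insights_kms_key_id": "PerformanceInsightsKMSKeyId",
}


def to_boto_key(snake, acronyms=ACRONYMS):
    """Title-case each word of a snake_case name, then apply the acronym replacements."""
    camel = "".join(part.capitalize() for part in snake.split("_"))
    for old, new in acronyms:
        camel = camel.replace(old, new)
    return camel


def mismatches(acronyms):
    """Names in EXPECTED whose converted form is not the spelling the API accepts."""
    return sorted(k for k, want in EXPECTED.items() if to_boto_key(k, acronyms) != want)


def same_key(requested, actual_arn):
    """True if a key ID or key ARN from the request matches the ARN RDS reports."""
    if requested.startswith("arn:"):
        return requested == actual_arn
    return actual_arn.endswith("/" + requested)


def check_applied_keys(requested, instance):
    """Compare requested keys with one describe_db_instances entry: snake name -> bool."""
    return {snake: same_key(requested[snake], instance.get(api, ""))
            for snake, api in EXPECTED.items() if snake in requested}


# Constructed sample: both keys requested as the same customer-managed key ID,
# but the describe output shows Performance Insights fell back to another key.
REQUESTED = {
    "kms_key_id": "mrk-b9a9d5be4a8ade74957e62af13954599",
    "performance_insights_kms_key_id": "mrk-b9a9d5be4a8ade74957e62af13954599",
}
SAMPLE_INSTANCE = {
    "DBInstanceIdentifier": "db-prod-59",
    "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/mrk-b9a9d5be4a8ade74957e62af13954599",
    "PerformanceInsightsKMSKeyId": "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000",
}
```

With only the original fix-ups, performance_insights_kms_key_id is sent with the wrong spelling; adding ("Kms", "KMS") flips the problem onto kms_key_id, which matches the behaviour reported above. Running check_applied_keys against a real describe_db_instances result after creation catches a silent fallback to the default key.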
Summary
When creating a new rds_instance with a custom "performance_insights_kms_key_id" (not the default one "aws/rds") the KMS key is not applied but the default one is.
Issue Type
Bug Report
Component Name
rds_instance
Ansible Version
Collection Versions
AWS SDK versions
Configuration
OS / Environment
Fedora release 40 (Forty)
Steps to Reproduce
Expected Results
I expect to see the key declared not the default "aws/rds"
Actual Results
in response we have: