route53 module in v1.4.0 incorrectly flags alias record changes

[mvermaes]

SUMMARY

After updating to community.aws v1.4.0, using the route53 module to check an alias record that points to an S3 bucket results in changes being flagged that weren't previously.

ISSUE TYPE

• Bug Report

COMPONENT NAME

route53

ANSIBLE VERSION

ansible 2.10.5
  config file = /rw/data/repos/infra/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/share/virtualenvs/infra-tUXqHdZz/lib/python3.8/site-packages/ansible
  executable location = /home/user/.local/share/virtualenvs/infra-tUXqHdZz/bin/ansible
  python version = 3.8.7 (default, Jan 20 2021, 00:00:00) [GCC 10.2.1 20201125 (Red Hat 10.2.1-9)]

CONFIGURATION

DEFAULT_GATHER_TIMEOUT(/rw/data/repos/infra/ansible/ansible.cfg) = 60
DEFAULT_HOST_LIST(/rw/data/repos/infra/ansible/ansible.cfg) = ['/rw/data/repos/infra/ansible/hosts']
DEFAULT_MANAGED_STR(/rw/data/repos/infra/ansible/ansible.cfg) = Ansible managed file, manual changes will be overwritten
INVENTORY_ENABLED(/rw/data/repos/infra/ansible/ansible.cfg) = ['aws_ec2', 'host_list', 'script', 'auto', 'yaml', 'ini', 'toml']

OS / ENVIRONMENT

• Ansible host: Fedora 32
• boto: 2.49.0
• boto3: 1.16.49
• botocore: 1.19.49

STEPS TO REPRODUCE

• Create these three files:

  
  # Pipfile
  [[source]]
  url = "https://pypi.org/simple"
  verify_ssl = true
  name = "pypi"

[packages] ansible-base = "" boto3 = "" boto = "*"

```yaml
# requirements.yml 
---
collections:
  - name: amazon.aws
  - name: community.aws
  - name: community.general

# route53_alias_ansible.yml 
---
- hosts: 127.0.0.1
  connection: local
  become: no

  tasks:
    - community.aws.route53:
        state: present
        zone: <our domain>
        record: <our domain>
        type: A
        value: s3-website-ap-southeast-1.amazonaws.com.
        alias: yes
        alias_hosted_zone_id: Z3O0J2DXBE1FTB
        overwrite: yes

• With a pre-existing domain (<our domain> in example above) configured with an alias record at apex, pointing to an S3 bucket (per AWS docs), and files as per above, run these commands:

  pipenv install
  pipenv run ansible-galaxy collection install -r requirements.yml -f
  pipenv run ansible-playbook route53_alias_ansible.yml --check --diff

EXPECTED RESULTS

TASK [community.aws.route53] ************************************************************
ok: [127.0.0.1]

ACTUAL RESULTS

TASK [community.aws.route53] *************************************************************
--- before
+++ after
@@ -5,5 +5,11 @@
         "HostedZoneId": "Z3O0J2DXBE1FTB"
     },
     "Name": "<our domain>.",
+    "ResourceRecords": [
+        {
+            "Value": "s3-website-ap-southeast-1.amazonaws.com."
+        }
+    ],
+    "TTL": 3600,
     "Type": "A"
 }

changed: [127.0.0.1]

Reverting to community.aws 1.3.0 (leaving amazon.aws on 1.4.0) gets the expected results again.

(Edit 20210302: Add boto to Pipfile - inadvertently removed when trying to create minimal Pipfile. Boto is required to run the listed playbook under version 1.3.0)

[ansibullbot]

Files identified in the description:

• [plugins/modules/route53.py](https://github.com/['ansible-collections/amazon.aws', 'ansible-collections/community.aws', 'ansible-collections/community.vmware']/blob/main/plugins/modules/route53.py)

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @jillr @jimbydamonk @s-hertel @tremble @wimnat click here for bot help

[tremble]

@pjrm Would you be willing to take a look at this one too?

[mvermaes]

I think the problem is due to list_resource_record_sets() not returning TTL or ResourceRecords in the response when called here. I guess this is due to TTL/ResourceRecords not being relevant for alias resource record sets. From boto3 docs on list_resource_record_sets():

If you're creating or updating an alias resource record set, omit TTL . Amazon Route 53 uses the value of TTL for the alias target. ... If you're creating an alias resource record set, omit ResourceRecords

As a result, aws_record does not contain TTL/RR here. Then, when resource_record_set is created in the next line, it includes the TTL/RR values, which causes the comparison with aws_record to fail.

Removing the TTL/RR keys in the alias_in conditional seems to resolve the issue:

    if alias_in:
        ...
        resource_record_set.pop('TTL', None)
        resource_record_set.pop('ResourceRecords', None)

[mvermaes]

This was resolved by https://github.com/ansible-collections/community.aws/commit/8a2a138dac1b9552b5db7c2a9f888bd75a6effe9 :+1: