
aws_secretsmanager_secret module not idempotent #2204

Open

piyat opened this issue Dec 16, 2024 · 0 comments

piyat commented Dec 16, 2024

Summary

Module always reports changed even if secret data/metadata did not change. Shouldn't do anything if nothing needs updating and should ignore last updated time/ASM revisions.

Example playbook is pasted below; for me, this always results in changed=True on running.

Why is this and is there a way I can avoid it?

Issue Type

Bug Report

Component Name

aws_secretsmanager_secret

Ansible Version

$ ansible --version
ansible 2.10.17

Collection Versions

$ ansible-galaxy collection list

Collection        Version
----------------- -------
amazon.aws        8.2.1  
ansible.utils     2.6.1  
cloud.common      2.1.0  
community.aws     8.0.0  
kubernetes.core   2.3.1  
operator_sdk.util 0.4.0  

Collection                Version
------------------------- -------
amazon.aws                1.4.0  
ansible.netcommon         1.5.0  
ansible.posix             1.1.1  
ansible.windows           1.4.0  
arista.eos                1.3.0  
awx.awx                   14.1.0 
azure.azcollection        1.4.0  
check_point.mgmt          1.0.6  
chocolatey.chocolatey     1.0.2  
cisco.aci                 1.1.1  
cisco.asa                 1.0.4  
cisco.intersight          1.0.10 
cisco.ios                 1.3.0  
cisco.iosxr               1.2.1  
cisco.ise                 *      
cisco.meraki              2.2.0  
cisco.mso                 1.1.0  
cisco.nso                 1.0.3  
cisco.nxos                1.4.0  
cisco.ucs                 1.6.0  
cloudscale_ch.cloud       1.3.1  
community.aws             1.3.0  
community.azure           1.0.0  
community.crypto          1.4.0  
community.digitalocean    1.0.0  
community.docker          1.2.2  
community.fortios         1.0.0  
community.general         1.3.6  
community.google          1.0.0  
community.grafana         1.1.0  
community.hashi_vault     1.1.0  
community.hrobot          1.1.0  
community.kubernetes      1.1.1  
community.kubevirt        1.0.0  
community.libvirt         1.0.0  
community.mongodb         1.2.0  
community.mysql           1.2.0  
community.network         1.3.2  
community.okd             1.0.0  
community.postgresql      1.1.1  
community.proxysql        1.0.0  
community.rabbitmq        1.0.1  
community.routeros        1.1.0  
community.skydive         1.0.0  
community.vmware          1.7.0  
community.windows         1.3.0  
community.zabbix          1.2.0  
containers.podman         1.4.1  
cyberark.conjur           1.1.0  
cyberark.pas              1.0.5  
dellemc.os10              1.0.2  
dellemc.os6               1.0.6  
dellemc.os9               1.0.3  
f5networks.f5_modules     1.7.1  
fortinet.fortimanager     1.0.5  
fortinet.fortios          1.1.8  
frr.frr                   1.0.3  
gluster.gluster           1.0.1  
google.cloud              1.0.2  
hetzner.hcloud            1.2.1  
ibm.qradar                1.0.3  
infinidat.infinibox       1.2.4  
junipernetworks.junos     1.3.0  
mellanox.onyx             1.0.0  
netapp.aws                20.9.0 
netapp.elementsw          20.11.0
netapp.ontap              20.12.0
netapp_eseries.santricity 1.1.0  
netbox.netbox             1.2.1  
ngine_io.cloudstack       1.2.0  
ngine_io.exoscale         1.0.0  
ngine_io.vultr            1.1.0  
openstack.cloud           1.2.1  
openvswitch.openvswitch   1.1.0  
ovirt.ovirt               1.3.0  
purestorage.flasharray    1.6.2  
purestorage.flashblade    1.4.0  
servicenow.servicenow     1.0.4  
splunk.es                 1.0.2  
theforeman.foreman        1.5.1  
vyos.vyos                 1.1.1  
wti.remote                1.0.1  

AWS SDK versions

$ pip show boto boto3 botocore
WARNING: Package(s) not found: boto
Name: boto3
Version: 1.34.123
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /opt/homebrew/lib/python3.11/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: redhat-qe-cloud-tools
---
Name: botocore
Version: 1.34.123
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /opt/homebrew/lib/python3.11/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed

OS / Environment

MacOS

Steps to Reproduce

```yaml
- connection: local
  hosts: localhost
  gather_facts: no
  vars:
    aws_region: "eu-west-1"
    # Plaintext passwords in vars are only for this repro; keep them in
    # ansible-vault or a secrets lookup in a real playbook.
    user_obj:
      - name: appuser1
        password: password1
      - name: appuser2
        password: password2
  tasks:
    - name: "Add credentials to AWS Secrets Manager for {{ item.name }} - standard app user"
      community.aws.secretsmanager_secret:
        name: "{{ item.name }}"
        state: present
        overwrite: false
        secret_type: 'string'
        description: "Credentials for application user {{ item.name | replace('-', '_') }}"
        resource_policy: "{{ lookup('template', 'templates/resource_policy.json.j2', convert_data=False) | string }}"
        json_secret:
          APPLICATION_USERNAME: "{{ item.name }}"
          APPLICATION_PASSWORD: "{{ item.password }}"
      # loop needs the list itself, not the literal string "user_obj"
      loop: "{{ user_obj }}"
```

Expected Results

I expect module to report changed=True when data has changed (i.e. update username or password) and changed=False when data has not changed, ignoring update timestamps and other metadata unrelated to the data being stored in the ASM secret.

Actual Results

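The following is an added example, not code from the amazon.aws or community.aws collections and not from the issue author. It is a pure-Python sketch of the "does this secret need an update?" comparison an idempotent secretsmanager_secret task has to make before calling UpdateSecret, PutSecretValue or PutResourcePolicy. It compares only the fields the playbook manages, canonicalises JSON (key order, whitespace) before comparing the resource policy and the secret string, honours `overwrite: false` by never re-comparing an existing value, redacts secret material from the reported diff, and reads none of the per-write metadata the report says should be ignored (LastChangedDate, VersionId, VersionIdsToStages). The `CURRENT_*` dicts are constructed to mirror the key names of boto3's describe_secret, get_secret_value and get_resource_policy responses; they are not captured output, and the ARN, account id and role name are placeholders. Nothing here talks to AWS.

```python
# Added example: idempotency check for a Secrets Manager secret, offline.
import json
from datetime import datetime, timezone


def canonical_json(value):
    """Canonical form of JSON text or a parsed object, so key order and whitespace
    never count as a change. None stays None; non-JSON strings are compared stripped."""
    if value is None:
        return None
    if isinstance(value, (dict, list)):
        return json.dumps(value, sort_keys=True, separators=(",", ":"))
    try:
        return json.dumps(json.loads(value), sort_keys=True, separators=(",", ":"))
    except (TypeError, ValueError):
        return value.strip() if isinstance(value, str) else str(value)


def tags_to_dict(tags):
    """describe_secret returns Tags as [{'Key': ..., 'Value': ...}]; the playbook uses a dict."""
    if tags is None:
        return {}
    if isinstance(tags, dict):
        return dict(tags)
    return {t["Key"]: t["Value"] for t in tags}


def secret_diff(desired, current_meta, current_value, current_policy, overwrite=True):
    """Return {field: (have, want)} for each managed field that differs.
    {} means no API call is needed and the task should report changed=False.
    desired keys: description, kms_key_id, tags, resource_policy, secret (None = unmanaged).
    current_meta / current_value / current_policy are shaped like describe_secret,
    get_secret_value (None if no value yet) and get_resource_policy responses."""
    diffs = {}
    for field, aws_key in (("description", "Description"), ("kms_key_id", "KmsKeyId")):
        want = desired.get(field)
        if want is None:
            continue                                   # not managed by this task
        have = current_meta.get(aws_key) or ""
        if have != want:
            diffs[field] = (have, want)
    if desired.get("tags") is not None:                # order-independent tag compare
        have = tags_to_dict(current_meta.get("Tags"))
        if have != desired["tags"]:
            diffs["tags"] = (have, desired["tags"])
    if desired.get("resource_policy") is not None:     # compare policies semantically
        have = canonical_json(current_policy.get("ResourcePolicy"))
        want = canonical_json(desired["resource_policy"])
        if have != want:
            diffs["resource_policy"] = (have, want)
    # overwrite=False: an existing value is left alone, as with the playbook's overwrite: false
    if desired.get("secret") is not None and (overwrite or current_value is None):
        have = canonical_json(current_value.get("SecretString")) if current_value else None
        want = canonical_json(desired["secret"])
        if have != want:                               # never put secret material in a diff/log
            diffs["secret"] = ("<redacted>", "<redacted>")
    return diffs


# --- constructed sample data shaped like boto3 responses; not real AWS output ---
DESIRED = {
    "description": "Credentials for application user appuser1",
    "resource_policy": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                       '"Principal": {"AWS": "arn:aws:iam::123456789012:role/app"}, '
                       '"Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}',
    "secret": {"APPLICATION_USERNAME": "appuser1", "APPLICATION_PASSWORD": "password1"},
}
CURRENT_META = {   # LastChangedDate / VersionIdsToStages change on every write; never read
    "ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:appuser1-AbCdEf",
    "Name": "appuser1",
    "Description": "Credentials for application user appuser1",
    "LastChangedDate": datetime(2024, 12, 16, tzinfo=timezone.utc),
    "VersionIdsToStages": {"a1b2c3d4": ["AWSCURRENT"]},
}
CURRENT_VALUE = {  # same keys as DESIRED["secret"], different key order and spacing
    "SecretString": '{"APPLICATION_PASSWORD":"password1","APPLICATION_USERNAME":"appuser1"}',
    "VersionId": "a1b2c3d4",
}
CURRENT_POLICY = {  # same policy as DESIRED["resource_policy"], stored compacted and re-ordered
    "ResourcePolicy": '{"Statement":[{"Action":"secretsmanager:GetSecretValue","Effect":"Allow",'
                      '"Principal":{"AWS":"arn:aws:iam::123456789012:role/app"},"Resource":"*"}],'
                      '"Version":"2012-10-17"}',
}


def unchanged_rerun():
    """Second run with identical input: must be {} (changed=False)."""
    return secret_diff(DESIRED, CURRENT_META, CURRENT_VALUE, CURRENT_POLICY)


def rotated_password(overwrite=True):
    """Password changed in vars: flagged with overwrite=True, ignored with overwrite=False."""
    desired = dict(DESIRED, secret=dict(DESIRED["secret"], APPLICATION_PASSWORD="password2"))
    return secret_diff(desired, CURRENT_META, CURRENT_VALUE, CURRENT_POLICY, overwrite=overwrite)


if __name__ == "__main__":
    print("rerun:", unchanged_rerun())
    print("rotated:", rotated_password())
    print("rotated, overwrite=false:", rotated_password(overwrite=False))
```

To check the real module rather than this sketch, run the task twice with `register:` and assert on `changed` of the second run; if it is still true, the field the module re-sends is the one to look at, and the comparison above shows the two usual culprits (a resource policy compared as raw text, and a secret string compared before JSON canonicalisation).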