aws.rds_cluster usage of "domain" parameter fails due to "KeyError: 'Domain'"

[randoneering]

Summary

I am attempting to enable kerberos authentication and select the domain in which each RDS Cluster will be associated with. When attempting to apply the domain and iam_role for the domain, I receive the 'KeyError: 'Domain'' in the results of the playbook. When I use the rds_instance module, this error is not thrown.

Issue Type

Bug Report

Component Name

aws.rds_cluster

Ansible Version

$ ansible --version
ansible [core 2.16.3]  config file = /etc/ansible/ansible.cfg  configured module search path = ['/home/svcawx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']  ansible python module location = /usr/lib/python3.12/site-packages/ansible  ansible collection location = /home/svcawx/.ansible/collections:/usr/share/ansible/collections  executable location = /usr/bin/ansible  python version = 3.12.6 (main, Sep 23 2024, 09:58:19) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/usr/bin/python3.12)  jinja version = 3.1.2  libyaml = True

Collection Versions

$ ansible-galaxy collection list

amazon.aws = 8.2.1

AWS SDK versions

$ pip show boto boto3 botocore

pip
Name: boto3Version: 1.35.12Summary: The AWS SDK for PythonHome-page: https://github.com/boto/boto3Author: Amazon Web ServicesAuthor-email: License: Apache License 2.0Location: /home/svcawx/.local/lib/python3.9/site-packagesRequires: botocore, jmespath, s3transferRequired-by: ---Name: botocoreVersion: 1.35.12Summary: Low-level, data-driven core of boto 3.Home-page: https://github.com/boto/botocoreAuthor: Amazon Web ServicesAuthor-email: License: Apache License 2.0Location: /home/svcawx/.local/lib/python3.9/site-packagesRequires: jmespath, python-dateutil, urllib3Required-by: boto3, s3transfer

pip3
Name: boto3Version: 1.35.12Summary: The AWS SDK for PythonHome-page: https://github.com/boto/boto3Author: Amazon Web ServicesAuthor-email: License: Apache License 2.0Location: /home/svcawx/.local/lib/python3.9/site-packagesRequires: botocore, jmespath, s3transferRequired-by: ---Name: botocoreVersion: 1.35.12Summary: Low-level, data-driven core of boto 3.Home-page: https://github.com/boto/botocoreAuthor: Amazon Web ServicesAuthor-email: License: Apache License 2.0Location: /home/svcawx/.local/lib/python3.9/site-packagesRequires: jmespath, python-dateutil, urllib3Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = /etc/ansible/ansible.cfgHOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False

OS / Environment

RHEL 8

Steps to Reproduce

- name: Enable AD for RDS Instances/Clusters
  hosts: all
  tasks:
    - name: connect to QA
      amazon.aws.sts_assume_role:
        region: us-east-1
        role_arn: "arn:aws:iam::123456789:role/dba_awx_management"
        role_session_name: "enable_ad_dba"
      register: assumed_role_qa

    - name: get QA rds instance details
      amazon.aws.rds_instance_info:
        region: us-east-1
        access_key: "{{ assumed_role_qa.sts_creds.access_key }}"
        secret_key: "{{ assumed_role_qa.sts_creds.secret_key }}"
        session_token: "{{ assumed_role_qa.sts_creds.session_token }}"
      register: qa_instance


    - name: filter out docdb and non_aurora instances in instances
      ansible.builtin.set_fact:
        qa_instances: "{{ qa_instance.instances | selectattr('engine', 'search', '^(?!aurora|docdb)') }}"

    - name: filter out stopped instances
      ansible.builtin.set_fact:
        qa_instances_avail: "{{ qa_instances | selectattr('db_instance_status', 'eq', 'available') }}"

    - name: get QA rds cluster details
      amazon.aws.rds_cluster_info:
        region: us-east-1
        access_key: "{{ assumed_role_qa.sts_creds.access_key }}"
        secret_key: "{{ assumed_role_qa.sts_creds.secret_key }}"
        session_token: "{{ assumed_role_qa.sts_creds.session_token }}"
      register: qa_cluster

    - name: filter out docdb in clusters
      ansible.builtin.set_fact:
        qa_clusters: "{{ qa_cluster.clusters | selectattr('engine', 'search', 'aurora') }}"

    - name: filter out stopped clusters
      ansible.builtin.set_fact:
        qa_clusters_avail: "{{ qa_clusters | selectattr('status', 'eq', 'available') }}"

    - name: set var for identifier for qa instances and clusters
      ansible.builtin.set_fact:
        qa_instance_list: "{{ qa_instances_avail | selectattr('db_cluster_identifier', 'undefined') | map(attribute='db_instance_identifier') | list }}"
        qa_cluster_list: "{{ qa_clusters_avail | map(attribute='db_cluster_identifier') | list }}"

    - block:
      - name: enable AD for qa clusters
        amazon.aws.rds_cluster:
          region: us-east-1
          access_key: "{{ assumed_role_qa.sts_creds.access_key }}"
          secret_key: "{{ assumed_role_qa.sts_creds.secret_key }}"
          session_token: "{{ assumed_role_qa.sts_creds.session_token }}"
          id: '{{ item }}'
          state: present
          domain: "d-12345689"
          #domain_iam_role_name: rds-directoryservice-kerberos-access-role
          purge_tags: false
          apply_immediately: true
        with_items: "{{ qa_cluster_list }}"
        when: qa_cluster_list is defined
        register: qa_clusters_after
      - name: enable AD for qa target instances
        amazon.aws.rds_instance:
          region: us-east-1
          access_key: "{{ assumed_role_qa.sts_creds.access_key }}"
          secret_key: "{{ assumed_role_qa.sts_creds.secret_key }}"
          session_token: "{{ assumed_role_qa.sts_creds.session_token }}"
          id: '{{ item }}'
          state: present
          domain: "d-12345678"
          domain_iam_role_name: rds-directoryservice-kerberos-access-role
          purge_tags: false
          apply_immediately: true
        with_items: "{{ qa_instance_list }}"
        when: qa_instance_list is defined
        register: qa_instances_after

Expected Results

When executed, this should enable kerberos authentication and select the domain to register to.

Actual Results

  "module_stdout": "Traceback (most recent call last):\r\n  File \"/home/svcawx/.ansible/tmp/ansible-tmp-1731522736.3445244-107-77016698077163/AnsiballZ_rds_cluster.py\", line 107, in <module>\r\n    _ansiballz_main()\r\n  File \"/home/svcawx/.ansible/tmp/ansible-tmp-1731522736.3445244-107-77016698077163/AnsiballZ_rds_cluster.py\", line 99, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/home/svcawx/.ansible/tmp/ansible-tmp-1731522736.3445244-107-77016698077163/AnsiballZ_rds_cluster.py\", line 48, in invoke_module\r\n    run_name='__main__', alter_sys=True)\r\n  File \"/usr/lib64/python3.7/runpy.py\", line 205, in run_module\r\n    return _run_module_code(code, init_globals, run_name, mod_spec)\r\n  File \"/usr/lib64/python3.7/runpy.py\", line 96, in _run_module_code\r\n    mod_name, mod_spec, pkg_name, script_name)\r\n  File \"/usr/lib64/python3.7/runpy.py\", line 85, in _run_code\r\n    exec(code, run_globals)\r\n  File \"/tmp/ansible_amazon.aws.rds_cluster_payload_ibeb08h4/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/modules/rds_cluster.py\", line 1414, in <module>\r\n  File \"/tmp/ansible_amazon.aws.rds_cluster_payload_ibeb08h4/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/modules/rds_cluster.py\", line 1392, in main\r\n  File \"/tmp/ansible_amazon.aws.rds_cluster_payload_ibeb08h4/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/modules/rds_cluster.py\", line 1158, in ensure_present\r\n  File \"/tmp/ansible_amazon.aws.rds_cluster_payload_ibeb08h4/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/modules/rds_cluster.py\", line 1116, in changing_cluster_options\r\nKeyError: 'Domain'\r\n",

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[randoneering]

Please let me know if I need to provide any further details. Thank you!

[abikouo]

@randoneering Thanks for filling this issue. Could you please test using #2401?