Ansible Cloud Automation / ACA-1994

[amazon.aws/2390] aws.rds_cluster usage of "domain" parameter fails due to "KeyError: 'Domain'"


      https://github.com/ansible-collections/amazon.aws/issues/2390

          1. Summary

      I am attempting to enable Kerberos authentication and select the domain with which each RDS cluster will be associated. When attempting to apply the domain and iam_role for the domain, I receive `KeyError: 'Domain'` in the results of the playbook. When I use the rds_instance module, this error is not thrown.

          1. Issue Type

      Bug Report

          1. Component Name

      aws.rds_cluster

          1. Ansible Version

      ```console
      $ ansible --version
      ansible [core 2.16.3]
        config file = /etc/ansible/ansible.cfg
        configured module search path = ['/home/svcawx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
        ansible python module location = /usr/lib/python3.12/site-packages/ansible
        ansible collection location = /home/svcawx/.ansible/collections:/usr/share/ansible/collections
        executable location = /usr/bin/ansible
        python version = 3.12.6 (main, Sep 23 2024, 09:58:19) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/usr/bin/python3.12)
        jinja version = 3.1.2
        libyaml = True
      ```

          1. Collection Versions

      ```console
      $ ansible-galaxy collection list

      amazon.aws = 8.2.1
      ```

          1. AWS SDK versions

      ```console
      $ pip show boto boto3 botocore

      pip
      Name: boto3
      Version: 1.35.12
      Summary: The AWS SDK for Python
      Home-page: https://github.com/boto/boto3
      Author: Amazon Web Services
      Author-email:
      License: Apache License 2.0
      Location: /home/svcawx/.local/lib/python3.9/site-packages
      Requires: botocore, jmespath, s3transfer
      Required-by:
      ---
      Name: botocore
      Version: 1.35.12
      Summary: Low-level, data-driven core of boto 3.
      Home-page: https://github.com/boto/botocore
      Author: Amazon Web Services
      Author-email:
      License: Apache License 2.0
      Location: /home/svcawx/.local/lib/python3.9/site-packages
      Requires: jmespath, python-dateutil, urllib3
      Required-by: boto3, s3transfer

      pip3
      Name: boto3
      Version: 1.35.12
      Summary: The AWS SDK for Python
      Home-page: https://github.com/boto/boto3
      Author: Amazon Web Services
      Author-email:
      License: Apache License 2.0
      Location: /home/svcawx/.local/lib/python3.9/site-packages
      Requires: botocore, jmespath, s3transfer
      Required-by:
      ---
      Name: botocore
      Version: 1.35.12
      Summary: Low-level, data-driven core of boto 3.
      Home-page: https://github.com/boto/botocore
      Author: Amazon Web Services
      Author-email:
      License: Apache License 2.0
      Location: /home/svcawx/.local/lib/python3.9/site-packages
      Requires: jmespath, python-dateutil, urllib3
      Required-by: boto3, s3transfer
      ```

          1. Configuration

      ```console
      $ ansible-config dump --only-changed
      CONFIG_FILE() = /etc/ansible/ansible.cfg
      HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
      ```

          1. OS / Environment

      RHEL 8

          1. Steps to Reproduce

      ```yaml
      - name: Enable AD for RDS Instances/Clusters
        hosts: all
        tasks:
          - name: connect to QA
            amazon.aws.sts_assume_role:
              region: us-east-1
              role_arn: "arn:aws:iam::123456789:role/dba_awx_management"
              role_session_name: "enable_ad_dba"
            register: assumed_role_qa
          - name: get QA rds instance details
            amazon.aws.rds_instance_info:
              region: us-east-1
              access_key: "{{ assumed_role_qa.sts_creds.access_key }}"
              secret_key: "{{ assumed_role_qa.sts_creds.secret_key }}"
              session_token: "{{ assumed_role_qa.sts_creds.session_token }}"
            register: qa_instance
          - name: filter out docdb and non_aurora instances in instances
            ansible.builtin.set_fact:
              qa_instances: "{{ qa_instance.instances | selectattr('engine', 'search', '^(?!aurora|docdb)') }}"
          - name: filter out stopped instances
            ansible.builtin.set_fact:
              qa_instances_avail: "{{ qa_instances | selectattr('db_instance_status', 'eq', 'available') }}"
          - name: get QA rds cluster details
            amazon.aws.rds_cluster_info:
              region: us-east-1
              access_key: "{{ assumed_role_qa.sts_creds.access_key }}"
              secret_key: "{{ assumed_role_qa.sts_creds.secret_key }}"
              session_token: "{{ assumed_role_qa.sts_creds.session_token }}"
            register: qa_cluster
          - name: filter out docdb in clusters
            ansible.builtin.set_fact:
              qa_clusters: "{{ qa_cluster.clusters | selectattr('engine', 'search', 'aurora') }}"
          - name: filter out stopped clusters
            ansible.builtin.set_fact:
              qa_clusters_avail: "{{ qa_clusters | selectattr('status', 'eq', 'available') }}"
          - name: set var for identifier for qa instances and clusters
            ansible.builtin.set_fact:
              qa_instance_list: "{{ qa_instances_avail | selectattr('db_cluster_identifier', 'undefined') | map(attribute='db_instance_identifier') | list }}"
              qa_cluster_list: "{{ qa_clusters_avail | map(attribute='db_cluster_identifier') | list }}"
          - block:
              - name: enable AD for qa clusters
                amazon.aws.rds_cluster:
                  region: us-east-1
                  access_key: "{{ assumed_role_qa.sts_creds.access_key }}"
                  secret_key: "{{ assumed_role_qa.sts_creds.secret_key }}"
                  session_token: "{{ assumed_role_qa.sts_creds.session_token }}"
                  id: '{{ item }}'
                  state: present
                  domain: "d-12345689"
                  #domain_iam_role_name: rds-directoryservice-kerberos-access-role
                  purge_tags: false
                  apply_immediately: true
                with_items: "{{ qa_cluster_list }}"
                when: qa_cluster_list is defined
                register: qa_clusters_after
              - name: enable AD for qa target instances
                amazon.aws.rds_instance:
                  region: us-east-1
                  access_key: "{{ assumed_role_qa.sts_creds.access_key }}"
                  secret_key: "{{ assumed_role_qa.sts_creds.secret_key }}"
                  session_token: "{{ assumed_role_qa.sts_creds.session_token }}"
                  id: '{{ item }}'
                  state: present
                  domain: "d-12345678"
                  domain_iam_role_name: rds-directoryservice-kerberos-access-role
                  purge_tags: false
                  apply_immediately: true
                with_items: "{{ qa_instance_list }}"
                when: qa_instance_list is defined
                register: qa_instances_after
      ```

          1. Expected Results

      When executed, this should enable Kerberos authentication and select the domain to register to.

          1. Actual Results

      ```console
      "module_stdout": "Traceback (most recent call last):\r\n File \"/home/svcawx/.ansible/tmp/ansible-tmp-1731522736.3445244-107-77016698077163/AnsiballZ_rds_cluster.py\", line 107, in <module>\r\n ansiballz_main()\r\n File \"/home/svcawx/.ansible/tmp/ansible-tmp-1731522736.3445244-107-77016698077163/AnsiballZ_rds_cluster.py\", line 99, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/svcawx/.ansible/tmp/ansible-tmp-1731522736.3445244-107-77016698077163/AnsiballZ_rds_cluster.py\", line 48, in invoke_module\r\n run_name='main_', alter_sys=True)\r\n File \"/usr/lib64/python3.7/runpy.py\", line 205, in run_module\r\n return _run_module_code(code, init_globals, run_name, mod_spec)\r\n File \"/usr/lib64/python3.7/runpy.py\", line 96, in _run_module_code\r\n mod_name, mod_spec, pkg_name, script_name)\r\n File \"/usr/lib64/python3.7/runpy.py\", line 85, in _run_code\r\n exec(code, run_globals)\r\n File \"/tmp/ansible_amazon.aws.rds_cluster_payload_ibeb08h4/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/modules/rds_cluster.py\", line 1414, in <module>\r\n File \"/tmp/ansible_amazon.aws.rds_cluster_payload_ibeb08h4/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/modules/rds_cluster.py\", line 1392, in main\r\n File \"/tmp/ansible_amazon.aws.rds_cluster_payload_ibeb08h4/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/modules/rds_cluster.py\", line 1158, in ensure_present\r\n File \"/tmp/ansible_amazon.aws.rds_cluster_payload_ibeb08h4/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/modules/rds_cluster.py\", line 1116, in changing_cluster_options\r\nKeyError: 'Domain'\r\n",
      ```

          1. Code of Conduct
      • [X] I agree to follow the Ansible Code of Conduct

              Unassigned Unassigned
              jrouleau Jill Rouleau
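
An added illustration, not part of the original report and not the amazon.aws collection's code: the traceback ends in `KeyError: 'Domain'` inside `changing_cluster_options`, the failure class produced when a desired option is compared against a describe response by direct indexing. The cluster record below is constructed, the `DomainMemberships` layout follows the boto3 `describe_db_clusters` response, and all function names are hypothetical.

```python
# Added illustration; not the amazon.aws collection's code.
# Constructed sample shaped like one DescribeDBClusters entry for a cluster
# that has never been joined to a directory: there is no top-level "Domain" key.
CURRENT = {
    "DBClusterIdentifier": "qa-aurora-1",  # constructed identifier
    "Status": "available",
    "DomainMemberships": [],
}


def diff_unsafe(params, current):
    """Index the current state directly; raises KeyError when a key is absent."""
    changes = {}
    for option in ("Domain", "DomainIAMRoleName"):
        desired = params.get(option)
        if desired is not None and desired != current[option]:
            changes[option] = desired
    return changes


def current_domain(current):
    """Return (domain, role) from DomainMemberships, or (None, None) if not joined."""
    memberships = current.get("DomainMemberships") or []
    if not memberships:
        return None, None
    first = memberships[0]
    return first.get("Domain"), first.get("IAMRoleName")


def diff_safe(params, current):
    """Treat a missing membership as 'not configured' instead of crashing."""
    domain, role = current_domain(current)
    have = {"Domain": domain, "DomainIAMRoleName": role}
    return {k: v for k, v in params.items()
            if k in have and v is not None and v != have[k]}


def raises_key_error(params, current):
    """Return the missing key name if diff_unsafe raises KeyError, else None."""
    try:
        diff_unsafe(params, current)
    except KeyError as exc:
        return exc.args[0]
    return None


if __name__ == "__main__":
    wanted = {"Domain": "d-12345689", "DomainIAMRoleName": None}
    print("unsafe lookup failed on key:", raises_key_error(wanted, CURRENT))
    print("safe diff:", diff_safe(wanted, CURRENT))
```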