
chore(integ): use new RDS CA certificate for DocDB instances

Open jericht opened this issue 5 months ago • 2 comments

Notes

The RDS CA certificate used by DocDB instances deployed by RFDK is expiring in August 2024. See https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html

This PR changes the DocDB instances deployed by our integration tests to use the newer RDS CA certificate. We still need to do this for RFDK itself in a future PR.

Testing

  • Ran the integration tests in my account and verified the CFN templates had the AWS::DocDB::DBInstance.CACertificateIdentifier property set to the newer certificate ID rds-ca-rsa4096-g1
  • Also verified in the AWS console that the DB instance was using the newer RDS CA certificate.

Example CFN template snippet:

  "StorageStruct1RepositoryDocumentDatabaseInstance1670329EE": {
   "Type": "AWS::DocDB::DBInstance",
   "Properties": {
    "AutoMinorVersionUpgrade": true,
    "CACertificateIdentifier": "rds-ca-rsa4096-g1",
    "DBClusterIdentifier": {
     "Ref": "StorageStruct1RepositoryDocumentDatabase8BA714C4"
    },
    "DBInstanceClass": "db.r5.large",
    "Tags": [
     {
      "Key": "aws-rfdk",
      "Value": "1.3.0:Repository"
     }
    ]
   },
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "RFDKInteg-DL-ComponentTier1705531747651705277/StorageStruct1/Repository/DocumentDatabase/Instance1"
   }
  }

AWS Console screenshot showing CA cert is applied: [screenshot not included in this extract]


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

jericht, Jan 17 '24 23:01
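The verification step above (inspecting synthesized CFN templates for the `CACertificateIdentifier` value) is easy to automate as a pre-deploy check, so that an instance silently left on the old CA does not slip through once the certificate expires. The following is an added example, not part of this PR or of the RFDK code base; the template, its logical IDs and the cluster resource are constructed for the example, and the `rds-ca-rsa4096-g1` identifier is the one the PR sets. It treats a missing property as a finding, because an instance without it keeps whatever CA the service applies by default, which is exactly the case this PR is fixing. It only inspects the template; it does not confirm the certificate on the running instance, which is what the console check in the PR covers.

```python
"""Audit a synthesized CloudFormation template for DocDB instances that do not
pin the newer RDS CA certificate (added example, not RFDK project code)."""
import json

# Identifier set by the PR; any DocDB instance that does not pin it is reported.
EXPECTED_CA = "rds-ca-rsa4096-g1"
DOCDB_INSTANCE_TYPE = "AWS::DocDB::DBInstance"


def find_docdb_instances(template: dict) -> dict:
    """Return {logical_id: properties} for every DocDB instance in the template."""
    resources = template.get("Resources", {})
    return {
        logical_id: res.get("Properties", {})
        for logical_id, res in resources.items()
        if res.get("Type") == DOCDB_INSTANCE_TYPE
    }


def audit_ca_certificates(template: dict, expected: str = EXPECTED_CA) -> dict:
    """Map each DocDB instance logical ID to a finding string, or None if compliant.

    A missing CACertificateIdentifier is a finding: with the property absent the
    instance keeps the service default CA rather than the pinned newer one.
    """
    findings = {}
    for logical_id, props in find_docdb_instances(template).items():
        ca = props.get("CACertificateIdentifier")
        if ca is None:
            findings[logical_id] = "CACertificateIdentifier not set (service default applies)"
        elif ca != expected:
            findings[logical_id] = f"uses {ca!r}, expected {expected!r}"
        else:
            findings[logical_id] = None
    return findings


def noncompliant_instances(template: dict, expected: str = EXPECTED_CA) -> list:
    """Sorted logical IDs of DocDB instances that do not pin the expected CA."""
    return sorted(
        logical_id
        for logical_id, finding in audit_ca_certificates(template, expected).items()
        if finding is not None
    )


# Constructed sample template (hypothetical logical IDs): one instance that
# mirrors the PR's snippet and one that omits the property entirely.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "DocDbInstanceGood": {
      "Type": "AWS::DocDB::DBInstance",
      "Properties": {
        "AutoMinorVersionUpgrade": true,
        "CACertificateIdentifier": "rds-ca-rsa4096-g1",
        "DBClusterIdentifier": {"Ref": "DocDbCluster"},
        "DBInstanceClass": "db.r5.large"
      }
    },
    "DocDbInstanceMissingCa": {
      "Type": "AWS::DocDB::DBInstance",
      "Properties": {
        "DBClusterIdentifier": {"Ref": "DocDbCluster"},
        "DBInstanceClass": "db.r5.large"
      }
    },
    "DocDbCluster": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {}
    }
  }
}
""")


if __name__ == "__main__":
    # Exit non-zero when any instance is non-compliant, so it can gate a deploy.
    results = audit_ca_certificates(SAMPLE_TEMPLATE)
    for logical_id, finding in results.items():
        print(f"{logical_id}: {finding or 'OK'}")
    raise SystemExit(1 if noncompliant_instances(SAMPLE_TEMPLATE) else 0)
```

To use it against real output, load each `*.template.json` produced by `cdk synth` in place of `SAMPLE_TEMPLATE`; the non-zero exit makes it usable as a CI gate alongside the integration tests.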