
RDS root certificates must be updated by 3/5/2020 #48

Closed
gramidt opened this issue Oct 11, 2019 · 5 comments

Comments

@gramidt
Contributor

gramidt commented Oct 11, 2019

Problem: RDS root certificates will be required to be updated from rds-ca-2015 to rds-ca-2019 by 3/5/2020.

Solution: Update the root certificate used for spinning up RDS via Terraform and update the root certificate located in

const RDSRootCert = `-----BEGIN CERTIFICATE-----

Note: I will be happy to implement this change once we agree on the process for doing so.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

@gramidt gramidt changed the title RDS root certificates must be changed by 3/5/2020 RDS root certificates must be updated by 3/5/2020 Oct 11, 2019
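The issue above is about the root certificate embedded in the `RDSRootCert` constant: a client that pins that root will stop verifying RDS server certificates once AWS issues them from a root the client does not hold, and a pinned root that is allowed to expire fails in the same way. The following Go program is an added example, not code from the control-tower project or from AWS. It constructs two throwaway CA certificates in memory as stand-ins for the old and new RDS roots (the real `rds-ca-2019` PEM is not included), parses a PEM root the way an `RDSRootCert` constant would be consumed, reports the root's expiry so it can be alerted on, and shows verification succeeding against the matching root and failing against the stale one. The hostname `db.example.internal` and all certificate names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl signed by parent/parentKey; when parent
// is nil the certificate is self-signed. Only used to build constructed test certs.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// rootTemplate is a constructed stand-in for an RDS root such as rds-ca-2019;
// it is not the real AWS certificate.
func rootTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// ToPEM renders a certificate the way it is embedded in a constant like RDSRootCert.
func ToPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// RootPool parses an embedded PEM root into a pool and also returns the root's
// NotAfter date, so a deployment can alert before its pinned root ages out.
func RootPool(rootPEM string) (*x509.CertPool, time.Time, error) {
	block, _ := pem.Decode([]byte(rootPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, time.Time{}, fmt.Errorf("no CERTIFICATE block in embedded root")
	}
	root, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, time.Time{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return pool, root.NotAfter, nil
}

// VerifyServer checks that a server certificate chains to the pinned root and is
// valid for host; this is the check tls.Config{RootCAs: pool} performs on connect.
func VerifyServer(server *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RotationDemo issues a server certificate from the constructed "new" root and
// reports whether verification succeeds when the client pins the new root and
// when it still pins the old one: (okWithNewRoot, okWithOldRoot).
func RotationDemo() (bool, bool, error) {
	const host = "db.example.internal" // constructed hostname
	oldRoot, _, err1 := issue(rootTemplate("old-root (constructed)", 1), nil, nil)
	newRoot, newKey, err2 := issue(rootTemplate("new-root (constructed)", 2), nil, nil)
	if err1 != nil || err2 != nil {
		return false, false, fmt.Errorf("root generation failed: %v %v", err1, err2)
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, newRoot, newKey)
	if err != nil {
		return false, false, err
	}
	poolNew, _, err1 := RootPool(ToPEM(newRoot))
	poolOld, _, err2 := RootPool(ToPEM(oldRoot))
	if err1 != nil || err2 != nil {
		return false, false, fmt.Errorf("pool construction failed: %v %v", err1, err2)
	}
	return VerifyServer(leaf, poolNew, host) == nil, VerifyServer(leaf, poolOld, host) == nil, nil
}

func main() {
	okNew, okOld, err := RotationDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pinned new root: verified=%v; pinned old root: verified=%v\n", okNew, okOld)
}
```

In a real deployment the PEM passed to `RootPool` would be the `RDSRootCert` constant and the resulting pool would go into `tls.Config.RootCAs` for the database connection; the returned expiry is the value to compare against a warning threshold so the next rotation is noticed before the deadline rather than after connections start failing.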
@irbekrm
Contributor

irbekrm commented Nov 4, 2019

Hey @gramidt, thank you very much for raising this issue, this is much appreciated.

At the moment we are creating the RDS database using Terraform here and by default AWS RDS instances are still created with the old cert (as described in the docs you linked).
I see that there is some work in progress towards adding an extra argument to the aws_db_instance Terraform resource that will allow specifying which AWS certificate to use (hashicorp/terraform-provider-aws#10490). Using this argument seems like a good way to test creation of databases with the new certificate before it becomes the default.

Then we will probably need to have a discussion about how to test this, especially on existing control-tower deployments with the old certificate.

@irbekrm
Contributor

irbekrm commented Nov 18, 2019

I have added a story in our backlog to update the cert.

@DanielJonesEB
Contributor

Thanks for raising this @gramidt, I'd been dutifully ignoring the many emails from AWS :)

Fixed in ee3dbde, now working on cutting a release.

@gramidt
Contributor Author

gramidt commented Jan 11, 2020

Thank you so much, @irbekrm and @DanielJonesEB!

I apologize for the delayed response, but I am very glad you two were able to get this resolved.

Have a great rest of your weekend!

@irbekrm
Contributor

irbekrm commented Jul 21, 2020

Closing this as it has now been resolved.

Thanks for your help, @gramidt!
