
chore(integ): use new RDS CA certificate for DocDB instances #1182

Closed
wants to merge 1 commit into from

Conversation


@jericht jericht commented Jan 17, 2024

Notes

The RDS CA certificate used by DocDB instances deployed by RFDK is expiring in August 2024. See https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html

This PR changes the DocDB instances deployed by our integration tests to use the newer RDS CA certificate. We still need to do this for RFDK itself in a future PR.

Testing

  • Ran the integration tests in my account and verified the CFN templates had the AWS::DocDB::DBInstance.CACertificateIdentifier property set to the newer certificate ID rds-ca-rsa4096-g1
  • Also verified in the AWS console that the DB instance was using the newer RDS CA certificate.

Example CFN template snippet:

  "StorageStruct1RepositoryDocumentDatabaseInstance1670329EE": {
   "Type": "AWS::DocDB::DBInstance",
   "Properties": {
    "AutoMinorVersionUpgrade": true,
    "CACertificateIdentifier": "rds-ca-rsa4096-g1",
    "DBClusterIdentifier": {
     "Ref": "StorageStruct1RepositoryDocumentDatabase8BA714C4"
    },
    "DBInstanceClass": "db.r5.large",
    "Tags": [
     {
      "Key": "aws-rfdk",
      "Value": "1.3.0:Repository"
     }
    ]
   },
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "RFDKInteg-DL-ComponentTier1705531747651705277/StorageStruct1/Repository/DocumentDatabase/Instance1"
   }
  }

AWS Console screenshot showing CA cert is applied:
[screenshot not reproduced here]


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
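The PR verifies the change by reading the synthesized CloudFormation template by hand. The same check can be automated against `cdk synth` output: walk every `AWS::DocDB::DBInstance` resource and flag any whose `CACertificateIdentifier` is unset (so the service default CA applies) or set to something other than the intended CA. The following is an added example written for this page, not RFDK's own code or the author's test; the second DocDB instance and the cluster in the sample template are constructed and hypothetical, while the first instance is the snippet quoted in the PR description.

```typescript
// Added example (not RFDK code): audit a synthesized CloudFormation template
// for AWS::DocDB::DBInstance resources that do not pin the expected RDS CA.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

// One DocDB instance that is unset or pinned to a different CA than expected.
interface CaFinding {
  logicalId: string;
  actual: string | undefined;
}

// The CA identifier this PR moves the integration tests to.
const EXPECTED_CA = 'rds-ca-rsa4096-g1';

function auditDocDbCaCertificates(template: CfnTemplate, expected: string = EXPECTED_CA): CaFinding[] {
  const findings: CaFinding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::DocDB::DBInstance') continue;
    const actual = res.Properties ? res.Properties['CACertificateIdentifier'] : undefined;
    // An absent property leaves the instance on the service default CA, which is
    // exactly what this PR is moving away from, so treat "unset" as a finding too.
    if (typeof actual !== 'string' || actual !== expected) {
      findings.push({ logicalId, actual: typeof actual === 'string' ? actual : undefined });
    }
  }
  return findings;
}

function formatFindings(findings: CaFinding[], expected: string = EXPECTED_CA): string[] {
  return findings.map(f =>
    `${f.logicalId}: CACertificateIdentifier is ${f.actual ?? 'unset'}, expected ${expected}`);
}

// Constructed sample template: the instance from the PR description (already pinned
// to the new CA), a hypothetical second instance with no CACertificateIdentifier,
// and an unrelated resource that the audit must skip.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    StorageStruct1RepositoryDocumentDatabaseInstance1670329EE: {
      Type: 'AWS::DocDB::DBInstance',
      Properties: {
        AutoMinorVersionUpgrade: true,
        CACertificateIdentifier: 'rds-ca-rsa4096-g1',
        DBClusterIdentifier: { Ref: 'StorageStruct1RepositoryDocumentDatabase8BA714C4' },
        DBInstanceClass: 'db.r5.large',
      },
    },
    HypotheticalDocDbInstance2: {
      Type: 'AWS::DocDB::DBInstance',
      Properties: {
        DBClusterIdentifier: { Ref: 'StorageStruct1RepositoryDocumentDatabase8BA714C4' },
        DBInstanceClass: 'db.r5.large',
      },
    },
    HypotheticalDocDbCluster: {
      Type: 'AWS::DocDB::DBCluster',
      Properties: { StorageEncrypted: true },
    },
  },
};

// Usage: run the audit over the constructed template and report each finding.
for (const line of formatFindings(auditDocDbCaCertificates(SAMPLE_TEMPLATE))) {
  console.log(line);
}
```

Pointed at real `cdk synth` output (`cdk.out/*.template.json`), this is the kind of assertion that belongs in the integration test itself, so a regression back to the default CA fails the build rather than surfacing only when the old CA expires. Note that it only checks the server side; as the review thread below points out, clients also need a trust store that contains the new CA before the switch is safe.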

@jericht jericht force-pushed the jericht/integ_rds_ca branch from e2456b1 to d1e1956 January 17, 2024 23:08
@jericht jericht marked this pull request as ready for review January 17, 2024 23:13
@jericht jericht changed the title chore(integ): use new RDS CA ceritifacate for DocDB instances chore(integ): use new RDS CA certificate for DocDB instances Jan 17, 2024
@jericht jericht force-pushed the jericht/integ_rds_ca branch from d1e1956 to 8174374 January 17, 2024 23:15
@ddneilson ddneilson left a comment

@jusiskin

Have you tried running the integration tests with this change? I'd expect any of them using DocumentDB to fail because Deadline 10 does not provide a CA trust store with the new CA certificate yet.

@jericht

jericht commented Jan 29, 2024

Have you tried running the integration tests with this change? I'd expect any of them using DocumentDB to fail because Deadline 10 does not provide a CA trust store with the new CA certificate yet.

Yes, the repository tests failed due to this. We'll need to wait until a new Deadline release is made with the new CA certificate before merging this.

@jericht jericht changed the title chore(integ): use new RDS CA certificate for DocDB instances Draft: chore(integ): use new RDS CA certificate for DocDB instances Jan 29, 2024
@jericht jericht changed the title Draft: chore(integ): use new RDS CA certificate for DocDB instances chore(integ): use new RDS CA certificate for DocDB instances Jan 29, 2024
@jericht jericht marked this pull request as draft January 29, 2024 18:03
@jericht jericht closed this Dec 10, 2024
@jericht jericht deleted the jericht/integ_rds_ca branch December 10, 2024 17:34