
Terraform RDS - Does not support updating - ca_cert_identifier #10417

Closed
mchhatani opened this issue Oct 7, 2019 · 26 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/rds Issues and PRs that pertain to the rds service.
Comments

@mchhatani

mchhatani commented Oct 7, 2019

Hello Team,

We recently received communication from AWS to change the RDS SSL/TLS certificate from "rds-ca-2015" to "rds-ca-2019" and this value is exported in parameter "ca_cert_identifier" in TF.

While setting/overriding this parameter in TF, we get the below error:
"module.ci.aws_db_instance.postgres-rds: "ca_cert_identifier": this field cannot be set"

We are using version 2.31.0 of the TF aws provider.

We can change this value using awscli, aws console and via boto3.

Please confirm if this is supported by TF or not.

Any help/answer would be greatly appreciated.

Regards,
Mukesh

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 7, 2019
@simonmaass

same problem!

@VitaliiH

VitaliiH commented Oct 9, 2019

The same here, using version v0.11.11

@fhambrec

fhambrec commented Oct 9, 2019

Same problem here, using Terraform aws provider v.2.26

@kppullin
Contributor

kppullin commented Oct 9, 2019

There's a PR for this feature here: #10100

@zboni-gpsw

Our AWS account will start provisioning the new CA on Nov 1, 2019. Need to get ahead of that :)

@martinssipenko
Contributor

Another PR: #10490

@ckuehl

ckuehl commented Oct 15, 2019

I believe a similar change is also needed to the aws_rds_cluster_instance resource for Aurora users.

@luisrussi1

I have the same issue using the resource "aws_rds_cluster_instance". I'm using Terraform 0.11.14.

@jjs100

jjs100 commented Oct 17, 2019

Any update regarding this, as I have same requirement?

@wbotelhos

Same problem with Terraform v0.12.11:

Error: "ca_cert_identifier": this field cannot be set

@bish0polis

It can't be as easy as dropping an 'Optional: true,' into resource_aws_db_instance.go near line 426 , can it?

@martinssipenko
Contributor

For non-Aurora RDS (aws_db_instance resources) we need to wait till #10490 gets merged and released; in the meantime this setting can be manually updated in AWS RDS without causing any issues with Terraform state.

For Aurora (aws_rds_cluster resources) a similar change needs to be implemented in a different pull request.

@sathish-shettyc

sathish-shettyc commented Oct 21, 2019

@mchhatani @luisrussi1 You can use the below snippet; it may help you.
Note: set the aws profile in your shell first: export AWS_PROFILE=<your profile>

#!/bin/bash

# Instance identifiers to rotate; edit to match your account.
declare -a arr=( "loyalty" "marketing" "customer" )
for i in "${arr[@]}"
do
  echo "$i"
  aws rds modify-db-instance --db-instance-identifier "$i" --ca-certificate-identifier rds-ca-2019 --apply-immediately
done

@sparkcodeuk

> declare -a arr=( "loyalty_uat" "loyalty_dev" "loyalty_preprod" )
> ...

In practice, you wouldn't want to apply this change to all environments at the same time as you seem to be doing above. Apply and test each environment in turn to ensure you don't have an unexpected outage.

Also for clusters you care about with multiple instances you'll want to upgrade & manage them accordingly to ensure no production site outages.

This change shouldn't matter, but it's always worth performing a DB snapshot before making any changes as well.
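The script a few comments up rotates every listed instance in one pass. Below is an added example (not code from this thread or from the provider) that plans the same rotation the way the reply above recommends: it first checks which instances are still on the old CA, orders the work by environment, takes a snapshot before each change, and rotates cluster members one at a time with a wait in between. It assumes the DescribeDBInstances response shape (DBInstances entries with DBInstanceIdentifier, CACertificateIdentifier, an optional DBClusterIdentifier and a TagList carrying an "env" tag) and the boto3 RDS client method names; the sample response, identifiers and tag values are constructed.

```python
"""Staged RDS CA rotation planner (added example, assumes the boto3 RDS API).

Finds instances whose server certificate is not yet issued by the target CA
and orders the work: lower environments first, a snapshot before each change,
cluster members one at a time. The sample response below is constructed.
"""

TARGET_CA = "rds-ca-2019"
ENV_ORDER = ("dev", "uat", "preprod", "prod")  # least to most critical

# Constructed sample of a describe-db-instances response (made-up names).
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "loyalty-dev", "CACertificateIdentifier": "rds-ca-2015",
         "TagList": [{"Key": "env", "Value": "dev"}]},
        {"DBInstanceIdentifier": "loyalty-uat", "CACertificateIdentifier": "rds-ca-2019",
         "TagList": [{"Key": "env", "Value": "uat"}]},
        {"DBInstanceIdentifier": "loyalty-prod", "CACertificateIdentifier": "rds-ca-2015",
         "TagList": [{"Key": "env", "Value": "prod"}]},
        {"DBInstanceIdentifier": "aurora-prod-1", "CACertificateIdentifier": "rds-ca-2015",
         "DBClusterIdentifier": "aurora-prod", "TagList": [{"Key": "env", "Value": "prod"}]},
        {"DBInstanceIdentifier": "aurora-prod-2", "CACertificateIdentifier": "rds-ca-2015",
         "DBClusterIdentifier": "aurora-prod", "TagList": [{"Key": "env", "Value": "prod"}]},
    ]
}


def env_of(instance):
    """Environment from the 'env' tag (assumed convention); untagged goes last."""
    for tag in instance.get("TagList", []):
        if tag["Key"] == "env":
            return tag["Value"]
    return "untagged"


def stale_instances(response, target=TARGET_CA):
    """Instances not yet on the target CA: the check to run before and after."""
    return [i for i in response["DBInstances"]
            if i.get("CACertificateIdentifier") != target]


def rotation_plan(response, target=TARGET_CA, env_order=ENV_ORDER):
    """Return (action, env, identifier) steps: environments in env_order,
    snapshot before modify, and a wait after each instance so two members
    of one cluster are never rotated at the same time."""
    by_env = {}
    for inst in stale_instances(response, target):
        by_env.setdefault(env_of(inst), []).append(inst)
    rank = {e: n for n, e in enumerate(env_order)}
    steps = []
    for env in sorted(by_env, key=lambda e: rank.get(e, len(rank))):
        snapshotted_clusters = set()
        for inst in sorted(by_env[env], key=lambda i: i["DBInstanceIdentifier"]):
            ident = inst["DBInstanceIdentifier"]
            cluster = inst.get("DBClusterIdentifier")
            if cluster is None:
                steps.append(("create-db-snapshot", env, ident))
            elif cluster not in snapshotted_clusters:
                # Aurora storage is shared, so one cluster snapshot covers all members.
                steps.append(("create-db-cluster-snapshot", env, cluster))
                snapshotted_clusters.add(cluster)
            steps.append(("modify-db-instance", env, ident))
            steps.append(("wait-db-instance-available", env, ident))
    return steps


def fetch_response(rds):
    """Collect every page of describe_db_instances from a boto3 RDS client."""
    instances = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return {"DBInstances": instances}


def apply_step(rds, step, target=TARGET_CA, suffix="pre-ca-rotation"):
    """Execute one plan step against a boto3 RDS client."""
    action, _env, ident = step
    if action == "create-db-snapshot":
        rds.create_db_snapshot(DBSnapshotIdentifier=f"{ident}-{suffix}",
                               DBInstanceIdentifier=ident)
        rds.get_waiter("db_snapshot_completed").wait(DBSnapshotIdentifier=f"{ident}-{suffix}")
    elif action == "create-db-cluster-snapshot":
        rds.create_db_cluster_snapshot(DBClusterSnapshotIdentifier=f"{ident}-{suffix}",
                                       DBClusterIdentifier=ident)
        rds.get_waiter("db_cluster_snapshot_available").wait(
            DBClusterSnapshotIdentifier=f"{ident}-{suffix}")
    elif action == "modify-db-instance":
        # ApplyImmediately: otherwise the change waits for the maintenance window.
        rds.modify_db_instance(DBInstanceIdentifier=ident,
                               CACertificateIdentifier=target, ApplyImmediately=True)
    elif action == "wait-db-instance-available":
        rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=ident)


if __name__ == "__main__":
    # Dry run on the constructed sample. For a real account, build the response
    # with fetch_response(boto3.client("rds")) and loop apply_step over the plan.
    for action, env, ident in rotation_plan(SAMPLE_RESPONSE):
        print(f"[{env}] {action} {ident}")
```

Running the dry run prints the dev instance first, then the prod cluster snapshot followed by its two members in turn, then the standalone prod instance; `stale_instances` is also the post-rotation check, which should return an empty list once every instance reports the target CA.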

@sathish-shettyc

> declare -a arr=( "loyalty_uat" "loyalty_dev" "loyalty_preprod" )
> ...
>
> In practice, you wouldn't want to apply this change to all environments at the same time as you seem to be doing above. Apply and test each environment in turn to ensure you don't have an unexpected outage.
>
> Also for clusters you care about with multiple instances you'll want to upgrade & manage them accordingly to ensure no production site outages.
>
> This change shouldn't matter, but it's always worth performing a DB snapshot before making any changes as well.

Yes. I was just trying to hide my RDS name, that's why I put a name with environment. This one won't work with clusters, since I used it in my non-prod env. I thought it would help someone.

@musha68k

musha68k commented Oct 30, 2019

Who is maintaining this provider? It's time for AMZN to finally embrace the fact that they have competition now. I'm not even mad at hashicorp - 2020 won't be the year of CloudFormation either.

So my message to the AMZN RDS team: Thanks for making us update our infrastructure to enhance security. Please also secure some of those sweet corporate profit$ in order to put more people on contributing and maintaining your AWS (RDS) terraform providers.

Every systems person I know is talking about alternative cloud providers already. Disregarding the significance of terraform actually exacerbates this dynamic. 💩🙈

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/rds Issues and PRs that pertain to the rds service. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 15, 2019
@bflad bflad added this to the v2.37.0 milestone Nov 15, 2019
@bflad
Contributor

bflad commented Nov 15, 2019

Support for the new ca_cert_identifier argument in the aws_db_instance resource has been merged and will release in version 2.37.0 of the Terraform AWS Provider by Thursday next week. Thanks to @sunilkumarmohanty for the implementation. 👍

@bflad bflad closed this as completed Nov 15, 2019
@ghost

ghost commented Nov 18, 2019

This has been released in version 2.37.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@WarrEagle

> Who is maintaining this provider? It's time for AMZN to finally embrace the fact that they have competition now. I'm not even mad at hashicorp - 2020 won't be the year of CloudFormation either.
>
> So my message to the AMZN RDS team: Thanks for making us update our infrastructure to enhance security. Please also secure some of those sweet corporate profit$ in order to put more people on contributing and maintaining your AWS (RDS) terraform providers.
>
> Every systems person I know is talking about alternative cloud providers already. Disregarding the significance of terraform actually exacerbates this dynamic. 💩🙈

Pretty sure AWS does NOT maintain the Terraform AWS provider.

@nhnicwaller

PSA: Acceptable values for ca_cert_identifier seem to be:

  • rds-ca-2015
  • rds-ca-2019

Also I had to set apply_immediately = true otherwise Terraform just kept attempting to make a change without ever really accomplishing anything. The stack stayed dirty after running apply unless I turned on apply_immediately.

I had trouble finding this in the Terraform provider documentation but found my answer in the RDS certificate rotation guide.

@bish0polis

> I had to set apply_immediately = true otherwise Terraform just kept attempting to make a change

Your hard work can save so many people time, but you need to store it somewhere they'll look for it in 1, 3, 9 months from now.

Can you update the documentation and clean up the parts where you got stuck?

@musha68k

musha68k commented Dec 3, 2019

> Pretty sure AWS does NOT maintain the Terraform AWS provider.

Which was exactly my point - one of the richest companies in the world - the largest cloud provider really, is also an open-source leech.

Thanks to the Hashicorp/Terraform community for fixing this though 👍

@sparkcodeuk

You could argue that Hashicorp/Terraform is a direct competitor to tech like Cloudformation; so why would they put time & resource into helping the project?

@drpebcak

drpebcak commented Dec 3, 2019

Because it's a super popular tool that helps people use AWS?

@lyenliang

lyenliang commented Dec 4, 2019

I'm using Terraform v0.12.17 and provider.aws v2.40.0, but I still can't create a MySQL RDS with the certificate authority set to rds-ca-2019. Does anyone know why?

Here's my terraform script:

provider "aws" {
  region     = "ap-northeast-1"
  version    = "~> 2.40"    
}

resource "aws_db_instance" "test-ca-db" {
  instance_class       = "db.t3.micro"
  identifier           = "test-ca-db"
  snapshot_identifier  = "arn:aws:rds:ap-northeast-1:123456789123:snapshot:rds:my-snapshot"
  vpc_security_group_ids = ["sg-c98ejaq1","sg-06fue8sa4301cd064"]
  parameter_group_name = "my_group"
  publicly_accessible  = false
  password             = "1234abcd"
  skip_final_snapshot  = true
  storage_encrypted    = true
  ca_cert_identifier   = "rds-ca-2019"
}

@ghost

ghost commented Mar 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 28, 2020