(RDS): Support RDS certificate authority #26865

Closed
1 of 2 tasks
HaaLeo opened this issue Aug 24, 2023 · 16 comments · Fixed by #26883 or #27138
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md needs-review p1

Comments

@HaaLeo
Copy link

HaaLeo commented Aug 24, 2023

Latest Update from CDK Team:

Still missing support for reader/writers on cluster. See:
#26865 (comment)

Describe the feature

Since CloudFormation supports changing the RDS certificate authority, CDK should do so as well. aws-cloudformation/cloudformation-coverage-roadmap#211.

Use Case

My current CA is rds-ca-2019 and I need to change it. All our AWS resources are scripted as IaC. Therefore, I do not want to change that via the AWS Console but use CDK instead.

Proposed Solution

Add a property supporting the CA

Other Information

To contribute a PR for this I would probably need some guidance, since this would be my first contribution to the CDK repository.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.91.0

Environment details (OS name and version, etc.)

macOS 13.5.1

@HaaLeo HaaLeo added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 24, 2023
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Aug 24, 2023
@pahud
Copy link
Contributor

pahud commented Aug 24, 2023

Awesome! Looks like cfnspec already supports CACertificateIdentifier. We can create a PR to expose this to the surface or just addPropertyOverride before that.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Aug 24, 2023
@robertd
Copy link
Contributor

robertd commented Aug 25, 2023

@HaaLeo Perfect timing... I just received an email from AWS on this topic this morning...

Hello,

You are receiving this message because your AWS Account has one or more Amazon RDS, or Amazon Aurora database instances in the US-WEST-2 Region using an SSL/TLS Certificate that is expiring on August 22, 2024.

If your applications connect to these instances using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol, you will need to take action before August 22, 2024 to prevent connectivity failures to your existing database instances.

To protect your communications with your database instances, a Certificate Authority (CA) generates time-bound certificates that are checked by your database client software to authenticate any database instance before exchanging information. Following industry best practices, AWS renews the CA and creates new certificates on a routine basis to ensure customer connections are properly protected for years to come. The current CA in US-WEST-2 will expire on August 22, 2024. Before this date you will need to first add new CA certificates to the trust stores in your client applications and then update the certificates on your database instances to the latest issued version.

For detailed instructions on how to perform these updates please see the Amazon RDS instances [1] and Amazon Aurora instances [2] documentation.

The ca-certificate-identifier option on the create-db-instance API is available for you to create a DB instance with a specific CA. For more information, see the create-db-instance API documentation [3].

A modify-certificates API is also available that will allow you to temporarily override the default CA on newly created database instances to either the old or new CA. This override will only apply while the CA you are overriding to is valid. To use this API you will need to be running the AWS CLI version 1.17 or later. For more information see the modify-certificates API documentation [4].

I was about to whip up a PR for it but @lpizzinidev is already on top of it. Gotta love open source <3 :D
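The notice quoted above prescribes an order: first put the new CA in every client trust store, then move the database instances to it. As an added example (not code from the aws-cdk project or from anyone in this thread), here is that procedure expressed as a planner you can run over the JSON from `aws rds describe-db-instances` and `aws rds describe-certificates` before touching any instance. It refuses to emit a change until the replacement CA is in the client trust set, and it plans per instance because the CA is an instance-level property (which is also why Aurora cluster members are handled one by one). The CA preference order, the horizon values, and all sample instances, identifiers and dates below are assumptions constructed for the example.

```typescript
// Added example, not aws-cdk code. Models the AWS notice's two-step CA
// rotation: clients trust the new CA first, then instances move to it.
// All input is constructed sample data shaped like the AWS CLI output of
// `aws rds describe-db-instances` and `aws rds describe-certificates`.

interface DbInstance {
  DBInstanceIdentifier: string;
  DBClusterIdentifier?: string; // set for Aurora cluster members
  Engine: string;
  CACertificateIdentifier: string;
}

interface CaCertificate {
  CertificateIdentifier: string;
  ValidTill: string; // ISO-8601 timestamp, as the API returns it
}

interface RotationStep {
  instance: string;
  from: string;
  to: string;
  command: string;
}

interface RotationPlan {
  steps: RotationStep[];
  blocked: string[]; // reasons an expiring instance could not be planned
}

// Preference order is an assumption of this example, not an AWS rule.
const PREFERRED_CAS = ['rds-ca-rsa2048-g1', 'rds-ca-ecc384-g1', 'rds-ca-rsa4096-g1'];
const DAY_MS = 24 * 60 * 60 * 1000;

// First preferred CA that the region offers, stays valid for at least
// `minDays`, and is already trusted by every client (the notice's step 1).
function chooseTargetCa(
  offered: CaCertificate[],
  clientTrusted: Set<string>,
  now: Date,
  minDays = 365,
): string | undefined {
  const cutoff = now.getTime() + minDays * DAY_MS;
  for (const id of PREFERRED_CAS) {
    const cert = offered.find((c) => c.CertificateIdentifier === id);
    if (cert === undefined || Date.parse(cert.ValidTill) < cutoff) continue;
    if (!clientTrusted.has(id)) continue;
    return id;
  }
  return undefined;
}

// Plan a CA change for every instance whose current CA expires within
// `horizonDays` (or is no longer listed by the region at all).
function planRotation(
  instances: DbInstance[],
  offered: CaCertificate[],
  clientTrusted: Set<string>,
  now: Date,
  horizonDays = 90,
): RotationPlan {
  const plan: RotationPlan = { steps: [], blocked: [] };
  const validTill = new Map(
    offered.map((c): [string, number] => [c.CertificateIdentifier, Date.parse(c.ValidTill)]),
  );
  const horizon = now.getTime() + horizonDays * DAY_MS;
  const target = chooseTargetCa(offered, clientTrusted, now);

  for (const inst of instances) {
    const current = inst.CACertificateIdentifier;
    const expiry = validTill.get(current);
    const expiring = expiry === undefined || expiry < horizon;
    if (!expiring || current === target) continue;
    if (target === undefined) {
      // Refusing here is the point: moving the server to a CA the clients
      // do not trust yet turns a planned rotation into an outage.
      plan.blocked.push(`${inst.DBInstanceIdentifier}: ${current} expires soon, but no replacement CA is both offered here and trusted by all clients`);
      continue;
    }
    // CA is per instance, so Aurora cluster members are changed one by one.
    plan.steps.push({
      instance: inst.DBInstanceIdentifier,
      from: current,
      to: target,
      command: `aws rds modify-db-instance --db-instance-identifier ${inst.DBInstanceIdentifier} --ca-certificate-identifier ${target} --no-apply-immediately`,
    });
  }
  return plan;
}

// Constructed sample data: identifiers and dates are illustrative only.
const SAMPLE_NOW = new Date('2024-06-15T00:00:00Z');
const SAMPLE_INSTANCES: DbInstance[] = [
  { DBInstanceIdentifier: 'orders-db', Engine: 'mysql', CACertificateIdentifier: 'rds-ca-2019' },
  { DBInstanceIdentifier: 'aurora-writer', DBClusterIdentifier: 'aurora-prod', Engine: 'aurora-mysql', CACertificateIdentifier: 'rds-ca-2019' },
  { DBInstanceIdentifier: 'aurora-reader', DBClusterIdentifier: 'aurora-prod', Engine: 'aurora-mysql', CACertificateIdentifier: 'rds-ca-rsa2048-g1' },
];
const SAMPLE_CERTIFICATES: CaCertificate[] = [
  { CertificateIdentifier: 'rds-ca-2019', ValidTill: '2024-08-22T17:08:50Z' },
  { CertificateIdentifier: 'rds-ca-rsa2048-g1', ValidTill: '2061-05-22T22:43:40Z' },
  { CertificateIdentifier: 'rds-ca-ecc384-g1', ValidTill: '2121-05-23T22:43:40Z' },
];

// Clients already trust the new CA: the two legacy instances get a command.
const ready = planRotation(SAMPLE_INSTANCES, SAMPLE_CERTIFICATES, new Set(['rds-ca-2019', 'rds-ca-rsa2048-g1']), SAMPLE_NOW);
// Clients still trust only the old CA: both are blocked, nothing is emitted.
const notReady = planRotation(SAMPLE_INSTANCES, SAMPLE_CERTIFICATES, new Set(['rds-ca-2019']), SAMPLE_NOW);
console.log(JSON.stringify({ ready, notReady }, null, 2));
```

Feed it the real output of the two CLI calls plus the set of CA identifiers your client bundles actually contain. The emitted commands use `--no-apply-immediately` so the change lands in the maintenance window; whether a given engine restarts when its CA changes is documented by AWS per engine and is not modelled here.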

lpizzinidev added a commit to lpizzinidev/aws-cdk that referenced this issue Aug 26, 2023
mrgrain added a commit to lpizzinidev/aws-cdk that referenced this issue Aug 28, 2023
mergify bot added a commit to lpizzinidev/aws-cdk that referenced this issue Aug 28, 2023
mergify bot added a commit to lpizzinidev/aws-cdk that referenced this issue Aug 28, 2023
@mergify mergify bot closed this as completed in #26883 Aug 28, 2023
mergify bot pushed a commit that referenced this issue Aug 28, 2023
Exposes the `caCertificateIdentifier` property for an RDS instance to allow specifying a custom CA identifier using the `CertificateIdentifier` enum.

Usage:
```
new rds.DatabaseInstance(stack, 'Instance', {
  engine: rds.DatabaseInstanceEngine.mysql({ version: rds.MysqlEngineVersion.VER_8_0_30 }),
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.SMALL),
  vpc,
  caCertificate: rds.CaCertificate.RDS_CA_RSA2048_G1,
});
```

Closes #26865.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

@amine-mf
Copy link
Contributor

amine-mf commented Sep 6, 2023

This does not seem to take into account DBClusters, or am I wrong? Any plans on supporting it?

@gabrielbryk
Copy link

> This does not seem to take into account DBClusters, or am I wrong? Any plans on supporting it?

Why was this issue closed? I'm having the same issue, does the above "solution" have a way to be implemented using DBClusters?

@mrgrain mrgrain reopened this Sep 10, 2023
@mrgrain
Copy link
Contributor

mrgrain commented Sep 10, 2023

> This does not seem to take into account DBClusters, or am I wrong? Any plans on supporting it?

> Why was this issue closed? I'm having the same issue, does the above "solution" have a way to be implemented using DBClusters?

It just got missed that this needs adding to two resources! Thanks for the call out!

@kabo
Copy link

kabo commented Sep 10, 2023

So once clusters are supported this should work?

```
const db = new DatabaseCluster(this, 'DB', {
  vpc,
  engine: DatabaseClusterEngine.auroraMysql({ version: AuroraMysqlEngineVersion.VER_3_02_0 }),
  defaultDatabaseName: 'mydb',
  ...
  serverlessV2MinCapacity: 0.5,
  serverlessV2MaxCapacity: 2,
  writer: ClusterInstance.serverlessV2('writer', {
    autoMinorVersionUpgrade: true,
    publiclyAccessible: false,
    caCertificate: CaCertificate.RDS_CA_ECC384_G1,
  }),
})
```

@gabrielbryk
Copy link

For now, is there a way to edit the CFN template directly using CDK? Something like:

```
// Directly access the underlying CloudFormation resource
const cfnCluster = this.cluster.node.defaultChild as CfnDBCluster;
cfnCluster.addOverride('Properties.CAIdentifier', 'rds-ca-rsa4096-g1');
```

@lpizzinidev
Copy link
Contributor

@mrgrain I don't see CaCertificateIdentifier as a supported property for AWS::RDS::DBCluster.
It probably needs to be exposed at the CFN level first to allow the CDK implementation.

@mrgrain
Copy link
Contributor

mrgrain commented Sep 11, 2023

@gabrielbryk @kabo @amine-mf I've checked the API docs for RDS Cluster [1] and the RDS user guide for Certificate authorities [2] and it appears this feature is not supported by RDS Clusters at the moment. Can you confirm if this is actually possible at the moment?

The AWS CDK relies on availability of features in AWS CloudFormation, so if the feature is not listed on the RDS::Cluster resource page [3], we won't be able to support it.

PS: Thanks @lpizzinidev !

[1] https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html
[2] https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.RegionCertificateAuthorities
[3] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html

@mrgrain mrgrain changed the title (RDS): Support RDS certificate authority (RDS): Support RDS Instance certificate authority Sep 11, 2023
@mrgrain
Copy link
Contributor

mrgrain commented Sep 11, 2023

Updated the title of the issue to make it more clear this is only about RDS Instances.
If you need support for any other resources, please open a new issue once the feature is available in CloudFormation.

@azatoth
Copy link
Contributor

azatoth commented Sep 11, 2023

> Updated the title of the issue to make it more clear this is only about RDS Instances. If you need support for any other resources, please open a new issue once the feature is available in CloudFormation.

Do you know how we can induce relevant entities to add the feature to CloudFormation?

@robertd
Copy link
Contributor

robertd commented Sep 11, 2023 via email

@mrgrain
Copy link
Contributor

mrgrain commented Sep 11, 2023

So I guess a cluster itself doesn't really need that prop, but it needs to be passed through to the instances it creates. Like it does for DBClusterInstanceClass. I've asked the internal team what their recommendation is. Other than that, there's the CFN Roadmap and if you have account managers, you can talk to them.

@mrgrain
Copy link
Contributor

mrgrain commented Sep 12, 2023

Figured it out. Thanks all for being persistent!

We have to add it to ClusterInstanceOptions and pipe it through to here
Usage would then look like this #26865 (comment)

Keeping this issue open.

@mrgrain mrgrain changed the title (RDS): Support RDS Instance certificate authority (RDS): Support RDS certificate authority Sep 12, 2023
@mrgrain mrgrain added p1 effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md needs-review and removed p2 effort/medium Medium work item – several days of effort labels Sep 13, 2023
mrgrain added a commit to lpizzinidev/aws-cdk that referenced this issue Sep 18, 2023
@mergify mergify bot closed this as completed in #27138 Sep 18, 2023
mergify bot pushed a commit that referenced this issue Sep 18, 2023
Exposes the `caCertificate` property for an RDS cluster instance to allow specifying a custom CA identifier using the `CaCertificate` class.

Usage:
```
new rds.DatabaseCluster(this, 'Database', {
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_01_0 }),
  writer: rds.ClusterInstance.provisioned('writer', {
    caCertificate: rds.CaCertificate.RDS_CA_RSA2048_G1,
  }),
  readers: [
    rds.ClusterInstance.serverlessV2('reader', {
      caCertificate: rds.CaCertificate.of('custom-ca'),
    }),
  ],
  vpc,
});
```

Closes #26865.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

HBobertz pushed a commit that referenced this issue Sep 18, 2023
9 participants