AWS::RDS::DBInstance-Certificate Authority

[jvanbrunschot]

With the upcoming changes for the RDS CA (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) having the option to change this in CloudFormation would help a lot in migrating.

The same goes from AWS::RDS::Cluster (if applicable)

[rafaljanicki]

I believe that one becomes more and more important once we're getting closer to the end of the 2015 CA. Right now, every database created with CF has a wrong certificate assigned

[setheliot]

It is important now, and will be important every 5 years from now. Right now all new RDS are created with the wrong CA cert, and no means in CloudFormation to correct this

[ghost]

im sure you guys know ... but this is needed by no later than jan 2020 OR you are going to have a very large number of very upset customers.

[mexisd]

IMHO, having to make such change manually is an antipattern. We all know by know that infrastructure as a code is a very good thing and yet we take a step backwards now. In my team only, we have 24 databases across 3 staging and 3 production environments. That means we will have to make 144 manual changes or come up with a script.

AWS as a provider should be providing a way to make this change easy and Cloudformation is probably the best way. This change should not be pushed to the customers to deal with.

[gbonfiglio]

Right now, every database created with CF has a wrong certificate assigned

Agree, the issue of CloudFormation lacking support for RDS CA management is further exacerbated by the fact the default will still be the old CA until mid January.

[luiseduardocolon]

We understand the urgency here. The work is complete and we plan to start deploying it in the coming days.

[csanate]

Any updates on support for this in CF?

[vhadianto]

This blog post: https://aws.amazon.com/blogs/database/amazon-rds-customers-update-your-ssl-tls-certificates-by-february-5-2020/ mentioned that CFN support was added on the 20th of December 2019.

I couldn't find any example or documentation regarding how to incorporate this.

Anyone?

[luiseduardocolon]

Yes, the deployment of this change is complete, but the docs are not updated yet.

To make the change, use the following property in your CFN template: "CACertificateIdentifier" - it accepts a string.

It should have the same effect as this CLI call:

aws rds modify-db-instance --db-instance-identifier mydbinstance --ca-certificate-identifier rds-ca-2019 --apply-immediately

Docs should be updated soon. The full spec for the property, if your curious (again, docs are not updated yet):

"CACertificateIdentifier": {
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-cacertificateidentifier",
          "PrimitiveType": "String",
          "Required": false,
          "UpdateType": "Mutable"
}

[potibm]

This seems to work. Just we had to set the EngineVersion in Cloudformation for our Aurora MySQL cluster to the explizit version "5.7.12" (originally it was set to "5.7").

Otherwise we had the following error message: "The specified DB Instance is a member of a cluster. Modify the DB engine version for the DB Cluster using the ModifyDbCluster API" (using cloudformation deploy, though)

[PatMyron]

This isn't RDS-specific:

AWS::DocDB::DBInstance
AWS::Neptune::DBInstance

https://aws.amazon.com/blogs/aws/urgent-important-rotate-your-amazon-rds-aurora-and-documentdb-certificates/

[luiseduardocolon]

Update: I checked on docs today and they are still in progress, but things appear to be working. I'm keeping close tabs on this.

[aquam8]

The CFN linter for python will need to also be updated to support that new property.

It throws that error:
E3002 Invalid Property Resources/rdsDbInstance/Properties/CACertificateIdentifier

Thank you

[PatMyron]

@aquam8 @kirkhansen @garrettklatte CloudFormation Resource Specifications lag recent releases. Linter/Troposphere/etc pick up that property after it's added there

[toncid]

Using CACertificateIdentifier in CFN templates works, but it comes with a cost of introducing another drift result:

[rjlohan]

Folks, in case this comes up for anyone, you should be aware that the new CACertificateIdentifier property will not be honored if used in conjunction with DbSecurityGroups. This is documented but there may be different expectations; https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsecuritygroups

The workaround in this case is to make your certificate change through a direct API or Console action.

[jnlkds]

How are these two related? DBSecurityGroups and CACertificateIdentifier such that you can't set/use them at the same time. @rjlohan

[rjlohan]

How are these two related? DBSecurityGroups and CACertificateIdentifier such that you can't set/use them at the same time. @rjlohan

Nothing specifically, but DBSecurityGroups are an older model that's essentially being phased out as EC2-Classic moves to EC2-VPC (SEE: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithSecurityGroups.html)

How it relates here is that support for the older DBSecurityGroups setup and VPCSecurityGroups forks and we don't necessarily add new coverage support for the DBSecurityGroups path, per the documentation. It's an internal limitation of CloudFormation essentially, I'm just highlighting it here as it's relevant to this thread.

[luiseduardocolon]

This functionality is now available, and the docs indicate usage of the CACertificateIdentifier property. From a coverage perspective, this is complete. I will close this issue.