(RDS): Support RDS certificate authority #26865
Comments
Awesome! Looks like cfnspec already supports CACertificateIdentifier. We can create a PR to expose this to the surface or just addPropertyOverride before that.
@HaaLeo Perfect timing... I just received an email from AWS on this topic this morning...
I was about to whip up a PR for it but @lpizzinidev is already on top of it. Gotta love open source <3 :D
Exposes the `caCertificateIdentifier` property for an RDS instance to allow specifying a custom CA identifier using the `CertificateIdentifier` enum. Usage:

```
new DatabaseInstance(stack, 'Instance', {
  engine: DatabaseInstanceEngine.mysql({ version: rds.MysqlEngineVersion.VER_8_0_30 }),
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.SMALL),
  vpc,
  caCertificate: CaCertificate.RDS_CA_RSA2048_G1,
});
```

Closes #26865.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This does not seem to take into account DBClusters, or am I wrong? Any plans on supporting it?
Why was this issue closed? I'm having the same issue, does the above "solution" have a way to be implemented using DBClusters?
Just got missed that this needs adding to two resources! Thanks for the call out!
So once clusters are supported this should work?

```
const db = new DatabaseCluster(this, 'DB', {
  vpc,
  engine: DatabaseClusterEngine.auroraMysql({ version: AuroraMysqlEngineVersion.VER_3_02_0 }),
  defaultDatabaseName: 'mydb',
  ...
  serverlessV2MinCapacity: 0.5,
  serverlessV2MaxCapacity: 2,
  writer: ClusterInstance.serverlessV2('writer', {
    autoMinorVersionUpgrade: true,
    publiclyAccessible: false,
    caCertificate: CaCertificate.RDS_CA_ECC384_G1,
  }),
})
```
For now is there a way to edit the CFN template directly using CDK? Something like:
@mrgrain I don't see
@gabrielbryk @kabo @amine-mf I've checked the API docs for RDS Cluster [1] and the RDS user guide for Certificate authorities [2] and it appears this feature is not supported by RDS Clusters at the moment. Can you confirm if this is actually possible at the moment? The AWS CDK relies on availability of features in AWS CloudFormation, so if the feature is not listed on the RDS::Cluster resource page [3], we won't be able to support it. PS: Thanks @lpizzinidev ! [1] https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html
Updated the title of the issue to make it more clear this is only about RDS Instances. |
Do you know how we can induce relevant entities to add the feature to CloudFormation? |
The best thing is to submit an issue here
https://github.com/aws-cloudformation/cloudformation-coverage-roadmap, but
their backlog is huge.
On Mon, Sep 11, 2023 at 7:24 AM Carl Fürstenberg wrote:
Updated the title of the issue to make it more clear this is only about
RDS Instances. If you need support for any other resources, please open a
new issue once the feature is available in CloudFormation.
Do you know how we can induce relevant entities to add the feature to
CloudFormation?
So I guess a cluster itself doesn't really need that prop, but it needs to be passed through to the instances it creates. Like it does for
Figured it out. Thanks all for being persistent! We have to add it to ClusterInstanceOptions and pipe it through to here. Keeping this issue open.
Exposes the `caCertificate` property for an RDS cluster instance to allow specifying a custom CA identifier using the `CaCertificate` class. Usage:

```
new DatabaseCluster(this, 'Database', {
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_01_0 }),
  writer: rds.ClusterInstance.provisioned('writer', {
    caCertificate: rds.CaCertificate.RDS_CA_RSA2048_G1,
  }),
  readers: [
    rds.ClusterInstance.serverlessV2('reader', {
      caCertificate: rds.CaCertificate.of('custom-ca'),
    }),
  ],
  vpc,
});
```

Closes #26865.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Latest Update from CDK Team:
Still missing support for reader/writers on cluster. See:
#26865 (comment)
Describe the feature
Since CloudFormation supports changing the RDS certificate authority, CDK should do so as well. aws-cloudformation/cloudformation-coverage-roadmap#211.
Use Case
My current CA is rds-ca-2019 and I need to change it. All our AWS resources are scripted as IaC. Therefore, I do not want to change that via the AWS Console but use CDK instead.
Proposed Solution
Add a property supporting the CA
Other Information
To contribute a PR for this I probably would need some guidance since this would be my first contribution to the CDK repository.
Acknowledgements
CDK version used
2.91.0
Environment details (OS name and version, etc.)
macOS 13.5.1
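The two PR descriptions above expose `caCertificate`, which synthesizes to `CACertificateIdentifier` on `AWS::RDS::DBInstance`; as the thread concludes, `AWS::RDS::DBCluster` carries no such property, so cluster members must be checked one by one. The following is an added example, not code from the CDK project or from anyone in this thread: a post-synth audit of a CloudFormation template that flags instances still on the issue author's `rds-ca-2019` or with no CA set. The template, the approved-CA set and the function names are constructed for the example.

```typescript
// Added example (not CDK project code): audit a synthesized CloudFormation
// template for the RDS CA identifier each DB instance will present.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

// Assumed policy: the G1 CAs that replace rds-ca-2019 (identifiers as published by AWS).
const APPROVED_CAS = new Set(["rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1", "rds-ca-ecc384-g1"]);

interface CaFinding { logicalId: string; ca: string | undefined; reason: string }

// Only AWS::RDS::DBInstance has CACertificateIdentifier; a DBCluster resource
// is skipped and its writer/reader instances are audited like any other instance.
function auditRdsCa(template: CfnTemplate, approved: Set<string> = APPROVED_CAS): CaFinding[] {
  const findings: CaFinding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::RDS::DBInstance") continue;
    const ca = res.Properties?.CACertificateIdentifier;
    if (typeof ca !== "string") {
      findings.push({ logicalId, ca: undefined, reason: "CACertificateIdentifier not set; regional default CA applies" });
    } else if (!approved.has(ca)) {
      findings.push({ logicalId, ca, reason: `CA ${ca} is not in the approved set` });
    }
  }
  return findings;
}

// Constructed sample: one instance on the new property, one still on rds-ca-2019,
// and an Aurora cluster whose writer omits the property entirely.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    Instance: { Type: "AWS::RDS::DBInstance", Properties: { Engine: "mysql", CACertificateIdentifier: "rds-ca-rsa2048-g1" } },
    LegacyInstance: { Type: "AWS::RDS::DBInstance", Properties: { Engine: "postgres", CACertificateIdentifier: "rds-ca-2019" } },
    Database: { Type: "AWS::RDS::DBCluster", Properties: { Engine: "aurora-mysql" } },
    DatabaseWriter: { Type: "AWS::RDS::DBInstance", Properties: { DBClusterIdentifier: { Ref: "Database" }, Engine: "aurora-mysql" } },
  },
};

function runAudit(): CaFinding[] {
  const findings = auditRdsCa(SAMPLE_TEMPLATE);
  for (const f of findings) console.log(`${f.logicalId}: ${f.reason}`);
  return findings;
}
runAudit();
```

Run it against the output of `cdk synth` to confirm the new property actually landed on every instance, including cluster members, before deploying.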