Name of the resource

AWS::RDS::DBInstance

Resource Name

No response

Issue Description

AWS::RDS::DBInstance cannot be modified with replacing updates when CACertificateIdentifier and CertificateRotationRestart properties are implemented.

For example: Modifying instance class fails with:

Resource handler returned message: "CACertificateIdentifier is required to use the NoCertificateRotationRestart option.

Expected Behavior

Replacing updates to AWS::RDS::DBInstance should succeed, even with CACertificateIdentifier and CertificateRotationRestart properties defined.

Observed Behavior

Resource handler returned message: "CACertificateIdentifier is required to use the NoCertificateRotationRestart option.

ModifyDBInstance

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "xxxxxxxxxxxxxxx",
        "arn": "arn:aws:iam::000000000000:user/bob",
        "accountId": "000000000000",
        "accessKeyId": "xxxxxxxxxxxxxxx",
        "userName": "bob",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-10T06:22:39Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2023-07-10T06:22:47Z",
    "eventSource": "rds.amazonaws.com",
    "eventName": "ModifyDBInstance",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "InvalidParameterCombinationException",
    "errorMessage": "CACertificateIdentifier is required to use the NoCertificateRotationRestart option.",
    "requestParameters": {
        "dBInstanceIdentifier": "rds-instancec1063a87-xxxxxxxxxxxxxxx",
        "dBInstanceClass": "db.t3.medium",
        "applyImmediately": true,
        "allowMajorVersionUpgrade": false,
        "certificateRotationRestart": false
    },
    "responseElements": null,
    "requestID": "8de0ba93-04ea-4704-ba60-xxxxxxxxxxxxxxx",
    "eventID": "3fc7aa35-91e7-4267-9df6-xxxxxxxxxxxxxxx",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "000000000000",
    "eventCategory": "Management"
}

Test Cases

Create stack


# aws cloudformation deploy --stack-name rds --template-file template.yaml

Resources: ParameterGroup5E32DECB: Type: AWS::RDS::DBParameterGroup Properties: Description: Testing drift Family: postgres15 Parameters: shared_preload_libraries: pg_stat_statements track_activity_query_size: "4097" InstanceSubnetGroupF2CBA54F: Type: AWS::RDS::DBSubnetGroup Properties: DBSubnetGroupDescription: Subnet group for Instance database SubnetIds:

Fn::ImportValue: NetworkingStack:ExportsOutputRefMyVpcPrivateSubnet1SubnetA
Fn::ImportValue: NetworkingStack:ExportsOutputRefMyVpcPrivateSubnet1SubnetB
Fn::ImportValue: NetworkingStack:ExportsOutputRefMyVpcPrivateSubnet1SubnetC InstanceSecurityGroupB4E5FA83: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for Instance database SecurityGroupEgress:
CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: "-1" VpcId: Fn::ImportValue: NetworkingStack:ExportsOutputRefMyVpc RdsStackInstanceSecretB66363C13fdaad7efa858a3daf9490cf0a702aeb: Type: AWS::SecretsManager::Secret Properties: Description: Fn::Join:
- ""
- - "Generated by the CDK for stack: "
    - Ref: AWS::StackName GenerateSecretString: ExcludeCharacters: " %+~`#$&*()|[]{}:;<>?!'/@\"\" GenerateStringKey: password PasswordLength: 30 SecretStringTemplate: '{"username":"syscdk"}' UpdateReplacePolicy: Delete DeletionPolicy: Delete InstanceSecretAttachment83BEE581: Type: AWS::SecretsManager::SecretTargetAttachment Properties: SecretId: Ref: RdsStackInstanceSecretB66363C13fdaad7efa858a3daf9490cf0a702aeb TargetId: Ref: InstanceC1063A87 TargetType: AWS::RDS::DBInstance InstanceC1063A87: Type: AWS::RDS::DBInstance Properties: AllocatedStorage: "100" CopyTagsToSnapshot: true DBInstanceClass: db.t3.medium
      DBInstanceClass: db.r5.large
      
      DBParameterGroupName: Ref: ParameterGroup5E32DECB DBSubnetGroupName: Ref: InstanceSubnetGroupF2CBA54F Engine: postgres EngineVersion: "15.3" MasterUsername: syscdk CertificateRotationRestart: false CACertificateIdentifier: "rds-ca-rsa2048-g1" MasterUserPassword: Fn::Join:
- ""
- - "{{resolve:secretsmanager:"
    - Ref: RdsStackInstanceSecretB66363C13fdaad7efa858a3daf9490cf0a702aeb
    - :SecretString:password::}} PubliclyAccessible: false StorageType: gp2 VPCSecurityGroups:
Fn::GetAtt:
- InstanceSecurityGroupB4E5FA83
- GroupId UpdateReplacePolicy: Delete DeletionPolicy: Delete Outputs: DbInstanceIdentifier: Description: The instance identifier. Value: Ref: InstanceC1063A87 DbInstanceArn: Description: The instance arn. Value: Fn::Join:
""
- "arn:aws:rds:eu-west-1:595470990922:db:"
  - Ref: InstanceC1063A87 DbInstanceEndpointAddress: Description: The instance endpoint address. Value: Fn::GetAtt:
InstanceC1063A87
Endpoint.Address DbInstanceEndpointPort: Description: The instance endpoint port. Value: Fn::GetAtt:
InstanceC1063A87
Endpoint.Port


2. Change instance class.

```DBInstanceClass: db.t3.medium``` -> ```db.r5.large```

3. Update stack

BOOM.

### Other Details

### Workaround

1. Continue Rollback

First, we'll need to bring the stack out of the UPDATE_ROLLBACK_FAILED state and back into an actionable state. We do this by executing a continue-update-rollback command, skipping the RDS Instance resource. An example of what such command might look for you is as follows:

    aws cloudformation continue-update-rollback --stack-name rds-stack --resources-to-skip RdsInstance

2) Update instance class

We can now update the instance class once more. But to do so we will need to temporarily delete or comment-out the CACertificateIdentifier and CertificateRotationRestart properties! This allows the instance to modify its instance class, whilst avoiding the conflict that is currently blocking us. It is interesting to note that the actual Certificate authority value of the instance doesn't change during this process.

RdsInstance: Type: AWS::RDS::DBInstance Properties: AllocatedStorage: "100" CopyTagsToSnapshot: true DBInstanceClass: db.t3.medium

DBInstanceClass: db.r5.large <--- Change

  DBParameterGroupName:
    Ref: ParameterGroup5EXXX
  DBSubnetGroupName:
    Ref: InstanceSubnetGroupF2CXXXX
  Engine: postgres
  EngineVersion: "15.3"
  MasterUsername: syscdk
  # CertificateRotationRestart: false               <--- Remove
  # CACertificateIdentifier: "rds-ca-rsa2048-g1"    <--- Remove



3) Replace Certificate authority properties

Once the stack has updated the instance class, we will now perform another update to replace the CACertificateIdentifier and CertificateRotationRestart properties, bringing the stack into the desired state.

aws-cloudformation / cloudformation-coverage-roadmap

(AWS::RDS::DBInstance) Cannot replace instance when using CACertificateIdentifier/CertificateRotationRestart #1742