aws / aws-rfdk

The Render Farm Deployment Kit on AWS is a library for use with the AWS Cloud Development Kit that helps you define your render farm cloud infrastructure as code.
https://docs.aws.amazon.com/rfdk/index.html
Apache License 2.0

chore(integ): use new RDS CA certificate for DocDB instances #1182

Open jericht opened 5 months ago

jericht commented 5 months ago

Notes

The RDS CA certificate used by DocDB instances deployed by RFDK is expiring in August 2024. See https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html

This PR changes the DocDB instances deployed by our integration tests to use the newer RDS CA certificate. We still need to do this for RFDK itself in a future PR.

Testing

Example CFN template snippet:

  "StorageStruct1RepositoryDocumentDatabaseInstance1670329EE": {
   "Type": "AWS::DocDB::DBInstance",
   "Properties": {
    "AutoMinorVersionUpgrade": true,
    "CACertificateIdentifier": "rds-ca-rsa4096-g1",
    "DBClusterIdentifier": {
     "Ref": "StorageStruct1RepositoryDocumentDatabase8BA714C4"
    },
    "DBInstanceClass": "db.r5.large",
    "Tags": [
     {
      "Key": "aws-rfdk",
      "Value": "1.3.0:Repository"
     }
    ]
   },
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "RFDKInteg-DL-ComponentTier1705531747651705277/StorageStruct1/Repository/DocumentDatabase/Instance1"
   }
  }

AWS Console screenshot showing CA cert is applied: [image]


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
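A check a reviewer can run over a synthesized template (the JSON that `cdk synth` emits) to confirm that every `AWS::DocDB::DBInstance` pins the new CA identifier rather than falling back to the service default. This is an added example, not RFDK code; the template below is constructed from the snippet above plus a hypothetical second instance that omits the property.

```typescript
// Added example (not part of RFDK): report DocDB instances in a CloudFormation
// template whose CACertificateIdentifier does not match the expected CA.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

// CA identifier used by the PR above.
const NEW_DOCDB_CA = 'rds-ca-rsa4096-g1';

// Returns the logical IDs of AWS::DocDB::DBInstance resources that do not
// explicitly set CACertificateIdentifier to `expected`. A missing property is
// reported too, because the template then leaves the choice to the service
// default instead of pinning it.
function docdbInstancesNotUsingCa(template: CfnTemplate, expected: string = NEW_DOCDB_CA): string[] {
  const offenders: string[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::DocDB::DBInstance') continue;
    const ca = res.Properties?.CACertificateIdentifier;
    if (ca !== expected) offenders.push(logicalId);
  }
  return offenders;
}

// Constructed sample: the instance from the PR (correct), a hypothetical
// instance that omits the CA property, and an unrelated resource.
const sampleTemplate: CfnTemplate = {
  Resources: {
    StorageStruct1RepositoryDocumentDatabaseInstance1670329EE: {
      Type: 'AWS::DocDB::DBInstance',
      Properties: {
        CACertificateIdentifier: 'rds-ca-rsa4096-g1',
        DBClusterIdentifier: { Ref: 'StorageStruct1RepositoryDocumentDatabase8BA714C4' },
        DBInstanceClass: 'db.r5.large',
      },
    },
    HypotheticalInstance2: {
      Type: 'AWS::DocDB::DBInstance',
      Properties: { DBInstanceClass: 'db.r5.large' },
    },
    HypotheticalBucket: { Type: 'AWS::S3::Bucket' },
  },
};

console.log(docdbInstancesNotUsingCa(sampleTemplate)); // → ["HypotheticalInstance2"]
```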

jusiskin commented 5 months ago

Have you tried running the integration tests with this change? I'd expect any of them using DocumentDB to fail because Deadline 10 does not provide a CA trust store with the new CA certificate yet.

jericht commented 5 months ago

> Have you tried running the integration tests with this change? I'd expect any of them using DocumentDB to fail because Deadline 10 does not provide a CA trust store with the new CA certificate yet.

Yes, the repository tests failed due to this. We'll need to wait until a new Deadline release is made with the new CA certificate before merging this.