guardian / amigo

AMIgo: An AMI bakery
https://amigo.gutools.co.uk/

update aws_rds_root_cert_ca role to load new certificate bundle #1501

Closed pvighi closed 3 months ago

pvighi commented 3 months ago

What does this change?

This PR updates the aws_rds_root_cert_ca role to support the new RDS certificates, which come in bundles instead of single files.

Looking at the documentation on using SSL in RDS, it looks like there are now bundles instead of a single certificate. The current code assumes the file it gets from AWS contains a single certificate, so if we try to use the new URLs it would only load the first one.

A good side effect of loading the certificate in bundles is that it includes the deprecated certificate as well so applications that use it would work with either, which makes migrating with minimal downtime easier.

How to test

For a first test we can sign in to an instance that uses this role, find the generated trust store file (by default /usr/lib/ssl/certs/java/aws-rds-cacerts) and list the certificates in it with something like the keytool CLI command `keytool -list -keystore ./[FILE_NAME_HERE] -rfc`. This should list the certificates from the selected bundle.

Of course the real test is to just redeploy an instance using this role and be able to connect to the RDS database using any of the certificates in the bundle.

What is the value of this?

RDS is deprecating a certificate soon which is still in use in databases, so we need to change it.
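The bundle-aware loading this PR describes, as an added example that is not the PR's or the amigo role's own code: it splits a PEM bundle into one file per certificate (the single-certificate approach would silently keep only the first), imports each into a Java trust store with keytool, and then checks the entry count the way the "How to test" step suggests. The function names, the alias scheme, the placeholder certificate bodies and keytool being on PATH are all assumptions.

```shell
#!/bin/sh
# Added example, not the amigo role's own code. POSIX sh; keytool is only
# needed by import_bundle_into_truststore, which the demo below does not call.
set -eu

# Split a PEM bundle ($1) into cert-1.pem, cert-2.pem, ... under directory $2.
# Prints the number of certificates found. Text outside BEGIN/END is dropped.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$bundle"
}

# Import every certificate of bundle $1 into trust store $2 (password $3)
# under its own alias, then verify the store holds as many entries as the
# bundle had. Re-running with existing aliases makes keytool fail (assumption
# about keytool's -noprompt behaviour), which is the safe outcome here.
import_bundle_into_truststore() {
  bundle="$1"; store="$2"; storepass="$3"
  workdir="$(mktemp -d)"
  count="$(split_pem_bundle "$bundle" "$workdir")"
  i=1
  while [ "$i" -le "$count" ]; do
    keytool -importcert -noprompt -trustcacerts \
      -alias "aws-rds-ca-$i" -file "$workdir/cert-$i.pem" \
      -keystore "$store" -storepass "$storepass"
    i=$((i + 1))
  done
  rm -rf "$workdir"
  entries="$(keytool -list -keystore "$store" -storepass "$storepass" -rfc \
    | grep -c 'BEGIN CERTIFICATE')"
  [ "$entries" -eq "$count" ]
}

# Demo on a constructed two-certificate bundle. The bodies are placeholders,
# not real certificates, so only the split step runs here.
demo_dir="$(mktemp -d)"
printf -- '-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n' > "$demo_dir/bundle.pem"
echo "certificates in bundle: $(split_pem_bundle "$demo_dir/bundle.pem" "$demo_dir/out")"
rm -rf "$demo_dir"
```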