From 8174374a978d3c54a5822379aa84aaf47c141d6f Mon Sep 17 00:00:00 2001
From: Jericho Tolentino <68654047+jericht@users.noreply.github.com>
Date: Wed, 17 Jan 2024 23:01:12 +0000
Subject: [PATCH] chore(integ): use new RDS CA certificate for DocDB instances
---
 integ/lib/storage-struct.ts | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/integ/lib/storage-struct.ts b/integ/lib/storage-struct.ts
index 91ffe81d6..5c60db057 100644
--- a/integ/lib/storage-struct.ts
+++ b/integ/lib/storage-struct.ts
@@ -8,7 +8,10 @@ import {
 RemovalPolicy,
 Stack,
 } from 'aws-cdk-lib';
-import { DatabaseCluster } from 'aws-cdk-lib/aws-docdb';
+import {
+ CfnDBInstance,
+ DatabaseCluster,
+} from 'aws-cdk-lib/aws-docdb';
 import {
 InstanceClass,
 InstanceSize,
@@ -107,8 +110,8 @@ export class StorageStruct extends Construct {
 });
 let cacert;
- let database;
- let databaseConnection;
+ let database: DatabaseCluster | MongoDbInstance | undefined;
+ let databaseConnection: DatabaseConnection | undefined;
 let databaseSecret: ISecret;
 // Check if the test requires a DocDB or MongoDB to be created. If neither is provided, the Repository construct will create a DocDB itself.
@@ -133,6 +136,11 @@ export class StorageStruct extends Construct {
 });
 databaseSecret = database.secret!;
+ // Use new CA certificate on DB instances, expiring in 2121
+ // See https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html
+ const dbInstances = database.instanceIdentifiers.map((_, i) => database!.node.findChild(`Instance${i+1}`) as CfnDBInstance);
+ applyNewRdsCaCertificate(dbInstances);
+
 // Create a database connection for the DocDB
 databaseConnection = DatabaseConnection.forDocDB({
 database: database,
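Review bot: The `as CfnDBInstance` on `database.node.findChild(...)` in the third hunk is an unchecked cast on a child id that is an implementation detail of `DatabaseCluster`; a renamed child would at least fail inside `findChild`, but if a newer aws-cdk-lib placed a different construct type under `Instance1`, `Instance2`, ... the cast would still pass, `caCertificateIdentifier` would most likely be set on an object that is never rendered into the template, and the instances would silently keep the old CA. Guard it the way hunk 4 guards `dbConstruct`: `const child = cluster.node.findChild('Instance' + (i + 1)); if (!(child instanceof CfnDBInstance)) throw new Error('unexpected construct type for Instance' + (i + 1)); return child;` — hunk 4's `dbConstruct.instanceIdentifiers.map(...)` repeats the same unchecked lookup and should get the same guard. The `database!` inside the callback is only needed because control-flow narrowing of a `let` does not survive into the arrow function; capturing the narrowed value first (`const cluster = database;`) removes the non-null assertion. The enclosing method of `StorageStruct` starts and ends outside this hunk.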
@@ -244,6 +252,22 @@ export class StorageStruct extends Construct {
 },
 });
+ if (database === undefined && databaseConnection === undefined) {
+ // Repository should have created a DocDB for us, so apply the new RDS CA cert to its instances
+ const dbConstruct = this.repo.databaseConnection.databaseConstruct;
+ if (!(dbConstruct instanceof DatabaseCluster)) {
+ throw new Error(
+ 'Cannot apply new RDS CA certificates to DocDB instances created by Repository construct. Expected DatabaseConnection.databaseConstruct' + ` to be a DatabaseCluster construct, but got ${dbConstruct} (${typeof dbConstruct})`,
+ );
+ }
+
+ // Use new CA certificate on DB instances, expiring in 2121
+ // See https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html
+ const dbInstances = dbConstruct.instanceIdentifiers.map((_, i) => dbConstruct.node.findChild(`Instance${i+1}`) as CfnDBInstance);
+ applyNewRdsCaCertificate(dbInstances);
+ }
+
 if( !database ) {
 database = this.repo.node.findChild('DocumentDatabase') as DatabaseCluster;
 databaseSecret = database.secret!;
@@ -256,3 +280,7 @@ export class StorageStruct extends Construct {
 this.efs = ( deadlineEfs || this.repo.node.findChild('FileSystem') as FileSystem );
 }
 }
+
+function applyNewRdsCaCertificate(instances: CfnDBInstance[]): void {
+ instances.forEach(instance => instance.caCertificateIdentifier = 'rds-ca-rsa4096-g1');
+}
\ No newline at end of file
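Review bot: The new branch and the existing `if( !database )` block right after it handle the same situation (this construct created no database, so the Repository made one), but they reach the cluster two different ways: the new code goes through `this.repo.databaseConnection.databaseConstruct` with an `instanceof DatabaseCluster` check, while the old block still does `this.repo.node.findChild('DocumentDatabase') as DatabaseCluster`, an unchecked cast on another internal child id, and the two conditions (`=== undefined` on both variables versus `!database`) are spelled differently for what is presumably the same test. Assigning `database = dbConstruct;` inside the checked branch and folding the old block into it would leave one validated path to the Repository-created cluster; that `if( !database )` block continues past the end of this hunk, so confirm what else it sets (at least `databaseSecret`) before merging. `${dbConstruct}` in the error text depends on whatever `toString()` the construct provides; if the intent is to print the construct path, `dbConstruct.node.path` states that explicitly.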
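Review bot: `applyNewRdsCaCertificate` is the one place the certificate choice lives, yet it has no doc comment and the identifier is an inline literal; a TSDoc line such as `/** Points each DocDB instance at the RDS CA 'rds-ca-rsa4096-g1' (valid until 2121, see the DocumentDB CA rotation guide linked at the call sites). */` together with a module-level `const RDS_CA_IDENTIFIER = 'rds-ca-rsa4096-g1';` would make the rotation intent and the single source of truth explicit. The arrow body also returns the assignment's value inside `forEach`, which `no-return-assign` style rules reject; `for (const instance of instances) { instance.caCertificateIdentifier = RDS_CA_IDENTIFIER; }` is the plain form. Rotating the server-side CA is only half of the change: the client in this integ stack must trust the issuing CA as well, and the `cacert` declared in the second hunk presumably carries that bundle, but nothing in this patch shows where it is loaded, so it is worth confirming that bundle includes the CA named by `rds-ca-rsa4096-g1`, or TLS verification against the rotated instances will fail.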