chore(integ): use new RDS CA certificate for DocDB instances #1182

34 changes: 31 additions & 3 deletions integ/lib/storage-struct.ts
Expand Up @@ -8,7 +8,10 @@ import {
RemovalPolicy,
Stack,
} from 'aws-cdk-lib';
import { DatabaseCluster } from 'aws-cdk-lib/aws-docdb';
import {
CfnDBInstance,
DatabaseCluster,
} from 'aws-cdk-lib/aws-docdb';
import {
InstanceClass,
InstanceSize,
Expand Down Expand Up @@ -107,8 +110,8 @@ export class StorageStruct extends Construct {
});

let cacert;
let database;
let databaseConnection;
let database: DatabaseCluster | MongoDbInstance | undefined;
let databaseConnection: DatabaseConnection | undefined;
let databaseSecret: ISecret;

// Check if the test requires a DocDB or MongoDB to be created. If neither is provided, the Repository construct will create a DocDB itself.
Expand All @@ -133,6 +136,11 @@ export class StorageStruct extends Construct {
});
databaseSecret = database.secret!;

// Use new CA certificate on DB instances, expiring in 2121
// See https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html
const dbInstances = database.instanceIdentifiers.map((_, i) => database!.node.findChild(`Instance${i+1}`) as CfnDBInstance);
applyNewRdsCaCertificate(dbInstances);

// Create a database connection for the DocDB
databaseConnection = DatabaseConnection.forDocDB({
database: database,
Expand Down Expand Up @@ -244,6 +252,22 @@ export class StorageStruct extends Construct {
},
});

if (database === undefined && databaseConnection === undefined) {
// Repository should have created a DocDB for us, so apply the new RDS CA cert to its instances
const dbConstruct = this.repo.databaseConnection.databaseConstruct;
if (!(dbConstruct instanceof DatabaseCluster)) {
throw new Error(
'Cannot apply new RDS CA certificates to DocDB instances created by Repository construct. Expected DatabaseConnection.databaseConstruct' +
` to be a DatabaseCluster construct, but got ${dbConstruct} (${typeof dbConstruct})`,
);
}

// Use new CA certificate on DB instances, expiring in 2121
// See https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html
const dbInstances = dbConstruct.instanceIdentifiers.map((_, i) => dbConstruct.node.findChild(`Instance${i+1}`) as CfnDBInstance);
applyNewRdsCaCertificate(dbInstances);
}

if( !database ) {
database = this.repo.node.findChild('DocumentDatabase') as DatabaseCluster;
databaseSecret = database.secret!;
Expand All @@ -256,3 +280,7 @@ export class StorageStruct extends Construct {
this.efs = ( deadlineEfs || this.repo.node.findChild('FileSystem') as FileSystem );
}
}

function applyNewRdsCaCertificate(instances: CfnDBInstance[]): void {
instances.forEach(instance => instance.caCertificateIdentifier = 'rds-ca-rsa4096-g1');
}
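Review bot: The `findChild(`Instance${i+1}`) as CfnDBInstance` lookup in the third hunk (the `database.instanceIdentifiers.map(...)` line) and again in the fourth hunk (the `dbConstruct.instanceIdentifiers.map(...)` line) is an unchecked assertion, so if a child at that path is not a `CfnDBInstance` the helper silently sets `caCertificateIdentifier` on an unrelated construct and the instance keeps the old CA, which is exactly the outcome this change is meant to prevent. The same lookup is also duplicated at both call sites, and the first copy needs a `database!` non-null assertion only because the `let` union type is not narrowed inside the closure. Moving the lookup into `applyNewRdsCaCertificate` with an `instanceof CfnDBInstance` guard fixes both and mirrors the `instanceof DatabaseCluster` check the fourth hunk already does; the two call sites then become `applyNewRdsCaCertificate(database);` and `applyNewRdsCaCertificate(dbConstruct);`. Both call sites are inside `StorageStruct`'s constructor, which starts and ends outside the hunks. It is also worth a one-line comment near `let cacert;` confirming that the client-side CA bundle used for TLS verification contains the `rds-ca-rsa4096-g1` root, since the identifier only changes the server's certificate chain — I cannot tell from these hunks which bundle `cacert` holds.
```typescript
function applyNewRdsCaCertificate(cluster: DatabaseCluster): void {
  cluster.instanceIdentifiers.forEach((_, i) => {
    const child = cluster.node.findChild(`Instance${i+1}`);
    if (!(child instanceof CfnDBInstance)) {
      throw new Error(`Expected ${child.node.path} to be a CfnDBInstance, but got ${typeof child}`);
    }
    child.caCertificateIdentifier = 'rds-ca-rsa4096-g1';
  });
}
```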