1 change: 1 addition & 0 deletions rds-postgres/primary-instance/main.tf
Expand Up @@ -4,6 +4,7 @@ resource "aws_db_instance" "this" {
auto_minor_version_upgrade = var.auto_minor_version_upgrade
backup_retention_period = var.backup_retention_period
backup_window = var.backup_window
ca_cert_identifier = var.ca_cert_id
db_subnet_group_name = local.subnet_group_name
enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
engine = var.engine
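Review bot: the new argument is fed from `var.ca_cert_id` while the provider argument it sets is `ca_cert_identifier`; naming the variable `ca_cert_identifier` would keep the module interface aligned with the `aws_db_instance` schema and make the two easier to find together. Also worth noting: because the variable carries a non-null default (see `variables.tf` in this PR), every existing primary instance managed by this module will now have `ca_cert_identifier` pinned in configuration, so a future change to that default plans a modification on all of them at once rather than only where a caller opts in.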
6 changes: 6 additions & 0 deletions rds-postgres/primary-instance/variables.tf
Expand Up @@ -35,6 +35,12 @@ variable "backup_window" {
default = null
}

variable "ca_cert_id" {
type = string
description = "Certificate authority for RDS database"
default = "rds-ca-rsa2048-g1"
}

variable "create_default_db" {
type = bool
description = "Set to false to disable creating a default database"
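Review bot: the hardcoded `default = "rds-ca-rsa2048-g1"` duplicates whatever RDS currently selects on its own and will silently override it once AWS moves its default to a newer CA; `default = null` is the safer choice, since the provider treats `ca_cert_identifier` as optional and computed, so an unset value leaves the choice to RDS and reads the assigned CA back into state, while callers who genuinely need a specific CA pass it explicitly. The description "Certificate authority for RDS database" could also say that this is the RDS CA identifier (the value accepted by `ca_cert_identifier`), not a certificate itself, and that changing it rotates the instance's server certificate, which clients that validate TLS against a pinned CA bundle need to be prepared for.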
1 change: 1 addition & 0 deletions rds-postgres/replica/main.tf
@@ -1,6 +1,7 @@
resource "aws_db_instance" "this" {
allocated_storage = var.allocated_storage
apply_immediately = var.apply_immediately
ca_cert_identifier = var.ca_cert_id
db_subnet_group_name = var.subnet_group_name
identifier = var.identifier
instance_class = var.instance_class
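Review bot: the replica reads its CA from its own `var.ca_cert_id`, so nothing ties it to the primary's setting and the two can end up on different CAs unless every caller passes the same value; consider documenting that, or defaulting the replica to the primary's value where the calling code has it. Also relevant in this hunk: the resource sets `apply_immediately = var.apply_immediately`, which defaults to `false` in this module's `variables.tf`, so a changed `ca_cert_identifier` on an existing replica is an RDS modification that waits for the next maintenance window rather than taking effect on the next `terraform apply`.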
6 changes: 6 additions & 0 deletions rds-postgres/replica/variables.tf
Expand Up @@ -9,6 +9,12 @@ variable "apply_immediately" {
default = false
}

variable "ca_cert_id" {
type = string
description = "Certificate authority for RDS database"
default = "rds-ca-rsa2048-g1"
Contributor
When a new database is created on RDS, AWS already defines a default certificate authority. The default certificate currently is the same as we're defining here. However, if AWS changes that default certificate to something else, we will accidentally override the recommended default.

I think this is a rare case where we would just manually make the change on the console and not worry about reflecting that change on Terraform. Or, if we want to be able to override the certificate, I would think it would be better to not set a default here (what happens if we set the default to "null"? Would it pick RDS' default?).

What do you think, @OlamideOl1 @WilliamAvila?

Contributor

I raised #29 for that, but I didn't have a chance to test what happens when creating a new database.

}

variable "engine_version" {
type = string
description = "Version for RDS database engine"
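Review bot: this `ca_cert_id` block is a verbatim copy of the one added to `rds-postgres/primary-instance/variables.tf`, including the hardcoded `default = "rds-ca-rsa2048-g1"`, so the objection raised in the thread applies here as well and the two defaults now have to be kept in sync by hand; `default = null` in both modules removes both problems at once, and if a pinned default is really wanted, one shared definition referenced by both modules beats two literal copies.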