
feat(docdb): support CA certificate for cluster instances #28791

Merged
merged 2 commits into from
May 9, 2024

Conversation

@brokad (Contributor) commented Jan 20, 2024

Exposes the CaCertificateIdentifier property of AWS::DocDB::DBInstance in the L2 constructs DatabaseCluster and DatabaseInstance of aws_docdb. This allows specifying a custom CA identifier using the CaCertificate class.

Usage with DatabaseCluster:

new DatabaseCluster(stack, 'Database', {
  // ...
  instanceType: InstanceType.of(InstanceClass.R5, InstanceSize.LARGE),
  instanceCaCertificate: CaCertificate.RDS_CA_RSA4096_G1,
  // ...
});

Usage with DatabaseInstance:

new DatabaseInstance(stack, 'Instance', {
  cluster: databaseCluster,
  instanceType: InstanceType.of(InstanceClass.R5, InstanceSize.LARGE),
  caCertificate: CaCertificate.RDS_CA_RSA4096_G1,
});

This is modelled on #27138.

Closes #28356.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
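As an added example (not code from this PR or from aws-cdk itself), the following TypeScript check can be run over the template that `cdk synth` writes to `cdk.out/<Stack>.template.json` to confirm that every `AWS::DocDB::DBInstance` actually carries a `CACertificateIdentifier` from an allow-list. With the constructs above, a cluster-level `instanceCaCertificate` should yield one identifier per instance, so a missing value points at an instance that was created outside those settings. The allow-list, the `rds-ca-2019` sample value and the sample template are constructed for illustration; `rds-ca-rsa4096-g1` is taken to be the identifier behind `CaCertificate.RDS_CA_RSA4096_G1` used in the description.

```typescript
// Added example, not part of the aws-cdk PR: audit a synthesized CloudFormation
// template (the JSON that `cdk synth` writes to cdk.out/<Stack>.template.json)
// for AWS::DocDB::DBInstance resources and report which instances lack an
// explicit CACertificateIdentifier or use one outside an allow-list.

type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

// Allow-list assumed for this example. 'rds-ca-rsa4096-g1' is the identifier
// behind CaCertificate.RDS_CA_RSA4096_G1 from the PR description.
export const ALLOWED_CA_IDENTIFIERS: ReadonlySet<string> = new Set([
  'rds-ca-rsa2048-g1',
  'rds-ca-rsa4096-g1',
  'rds-ca-ecc384-g1',
]);

export type CaStatus = 'ok' | 'missing' | 'not-allowed' | 'unresolved';

export interface CaFinding {
  logicalId: string;
  status: CaStatus;
  identifier?: string;
}

// Walk every resource; only DocDB instances carry the CA property.
export function auditDocDbCaCertificates(
  template: CfnTemplate,
  allowed: ReadonlySet<string> = ALLOWED_CA_IDENTIFIERS,
): CaFinding[] {
  const findings: CaFinding[] = [];
  for (const [logicalId, resource] of Object.entries(template.Resources)) {
    if (resource.Type !== 'AWS::DocDB::DBInstance') continue;
    const value = resource.Properties?.CACertificateIdentifier;
    if (value === undefined) {
      // Property omitted: the instance gets whatever CA the service defaults to.
      findings.push({ logicalId, status: 'missing' });
    } else if (typeof value !== 'string') {
      // Intrinsic function or parameter reference: cannot be judged statically.
      findings.push({ logicalId, status: 'unresolved' });
    } else if (!allowed.has(value)) {
      findings.push({ logicalId, status: 'not-allowed', identifier: value });
    } else {
      findings.push({ logicalId, status: 'ok', identifier: value });
    }
  }
  return findings;
}

// Logical IDs of every DocDB instance that does not pass the audit.
export function failingInstances(
  template: CfnTemplate,
  allowed: ReadonlySet<string> = ALLOWED_CA_IDENTIFIERS,
): string[] {
  return auditDocDbCaCertificates(template, allowed)
    .filter((f) => f.status !== 'ok')
    .map((f) => f.logicalId);
}

// Constructed sample (not real synth output) shaped like what a DatabaseCluster
// with two instances and instanceCaCertificate set would emit, plus one instance
// without a CA, one pinned to an older CA, and one whose CA comes from a parameter.
export const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    DatabaseCluster: { Type: 'AWS::DocDB::DBCluster', Properties: {} },
    DatabaseInstance1: {
      Type: 'AWS::DocDB::DBInstance',
      Properties: {
        DBClusterIdentifier: { Ref: 'DatabaseCluster' },
        DBInstanceClass: 'db.r5.large',
        CACertificateIdentifier: 'rds-ca-rsa4096-g1',
      },
    },
    DatabaseInstance2: {
      Type: 'AWS::DocDB::DBInstance',
      Properties: {
        DBClusterIdentifier: { Ref: 'DatabaseCluster' },
        DBInstanceClass: 'db.r5.large',
        CACertificateIdentifier: 'rds-ca-rsa4096-g1',
      },
    },
    LegacyInstance: {
      Type: 'AWS::DocDB::DBInstance',
      Properties: { DBClusterIdentifier: { Ref: 'DatabaseCluster' }, DBInstanceClass: 'db.r5.large' },
    },
    OldCaInstance: {
      Type: 'AWS::DocDB::DBInstance',
      Properties: {
        DBClusterIdentifier: { Ref: 'DatabaseCluster' },
        DBInstanceClass: 'db.r5.large',
        CACertificateIdentifier: 'rds-ca-2019',
      },
    },
    ParamInstance: {
      Type: 'AWS::DocDB::DBInstance',
      Properties: {
        DBClusterIdentifier: { Ref: 'DatabaseCluster' },
        DBInstanceClass: 'db.r5.large',
        CACertificateIdentifier: { Ref: 'CaParam' },
      },
    },
  },
};

console.log(JSON.stringify(auditDocDbCaCertificates(SAMPLE_TEMPLATE), null, 2));
```

Running this against a real `cdk.out` template after `cdk synth` gives the same kind of assurance the reviewers ask for with a unit test: the property the construct exposes is present on every instance resource, not only on the one you remembered to set it on.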

@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Jan 20, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team January 20, 2024 10:59
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Jan 20, 2024
@aws-cdk-automation (Collaborator) left a comment

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation dismissed their stale review January 20, 2024 11:13

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 20, 2024
@aws-cdk-automation (Collaborator) commented

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

* @param identifier - CA certificate identifier
*/
private constructor(private readonly identifier: string) { }

Contributor (review comment on the snippet above):

I see RDS has the following:

  /**
   * Custom CA certificate
   *
   * @param identifier - CA certificate identifier
   */
  public static of(identifier: string) {
    return new CaCertificate(identifier);
  }

Do we need to support this? If not, this could be an enum.

@brokad (Contributor Author):

That's a good question!

#27138 allows for it, so we probably should too for consistency. Anyway, in case a new CA gets added, it is probably better to have this instead of relying on a property override?

I've added the method.

Contributor:

Possible to add a unit and integration test for this?

@msambol (Contributor) left a comment

Great stuff! See inline comments.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Mar 25, 2024
@brokad brokad force-pushed the gh-28356 branch 2 times, most recently from 694a662 to 670845e on March 25, 2024 15:54
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Mar 25, 2024
@brokad (Contributor Author) commented Mar 25, 2024

> Great stuff! See inline comments.

Thanks for the review!

@msambol (Contributor) left a comment

LGTM

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Apr 7, 2024
@scanlonp (Contributor) left a comment

Hey @brokad, thanks for this PR! I think this looks good overall, but I was wondering if we can just use the CaCertificate class defined in RDS. It looks like the two classes are identical, and the class seems more tied to RDS than anything.

I am not an expert on certificates, but unless there is a reason not to, I think we can import CaCertificate from RDS, and use it the same. This will keep the certificate list in one place for updates and maintainability.

@scanlonp scanlonp self-assigned this Apr 11, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Apr 11, 2024
@aws-cdk-automation (Collaborator) commented

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@vumdao commented May 9, 2024

Hope this ticket will be released soon; we'd like to update the CaCertificate through CDK instead of customizing or doing it manually before Aug.

@mergify mergify bot dismissed scanlonp’s stale review May 9, 2024 09:28

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 9, 2024
@brokad (Contributor Author) commented May 9, 2024

> Hey @brokad, thanks for this PR! I think this looks good overall, but I was wondering if we can just use the CaCertificate class defined in RDS. It looks like the two classes are identical, and the class seems more tied to RDS than anything.
>
> I am not an expert on certificates, but unless there is a reason not to, I think we can import CaCertificate from RDS, and use it the same. This will keep the certificate list in one place for updates and maintainability.

Thanks for the review!

I have updated this PR to import CaCertificate from RDS (and re-export it from aws_docdb for convenience). I noticed there probably is a typo in the variants introduced by f5a5a08. The RSA CAs are labeled RDS_CA_RDS*_G1, but I'm guessing the intention was RDS_CA_RSA*_G1. I elected to not change this in RDS as I am assuming it would be a breaking change for folks already using it.

The update otherwise introduces no change to the previous state of this PR.

@scanlonp (Contributor) left a comment

This looks great. I think the re-export is very nice for ease of use!

Looks like you are exactly right on the typo in the certificate enum, but probably does not need to be included in this PR. I can do a small change to update the name.

Thanks!

mergify bot (Contributor) commented May 9, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 9, 2024
@aws-cdk-automation (Collaborator) commented

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: fa006d3
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit e87f25e into aws:main May 9, 2024
12 checks passed
mergify bot (Contributor) commented May 9, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@scanlonp (Contributor) commented May 9, 2024

@brokad, enum values updated with #30135, good catch.

@scanlonp (Contributor) commented May 9, 2024

@vumdao, should be out in the next release 2.142.0, hopefully mid-next week.

Successfully merging this pull request may close these issues.

(documentDB): (Expose CACertificateIdentifier in L2 Construct)