feat(docdb): support CA certificate for cluster instances

[brokad]

Exposes the CaCertificateIdentifier property of AWS::DocDB::DBInstance in the L2 constructs DatabaseCluster and DatabaseInstance of aws_docdb. This allows specifying a custom CA identifier using the CaCertificate class.

Usage with DatabaseCluster:

new DatabaseCluster(stack, 'Database', {
  // ...
  instanceType: InstanceType.of(InstanceClass.R5, InstanceSize.LARGE),
  instanceCaCertificate: CaCertificate.RDS_CA_RSA4096_G1,
  // ...
});

Usage with DatabaseInstance:

new DatabaseInstance(stack, 'Instance', {
  cluster: databaseCluster,
  instanceType: InstanceType.of(InstanceClass.R5, InstanceSize.LARGE),
  caCertificate: CaCertificate.RDS_CA_RSA4096_G1,
});

This is modelled on #27138.

Closes #28356.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[aws-cdk-automation]

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[msambol]

I see RDS has the following:

  /**
   * Custom CA certificate
   *
   * @param identifier - CA certificate identifier
   */
  public static of(identifier: string) {
    return new CaCertificate(identifier);
  }

Do we need to support this? If not, this could be an enum.

[brokad]

That's a good question!

#27138 allows for it, so we probably should too for consistency. Anyway, in case a new CA gets added, it is probably better to have this instead of relying on a property override?

I've added the method.

[msambol]

Possible to add a unit and integration test for this?

[msambol]

Great stuff! See inline comments.

[brokad]

Great stuff! See inline comments.

Thanks for the review!

[msambol]

LGTM

[scanlonp]

Hey @brokad, thanks for this PR! I think this looks good overall, but I was wondering if we can just use the CaCertificate class defined in RDS. It looks like the two classes are identical, and the class seems more tied to RDS than anything.

I am not an expert on certificates, but unless there is a reason not to, I think we can import CaCertificate from RDS, and use it the same. This will keep the certificate list in one place for updates and maintainability.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[vumdao]

Hope this ticket will be released soon, we'd like to update the CaCertificate through CDK instead of customizing or manually before Aug

Pull request has been modified.

[brokad]

Hey @brokad, thanks for this PR! I think this looks good overall, but I was wondering if we can just use the CaCertificate class defined in RDS. It looks like the two classes are identical, and the class seems more tied to RDS than anything.

I am not an expert on certificates, but unless there is a reason not to, I think we can import CaCertificate from RDS, and use it the same. This will keep the certificate list in one place for updates and maintainability.

Thanks for the review!

I have updated this PR to import CaCertificate from RDS (and re-export it from aws_docdb for convenience). I noticed there probably is a typo in the variants introduced by f5a5a08. The RSA CAs are labeled RDS_CA_RDS*_G1, but I'm guessing the intention was RDS_CA_RSA*_G1. I elected to not change this in RDS as I am assuming it would be a breaking change for folks already using it.

The update otherwise introduces no change to the previous state of this PR.

[scanlonp]

This looks great. I think the re-export is very nice for ease of use!

Looks like you are exactly right on the typo in the certificate enum, but probably does not need to be included in this PR. I can do a small change to update the name.

Thanks!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: fa006d3
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[scanlonp]

@brokad, enum values updated with #30135, good catch.

[scanlonp]

@vumdao, should be out in the next release 2.142.0, hopefully mid-next week.