feat: Multi-az rds cluster ca cert identifier (#458)

magreenbaum · web-flow · commit d320348984db · 2024-07-12T08:32:09.000-04:00
* multi-az rds cluster ca cert identifier

* update variable description

* remove param for testing
diff --git a/README.md b/README.md
@@ -224,13 +224,13 @@ Terraform documentation is generated automatically using [pre-commit hooks](http
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.42 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.42 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.58 |
 
 ## Modules
 
@@ -283,6 +283,7 @@ No modules.
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no |
 | <a name="input_cloudwatch_log_group_skip_destroy"></a> [cloudwatch\_log\_group\_skip\_destroy](#input\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `null` | no |
+| <a name="input_cluster_ca_cert_identifier"></a> [cluster\_ca\_cert\_identifier](#input\_cluster\_ca\_cert\_identifier) | The CA certificate identifier to use for the DB cluster's server certificate. Currently only supported for multi-az DB clusters | `string` | `null` | no |
 | <a name="input_cluster_members"></a> [cluster\_members](#input\_cluster\_members) | List of RDS Instances that are a part of this cluster | `list(string)` | `null` | no |
 | <a name="input_cluster_tags"></a> [cluster\_tags](#input\_cluster\_tags) | A map of tags to add to only the cluster. Used for AWS Instance Scheduler tagging | `map(string)` | `{}` | no |
 | <a name="input_cluster_timeouts"></a> [cluster\_timeouts](#input\_cluster\_timeouts) | Create, update, and delete timeout configurations for the cluster | `map(string)` | `{}` | no |
@@ -392,6 +393,8 @@ No modules.
 |------|-------------|
 | <a name="output_additional_cluster_endpoints"></a> [additional\_cluster\_endpoints](#output\_additional\_cluster\_endpoints) | A map of additional cluster endpoints and their attributes |
 | <a name="output_cluster_arn"></a> [cluster\_arn](#output\_cluster\_arn) | Amazon Resource Name (ARN) of cluster |
+| <a name="output_cluster_ca_certificate_identifier"></a> [cluster\_ca\_certificate\_identifier](#output\_cluster\_ca\_certificate\_identifier) | CA identifier of the CA certificate used for the DB instance's server certificate |
+| <a name="output_cluster_ca_certificate_valid_till"></a> [cluster\_ca\_certificate\_valid\_till](#output\_cluster\_ca\_certificate\_valid\_till) | Expiration date of the DB instance’s server certificate |
 | <a name="output_cluster_database_name"></a> [cluster\_database\_name](#output\_cluster\_database\_name) | Name for an automatically created database on cluster creation |
 | <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | Writer endpoint for the cluster |
 | <a name="output_cluster_engine_version_actual"></a> [cluster\_engine\_version\_actual](#output\_cluster\_engine\_version\_actual) | The running version of the cluster database |
diff --git a/examples/autoscaling/README.md b/examples/autoscaling/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.42 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.42 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.58 |
 
 ## Modules
 
diff --git a/examples/autoscaling/versions.tf b/examples/autoscaling/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.42"
+      version = ">= 5.58"
     }
   }
 }
diff --git a/examples/global-cluster/README.md b/examples/global-cluster/README.md
@@ -20,15 +20,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.42 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.42 |
-| <a name="provider_aws.secondary"></a> [aws.secondary](#provider\_aws.secondary) | >= 5.42 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.58 |
+| <a name="provider_aws.secondary"></a> [aws.secondary](#provider\_aws.secondary) | >= 5.58 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.2 |
 
 ## Modules
diff --git a/examples/global-cluster/versions.tf b/examples/global-cluster/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.42"
+      version = ">= 5.58"
     }
 
     random = {
diff --git a/examples/multi-az/README.md b/examples/multi-az/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.42 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.42 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.58 |
 
 ## Modules
 
@@ -51,6 +51,8 @@ No inputs.
 |------|-------------|
 | <a name="output_additional_cluster_endpoints"></a> [additional\_cluster\_endpoints](#output\_additional\_cluster\_endpoints) | A map of additional cluster endpoints and their attributes |
 | <a name="output_cluster_arn"></a> [cluster\_arn](#output\_cluster\_arn) | Amazon Resource Name (ARN) of cluster |
+| <a name="output_cluster_ca_certificate_identifier"></a> [cluster\_ca\_certificate\_identifier](#output\_cluster\_ca\_certificate\_identifier) | CA identifier of the CA certificate used for the DB instance's server certificate |
+| <a name="output_cluster_ca_certificate_valid_till"></a> [cluster\_ca\_certificate\_valid\_till](#output\_cluster\_ca\_certificate\_valid\_till) | Expiration date of the DB instance’s server certificate |
 | <a name="output_cluster_database_name"></a> [cluster\_database\_name](#output\_cluster\_database\_name) | Name for an automatically created database on cluster creation |
 | <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | Writer endpoint for the cluster |
 | <a name="output_cluster_engine_version_actual"></a> [cluster\_engine\_version\_actual](#output\_cluster\_engine\_version\_actual) | The running version of the cluster database |
diff --git a/examples/multi-az/main.tf b/examples/multi-az/main.tf
@@ -27,7 +27,7 @@ module "aurora" {
 
   name            = local.name
   engine          = "postgres" # This uses RDS engine, not Aurora
-  engine_version  = "14.5"
+  engine_version  = "15.7"
   master_username = "root"
 
   vpc_id               = module.vpc.vpc_id
@@ -45,6 +45,8 @@ module "aurora" {
   iops                      = 2500
   storage_type              = "io1"
 
+  cluster_ca_cert_identifier = "rds-ca-rsa4096-g1"
+
   skip_final_snapshot = true
 
   tags = local.tags
diff --git a/examples/multi-az/outputs.tf b/examples/multi-az/outputs.tf
@@ -66,6 +66,16 @@ output "cluster_hosted_zone_id" {
   value       = module.aurora.cluster_hosted_zone_id
 }
 
+output "cluster_ca_certificate_identifier" {
+  description = "CA identifier of the CA certificate used for the DB instance's server certificate"
+  value       = module.aurora.cluster_ca_certificate_identifier
+}
+
+output "cluster_ca_certificate_valid_till" {
+  description = "Expiration date of the DB instance’s server certificate"
+  value       = module.aurora.cluster_ca_certificate_valid_till
+}
+
 ################################################################################
 # Cluster Instance(s)
 ################################################################################
diff --git a/examples/multi-az/versions.tf b/examples/multi-az/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.42"
+      version = ">= 5.58"
     }
   }
 }
diff --git a/examples/mysql/README.md b/examples/mysql/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.42 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.42 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.58 |
 
 ## Modules
 
diff --git a/examples/mysql/versions.tf b/examples/mysql/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.42"
+      version = ">= 5.58"
     }
   }
 }
diff --git a/examples/postgresql/README.md b/examples/postgresql/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.42 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.42 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.58 |
 
 ## Modules
 
diff --git a/examples/postgresql/versions.tf b/examples/postgresql/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.42"
+      version = ">= 5.58"
     }
   }
 }
diff --git a/examples/s3-import/README.md b/examples/s3-import/README.md
@@ -49,13 +49,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.42 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.42 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.58 |
 
 ## Modules
 
diff --git a/examples/s3-import/versions.tf b/examples/s3-import/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.42"
+      version = ">= 5.58"
     }
   }
 }
diff --git a/examples/serverless/README.md b/examples/serverless/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.42 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.5 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.42 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.58 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.5 |
 
 ## Modules
diff --git a/examples/serverless/versions.tf b/examples/serverless/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.42"
+      version = ">= 5.58"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/main.tf b/main.tf
@@ -45,6 +45,7 @@ resource "aws_rds_cluster" "this" {
   availability_zones                  = var.availability_zones
   backup_retention_period             = var.backup_retention_period
   backtrack_window                    = local.backtrack_window
+  ca_certificate_identifier           = var.cluster_ca_cert_identifier
   cluster_identifier                  = var.cluster_use_name_prefix ? null : var.name
   cluster_identifier_prefix           = var.cluster_use_name_prefix ? "${var.name}-" : null
   cluster_members                     = var.cluster_members
diff --git a/outputs.tf b/outputs.tf
@@ -79,6 +79,16 @@ output "cluster_hosted_zone_id" {
   value       = try(aws_rds_cluster.this[0].hosted_zone_id, null)
 }
 
+output "cluster_ca_certificate_identifier" {
+  description = "CA identifier of the CA certificate used for the DB instance's server certificate"
+  value       = try(aws_rds_cluster.this[0].ca_certificate_identifier, null)
+}
+
+output "cluster_ca_certificate_valid_till" {
+  description = "Expiration date of the DB instance’s server certificate"
+  value       = try(aws_rds_cluster.this[0].ca_certificate_valid_till, null)
+}
+
 ################################################################################
 # Cluster Instance(s)
 ################################################################################
diff --git a/variables.tf b/variables.tf
@@ -90,6 +90,12 @@ variable "backtrack_window" {
   default     = null
 }
 
+variable "cluster_ca_cert_identifier" {
+  description = "The CA certificate identifier to use for the DB cluster's server certificate. Currently only supported for multi-az DB clusters"
+  type        = string
+  default     = null
+}
+
 variable "cluster_members" {
   description = "List of RDS Instances that are a part of this cluster"
   type        = list(string)
diff --git a/versions.tf b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.42"
+      version = ">= 5.58"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 5.42"`
	`7`	`+ version = ">= 5.58"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`