-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(docdb): support CA certificate for cluster instances #28791
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
* @param identifier - CA certificate identifier | ||
*/ | ||
private constructor(private readonly identifier: string) { } | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see RDS has the following:
/**
* Custom CA certificate
*
* @param identifier - CA certificate identifier
*/
public static of(identifier: string) {
return new CaCertificate(identifier);
}
Do we need to support this? If not, this could be an enum
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good question!
#27138 allows for it, so we probably should too for consistency. Anyway, in case a new CA gets added, it is probably better to have this instead of relying on a property override?
I've added the method.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possible to add a unit and integration test for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great stuff! See inline comments.
694a662
to
670845e
Compare
Thanks for the review! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @brokad, thanks for this PR! I think this looks good overall, but I was wondering if we can just use the CaCertificate
class defined in RDS. It looks like the two classes are identical, and the class seems more tied to RDS than anything.
I am not an expert on certificates, but unless there is a reason not to, I think we can import CaCertificate
from RDS, and use it the same. This will keep the certificate list in one place for updates and maintainability.
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
Hope this ticket will be released soon, we'd like to update the CaCertificate through CDK instead of customizing or manually before Aug |
Thanks for the review! I have updated this PR to import The update otherwise introduces no change to the previous state of this PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great. I think the re-export is very nice for ease of use!
Looks like you are exactly right on the typo in the certificate enum, but probably does not need to be included in this PR. I can do a small change to update the name.
Thanks!
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
@vumdao, should be out in the next release 2.142.0, hopefully mid-next week. |
Exposes the CaCertificateIdentifier property of AWS::DocDB::DBInstance in the L2 constructs
DatabaseCluster
andDatabaseInstance
ofaws_docdb
. This allows specifying a custom CA identifier using the CaCertificate class.Usage with
DatabaseCluster
:Usage with
DatabaseInstance
:This is modelled on #27138.
Closes #28356.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license