Update AWS RDS root CA certificate on Astronomer Enterprise


We received the email below regarding the update of the root CA certificate on the Astronomer Enterprise RDS cluster that we have on our VPC.

I searched through the terraform show output and found no reference to the variable, but found where you are referencing the terraform-aws-modules for Aurora:

Also found this issue and pull request that needs to be merged for you to catch the update:

Please set the latest root CA certificate when you reference terraform-aws-modules for Aurora.

Original email from AWS listing astrodb-XXXXXXXXXXXXXXXX-X as an affected RDS instance:

---------- Forwarded message ---------
From: ‘Amazon Web Services, Inc.’ via Operations
Date: Tue, Dec 10, 2019 at 1:52 PM
Subject: Important Reminder: Update Your Amazon RDS SSL/TLS Certificates by February 5, 2020


We previously sent a communication in early October to update your RDS SSL/TLS certificates by October 31, 2019. We have extended the dates and now request that you act before February 5, 2020 to avoid interruption of your applications that use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to connect to your RDS and Aurora database instances. Note that this new date is only 4 weeks before the actual Certificate Authority (CA) expiration on March 5, 2020. Because our own deployments, testing, and scanning to validate all RDS instances are ready for the expiry must take place during the final 4 weeks, the February 5th date cannot be further extended.

You are receiving this message because you have an Amazon RDS database instance(s) that requires action in the us-east-1 Region, listed at the end of the email.

To protect your communications with RDS database instances, a CA generates time-bound certificates that are checked by your client applications that connect via SSL/TLS to authenticate RDS databases before exchanging information. AWS renews the CA and creates new root certificates every five years to ensure RDS customer connections are properly protected for years to come.

The current CA expires on March 5, 2020, requiring updates to client applications and database instances that have certificates referencing the current CA. Client applications must add new CA certificates (root and intermediate where necessary) to their trust stores, and RDS database instances must separately use new server certificates before this hard expiration date. However, we strongly recommend you complete these changes before February 5, 2020. After February 5, 2020, we will begin scheduling certificate rotations for your RDS database instances prior to the March 5, 2020 deadline. The automatic update(s) will be scheduled within your maintenance window.

Additionally, any new RDS database instances created after January 14, 2020 (previously November 1, 2019) will default to using the new certificates. If your client applications have not been updated to add the new certificates to their trust stores, these applications will fail to connect to any new instances created after this date. If you wish to temporarily modify new instances to use the old certificates, you can do so using the AWS console, the RDS API, and the AWS CLI. Any instances created prior to January 14, 2020 will have the old certificates until you update them to the rds-ca-2019 version.

If your applications connect to RDS database instances using the SSL/TLS protocol, please follow the detailed instructions in the links below. Based on your feedback, we have provided, per database engine, further instructions on 1.) how to determine whether your client applications are connecting to your RDS databases via SSL/TLS and 2.) how to update your client application trust stores to include the new CA certificates.

If your applications do not use SSL/TLS to connect, there are no required actions that you need to take. However, using SSL/TLS is a security best practice so we recommend all customers perform this upgrade so that your applications can start using SSL seamlessly. Before March 5, 2020, RDS will schedule and perform pending maintenance actions which you can view in the RDS console to ensure you have valid certificates after the current certificates expire. The automatic update(s) will be scheduled within your maintenance window.

For RDS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
For Aurora: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html

We encourage you to test these steps in a development or staging environment before implementing them in your production environments. If not completed, your applications using SSL/TLS will fail to connect to your existing database instances as soon as RDS rotates your certificates on the database side prior to March 5, 2020.

If you have questions or issues, please contact AWS Support at: https://aws.amazon.com/support

Your impacted RDS instances:

Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon, Inc. Amazon is a registered trademark of Amazon, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210

This is Steven from Astronomer. Thank you for calling this to our attention! I have investigated what changes may be necessary.

I ran across this document from Amazon: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
“Any new RDS DB instances created after January 14, 2020 will use the new certificates by default”. I believe this means no change is required to the Terraform.

For existing DB instances, such as yours, you may choose to schedule a change window with your users and perform the rotation as described here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html#UsingWithRDS.SSL-certificate-rotation-updating. For client-side actions, I believe nothing is required because Astronomer does not make use of the SSL feature for connecting to the database.
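The rotation the AWS email describes has two server-side states worth auditing before the February 5 deadline: instances already on rds-ca-2019, instances with the change queued for the maintenance window, and instances still on the old CA with nothing scheduled. The following is an added example, not code from this thread, Astronomer or AWS; it parses the JSON shape returned by `aws rds describe-db-instances` (the `CACertificateIdentifier` and `PendingModifiedValues` fields are from the RDS API) and the instance names in the embedded sample are constructed placeholders.

```python
"""Audit RDS/Aurora instances for the rds-ca-2019 rotation.

Added example (not from the thread). Input is the JSON printed by
`aws rds describe-db-instances`; the sample below is constructed.
"""
import json
from typing import Dict, List

REQUIRED_CA = "rds-ca-2019"

# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE_RESPONSE = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "astrodb-EXAMPLE-1", "Engine": "aurora-postgresql",
         "CACertificateIdentifier": "rds-ca-2015",
         "PendingModifiedValues": {}},
        {"DBInstanceIdentifier": "astrodb-EXAMPLE-2", "Engine": "aurora-postgresql",
         "CACertificateIdentifier": "rds-ca-2015",
         "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-2019"}},
        {"DBInstanceIdentifier": "new-after-jan-14", "Engine": "postgres",
         "CACertificateIdentifier": "rds-ca-2019",
         "PendingModifiedValues": {}},
    ]
})


def audit_ca_rotation(describe_output: str, required: str = REQUIRED_CA) -> Dict[str, List[str]]:
    """Group instances by rotation status.

    done    : already serving certificates issued under the required CA
    pending : a change to the required CA is queued for the maintenance window
    action  : still on an older CA with nothing queued; needs modify-db-instance
    """
    result: Dict[str, List[str]] = {"done": [], "pending": [], "action": []}
    for inst in json.loads(describe_output)["DBInstances"]:
        name = inst["DBInstanceIdentifier"]
        current = inst.get("CACertificateIdentifier", "")
        queued = inst.get("PendingModifiedValues", {}).get("CACertificateIdentifier")
        if current == required:
            result["done"].append(name)
        elif queued == required:
            result["pending"].append(name)
        else:
            result["action"].append(name)
    return result


if __name__ == "__main__":
    for status, names in audit_ca_rotation(SAMPLE_RESPONSE).items():
        print(f"{status:8s} {', '.join(names) or '-'}")
```

Feed it real output with `aws rds describe-db-instances --region us-east-1 > instances.json` and pass the file contents to `audit_ca_rotation`; anything in `action` is what AWS will otherwise rotate for you in the maintenance window before March 5, 2020.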