Skip to content

Commit

Permalink
Merge pull request #437 from guardian/aa/rds-ca
Browse files Browse the repository at this point in the history
fix: Update RDS certificate authority
  • Loading branch information
akash1810 authored Nov 7, 2023
2 parents b784810 + 718fac4 commit fa32362
Show file tree
Hide file tree
Showing 3 changed files with 39 additions and 22 deletions.
41 changes: 21 additions & 20 deletions packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ exports[`The ServiceCatalogue stack matches the snapshot 1`] = `
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -835,7 +835,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -1476,7 +1476,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: fastly
path: cloudquery/fastly
Expand Down Expand Up @@ -2077,7 +2077,7 @@ spec:
"Fn::Join": [
"",
[
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: galaxies
path: guardian/galaxies
Expand Down Expand Up @@ -2930,7 +2930,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"echo $GITHUB_PRIVATE_KEY | base64 -d > /github-private-key;echo $GITHUB_APP_ID > /github-app-id;echo $GITHUB_INSTALLATION_ID > /github-installation-id;wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"echo $GITHUB_PRIVATE_KEY | base64 -d > /github-private-key;echo $GITHUB_APP_ID > /github-app-id;echo $GITHUB_INSTALLATION_ID > /github-installation-id;wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: github
path: cloudquery/github
Expand Down Expand Up @@ -3377,7 +3377,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"echo $GITHUB_PRIVATE_KEY | base64 -d > /github-private-key;echo $GITHUB_APP_ID > /github-app-id;echo $GITHUB_INSTALLATION_ID > /github-installation-id;wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"echo $GITHUB_PRIVATE_KEY | base64 -d > /github-private-key;echo $GITHUB_APP_ID > /github-app-id;echo $GITHUB_INSTALLATION_ID > /github-installation-id;wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: github
path: cloudquery/github
Expand Down Expand Up @@ -4041,7 +4041,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"echo $GITHUB_PRIVATE_KEY | base64 -d > /github-private-key;echo $GITHUB_APP_ID > /github-app-id;echo $GITHUB_INSTALLATION_ID > /github-installation-id;wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"echo $GITHUB_PRIVATE_KEY | base64 -d > /github-private-key;echo $GITHUB_APP_ID > /github-app-id;echo $GITHUB_INSTALLATION_ID > /github-installation-id;wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: github
path: cloudquery/github
Expand Down Expand Up @@ -4735,7 +4735,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: guardian-snyk
path: guardian/snyk-full-project
Expand Down Expand Up @@ -5327,7 +5327,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -5969,7 +5969,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -6641,7 +6641,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -7453,7 +7453,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -7895,7 +7895,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -8537,7 +8537,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -9180,7 +9180,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -10023,7 +10023,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -10466,7 +10466,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -11108,7 +11108,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: aws
path: cloudquery/aws
Expand Down Expand Up @@ -12010,7 +12010,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: postgresql
path: cloudquery/postgresql
Expand Down Expand Up @@ -12452,7 +12452,7 @@ spec:
"Command": [
"/bin/sh",
"-c",
"wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates;printf 'kind: source
"wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates;printf 'kind: source
spec:
name: snyk
path: cloudquery/snyk
Expand Down Expand Up @@ -13093,6 +13093,7 @@ spec:
"DeletionPolicy": "Snapshot",
"Properties": {
"AllocatedStorage": "100",
"CACertificateIdentifier": "rds-ca-rsa2048-g1",
"CopyTagsToSnapshot": true,
"DBInstanceClass": "db.t4g.small",
"DBSubnetGroupName": {
Expand Down
8 changes: 7 additions & 1 deletion packages/cdk/lib/ecs/task.ts
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,13 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask {
'-c',
[
...additionalCommands,
'wget -O /usr/local/share/ca-certificates/rds-ca-2019-root.crt -q https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem && update-ca-certificates',

/*
Install the CA bundle for all RDS certificates.
See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions
*/
'wget -O /usr/local/share/ca-certificates/global-bundle.crt -q https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem && update-ca-certificates',

`printf '${dump(sourceConfig)}' > /source.yaml`,
`printf '${dump(destinationConfig)}' > /destination.yaml`,
'/app/cloudquery sync /source.yaml /destination.yaml --log-format json --log-console',
Expand Down
12 changes: 11 additions & 1 deletion packages/cdk/lib/service-catalogue.ts
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,11 @@ import { Secret } from 'aws-cdk-lib/aws-ecs';
import { Schedule } from 'aws-cdk-lib/aws-events';
import { Runtime } from 'aws-cdk-lib/aws-lambda';
import type { DatabaseInstanceProps } from 'aws-cdk-lib/aws-rds';
import { DatabaseInstance, DatabaseInstanceEngine } from 'aws-cdk-lib/aws-rds';
import {
CaCertificate,
DatabaseInstance,
DatabaseInstanceEngine,
} from 'aws-cdk-lib/aws-rds';
import { Secret as SecretsManager } from 'aws-cdk-lib/aws-secretsmanager';
import { Topic } from 'aws-cdk-lib/aws-sns';
import { Queue } from 'aws-cdk-lib/aws-sqs';
Expand Down Expand Up @@ -121,6 +125,12 @@ export class ServiceCatalogue extends GuStack {
storageEncrypted: true,
securityGroups: [dbSecurityGroup],
deletionProtection: rdsDeletionProtection,

/*
This certificate supports automatic rotation.
See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.RegionCertificateAuthorities
*/
caCertificate: CaCertificate.RDS_CA_RDS2048_G1,
};

const db = new DatabaseInstance(this, 'PostgresInstance1', dbProps);
Expand Down

0 comments on commit fa32362

Please sign in to comment.