Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Can't create RDS instances when default account CA isn't supported by engine #39371

Open
williamlord-wise opened this issue Sep 18, 2024 · 1 comment
Open

[Bug]: Can't create RDS instances when default account CA isn't supported by engine #39371

williamlord-wise opened this issue Sep 18, 2024 · 1 comment
Labels
bug Addresses a defect in current functionality. service/rds Issues and PRs that pertain to the rds service.

Comments

@williamlord-wise
Copy link

Terraform Core Version

1.9.5

AWS Provider Version

5.67.0

Affected Resource(s)

  • aws_db_instance

Expected Behavior

It should be possible to create RDS instances with specific CAs that are specified with ca_cert_identifier , for example SQL Server with rds-ca-rsa4096-g1. It's not possible to create these instances current when the RDS default CA is overridden (https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyCertificates.html) to one that isn't supported by the engine and/or engine version, eg aws rds modify-certificates --certificate-identifier rds-ca-ecc384-g1.

Actual Behavior

The RDS instance can't be created because the RDS default CA is used, and then the ca_cert_identifier is applied afterwards https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/rds/instance.go#L1802-L1806.

Relevant Error/Panic Output Snippet

> │ Error: creating RDS DB Instance (redacted): operation error RDS: CreateDBInstance, https response error StatusCode: 400, RequestID: c9daeb75-abbb-47be-8e53-afb637b875f0, api error InvalidParameterCombination: Version 15.00.4236.7.v1 for DB engine sqlserver-se doesn't support certificate rds-ca-ecc384-g1. Specify a different DB engine version or a different certificate.

Terraform Configuration Files

resource "aws_db_instance" "default" {
  engine             = "sqlserver-se"
  engine_version     = "15.00.4236.7.v1"
  ca_cert_identifier = "rds-ca-rsa4096-g1"
  ...
}

Steps to Reproduce

  1. aws rds modify-certificates --certificate-identifier rds-ca-ecc384-g1
  2. Apply Terraform

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
@williamlord-wise williamlord-wise added the bug Addresses a defect in current functionality. label Sep 18, 2024
@github-actions github-actions bot added the service/rds Issues and PRs that pertain to the rds service. label Sep 18, 2024
@github-actions GitHub Actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 18, 2024
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Oct 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/rds Issues and PRs that pertain to the rds service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@justinretzolk @williamlord-wise