chore(integ): use new RDS CA certificate for DocDB instances

[jericht]

Notes

The RDS CA certificate used by DocDB instances deployed by RFDK is expiring in August 2024. See https://docs.aws.amazon.com/documentdb/latest/developerguide/ca_cert_rotation.html

This PR changes the DocDB instances deployed by our integration tests to use the newer RDS CA certificate. We still need to do this for RFDK itself in a future PR.

Testing

• Ran the integration tests in my account and verified the CFN templates had the AWS::DocDB::DBInstance.CACertificateIdentifier property set to the newer certificate ID rds-ca-rsa4096-g1
• Also verified in the AWS console that the DB instance was using the newer RDS CA certificate.

Example CFN template snippet:

  "StorageStruct1RepositoryDocumentDatabaseInstance1670329EE": {
   "Type": "AWS::DocDB::DBInstance",
   "Properties": {
    "AutoMinorVersionUpgrade": true,
    "CACertificateIdentifier": "rds-ca-rsa4096-g1",
    "DBClusterIdentifier": {
     "Ref": "StorageStruct1RepositoryDocumentDatabase8BA714C4"
    },
    "DBInstanceClass": "db.r5.large",
    "Tags": [
     {
      "Key": "aws-rfdk",
      "Value": "1.3.0:Repository"
     }
    ]
   },
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "RFDKInteg-DL-ComponentTier1705531747651705277/StorageStruct1/Repository/DocumentDatabase/Instance1"
   }
  }

AWS Console screenshot showing CA cert is applied:

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[ddneilson]

I've checked that this change doesn't force instance replacement -- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbinstance.html#cfn-docdb-dbinstance-cacertificateidentifier

LGTM. Thanks!

[jusiskin]

Have you tried running the integration tests with this change? I'd expect any of them using DocumentDB to fail because Deadline 10 does not provide a CA trust store with the new CA certificate yet.

[jericht]

Have you tried running the integration tests with this change? I'd expect any of them using DocumentDB to fail because Deadline 10 does not provide a CA trust store with the new CA certificate yet.

Yes, the repository tests failed due to this. We'll need to wait until a new Deadline release is made with the new CA certificate before merging this.