feature: add the AWS RDS cert bundles (#329)

* add the AWS RDS cert bundles * store the bundle in the repo directly * remove redundant pushd/popd
heroku · Nov 6, 2024 · 18f7a20 · 18f7a20
1 parent 2863716
commit 18f7a20
Show file tree

Hide file tree

Showing 6 changed files with 7,610 additions and 0 deletions.
diff --git a/heroku-20/rds-global-bundle.pem b/heroku-20/rds-global-bundle.pem
diff --git a/heroku-20/setup.sh b/heroku-20/setup.sh
@@ -160,6 +160,14 @@ apt-get install -y --no-install-recommends "${packages[@]}"
 
 cp /build/imagemagick-policy.xml /etc/ImageMagick-6/policy.xml
 
+# Install AWS RDS global CA bundle (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions)
+mkdir -p /usr/local/share/ca-certificates/rds-ca-certs
+awk '
+  split_after == 1 {n++;split_after=0}
+  /-----END CERTIFICATE-----/ {split_after=1}
+  {print > "/usr/local/share/ca-certificates/rds-ca-certs/rds-ca" n ".crt"}' < /build/rds-global-bundle.pem
+update-ca-certificates
+
 # Install ca-certificates-java so that the JVM buildpacks can configure Java apps to use the Java certs
 # store in the base image instead of the one that ships in each JRE release, allowing certs to be updated
 # via base image updates. Generation of the `cacerts` file occurs in a post-install script which requires