This topic describes the changes in this minor release of Tanzu Cloud Service Broker for AWS.

v1.3.0

Release Date: 16 November 2022

Breaking Changes

This release has the following breaking changes:

Amazon RDS MySQL service

This release has the following breaking changes for the Amazon RDS MySQL service:

  • Amazon RDS MySQL pre-configured plans removed: From this version onwards, plans are no longer provided with the brokerpak. If you have RDS MySQL service instances that you want to maintain that use the formerly built-in plans, you must add the plans through the tile configuration. For more information, see Previously Provided Pre-configured Plans.

  • The default storage type is now set as io1 (provisioned IOPS SSD): Previously the default used gp2 (general purpose SSD). Users who previously had custom plans must add the property "storage_type":"gp2" to the plan definition to ensure that the storage type is not amended on any update. For more information, see Changing custom plans.

  • Defined production grade defaults: By default, all RDS MySQL instances created have encryption and Multi-AZ enabled. You can change these properties by setting storage_encrypted or multi_az to false. This change is applied to all existing instances unless the custom plans are updated before the broker upgrade to include setting storage_encrypted or multi_az to false. For more information, see Changing custom plans.

  • Unsecured connections are no longer supported: Every connection to an RDS MySQL instance must use TLS encryption. This change is applied to previously existing instances after upgrading or after recreating bindings. The property use_tls is now removed, and old custom plans containing the property use_tls must be changed. For more information, see Changing custom plans. The AWS certificate bundle must be installed in Ops Manager.

Features

New features and changes in this release:

Amazon RDS MySQL service offering is generally available

The Amazon RDS MySQL service offering is no longer in beta and can be used in production. As part of this, the following RDS MySQL features are introduced:

  • MySQL version is no longer restricted: Previously the parameter mysql_version was restricted to a list of supported values. You can now choose the version you want when creating a plan. To view the supported versions, see the AWS documentation.

  • The default maintenance window can be set more easily: To use the AWS default maintenance window when provisioning, the properties related to the maintenance window can all be set to null instead of empty strings.

  • Automated backups: Automated backups can now be scheduled through backup_window. The backup_window configuration uses an AWS default value for the region if the value is null when provisioning the instance. By default, automated backups are enabled. This feature can be customized through the following properties:

    • delete_automated_backups: Delete backups when deleting the instance. It is true by default.
    • copy_tags_to_snapshot: Copy all instance tags to snapshots. It is true by default.
    • backup_retention_period: The number of days (1-35) for which automatic backups are kept. Set the value to 0 to deactivate automated backups. It is 7 by default.

  • db_name property can no longer be updated: Updating the db_name property causes a destructive action because Terraform recreates the database. This change fails the update quickly for improved user experience.

  • deletion_protection can be configured and updated: Added a property that enables you to configure the deletion protection for the MySQL database in the plan configuration or during provision or update operations. By default the protection is deactivated.

  • storage_type and iops can be configured and updated: A newly added property enables you to configure the storage type in both the provisioning and the updating phase of the instance. In addition, if using the provisioned IOPS SSD (io1) storage type, the IOPS value can also be defined through the property iops. The default storage_type is io1 if none is defined.

  • Added deprecation warning to cores property: The cores property is now deprecated and optional if you use the instance_class property. cores is a translation layer to the instance_class property. The database instance class determines the computation and memory capacity of an Amazon RDS database instance. The database instance class you need depends on your processing power and memory requirements. Use instance_class to adjust the database instance to your requirements.

  • subsume property was removed from the plans: The subsume property wasn’t working and was removed to prevent confusion. The old custom plans that contained this property must be modified or deleted. For more information, see Changing custom plans.

  • Database option group association: A database option group can now be associated through option_group_name. MySQL offers additional features, such as the audit plug-in or Memcached to manage data and the database or to provide additional security for the database. RDS uses option groups to enable and configure these features.

  • Audit-logging: You can now activate audit-logging by setting option_group_name with a pre-created Option Group that fulfils the requirements for audit log exports. By default, audit-logging is deactivated. When activated, the default number of log retention days is 30. You can configure these properties:

    • cloudwatch_log_group_retention_in_days: This is used in conjunction with enable_audit_logging. If provided, it sets the retention days for the log group containing the RDS audit logs.

    • cloudwatch_log_group_kms_key_id: This is used in conjunction with enable_audit_logging. If provided, it sets the KMS key to use for encrypting the CloudWatch log group that is created for the RDS audit logs.

  • Enhanced Monitoring: You can activate Enhanced Monitoring to enable all the system metrics and process information for the RDS database instances on the console. By default, enhanced monitoring is deactivated. To enable this feature, configure these properties:

    • monitoring_interval: The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database instance. To deactivate collecting Enhanced Monitoring metrics, specify 0. Valid values are 0, 1, 5, 10, 15, 30, and 60. It is 0 by default. A monitoring_role_arn value is required if you specify a monitoring_interval value other than 0.

    • monitoring_role_arn: Enhanced Monitoring requires permission to act on your behalf to send OS metric information to CloudWatch Logs. This property represents the ARN for the IAM role that permits RDS to send Enhanced Monitoring metrics to CloudWatch Logs.

  • Performance Insights: You can now enable Performance Insights that expand on existing Amazon RDS monitoring features to illustrate the database performance and help you analyze it. By default, Performance Insights are deactivated. To activate this feature, configure these properties:

    • performance_insights_enabled: Specifies whether Performance Insights are enabled. It is false by default.

    • performance_insights_kms_key_id: The ARN for the KMS key to encrypt Performance Insights data. When specifying performance_insights_kms_key_id, you must set performance_insights_enabled as true. After the KMS key is set, it can never be changed.

    • performance_insights_retention_period: The number of days to retain Performance Insights data. When specifying performance_insights_retention_period, you must set performance_insights_enabled as true. Valid values are 7, NUMBER-OF-MONTHS * 31 (where NUMBER-OF-MONTHS is 1-23), or 731.

  • KMS encryption key for encrypting the storage: By default, an AWS managed key for Amazon RDS is used to encrypt the database instance. You can use the kms_key_id property to define a customer managed key. You must enable the storage_encrypted property if the key is specified. Use the ARN in this field and not the ID as the name might suggest.
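As an added example, not part of the release notes or the brokerpak itself, the following Python script lints custom RDS MySQL plan definitions before the broker upgrade: it flags the removed use_tls and subsume properties and the defaults that now change (storage_type, storage_encrypted, multi_az) from the breaking changes above, and checks the property constraints listed for the KMS key, Enhanced Monitoring and Performance Insights. The sample plan is constructed, and the "arn:aws:kms:" prefix check is an assumption about what a key ARN looks like.

```python
import json

VALID_INTERVALS = {0, 1, 5, 10, 15, 30, 60}  # Enhanced Monitoring intervals


def valid_pi_retention(days: int) -> bool:
    """Performance Insights retention: 7, N*31 for N in 1..23, or 731 days."""
    return days == 7 or days == 731 or (days % 31 == 0 and 1 <= days // 31 <= 23)


def lint_mysql_plan(plan: dict) -> list:
    """Return a list of findings for one custom RDS MySQL plan definition."""
    findings = []
    # Properties removed in v1.3.0: plans still carrying them must be edited.
    for removed in ("use_tls", "subsume"):
        if removed in plan:
            findings.append(f"{removed}: property was removed, delete it from the plan")
    # Defaults that change on upgrade and are applied to existing instances.
    if "storage_type" not in plan:
        findings.append('storage_type unset: default changes gp2 -> io1, pin "storage_type":"gp2" to keep volumes')
    for prop in ("storage_encrypted", "multi_az"):
        if prop not in plan:
            findings.append(f"{prop} unset: now defaults to true and is applied to existing instances")
    if plan.get("iops") is not None and plan.get("storage_type", "io1") != "io1":
        findings.append("iops is only honoured when storage_type is io1")
    # Customer managed storage key: needs encryption on and must be an ARN.
    kms = plan.get("kms_key_id")
    if kms is not None:
        if plan.get("storage_encrypted", True) is False:
            findings.append("kms_key_id requires storage_encrypted to be true")
        if not str(kms).startswith("arn:aws:kms:"):  # assumed ARN prefix check
            findings.append("kms_key_id must be the key ARN, not the key ID")
    # Enhanced Monitoring: a non-zero interval needs an IAM role for RDS.
    interval = plan.get("monitoring_interval", 0)
    if interval not in VALID_INTERVALS:
        findings.append(f"monitoring_interval {interval} not in {sorted(VALID_INTERVALS)}")
    elif interval != 0 and not plan.get("monitoring_role_arn"):
        findings.append("monitoring_interval other than 0 requires monitoring_role_arn")
    # Performance Insights: key and retention only make sense when enabled.
    pi_on = plan.get("performance_insights_enabled", False)
    for prop in ("performance_insights_kms_key_id", "performance_insights_retention_period"):
        if prop in plan and not pi_on:
            findings.append(f"{prop} requires performance_insights_enabled to be true")
    retention = plan.get("performance_insights_retention_period")
    if retention is not None and not valid_pi_retention(retention):
        findings.append(f"performance_insights_retention_period {retention}: use 7, months*31 (1-23) or 731")
    return findings


# Constructed pre-1.3.0 plan (not a real tenant's plan) carrying the legacy properties.
LEGACY_PLAN = json.loads("""{
  "name": "small-mysql", "id": "00000000-0000-0000-0000-000000000001",
  "cores": 2, "mysql_version": "8.0", "use_tls": false, "subsume": false,
  "monitoring_interval": 15, "performance_insights_retention_period": 94
}""")

if __name__ == "__main__":
    for finding in lint_mysql_plan(LEGACY_PLAN):
        print("-", finding)
```

Run it against each plan in the tile configuration before upgrading; an empty finding list means the plan will not be silently modified by the new defaults.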

Amazon RDS PostgreSQL service

This release has the following changes for the Amazon RDS PostgreSQL service:

  • Performance Insights retention period: The number of days to retain Performance Insights data can be configured through performance_insights_retention_period. By default, when Performance Insights is enabled, this value is 7 days. The value must be 7, NUMBER-OF-MONTHS * 31 (where NUMBER-OF-MONTHS is 1-23), or 731. For example, the following values are valid: 93 (3 months * 31), 341 (11 months * 31), 589 (19 months * 31), and 731. If you specify an invalid retention period, such as 94, RDS issues an error.

Amazon Aurora MySQL-Compatible Edition and Amazon Aurora PostgreSQL-Compatible Edition services

This release has the following changes for the Amazon Aurora MySQL-Compatible Edition and Amazon Aurora PostgreSQL-Compatible Edition services:

  • Added Amazon Aurora MySQL-Compatible Edition and Amazon Aurora PostgreSQL-Compatible Edition (Beta) services: For more information about how to create and manage these services, see Amazon Aurora MySQL-Compatible Edition (Beta) and Amazon Aurora PostgreSQL-Compatible Edition (Beta).

  • More properties are exposed: Properties such as database name, VPC security group IDs, and whether to allow major and minor version upgrades, are now configurable at plan creation or instance operations for Amazon Aurora MySQL-Compatible Edition and Amazon Aurora PostgreSQL-Compatible Edition. Moreover, you can define your own RDS subnet group when creating a plan or instance.

  • Instances are tagged with TAS IDs: All created instances are tagged with pcf-organization-guid, pcf-space-guid, and pcf-instance-id on provision.

  • Bind and unbind are now performed over TLS: For these operations to work, the AWS certificate bundle must be installed in Ops Manager.

  • deletion_protection can be configured and updated: Added a property that enables you to configure the deletion protection for the Aurora databases in the plan configuration or during provision or update operations. By default, the protection is deactivated.

  • Automated backups: You can schedule automated backups by using preferred_backup_window. The preferred_backup_window configuration uses an AWS default value for the region if the value is null when provisioning the instance. By default, automated backups are activated and cannot be deactivated on Aurora. You can customize this feature by using these properties:

    • copy_tags_to_snapshot: Copy all cluster tags to snapshots. It is true by default.
    • backup_retention_period: The backup retention period property sets the period in which you can perform a point-in-time recovery. It is 1 by default.

  • Enhanced Monitoring: Enhanced Monitoring can now be activated to enable all the system metrics and process information for the RDS database instances on the console. By default, enhanced monitoring is deactivated. To enable this feature, configure these properties:

    • monitoring_interval: The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database instance. To deactivate collecting Enhanced Monitoring metrics, specify 0. Valid values are 0, 1, 5, 10, 15, 30, and 60. It is 0 by default. A monitoring_role_arn value is required if you specify a monitoring_interval value other than 0.

    • monitoring_role_arn: Enhanced Monitoring requires permission to act on your behalf to send OS metric information to CloudWatch Logs. This property represents the ARN for the IAM role that permits RDS to send Enhanced Monitoring metrics to CloudWatch Logs.

  • Performance Insights: Performance insights can now be enabled to expand on existing Amazon RDS monitoring features to illustrate the database performance and help you analyze it. By default, Performance Insights is deactivated. To enable this feature, configure these properties:

    • performance_insights_enabled: Specifies whether Performance Insights are enabled. It is false by default.

    • performance_insights_kms_key_id: The ARN for the KMS key to encrypt Performance Insights data. When specifying performance_insights_kms_key_id, you must set performance_insights_enabled as true. After the KMS key is set, it can never be changed.

    • performance_insights_retention_period: The number of days to retain Performance Insights data. When specifying performance_insights_retention_period, you must set performance_insights_enabled as true. Valid values are 7, NUMBER-OF-MONTHS * 31 (where NUMBER-OF-MONTHS is 1-23), or 731.

Amazon Aurora PostgreSQL-Compatible Edition services

This release has the following changes for Amazon Aurora PostgreSQL-Compatible Edition services:

  • You can configure a database cluster parameter group name: The db_cluster_parameter_group_name sets the database cluster parameter group name. If not set, a database cluster parameter group is created. The database cluster parameter group contains the set of engine configuration parameters that apply throughout the Aurora PostgreSQL database cluster. The database cluster parameter group also contains default settings for the database parameter group for the database instances that make up the cluster.

  • Server rejects non-SSL connections by default: The require_ssl property is true by default, which makes the server require SSL connections. When false, the server accepts SSL and non-SSL connections. If db_cluster_parameter_group_name is specified, then the require_ssl parameter does not take effect.

  • Bind and unbind are now performed over TLS: For these operations to work, you must install the AWS certificate bundle in Ops Manager.

Amazon Aurora MySQL-Compatible Edition services

This release has the following changes for Amazon Aurora MySQL-Compatible Edition services:

  • Unsecured connections are no longer supported: Every connection in Aurora MySQL instances must use TLS encryption. The AWS certificate bundle must be installed in Ops Manager.

  • You can configure a database cluster parameter group name: The db_cluster_parameter_group_name sets the database cluster parameter group name. The database cluster parameter group contains the set of engine configuration parameters that apply throughout the Aurora PostgreSQL database cluster. The database cluster parameter group also contains default settings for the database parameter group for the DB instances that make up the cluster.

  • Audit-logging: You can now activate audit-logging by setting db_cluster_parameter_group_name with a pre-created database cluster parameter group that fulfils requirements for audit log exports. By default, audit-logging is deactivated. When activated, the default number of log retention days is 30. You can configure these properties:

    • cloudwatch_log_group_retention_in_days: This is used in conjunction with enable_audit_logging. If provided, it sets the retention days for the log group containing the cluster audit logs.

    • cloudwatch_log_group_kms_key_id: This is used in conjunction with enable_audit_logging. If provided, it sets the KMS key to use for encrypting the CloudWatch log group that is created for the cluster audit logs.

Resolved Issues

This release has the following fixes:

  • Fail early when updating RDS storage encryption property: Updating the storage_encrypted property for RDS PostgreSQL and MySQL is no longer allowed, and it causes an error immediately after making an update request. Previously, updating this property caused an IaaS error later on in the update operation.

  • Valid MySQL JDBC URL SSL parameter: By default, RDS for MySQL uses and expects all clients to connect using SSL or TLS. Therefore, the value of the SSL parameter in the MySQL JDBC URL is always set to true.

  • RDS VPC security group IDs cannot be updated: Updating rds_vpc_security_group_ids for any of the RDS services (MySQL, PostgreSQL, Aurora MySQL, Aurora PostgreSQL) caused a DependencyViolation error after several minutes of attempting the update. Updating this property is now prohibited and causes a more timely error message.

  • Amazon ElastiCache for Redis is configured for the selected Redis version: Passing the Redis version did not have any effect on the engine version selected in the IaaS, and the AWS ElastiCache for Redis default version was always used. The version was, however, used to define the parameter group name. This triggered an error message when creating or updating, similar to InvalidParameterCombination: Expected a parameter group of family redis7 but found one of family redis6.x. Now the version passed as part of the redis_version plan property is factored into the configuration, and the correct version of Redis is created. Also, the versions list is no longer restricted, and any version that AWS accepts is allowed.

Known Issues

This release has the following issues:

  • S3 bucket service instance update: If you attempt to deactivate versioning for an instance created before upgrading to this version, it is recorded as an update succeeded operation at the first attempt. However, this value is not updated in the broker or in AWS because deactivating versioning is not supported in the IaaS. Subsequent attempts cause an error message that states that versioning can’t be deactivated, as expected.

  • Aurora service instance engine upgrade version can fail: The engine version upgrade operation throws an error because the upgrade is scheduled for the next maintenance period instead of being applied after the command runs, which leaves the engine version values of the involved instances inconsistent.

    For example, an upgrade operation for the aurora-postgresql version going from version 13.10 to version 14.7 fails when you run the command csb update-service SERVICE-INSTANCE-NAME -c '{"engine_version": "14.7"}'. Minor version updates are done automatically if you set the auto_minor_version_upgrade parameter to true. For more information about auto_minor_version_upgrade, see Configuration Parameters.

  • Aurora-PostgreSQL service instance upgrade for a major version can fail: The engine upgrade operation for a major version of aurora-postgreSQL using the default database cluster parameter group throws an error due to the collision of names in the database cluster parameter groups involved in the operation.

  • Random failure when creating S3 buckets: Since April 2023, a change in AWS deactivates ACLs by setting the object ownership to bucket owner enforced. If using ACLs and therefore setting object ownership to a different value (bucket owner preferred or object writer), random errors when provisioning can occur. This is due to an unspecified order of execution of the operations that edit the object ownership and the ACL type, causing the broker to sometimes attempt the ACL configuration with an incompatible value of object ownership.

Amazon RDS for MySQL and Amazon RDS for PostgreSQL

  • Unable to set I/O operations per second (IOPS) when storage type is gp3:

    By using General Purpose SSD gp3 storage volumes, the configuration for customizing storage performance is blocked. A fix is planned for an upcoming release.
