aws-cdk-lib 2.96.2__py3-none-any.whl → 2.97.1__py3-none-any.whl

aws_cdk/aws_rds/__init__.py

@@ -34,7 +34,7 @@ cluster = rds.DatabaseCluster(self, "Database",
 )
 ```
 
-To adopt Aurora I/O-Optimized. Speicify `DBClusterStorageType.AURORA_IOPT1` on the `storageType` property.
+To adopt Aurora I/O-Optimized. Specify `DBClusterStorageType.AURORA_IOPT1` on the `storageType` property.
 
 ```python
 # vpc: ec2.Vpc
@@ -307,6 +307,28 @@ DB instance to a status of `incompatible-parameters`. While the DB instance has
 the incompatible-parameters status, some operations are blocked. For example,
 you can't upgrade the engine version.
 
+#### CA certificate
+
+Use the `caCertificate` property to specify the [CA certificates](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html)
+to use for a cluster instances:
+
+```python
+# vpc: ec2.Vpc
+
+cluster = rds.DatabaseCluster(self, "Database",
+    engine=rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_3_01_0),
+    writer=rds.ClusterInstance.provisioned("writer",
+        ca_certificate=rds.CaCertificate.RDS_CA_RDS2048_G1
+    ),
+    readers=[
+        rds.ClusterInstance.serverless_v2("reader",
+            ca_certificate=rds.CaCertificate.of("custom-ca")
+        )
+    ],
+    vpc=vpc
+)
+```
+
 ### Migrating from instanceProps
 
 Creating instances in a `DatabaseCluster` using `instanceProps` & `instances` is
@@ -2855,7 +2877,7 @@ class CaCertificate(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_rds.CaCertificate",
 ):
-    '''The CA certificate used for this DB instance.
+    '''The CA certificate used for a DB instance.
 
     :see: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
     :exampleMetadata: infused
@@ -2868,7 +2890,7 @@ class CaCertificate(
         rds.DatabaseInstance(self, "Instance",
             engine=rds.DatabaseInstanceEngine.mysql(version=rds.MysqlEngineVersion.VER_8_0_30),
             vpc=vpc,
-            ca_certificate=rds.CaCertificate.RDS_CA_RDS2048_G1
+            ca_certificate=rds.CaCertificate.of("future-rds-ca")
         )
     '''
 
@@ -6951,7 +6973,11 @@ class CfnDBInstance(
             delete_automated_backups=False,
             deletion_protection=False,
             domain="domain",
+            domain_auth_secret_arn="domainAuthSecretArn",
+            domain_dns_ips=["domainDnsIps"],
+            domain_fqdn="domainFqdn",
             domain_iam_role_name="domainIamRoleName",
+            domain_ou="domainOu",
             enable_cloudwatch_logs_exports=["enableCloudwatchLogsExports"],
             enable_iam_database_authentication=False,
             enable_performance_insights=False,
@@ -7042,7 +7068,11 @@ class CfnDBInstance(
         delete_automated_backups: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         deletion_protection: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         domain: typing.Optional[builtins.str] = None,
+        domain_auth_secret_arn: typing.Optional[builtins.str] = None,
+        domain_dns_ips: typing.Optional[typing.Sequence[builtins.str]] = None,
+        domain_fqdn: typing.Optional[builtins.str] = None,
         domain_iam_role_name: typing.Optional[builtins.str] = None,
+        domain_ou: typing.Optional[builtins.str] = None,
         enable_cloudwatch_logs_exports: typing.Optional[typing.Sequence[builtins.str]] = None,
         enable_iam_database_authentication: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         enable_performance_insights: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
@@ -7116,7 +7146,11 @@ class CfnDBInstance(
         :param delete_automated_backups: A value that indicates whether to remove automated backups immediately after the DB instance is deleted. This parameter isn't case-sensitive. The default is to remove automated backups immediately after the DB instance is deleted. *Amazon Aurora* Not applicable. When you delete a DB cluster, all automated backups for that DB cluster are deleted and can't be recovered. Manual DB cluster snapshots of the DB cluster are not deleted.
         :param deletion_protection: A value that indicates whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled. For more information, see `Deleting a DB Instance <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html>`_ . *Amazon Aurora* Not applicable. You can enable or disable deletion protection for the DB cluster. For more information, see ``CreateDBCluster`` . DB instances in a DB cluster can be deleted even when deletion protection is enabled for the DB cluster.
         :param domain: The Active Directory directory ID to create the DB instance in. Currently, only Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain. For more information, see `Kerberos Authentication <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html>`_ in the *Amazon RDS User Guide* .
+        :param domain_auth_secret_arn: The ARN for the Secrets Manager secret with the credentials for the user joining the domain. Example: ``arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456``
+        :param domain_dns_ips: The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers. Constraints: - Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list. Example: ``123.124.125.126,234.235.236.237``
+        :param domain_fqdn: The fully qualified domain name (FQDN) of an Active Directory domain. Constraints: - Can't be longer than 64 characters. Example: ``mymanagedADtest.mymanagedAD.mydomain``
         :param domain_iam_role_name: The name of the IAM role to use when making API calls to the Directory Service. This setting doesn't apply to the following DB instances: - Amazon Aurora (The domain is managed by the DB cluster.) - RDS Custom
+        :param domain_ou: The Active Directory organizational unit for your DB instance to join. Constraints: - Must be in the distinguished name format. - Can't be longer than 64 characters. Example: ``OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain``
         :param enable_cloudwatch_logs_exports: The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see `Publishing Database Logs to Amazon CloudWatch Logs <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch>`_ in the *Amazon Relational Database Service User Guide* . *Amazon Aurora* Not applicable. CloudWatch Logs exports are managed by the DB cluster. *MariaDB* Valid values: ``audit`` , ``error`` , ``general`` , ``slowquery`` *Microsoft SQL Server* Valid values: ``agent`` , ``error`` *MySQL* Valid values: ``audit`` , ``error`` , ``general`` , ``slowquery`` *Oracle* Valid values: ``alert`` , ``audit`` , ``listener`` , ``trace`` , ``oemagent`` *PostgreSQL* Valid values: ``postgresql`` , ``upgrade``
         :param enable_iam_database_authentication: A value that indicates whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. By default, mapping is disabled. This property is supported for RDS for MariaDB, RDS for MySQL, and RDS for PostgreSQL. For more information, see `IAM Database Authentication for MariaDB, MySQL, and PostgreSQL <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html>`_ in the *Amazon RDS User Guide.* *Amazon Aurora* Not applicable. Mapping AWS IAM accounts to database accounts is managed by the DB cluster.
         :param enable_performance_insights: Specifies whether to enable Performance Insights for the DB instance. For more information, see `Using Amazon Performance Insights <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html>`_ in the *Amazon RDS User Guide* . This setting doesn't apply to RDS Custom DB instances.
@@ -7192,7 +7226,11 @@ class CfnDBInstance(
             delete_automated_backups=delete_automated_backups,
             deletion_protection=deletion_protection,
             domain=domain,
+            domain_auth_secret_arn=domain_auth_secret_arn,
+            domain_dns_ips=domain_dns_ips,
+            domain_fqdn=domain_fqdn,
             domain_iam_role_name=domain_iam_role_name,
+            domain_ou=domain_ou,
             enable_cloudwatch_logs_exports=enable_cloudwatch_logs_exports,
             enable_iam_database_authentication=enable_iam_database_authentication,
             enable_performance_insights=enable_performance_insights,
@@ -7732,6 +7770,45 @@ class CfnDBInstance(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "domain", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="domainAuthSecretArn")
+    def domain_auth_secret_arn(self) -> typing.Optional[builtins.str]:
+        '''The ARN for the Secrets Manager secret with the credentials for the user joining the domain.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "domainAuthSecretArn"))
+
+    @domain_auth_secret_arn.setter
+    def domain_auth_secret_arn(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__9b5d4902ede3d92cf4c7fab61f72976571c6eb7c6ab3f302c7a3141ebf579693)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "domainAuthSecretArn", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="domainDnsIps")
+    def domain_dns_ips(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers.'''
+        return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "domainDnsIps"))
+
+    @domain_dns_ips.setter
+    def domain_dns_ips(self, value: typing.Optional[typing.List[builtins.str]]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a7b0abeab7a2e8161cf91da1b3dc87147814a47d1bfd5ad97fc9f7e9cf76a60e)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "domainDnsIps", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="domainFqdn")
+    def domain_fqdn(self) -> typing.Optional[builtins.str]:
+        '''The fully qualified domain name (FQDN) of an Active Directory domain.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "domainFqdn"))
+
+    @domain_fqdn.setter
+    def domain_fqdn(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__7df38ba6bc42bad8a2ae880683ff414eeb28bb260f5afef16aa42f7acff5f965)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "domainFqdn", value)
+
     @builtins.property
     @jsii.member(jsii_name="domainIamRoleName")
     def domain_iam_role_name(self) -> typing.Optional[builtins.str]:
@@ -7745,6 +7822,19 @@ class CfnDBInstance(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "domainIamRoleName", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="domainOu")
+    def domain_ou(self) -> typing.Optional[builtins.str]:
+        '''The Active Directory organizational unit for your DB instance to join.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "domainOu"))
+
+    @domain_ou.setter
+    def domain_ou(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__2fbe1d1078f743fa5360c26d9fed3f54f1a508a16b962a9b930ace1bb00a3a25)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "domainOu", value)
+
     @builtins.property
     @jsii.member(jsii_name="enableCloudwatchLogsExports")
     def enable_cloudwatch_logs_exports(
@@ -8845,7 +8935,11 @@ class CfnDBInstance(
         "delete_automated_backups": "deleteAutomatedBackups",
         "deletion_protection": "deletionProtection",
         "domain": "domain",
+        "domain_auth_secret_arn": "domainAuthSecretArn",
+        "domain_dns_ips": "domainDnsIps",
+        "domain_fqdn": "domainFqdn",
         "domain_iam_role_name": "domainIamRoleName",
+        "domain_ou": "domainOu",
         "enable_cloudwatch_logs_exports": "enableCloudwatchLogsExports",
         "enable_iam_database_authentication": "enableIamDatabaseAuthentication",
         "enable_performance_insights": "enablePerformanceInsights",
@@ -8921,7 +9015,11 @@ class CfnDBInstanceProps:
         delete_automated_backups: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         deletion_protection: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         domain: typing.Optional[builtins.str] = None,
+        domain_auth_secret_arn: typing.Optional[builtins.str] = None,
+        domain_dns_ips: typing.Optional[typing.Sequence[builtins.str]] = None,
+        domain_fqdn: typing.Optional[builtins.str] = None,
         domain_iam_role_name: typing.Optional[builtins.str] = None,
+        domain_ou: typing.Optional[builtins.str] = None,
         enable_cloudwatch_logs_exports: typing.Optional[typing.Sequence[builtins.str]] = None,
         enable_iam_database_authentication: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         enable_performance_insights: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
@@ -8994,7 +9092,11 @@ class CfnDBInstanceProps:
         :param delete_automated_backups: A value that indicates whether to remove automated backups immediately after the DB instance is deleted. This parameter isn't case-sensitive. The default is to remove automated backups immediately after the DB instance is deleted. *Amazon Aurora* Not applicable. When you delete a DB cluster, all automated backups for that DB cluster are deleted and can't be recovered. Manual DB cluster snapshots of the DB cluster are not deleted.
         :param deletion_protection: A value that indicates whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled. For more information, see `Deleting a DB Instance <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html>`_ . *Amazon Aurora* Not applicable. You can enable or disable deletion protection for the DB cluster. For more information, see ``CreateDBCluster`` . DB instances in a DB cluster can be deleted even when deletion protection is enabled for the DB cluster.
         :param domain: The Active Directory directory ID to create the DB instance in. Currently, only Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain. For more information, see `Kerberos Authentication <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html>`_ in the *Amazon RDS User Guide* .
+        :param domain_auth_secret_arn: The ARN for the Secrets Manager secret with the credentials for the user joining the domain. Example: ``arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456``
+        :param domain_dns_ips: The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers. Constraints: - Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list. Example: ``123.124.125.126,234.235.236.237``
+        :param domain_fqdn: The fully qualified domain name (FQDN) of an Active Directory domain. Constraints: - Can't be longer than 64 characters. Example: ``mymanagedADtest.mymanagedAD.mydomain``
         :param domain_iam_role_name: The name of the IAM role to use when making API calls to the Directory Service. This setting doesn't apply to the following DB instances: - Amazon Aurora (The domain is managed by the DB cluster.) - RDS Custom
+        :param domain_ou: The Active Directory organizational unit for your DB instance to join. Constraints: - Must be in the distinguished name format. - Can't be longer than 64 characters. Example: ``OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain``
         :param enable_cloudwatch_logs_exports: The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see `Publishing Database Logs to Amazon CloudWatch Logs <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch>`_ in the *Amazon Relational Database Service User Guide* . *Amazon Aurora* Not applicable. CloudWatch Logs exports are managed by the DB cluster. *MariaDB* Valid values: ``audit`` , ``error`` , ``general`` , ``slowquery`` *Microsoft SQL Server* Valid values: ``agent`` , ``error`` *MySQL* Valid values: ``audit`` , ``error`` , ``general`` , ``slowquery`` *Oracle* Valid values: ``alert`` , ``audit`` , ``listener`` , ``trace`` , ``oemagent`` *PostgreSQL* Valid values: ``postgresql`` , ``upgrade``
         :param enable_iam_database_authentication: A value that indicates whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. By default, mapping is disabled. This property is supported for RDS for MariaDB, RDS for MySQL, and RDS for PostgreSQL. For more information, see `IAM Database Authentication for MariaDB, MySQL, and PostgreSQL <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html>`_ in the *Amazon RDS User Guide.* *Amazon Aurora* Not applicable. Mapping AWS IAM accounts to database accounts is managed by the DB cluster.
         :param enable_performance_insights: Specifies whether to enable Performance Insights for the DB instance. For more information, see `Using Amazon Performance Insights <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html>`_ in the *Amazon RDS User Guide* . This setting doesn't apply to RDS Custom DB instances.
@@ -9081,7 +9183,11 @@ class CfnDBInstanceProps:
                 delete_automated_backups=False,
                 deletion_protection=False,
                 domain="domain",
+                domain_auth_secret_arn="domainAuthSecretArn",
+                domain_dns_ips=["domainDnsIps"],
+                domain_fqdn="domainFqdn",
                 domain_iam_role_name="domainIamRoleName",
+                domain_ou="domainOu",
                 enable_cloudwatch_logs_exports=["enableCloudwatchLogsExports"],
                 enable_iam_database_authentication=False,
                 enable_performance_insights=False,
@@ -9168,7 +9274,11 @@ class CfnDBInstanceProps:
             check_type(argname="argument delete_automated_backups", value=delete_automated_backups, expected_type=type_hints["delete_automated_backups"])
             check_type(argname="argument deletion_protection", value=deletion_protection, expected_type=type_hints["deletion_protection"])
             check_type(argname="argument domain", value=domain, expected_type=type_hints["domain"])
+            check_type(argname="argument domain_auth_secret_arn", value=domain_auth_secret_arn, expected_type=type_hints["domain_auth_secret_arn"])
+            check_type(argname="argument domain_dns_ips", value=domain_dns_ips, expected_type=type_hints["domain_dns_ips"])
+            check_type(argname="argument domain_fqdn", value=domain_fqdn, expected_type=type_hints["domain_fqdn"])
             check_type(argname="argument domain_iam_role_name", value=domain_iam_role_name, expected_type=type_hints["domain_iam_role_name"])
+            check_type(argname="argument domain_ou", value=domain_ou, expected_type=type_hints["domain_ou"])
             check_type(argname="argument enable_cloudwatch_logs_exports", value=enable_cloudwatch_logs_exports, expected_type=type_hints["enable_cloudwatch_logs_exports"])
             check_type(argname="argument enable_iam_database_authentication", value=enable_iam_database_authentication, expected_type=type_hints["enable_iam_database_authentication"])
             check_type(argname="argument enable_performance_insights", value=enable_performance_insights, expected_type=type_hints["enable_performance_insights"])
@@ -9263,8 +9373,16 @@ class CfnDBInstanceProps:
             self._values["deletion_protection"] = deletion_protection
         if domain is not None:
             self._values["domain"] = domain
+        if domain_auth_secret_arn is not None:
+            self._values["domain_auth_secret_arn"] = domain_auth_secret_arn
+        if domain_dns_ips is not None:
+            self._values["domain_dns_ips"] = domain_dns_ips
+        if domain_fqdn is not None:
+            self._values["domain_fqdn"] = domain_fqdn
         if domain_iam_role_name is not None:
             self._values["domain_iam_role_name"] = domain_iam_role_name
+        if domain_ou is not None:
+            self._values["domain_ou"] = domain_ou
         if enable_cloudwatch_logs_exports is not None:
             self._values["enable_cloudwatch_logs_exports"] = enable_cloudwatch_logs_exports
         if enable_iam_database_authentication is not None:
@@ -9883,6 +10001,47 @@ class CfnDBInstanceProps:
         result = self._values.get("domain")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def domain_auth_secret_arn(self) -> typing.Optional[builtins.str]:
+        '''The ARN for the Secrets Manager secret with the credentials for the user joining the domain.
+
+        Example: ``arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456``
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-domainauthsecretarn
+        '''
+        result = self._values.get("domain_auth_secret_arn")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def domain_dns_ips(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers.
+
+        Constraints:
+
+        - Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list.
+
+        Example: ``123.124.125.126,234.235.236.237``
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-domaindnsips
+        '''
+        result = self._values.get("domain_dns_ips")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    @builtins.property
+    def domain_fqdn(self) -> typing.Optional[builtins.str]:
+        '''The fully qualified domain name (FQDN) of an Active Directory domain.
+
+        Constraints:
+
+        - Can't be longer than 64 characters.
+
+        Example: ``mymanagedADtest.mymanagedAD.mydomain``
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-domainfqdn
+        '''
+        result = self._values.get("domain_fqdn")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def domain_iam_role_name(self) -> typing.Optional[builtins.str]:
         '''The name of the IAM role to use when making API calls to the Directory Service.
@@ -9897,6 +10056,22 @@ class CfnDBInstanceProps:
         result = self._values.get("domain_iam_role_name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def domain_ou(self) -> typing.Optional[builtins.str]:
+        '''The Active Directory organizational unit for your DB instance to join.
+
+        Constraints:
+
+        - Must be in the distinguished name format.
+        - Can't be longer than 64 characters.
+
+        Example: ``OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain``
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html#cfn-rds-dbinstance-domainou
+        '''
+        result = self._values.get("domain_ou")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def enable_cloudwatch_logs_exports(
         self,
@@ -15608,6 +15783,7 @@ class ClusterInstanceBindOptions:
     name_mapping={
         "allow_major_version_upgrade": "allowMajorVersionUpgrade",
         "auto_minor_version_upgrade": "autoMinorVersionUpgrade",
+        "ca_certificate": "caCertificate",
         "enable_performance_insights": "enablePerformanceInsights",
         "instance_identifier": "instanceIdentifier",
         "is_from_legacy_instance_props": "isFromLegacyInstanceProps",
@@ -15624,6 +15800,7 @@ class ClusterInstanceOptions:
         *,
         allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
         auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+        ca_certificate: typing.Optional[CaCertificate] = None,
         enable_performance_insights: typing.Optional[builtins.bool] = None,
         instance_identifier: typing.Optional[builtins.str] = None,
         is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -15637,6 +15814,7 @@ class ClusterInstanceOptions:
 
         :param allow_major_version_upgrade: Whether to allow upgrade of major version for the DB instance. Default: - false
         :param auto_minor_version_upgrade: Whether to enable automatic upgrade of minor version for the DB instance. Default: - true
+        :param ca_certificate: The identifier of the CA certificate for this DB cluster's instances. Specifying or updating this property triggers a reboot. For RDS DB engines: Default: - RDS will choose a certificate authority
         :param enable_performance_insights: Whether to enable Performance Insights for the DB instance. Default: - false, unless ``performanceInsightRentention`` or ``performanceInsightEncryptionKey`` is set.
         :param instance_identifier: The identifier for the database instance. Default: - CloudFormation generated identifier
         :param is_from_legacy_instance_props: Only used for migrating existing clusters from using ``instanceProps`` to ``writer`` and ``readers``. Default: false
@@ -15655,12 +15833,14 @@ class ClusterInstanceOptions:
             from aws_cdk import aws_kms as kms
             from aws_cdk import aws_rds as rds
             
+            # ca_certificate: rds.CaCertificate
             # key: kms.Key
             # parameter_group: rds.ParameterGroup
             
             cluster_instance_options = rds.ClusterInstanceOptions(
                 allow_major_version_upgrade=False,
                 auto_minor_version_upgrade=False,
+                ca_certificate=ca_certificate,
                 enable_performance_insights=False,
                 instance_identifier="instanceIdentifier",
                 is_from_legacy_instance_props=False,
@@ -15677,6 +15857,7 @@ class ClusterInstanceOptions:
             type_hints = typing.get_type_hints(_typecheckingstub__8cdde1ea7f85160803079277e8fcc0af34768579c1b17b771033b3c6374858ac)
             check_type(argname="argument allow_major_version_upgrade", value=allow_major_version_upgrade, expected_type=type_hints["allow_major_version_upgrade"])
             check_type(argname="argument auto_minor_version_upgrade", value=auto_minor_version_upgrade, expected_type=type_hints["auto_minor_version_upgrade"])
+            check_type(argname="argument ca_certificate", value=ca_certificate, expected_type=type_hints["ca_certificate"])
             check_type(argname="argument enable_performance_insights", value=enable_performance_insights, expected_type=type_hints["enable_performance_insights"])
             check_type(argname="argument instance_identifier", value=instance_identifier, expected_type=type_hints["instance_identifier"])
             check_type(argname="argument is_from_legacy_instance_props", value=is_from_legacy_instance_props, expected_type=type_hints["is_from_legacy_instance_props"])
@@ -15690,6 +15871,8 @@ class ClusterInstanceOptions:
             self._values["allow_major_version_upgrade"] = allow_major_version_upgrade
         if auto_minor_version_upgrade is not None:
             self._values["auto_minor_version_upgrade"] = auto_minor_version_upgrade
+        if ca_certificate is not None:
+            self._values["ca_certificate"] = ca_certificate
         if enable_performance_insights is not None:
             self._values["enable_performance_insights"] = enable_performance_insights
         if instance_identifier is not None:
@@ -15725,6 +15908,21 @@ class ClusterInstanceOptions:
         result = self._values.get("auto_minor_version_upgrade")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def ca_certificate(self) -> typing.Optional[CaCertificate]:
+        '''The identifier of the CA certificate for this DB cluster's instances.
+
+        Specifying or updating this property triggers a reboot.
+
+        For RDS DB engines:
+
+        :default: - RDS will choose a certificate authority
+
+        :see: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html
+        '''
+        result = self._values.get("ca_certificate")
+        return typing.cast(typing.Optional[CaCertificate], result)
+
     @builtins.property
     def enable_performance_insights(self) -> typing.Optional[builtins.bool]:
         '''Whether to enable Performance Insights for the DB instance.
@@ -15866,6 +16064,7 @@ class ClusterInstanceOptions:
     name_mapping={
         "allow_major_version_upgrade": "allowMajorVersionUpgrade",
         "auto_minor_version_upgrade": "autoMinorVersionUpgrade",
+        "ca_certificate": "caCertificate",
         "enable_performance_insights": "enablePerformanceInsights",
         "instance_identifier": "instanceIdentifier",
         "is_from_legacy_instance_props": "isFromLegacyInstanceProps",
@@ -15884,6 +16083,7 @@ class ClusterInstanceProps(ClusterInstanceOptions):
         *,
         allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
         auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+        ca_certificate: typing.Optional[CaCertificate] = None,
         enable_performance_insights: typing.Optional[builtins.bool] = None,
         instance_identifier: typing.Optional[builtins.str] = None,
         is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -15899,6 +16099,7 @@ class ClusterInstanceProps(ClusterInstanceOptions):
 
         :param allow_major_version_upgrade: Whether to allow upgrade of major version for the DB instance. Default: - false
         :param auto_minor_version_upgrade: Whether to enable automatic upgrade of minor version for the DB instance. Default: - true
+        :param ca_certificate: The identifier of the CA certificate for this DB cluster's instances. Specifying or updating this property triggers a reboot. For RDS DB engines: Default: - RDS will choose a certificate authority
         :param enable_performance_insights: Whether to enable Performance Insights for the DB instance. Default: - false, unless ``performanceInsightRentention`` or ``performanceInsightEncryptionKey`` is set.
         :param instance_identifier: The identifier for the database instance. Default: - CloudFormation generated identifier
         :param is_from_legacy_instance_props: Only used for migrating existing clusters from using ``instanceProps`` to ``writer`` and ``readers``. Default: false
@@ -15919,6 +16120,7 @@ class ClusterInstanceProps(ClusterInstanceOptions):
             from aws_cdk import aws_kms as kms
             from aws_cdk import aws_rds as rds
             
+            # ca_certificate: rds.CaCertificate
             # cluster_instance_type: rds.ClusterInstanceType
             # key: kms.Key
             # parameter_group: rds.ParameterGroup
@@ -15929,6 +16131,7 @@ class ClusterInstanceProps(ClusterInstanceOptions):
                 # the properties below are optional
                 allow_major_version_upgrade=False,
                 auto_minor_version_upgrade=False,
+                ca_certificate=ca_certificate,
                 enable_performance_insights=False,
                 instance_identifier="instanceIdentifier",
                 is_from_legacy_instance_props=False,
@@ -15946,6 +16149,7 @@ class ClusterInstanceProps(ClusterInstanceOptions):
             type_hints = typing.get_type_hints(_typecheckingstub__431d59239caf38b9912bfae3130d40eeb8bdb18e013240bac43c980158561c00)
             check_type(argname="argument allow_major_version_upgrade", value=allow_major_version_upgrade, expected_type=type_hints["allow_major_version_upgrade"])
             check_type(argname="argument auto_minor_version_upgrade", value=auto_minor_version_upgrade, expected_type=type_hints["auto_minor_version_upgrade"])
+            check_type(argname="argument ca_certificate", value=ca_certificate, expected_type=type_hints["ca_certificate"])
             check_type(argname="argument enable_performance_insights", value=enable_performance_insights, expected_type=type_hints["enable_performance_insights"])
             check_type(argname="argument instance_identifier", value=instance_identifier, expected_type=type_hints["instance_identifier"])
             check_type(argname="argument is_from_legacy_instance_props", value=is_from_legacy_instance_props, expected_type=type_hints["is_from_legacy_instance_props"])
@@ -15963,6 +16167,8 @@ class ClusterInstanceProps(ClusterInstanceOptions):
             self._values["allow_major_version_upgrade"] = allow_major_version_upgrade
         if auto_minor_version_upgrade is not None:
             self._values["auto_minor_version_upgrade"] = auto_minor_version_upgrade
+        if ca_certificate is not None:
+            self._values["ca_certificate"] = ca_certificate
         if enable_performance_insights is not None:
             self._values["enable_performance_insights"] = enable_performance_insights
         if instance_identifier is not None:
@@ -16000,6 +16206,21 @@ class ClusterInstanceProps(ClusterInstanceOptions):
         result = self._values.get("auto_minor_version_upgrade")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def ca_certificate(self) -> typing.Optional[CaCertificate]:
+        '''The identifier of the CA certificate for this DB cluster's instances.
+
+        Specifying or updating this property triggers a reboot.
+
+        For RDS DB engines:
+
+        :default: - RDS will choose a certificate authority
+
+        :see: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html
+        '''
+        result = self._values.get("ca_certificate")
+        return typing.cast(typing.Optional[CaCertificate], result)
+
     @builtins.property
     def enable_performance_insights(self) -> typing.Optional[builtins.bool]:
         '''Whether to enable Performance Insights for the DB instance.
@@ -17205,17 +17426,17 @@ class DatabaseClusterEngine(
         
         cluster = rds.DatabaseCluster(self, "Database",
             engine=rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_2_08_1),
+            credentials=rds.Credentials.from_generated_secret("clusteradmin"),  # Optional - will default to 'admin' username and generated password
             writer=rds.ClusterInstance.provisioned("writer",
-                instance_type=ec2.InstanceType.of(ec2.InstanceClass.R6G, ec2.InstanceSize.XLARGE4)
+                publicly_accessible=False
             ),
-            serverless_v2_min_capacity=6.5,
-            serverless_v2_max_capacity=64,
             readers=[
-                # will be put in promotion tier 1 and will scale with the writer
-                rds.ClusterInstance.serverless_v2("reader1", scale_with_writer=True),
-                # will be put in promotion tier 2 and will not scale with the writer
+                rds.ClusterInstance.provisioned("reader1", promotion_tier=1),
                 rds.ClusterInstance.serverless_v2("reader2")
             ],
+            vpc_subnets=ec2.SubnetSelection(
+                subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS
+            ),
             vpc=vpc
         )
     '''
@@ -30217,6 +30438,7 @@ class ProcessorFeatures:
     name_mapping={
         "allow_major_version_upgrade": "allowMajorVersionUpgrade",
         "auto_minor_version_upgrade": "autoMinorVersionUpgrade",
+        "ca_certificate": "caCertificate",
         "enable_performance_insights": "enablePerformanceInsights",
         "instance_identifier": "instanceIdentifier",
         "is_from_legacy_instance_props": "isFromLegacyInstanceProps",
@@ -30235,6 +30457,7 @@ class ProvisionedClusterInstanceProps(ClusterInstanceOptions):
         *,
         allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
         auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+        ca_certificate: typing.Optional[CaCertificate] = None,
         enable_performance_insights: typing.Optional[builtins.bool] = None,
         instance_identifier: typing.Optional[builtins.str] = None,
         is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -30250,6 +30473,7 @@ class ProvisionedClusterInstanceProps(ClusterInstanceOptions):
 
         :param allow_major_version_upgrade: Whether to allow upgrade of major version for the DB instance. Default: - false
         :param auto_minor_version_upgrade: Whether to enable automatic upgrade of minor version for the DB instance. Default: - true
+        :param ca_certificate: The identifier of the CA certificate for this DB cluster's instances. Specifying or updating this property triggers a reboot. For RDS DB engines: Default: - RDS will choose a certificate authority
         :param enable_performance_insights: Whether to enable Performance Insights for the DB instance. Default: - false, unless ``performanceInsightRentention`` or ``performanceInsightEncryptionKey`` is set.
         :param instance_identifier: The identifier for the database instance. Default: - CloudFormation generated identifier
         :param is_from_legacy_instance_props: Only used for migrating existing clusters from using ``instanceProps`` to ``writer`` and ``readers``. Default: false
@@ -30287,6 +30511,7 @@ class ProvisionedClusterInstanceProps(ClusterInstanceOptions):
             type_hints = typing.get_type_hints(_typecheckingstub__0d5c78a39da629a585066921d3ee78da795285acdbebe6935198fc9293af7e90)
             check_type(argname="argument allow_major_version_upgrade", value=allow_major_version_upgrade, expected_type=type_hints["allow_major_version_upgrade"])
             check_type(argname="argument auto_minor_version_upgrade", value=auto_minor_version_upgrade, expected_type=type_hints["auto_minor_version_upgrade"])
+            check_type(argname="argument ca_certificate", value=ca_certificate, expected_type=type_hints["ca_certificate"])
             check_type(argname="argument enable_performance_insights", value=enable_performance_insights, expected_type=type_hints["enable_performance_insights"])
             check_type(argname="argument instance_identifier", value=instance_identifier, expected_type=type_hints["instance_identifier"])
             check_type(argname="argument is_from_legacy_instance_props", value=is_from_legacy_instance_props, expected_type=type_hints["is_from_legacy_instance_props"])
@@ -30302,6 +30527,8 @@ class ProvisionedClusterInstanceProps(ClusterInstanceOptions):
             self._values["allow_major_version_upgrade"] = allow_major_version_upgrade
         if auto_minor_version_upgrade is not None:
             self._values["auto_minor_version_upgrade"] = auto_minor_version_upgrade
+        if ca_certificate is not None:
+            self._values["ca_certificate"] = ca_certificate
         if enable_performance_insights is not None:
             self._values["enable_performance_insights"] = enable_performance_insights
         if instance_identifier is not None:
@@ -30341,6 +30568,21 @@ class ProvisionedClusterInstanceProps(ClusterInstanceOptions):
         result = self._values.get("auto_minor_version_upgrade")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def ca_certificate(self) -> typing.Optional[CaCertificate]:
+        '''The identifier of the CA certificate for this DB cluster's instances.
+
+        Specifying or updating this property triggers a reboot.
+
+        For RDS DB engines:
+
+        :default: - RDS will choose a certificate authority
+
+        :see: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html
+        '''
+        result = self._values.get("ca_certificate")
+        return typing.cast(typing.Optional[CaCertificate], result)
+
     @builtins.property
     def enable_performance_insights(self) -> typing.Optional[builtins.bool]:
         '''Whether to enable Performance Insights for the DB instance.
@@ -32364,6 +32606,7 @@ class ServerlessScalingOptions:
     name_mapping={
         "allow_major_version_upgrade": "allowMajorVersionUpgrade",
         "auto_minor_version_upgrade": "autoMinorVersionUpgrade",
+        "ca_certificate": "caCertificate",
         "enable_performance_insights": "enablePerformanceInsights",
         "instance_identifier": "instanceIdentifier",
         "is_from_legacy_instance_props": "isFromLegacyInstanceProps",
@@ -32381,6 +32624,7 @@ class ServerlessV2ClusterInstanceProps(ClusterInstanceOptions):
         *,
         allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
         auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+        ca_certificate: typing.Optional[CaCertificate] = None,
         enable_performance_insights: typing.Optional[builtins.bool] = None,
         instance_identifier: typing.Optional[builtins.str] = None,
         is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -32395,6 +32639,7 @@ class ServerlessV2ClusterInstanceProps(ClusterInstanceOptions):
 
         :param allow_major_version_upgrade: Whether to allow upgrade of major version for the DB instance. Default: - false
         :param auto_minor_version_upgrade: Whether to enable automatic upgrade of minor version for the DB instance. Default: - true
+        :param ca_certificate: The identifier of the CA certificate for this DB cluster's instances. Specifying or updating this property triggers a reboot. For RDS DB engines: Default: - RDS will choose a certificate authority
         :param enable_performance_insights: Whether to enable Performance Insights for the DB instance. Default: - false, unless ``performanceInsightRentention`` or ``performanceInsightEncryptionKey`` is set.
         :param instance_identifier: The identifier for the database instance. Default: - CloudFormation generated identifier
         :param is_from_legacy_instance_props: Only used for migrating existing clusters from using ``instanceProps`` to ``writer`` and ``readers``. Default: false
@@ -32427,6 +32672,7 @@ class ServerlessV2ClusterInstanceProps(ClusterInstanceOptions):
             type_hints = typing.get_type_hints(_typecheckingstub__c8fd71a155386e8ce12e74b8c5684dfdd43d26e347ef8bbb979e8a2c34f7b38e)
             check_type(argname="argument allow_major_version_upgrade", value=allow_major_version_upgrade, expected_type=type_hints["allow_major_version_upgrade"])
             check_type(argname="argument auto_minor_version_upgrade", value=auto_minor_version_upgrade, expected_type=type_hints["auto_minor_version_upgrade"])
+            check_type(argname="argument ca_certificate", value=ca_certificate, expected_type=type_hints["ca_certificate"])
             check_type(argname="argument enable_performance_insights", value=enable_performance_insights, expected_type=type_hints["enable_performance_insights"])
             check_type(argname="argument instance_identifier", value=instance_identifier, expected_type=type_hints["instance_identifier"])
             check_type(argname="argument is_from_legacy_instance_props", value=is_from_legacy_instance_props, expected_type=type_hints["is_from_legacy_instance_props"])
@@ -32441,6 +32687,8 @@ class ServerlessV2ClusterInstanceProps(ClusterInstanceOptions):
             self._values["allow_major_version_upgrade"] = allow_major_version_upgrade
         if auto_minor_version_upgrade is not None:
             self._values["auto_minor_version_upgrade"] = auto_minor_version_upgrade
+        if ca_certificate is not None:
+            self._values["ca_certificate"] = ca_certificate
         if enable_performance_insights is not None:
             self._values["enable_performance_insights"] = enable_performance_insights
         if instance_identifier is not None:
@@ -32478,6 +32726,21 @@ class ServerlessV2ClusterInstanceProps(ClusterInstanceOptions):
         result = self._values.get("auto_minor_version_upgrade")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def ca_certificate(self) -> typing.Optional[CaCertificate]:
+        '''The identifier of the CA certificate for this DB cluster's instances.
+
+        Specifying or updating this property triggers a reboot.
+
+        For RDS DB engines:
+
+        :default: - RDS will choose a certificate authority
+
+        :see: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html
+        '''
+        result = self._values.get("ca_certificate")
+        return typing.cast(typing.Optional[CaCertificate], result)
+
     @builtins.property
     def enable_performance_insights(self) -> typing.Optional[builtins.bool]:
         '''Whether to enable Performance Insights for the DB instance.
@@ -34063,6 +34326,7 @@ class ClusterInstance(
         promotion_tier: typing.Optional[jsii.Number] = None,
         allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
         auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+        ca_certificate: typing.Optional[CaCertificate] = None,
         enable_performance_insights: typing.Optional[builtins.bool] = None,
         instance_identifier: typing.Optional[builtins.str] = None,
         is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -34079,6 +34343,7 @@ class ClusterInstance(
         :param promotion_tier: The promotion tier of the cluster instance. Can be between 0-15 For provisioned instances this just determines the failover priority. If multiple instances have the same priority then one will be picked at random Default: 2
         :param allow_major_version_upgrade: Whether to allow upgrade of major version for the DB instance. Default: - false
         :param auto_minor_version_upgrade: Whether to enable automatic upgrade of minor version for the DB instance. Default: - true
+        :param ca_certificate: The identifier of the CA certificate for this DB cluster's instances. Specifying or updating this property triggers a reboot. For RDS DB engines: Default: - RDS will choose a certificate authority
         :param enable_performance_insights: Whether to enable Performance Insights for the DB instance. Default: - false, unless ``performanceInsightRentention`` or ``performanceInsightEncryptionKey`` is set.
         :param instance_identifier: The identifier for the database instance. Default: - CloudFormation generated identifier
         :param is_from_legacy_instance_props: Only used for migrating existing clusters from using ``instanceProps`` to ``writer`` and ``readers``. Default: false
@@ -34102,6 +34367,7 @@ class ClusterInstance(
             promotion_tier=promotion_tier,
             allow_major_version_upgrade=allow_major_version_upgrade,
             auto_minor_version_upgrade=auto_minor_version_upgrade,
+            ca_certificate=ca_certificate,
             enable_performance_insights=enable_performance_insights,
             instance_identifier=instance_identifier,
             is_from_legacy_instance_props=is_from_legacy_instance_props,
@@ -34123,6 +34389,7 @@ class ClusterInstance(
         scale_with_writer: typing.Optional[builtins.bool] = None,
         allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
         auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+        ca_certificate: typing.Optional[CaCertificate] = None,
         enable_performance_insights: typing.Optional[builtins.bool] = None,
         instance_identifier: typing.Optional[builtins.str] = None,
         is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -34138,6 +34405,7 @@ class ClusterInstance(
         :param scale_with_writer: Only applicable to reader instances. If this is true then the instance will be placed in promotion tier 1, otherwise it will be placed in promotion tier 2. For serverless v2 instances this means: - true: The serverless v2 reader will scale to match the writer instance (provisioned or serverless) - false: The serverless v2 reader will scale with the read workfload on the instance Default: false
         :param allow_major_version_upgrade: Whether to allow upgrade of major version for the DB instance. Default: - false
         :param auto_minor_version_upgrade: Whether to enable automatic upgrade of minor version for the DB instance. Default: - true
+        :param ca_certificate: The identifier of the CA certificate for this DB cluster's instances. Specifying or updating this property triggers a reboot. For RDS DB engines: Default: - RDS will choose a certificate authority
         :param enable_performance_insights: Whether to enable Performance Insights for the DB instance. Default: - false, unless ``performanceInsightRentention`` or ``performanceInsightEncryptionKey`` is set.
         :param instance_identifier: The identifier for the database instance. Default: - CloudFormation generated identifier
         :param is_from_legacy_instance_props: Only used for migrating existing clusters from using ``instanceProps`` to ``writer`` and ``readers``. Default: false
@@ -34160,6 +34428,7 @@ class ClusterInstance(
             scale_with_writer=scale_with_writer,
             allow_major_version_upgrade=allow_major_version_upgrade,
             auto_minor_version_upgrade=auto_minor_version_upgrade,
+            ca_certificate=ca_certificate,
             enable_performance_insights=enable_performance_insights,
             instance_identifier=instance_identifier,
             is_from_legacy_instance_props=is_from_legacy_instance_props,
@@ -40753,7 +41022,11 @@ def _typecheckingstub__255b0779ca741853674876540bf77279f6293bea05de2cd18724d2b92
     delete_automated_backups: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     deletion_protection: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     domain: typing.Optional[builtins.str] = None,
+    domain_auth_secret_arn: typing.Optional[builtins.str] = None,
+    domain_dns_ips: typing.Optional[typing.Sequence[builtins.str]] = None,
+    domain_fqdn: typing.Optional[builtins.str] = None,
     domain_iam_role_name: typing.Optional[builtins.str] = None,
+    domain_ou: typing.Optional[builtins.str] = None,
     enable_cloudwatch_logs_exports: typing.Optional[typing.Sequence[builtins.str]] = None,
     enable_iam_database_authentication: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     enable_performance_insights: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
@@ -40959,12 +41232,36 @@ def _typecheckingstub__983187a72c004fd527e146e600a3ba6e403cc37a21153eb4891e215e5
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__9b5d4902ede3d92cf4c7fab61f72976571c6eb7c6ab3f302c7a3141ebf579693(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a7b0abeab7a2e8161cf91da1b3dc87147814a47d1bfd5ad97fc9f7e9cf76a60e(
+    value: typing.Optional[typing.List[builtins.str]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__7df38ba6bc42bad8a2ae880683ff414eeb28bb260f5afef16aa42f7acff5f965(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__7fd9be68a3f0ada770758f20ae678e93c881b405fc762613862a364717217184(
     value: typing.Optional[builtins.str],
 ) -> None:
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__2fbe1d1078f743fa5360c26d9fed3f54f1a508a16b962a9b930ace1bb00a3a25(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__7c0c6818a7c294ab57309fd6f8297e3dcbd9fe8f30e3c917aa472918a93f5ab3(
     value: typing.Optional[typing.List[builtins.str]],
 ) -> None:
@@ -41302,7 +41599,11 @@ def _typecheckingstub__3bddb1be0bd1f1699e3a084c5859d94d8879ff15011f2f2eaac29ec16
     delete_automated_backups: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     deletion_protection: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     domain: typing.Optional[builtins.str] = None,
+    domain_auth_secret_arn: typing.Optional[builtins.str] = None,
+    domain_dns_ips: typing.Optional[typing.Sequence[builtins.str]] = None,
+    domain_fqdn: typing.Optional[builtins.str] = None,
     domain_iam_role_name: typing.Optional[builtins.str] = None,
+    domain_ou: typing.Optional[builtins.str] = None,
     enable_cloudwatch_logs_exports: typing.Optional[typing.Sequence[builtins.str]] = None,
     enable_iam_database_authentication: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     enable_performance_insights: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
@@ -42185,6 +42486,7 @@ def _typecheckingstub__8cdde1ea7f85160803079277e8fcc0af34768579c1b17b771033b3c63
     *,
     allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
     auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+    ca_certificate: typing.Optional[CaCertificate] = None,
     enable_performance_insights: typing.Optional[builtins.bool] = None,
     instance_identifier: typing.Optional[builtins.str] = None,
     is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -42201,6 +42503,7 @@ def _typecheckingstub__431d59239caf38b9912bfae3130d40eeb8bdb18e013240bac43c98015
     *,
     allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
     auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+    ca_certificate: typing.Optional[CaCertificate] = None,
     enable_performance_insights: typing.Optional[builtins.bool] = None,
     instance_identifier: typing.Optional[builtins.str] = None,
     is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -43041,6 +43344,7 @@ def _typecheckingstub__0d5c78a39da629a585066921d3ee78da795285acdbebe6935198fc929
     *,
     allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
     auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+    ca_certificate: typing.Optional[CaCertificate] = None,
     enable_performance_insights: typing.Optional[builtins.bool] = None,
     instance_identifier: typing.Optional[builtins.str] = None,
     is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -43276,6 +43580,7 @@ def _typecheckingstub__c8fd71a155386e8ce12e74b8c5684dfdd43d26e347ef8bbb979e8a2c3
     *,
     allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
     auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+    ca_certificate: typing.Optional[CaCertificate] = None,
     enable_performance_insights: typing.Optional[builtins.bool] = None,
     instance_identifier: typing.Optional[builtins.str] = None,
     is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -43410,6 +43715,7 @@ def _typecheckingstub__d0d2cd14a2c7ed00bfb6fd9860c31cd0b1af1bff8343258b1b4a8d847
     promotion_tier: typing.Optional[jsii.Number] = None,
     allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
     auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+    ca_certificate: typing.Optional[CaCertificate] = None,
     enable_performance_insights: typing.Optional[builtins.bool] = None,
     instance_identifier: typing.Optional[builtins.str] = None,
     is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,
@@ -43428,6 +43734,7 @@ def _typecheckingstub__95714f22d2724c29931e2710712a92b10932588d2061fa1ceed93097e
     scale_with_writer: typing.Optional[builtins.bool] = None,
     allow_major_version_upgrade: typing.Optional[builtins.bool] = None,
     auto_minor_version_upgrade: typing.Optional[builtins.bool] = None,
+    ca_certificate: typing.Optional[CaCertificate] = None,
     enable_performance_insights: typing.Optional[builtins.bool] = None,
     instance_identifier: typing.Optional[builtins.str] = None,
     is_from_legacy_instance_props: typing.Optional[builtins.bool] = None,