diff --git a/root.tf b/root.tf
index 4979a7cd..7b786b75 100644
--- a/root.tf
+++ b/root.tf
@@ -790,6 +790,8 @@ module "consignment_api_database" {
   private_subnets    = module.shared_vpc.private_subnets
   security_group_ids = [module.api_database_security_group.security_group_id]
   multi_az           = local.environment == "prod"
+  ca_cert_identifier = local.database_ca_cert_identifier
+  apply_immediately  = true
 }
 
 module "waf_cloudwatch" {
diff --git a/root_keycloak.tf b/root_keycloak.tf
index bca3d4a4..1ee32757 100644
--- a/root_keycloak.tf
+++ b/root_keycloak.tf
@@ -162,7 +162,9 @@ module "keycloak_database_instance" {
   private_subnets         = module.shared_vpc.private_subnets
   security_group_ids      = [module.keycloak_database_security_group.security_group_id]
   multi_az                = local.environment == "prod"
+  ca_cert_identifier      = local.database_ca_cert_identifier
   backup_retention_period = 30
+  apply_immediately       = true
 }
 
 module "create_keycloak_db_users_lambda_new" {
diff --git a/root_locals.tf b/root_locals.tf
index faf3c324..fc08ccf8 100644
--- a/root_locals.tf
+++ b/root_locals.tf
@@ -24,6 +24,8 @@ locals {
 
   database_availability_zone = "eu-west-2a"
 
+  database_ca_cert_identifier = "rds-ca-rsa2048-g1"
+
   region = "eu-west-2"
 
   dns_zone_id = data.aws_route53_zone.tdr_dns_zone.zone_id
diff --git a/tdr-terraform-modules b/tdr-terraform-modules
index 80db0802..0d4deb02 160000
--- a/tdr-terraform-modules
+++ b/tdr-terraform-modules
@@ -1 +1 @@
-Subproject commit 80db08021f113d912c463624a959c6143b072e1d
+Subproject commit 0d4deb024cc04a9d4f8b147a44323c6516bc3769