in reply to Re: AWS RDS MySQL SSL
in thread AWS RDS MySQL SSL
Nearly 4 years later and I have a solution (and another problem for another day)
In my case to get the pem file I used the command: wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
At this point (assuming you connected) you're asking yourself how the heck you know you've connected securely. I can't speak for Windows, but this helped me on Unix.
sudo tcpdump -nn -s2048 -X host <IP TO YOUR DB>
Assuming that you only have Amazon's long hostname, you can find <IP TO YOUR DB> with:
dig <AMAZON's LONG RDS HOSTNAME>
If you run some calls to your database you will see it's encrypted.
So this is great, you have an SSL connection to your RDS system ~~ this was relatively painless.
Here's the complete code (assuming you put your .pem in the local directory)
#!/usr/bin/perl
use strict;
use warnings;
use v5.10;   # for say() function
use DBI;

say "Perl MySQL Connect Demo";

# MySQL database configuration
# (the CA file named here must be the .pem you actually downloaded)
my $dsn = 'DBI:mysql:information_schema:<AWS RDS HOST NAME>;'
        . 'mysql_ssl=1;mysql_ssl_ca_file=./rds-combined-ca-bundle.pem';
my $username = '<MYSQL USER>';
my $password = '<MYSQL PASS>';
my %attr = (
    PrintError => 0,   # turn off error reporting via warn()
    RaiseError => 1,   # turn on error reporting via die()
);

my $dbh = DBI->connect($dsn, $username, $password, \%attr);
say "Connected to the MySQL database.";
As programmers painless just isn't our thing. Let's really pile it on.
Start by using AWS's Authentication Plugin with your MySQL database. This is really secure as you can control the accounts directly from Amazon's IAM and passwords are generated instead of recorded. They also require an SSL connection (of course).
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html
Now instead of reinventing the wheel here's an article (complete with perl) outlining how to make the connection.
https://www.capside.com/labs/rds-aurora-database-with-iam-authentication/
I submit that as an example, don't retype all that. Instead use this package to generate your password.
use Signer::AWSv4::RDS
However, it's incomplete. You'll want to take that output and prepend it with your AWS RDS Hostname and port.
my $password = $host . ':3306/?' . $pass_gen->signed_qstring
Armed with that you have everything you need to make an AWSAuthenticationPlugin connection and you'll be so excited you'll decide to plug it into your catalyst server.
It's really a simple matter of overriding the connection subroutine in your Schema.pm like so
before 'connection' => sub { .. }
you can generate your password and add a $_[1]->{password} = $password to the result. Fire up catalyst and you're good to go...
straight to programming hell
We have a memory leak, so when a child process exceeds its allocated memory we give it a suicide signal (-HUP) and it completes what it was doing before it dies. The parent, realizing it died, restarts a new child and passes over the db credentials. However, fifteen minutes later the password has expired and the child can't connect.
I have no idea how to get in the middle of the connection to tell the parent to generate a new password, or tell the child that when they can't connect, they should generate a new password and I'm out of hair to pull out so I gave up and went with my first option - just use SSL.
I'm happy to clarify anything if it helps someone else. This should probably be a post somewhere.
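An added example, not the poster's code and not taken from the capside article, showing one way to handle the fifteen-minute token expiry described above: instead of handing a fixed password to the child, DBIx::Class is given a connect coderef, so every new or re-established connection signs a fresh IAM token, and a query on Ssl_cipher confirms the link is actually encrypted. It assumes the Signer::AWSv4::RDS constructor arguments shown (access_key, secret_key, host, port, user, region), a hypothetical My::Schema DBIx::Class class, and placeholder host/region/user values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use v5.10;
use DBI;
use Signer::AWSv4::RDS;
use My::Schema;   # hypothetical DBIx::Class schema class

my $host   = '<AWS RDS HOST NAME>';   # placeholder
my $region = '<AWS REGION>';          # placeholder
my $user   = '<IAM DB USER>';         # placeholder; created WITH AWSAuthenticationPlugin
my $ca     = './rds-combined-ca-bundle.pem';

# Sign a new token on every call. Tokens are only good for 15 minutes,
# so never cache one in a long-lived parent and hand it to children.
sub fresh_iam_token {
    my $signer = Signer::AWSv4::RDS->new(   # constructor args are an assumption
        access_key => $ENV{AWS_ACCESS_KEY_ID},
        secret_key => $ENV{AWS_SECRET_ACCESS_KEY},
        host       => $host,
        port       => 3306,
        user       => $user,
        region     => $region,
    );
    # Same shape the post describes: host:port/?<signed query string>
    return "$host:3306/?" . $signer->signed_qstring;
}

# Called by DBIx::Class each time it (re)connects, so a child that
# starts after the old token expired still gets a valid one.
sub connect_with_fresh_token {
    my $dsn = "DBI:mysql:database=information_schema;host=$host;port=3306;"
            . "mysql_ssl=1;mysql_ssl_ca_file=$ca";
    # IAM auth sends the token as a cleartext password over TLS; libmysqlclient
    # must have the cleartext plugin enabled (LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1).
    return DBI->connect($dsn, $user, fresh_iam_token(),
        { RaiseError => 1, PrintError => 0, mysql_auto_reconnect => 0 });
}

# Returns the negotiated cipher, or an empty string if the session is plaintext.
sub ssl_cipher {
    my ($dbh) = @_;
    my $row = $dbh->selectrow_arrayref("SHOW STATUS LIKE 'Ssl_cipher'");
    return $row ? $row->[1] : '';
}

my $schema = My::Schema->connect(\&connect_with_fresh_token);
my $cipher = ssl_cipher($schema->storage->dbh);
die "connection is not encrypted" unless length $cipher;
say "Connected with IAM token over TLS, cipher: $cipher";
```

In a Catalyst app the same coderef can be returned from the `before 'connection'` hook in place of the static password, so the pool restart the post describes no longer matters.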
Re^3: AWS RDS MySQL SSL
by hippo (Archbishop) on Dec 13, 2019 at 10:59 UTC |