re-encrypt snapshot with cmk during copying

loadsmart · Mar 18, 2022 · b35807a · b35807a
1 parent 773a634
commit b35807a
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 9 deletions.
diff --git a/cftemplates/snapshots_tool_rds_source.json b/cftemplates/snapshots_tool_rds_source.json
@@ -67,6 +67,11 @@
 			"Default": "FALSE",
 			"Description": "Set to TRUE to filter instances that have tag CopyDBSnapshot set to True. Set to FALSE to disable",
 			"AllowedValues": ["TRUE", "FALSE"]
+		},
+		"KmsKeySource": {
+			"Type": "String",
+			"Default": "None",
+			"Description": "Set to the ARN for the KMS key in the SOURCE region to re-encrypt encrypted snapshots. Leave None if you are not using encryption"
 		}
 	},
 	"Conditions": {
@@ -295,6 +300,9 @@
 						},
 						"USE_AUTOMATED_BACKUP": {
 							"Ref": "UseAutomatedBackup"
+						},
+						"KMS_KEY_SOURCE_REGION": {
+							"Ref": "KmsKeySource"
 						}
 					}
 				},

diff --git a/lambda/snapshots_tool_utils.py b/lambda/snapshots_tool_utils.py
@@ -205,7 +205,7 @@ def get_own_snapshots_source(pattern, response, backup_interval=None):
     filtered = {}
 
     for snapshot in response['DBSnapshots']:
-        
+
         # No need to consider snapshots that are still in progress
         if 'SnapshotCreateTime' not in snapshot:
             continue
@@ -341,8 +341,6 @@ def copy_local(snapshot_identifier, snapshot_object):
 
     return response
 
-
-
 def copy_remote(snapshot_identifier, snapshot_object):
     client = boto3.client('rds', region_name=_DESTINATION_REGION)
 
@@ -447,10 +445,20 @@ def copy_or_create_db_snapshot(
         }
     )
 
-    return client.copy_db_snapshot(
-        SourceDBSnapshotIdentifier=latest_snapshot['DBSnapshotIdentifier'],
-        TargetDBSnapshotIdentifier=snapshot_identifier,
-        Tags=snapshot_tags,
-        CopyTags=False,
-    )
+    if latest_snapshot['Encrypted']:
+        logger.info('Copying encrypted snapshot %s locally' % snapshot_identifier)
+        response = client.copy_db_snapshot(
+            SourceDBSnapshotIdentifier = latest_snapshot['DBSnapshotArn'],
+            TargetDBSnapshotIdentifier = snapshot_identifier,
+            KmsKeyId = _KMS_KEY_SOURCE_REGION,
+            Tags = snapshot_tags)
 
+    else:
+        logger.info('Copying snapshot %s locally' %snapshot_identifier)
+        response = client.copy_db_snapshot(
+            SourceDBSnapshotIdentifier = latest_snapshot['DBSnapshotArn'],
+            TargetDBSnapshotIdentifier = snapshot_identifier,
+            Tags = snapshot_tags)
+
+
+    return response