pbudzon/aws-maintenance

Cross-region RDS backup copy fails with encrypted snapshots

Closed this issue · 3 comments

Hi @pbudzon

I just tested the updated Lambda function with the provided example event and it fails because no KMS key is provided for the cross-region RDS snapshot copy.

{
  "errorMessage": "An error occurred (InvalidParameterValue) when calling the CopyDBSnapshot operation: Must specify new KMS key for cross region encrypted snapshot copy.",
  "errorType": "ClientError",
  "stackTrace": [
    [
      "/var/task/index.py",
      103,
      "lambda_handler",
      "copy_latest_snapshot(account_id, message['Source ID'])"
    ],
    [
      "/var/task/index.py",
      48,
      "copy_latest_snapshot",
      "CopyTags=True"
    ],
    [
      "/var/runtime/botocore/client.py",
      317,
      "_api_call",
      "return self._make_api_call(operation_name, kwargs)"
    ],
    [
      "/var/runtime/botocore/client.py",
      615,
      "_make_api_call",
      "raise error_class(parsed_response, operation_name)"
    ]
  ]
}

Many thanks again.

Thanks for the report. Need to add the KmsKeyId parameter to the copy_db_snapshot call and modify the CF template to allow specifying the key id (the user will have to create that key manually in the target region, so that needs to be included in the README, unless we want to provide another template which creates the key). Obviously the copy operation will get a bit more complicated, as I'd like to retain the current option for lack of encryption.

If you'd like to propose a pull request - please feel free. Otherwise, I'll take a closer look later on.
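The change described above, as an added example rather than the repository's own backup-rds.py: encrypted snapshots get a KmsKeyId only when a target-region key is supplied, unencrypted snapshots are copied exactly as before, and the cross-region-without-key case that produced the InvalidParameterValue error is caught before the API call. The `target_kms_key_id` parameter, the region names and the key alias are constructed for illustration.

```python
import re


class MissingKmsKeyError(ValueError):
    """An encrypted snapshot would be copied cross-region without a target key."""


def target_identifier(source_identifier):
    """Derive a valid TargetDBSnapshotIdentifier: automated snapshots are named
    'rds:<instance>-<timestamp>', but a manual snapshot name may only contain
    letters, digits and hyphens, so the prefix and any other illegal char go."""
    name = source_identifier[4:] if source_identifier.startswith("rds:") else source_identifier
    return re.sub(r"[^A-Za-z0-9-]", "-", name).strip("-")


def build_copy_kwargs(snapshot, source_region, target_region, target_kms_key_id=None):
    """Keyword arguments for rds.copy_db_snapshot(), called on a client in the
    target region. `snapshot` is one entry of describe_db_snapshots()['DBSnapshots'];
    `target_kms_key_id` is the key created manually in the target region
    (hypothetically passed through as a CloudFormation parameter)."""
    kwargs = {
        "SourceDBSnapshotIdentifier": snapshot["DBSnapshotArn"],  # ARN form for cross-region
        "TargetDBSnapshotIdentifier": target_identifier(snapshot["DBSnapshotIdentifier"]),
        "SourceRegion": source_region,  # lets boto3 generate the PreSignedUrl itself
        "CopyTags": True,
    }
    if snapshot.get("Encrypted", False):
        if target_kms_key_id:
            kwargs["KmsKeyId"] = target_kms_key_id  # re-encrypt under the target-region key
        elif source_region != target_region:
            # Fail early with a clear message instead of the API's InvalidParameterValue.
            raise MissingKmsKeyError("snapshot %s is encrypted; a KMS key in %s is required"
                                     % (snapshot["DBSnapshotIdentifier"], target_region))
        # A same-region copy of an encrypted snapshot keeps the source key by default.
    return kwargs


if __name__ == "__main__":
    import boto3  # only needed for a real run; the functions above are pure
    src, dst = "eu-central-1", "eu-west-1"  # constructed example regions
    available = [s for s in boto3.client("rds", region_name=src).describe_db_snapshots(
        DBInstanceIdentifier="mydb")["DBSnapshots"] if s["Status"] == "available"]
    latest = max(available, key=lambda s: s["SnapshotCreateTime"])
    boto3.client("rds", region_name=dst).copy_db_snapshot(
        **build_copy_kwargs(latest, src, dst, target_kms_key_id="alias/rds-backup-copy"))
```

The copy client must be created in the target region, because the KMS key named by KmsKeyId has to live where the copy is written.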

Hi @fsantarelli

I've committed a change which should make this work for you with encrypted instances (wohoo!). Because the Lambda code grew above what can be inserted inline in CloudFormation templates, you need to upload the backup-rds.py file into an S3 bucket and provide that path in the CF template (see the new guide in README).

Thanks for the report!

Hi @pbudzon - amazing, thanks a lot for that!

I've just tried creating a new CF with the new instructions but failed. I've copied the python file to the S3 bucket, created the new KMS key in the destination region, updated the JSON file with the S3 bucket name but when I create the CF it fails. I'll raise another incident with the screenshot.