awslabs · churtado-edrans · Dec 9, 2019 · Dec 10, 2019 · Feb 20, 2020 · fschroder-slyp
diff --git a/cftemplates/snapshots_tool_rds_source.json b/cftemplates/snapshots_tool_rds_source.json
@@ -51,6 +51,12 @@
 			"Default": "NO",
 			"Description": "Set to the region where your RDS instances run, only if such region does not support Step Functions. Leave as NO otherwise"
 		},
+		"BackupKmsArn": {
+			"Type": "String",
+			"Default": "NO",
+			"AllowedPattern": "arn:aws:kms:*",
+			"Description": "Set ARN of kms key to copy snapshot with shared key (remember, destination account should be access it)"
+		},
 		"DeleteOldSnapshots": {
 			"Type": "String",
 			"Default": "TRUE",
@@ -341,7 +347,10 @@
 						},
 						"TAGGEDINSTANCE": {
 							"Ref": "TaggedInstance"
-						}
+						},
+						"BACKUP_KMS":{
+							"Ref": "BackupKmsArn"
+						}	
 					}
 				},
 				"Role": {

diff --git a/lambda/share_snapshots_rds/lambda_function.py b/lambda/share_snapshots_rds/lambda_function.py
@@ -29,6 +29,7 @@
     REGION = os.getenv('REGION_OVERRIDE').strip()
 else:
     REGION = os.getenv('AWS_DEFAULT_REGION')
+BACKUP_KMS = os.getenv('BACKUP_KMS')
 
 SUPPORTED_ENGINES = [ 'mariadb', 'sqlserver-se', 'sqlserver-ee', 'sqlserver-ex', 'sqlserver-web', 'mysql', 'oracle-se', 'oracle-se1', 'oracle-se2', 'oracle-ee', 'postgres' ]
 
@@ -38,6 +39,7 @@
 
 
 def lambda_handler(event, context):
+    now = datetime.now()
     pending_snapshots = 0
     client = boto3.client('rds', region_name=REGION)
     response = paginate_api_call(client, 'describe_db_snapshots', 'DBSnapshots', SnapshotType='manual')
@@ -50,8 +52,51 @@ def lambda_handler(event, context):
             ResourceName=snapshot_arn)
 
         if snapshot_object['Status'].lower() == 'available' and search_tag_shared(response_tags):
+
+            snapshot_info = client.describe_db_snapshots(
+                DBSnapshotIdentifier=snapshot_arn
+            )
+            timestamp_format = now.strftime('%Y-%m-%d-%H-%M')
+            targetSnapshot = snapshot_info['DBSnapshots'][0]['DBInstanceIdentifier'] + '-' + timestamp_format
+            logger.info('snapshot_info:{}'.format(snapshot_info))
+
+            if snapshot_info['DBSnapshots'][0]['Encrypted'] == True:
+                kms = get_kms_type(snapshot_info['DBSnapshots'][0]['KmsKeyId'],REGION)
+            else:
+                kms = False
+
+
+            logger.info('Checking Snapshot: {}'.format(snapshot_identifier))
+
+
+            if kms is True and BACKUP_KMS is not '':
+                try:
+                    copy_status = client.copy_db_snapshot(
+                    SourceDBSnapshotIdentifier=snapshot_arn,
+                    TargetDBSnapshotIdentifier=targetSnapshot,
+                    KmsKeyId=BACKUP_KMS,
+                    CopyTags=True
+                )
+                    pass
+                except Exception as e:
+                    logger.error('Exception copy {}: {}'.format(snapshot_arn, e))
+                    pending_snapshots += 1
+                    pass
+                else:
+                    modify_status = client.add_tags_to_resource(
+                    ResourceName=snapshot_arn,
+                    Tags=[
+                        {
+                            'Key': 'shareAndCopy',
+                            'Value': 'No'
+                        }
+                        ]
+                        )
+
+
             try:
                 # Share snapshot with dest_account
+                logger.info('Sharing snapshot: {}'.format(snapshot_identifier))
                 response_modify = client.modify_db_snapshot_attribute(
                     DBSnapshotIdentifier=snapshot_identifier,
                     AttributeName='restore',

diff --git a/lambda/snapshots_tool_utils.py b/lambda/snapshots_tool_utils.py
@@ -47,6 +47,23 @@ class SnapshotToolException(Exception):
     pass
 
 
+def get_kms_type(kmskeyid,REGION):
+
+    keys = re.findall(r'([^\/]+$)',kmskeyid)
+    client = boto3.client('kms', region_name=REGION)
+
+    for key in keys:
+        response = client.describe_key(
+            KeyId=key
+        )
+    #print(response)
+    kms_owner = response['KeyMetadata']['KeyManager']
+
+    if kms_owner != 'AWS':
+        return False
+    else:
+        return True
+
 def search_tag_copydbsnapshot(response):
 # Takes a list_tags_for_resource response and searches for our CopyDBSnapshot tag
     try:

diff --git a/lambda/take_snapshots_rds/lambda_function.py b/lambda/take_snapshots_rds/lambda_function.py
@@ -49,7 +49,6 @@ def lambda_handler(event, context):
     filtered_snapshots = get_own_snapshots_source(PATTERN, paginate_api_call(client, 'describe_db_snapshots', 'DBSnapshots'), BACKUP_INTERVAL)
 
     for db_instance in filtered_instances:
-
         timestamp_format = now.strftime(TIMESTAMP_FORMAT)
 
         if requires_backup(BACKUP_INTERVAL, db_instance, filtered_snapshots):