コード例 #1
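    def copy_shared_backup(self, source_account: str, source_backup: BackupResource):
        """Copy a shared DocumentDB cluster snapshot into this account.

        Builds the source snapshot ARN from ``source_backup`` and issues
        ``copy_db_cluster_snapshot`` through a client created with the
        configured role ARN and external id. Tags are not copied here
        (``CopyTags`` is False); that happens outside this method.

        Args:
            source_account: Account the snapshot was shared from. Not read by
                this method; the ARN uses ``source_backup.account_id``.
            source_backup: Backup record describing the shared snapshot.

        Returns:
            The ``DBClusterSnapshotIdentifier`` of the created copy.
        """
        docdb_client = AwsHelper.boto3_client('docdb', arn=self.role_arn, external_id=self.role_external_id)
        # copying of tags happens outside this method
        source_arn = f"arn:aws:rds:{source_backup.region}:{source_backup.account_id}:cluster-snapshot:{source_backup.backup_id}"

        params = {
            'SourceDBClusterSnapshotIdentifier': source_arn,
            'SourceRegion': source_backup.region,
            'CopyTags': False,
            'TargetDBClusterSnapshotIdentifier': source_backup.backup_id
        }

        # The original body read the tags from `backup_resource`, a name that is
        # not defined in this method, so every call raised NameError before the
        # copy request was sent. The tags are taken from the `source_backup`
        # argument instead.
        # NOTE(review): assumes BackupResource exposes the snapshot tags as
        # `.tags` - confirm against the class definition.
        backup_tags = source_backup.tags

        # If the backup is encrypted, include the KMS key ID in the request.
        if source_backup.resource_properties['StorageEncrypted']:
            kms_key = source_backup.resource_properties['KmsKeyId']
            self.logger.info(f"Snapshot {source_backup.backup_id} is encrypted with the kms key {kms_key}")

            copy_kms_key = RuntimeConfig.get_copy_kms_key_id(backup_tags, self)
            # If a new key is provided by config, encrypt the copy with it.
            # Otherwise the copy keeps the source snapshot's key.
            # NOTE(review): for a snapshot shared from another account that key
            # presumably belongs to the source account, so the copy stays
            # dependent on it - confirm this is intended.
            if copy_kms_key is not None:
                self.logger.info(f"Snapshot {source_backup.backup_id} will be copied and encrypted with the kms key {copy_kms_key}")
                kms_key = copy_kms_key

            params['KmsKeyId'] = kms_key
        else:
            # If the backup is not encrypted and encrypt_copy is enabled,
            # encrypt the copy with the configured KMS key.
            if RuntimeConfig.get_encrypt_copy(backup_tags, self):
                kms_key = RuntimeConfig.get_copy_kms_key_id(backup_tags, self)
                if kms_key is not None:
                    self.logger.info(f"Snapshot {source_backup.backup_id} is not encrypted. Encrypting the copy with KMS key {kms_key}")
                    params['KmsKeyId'] = kms_key
                else:
                    # Encryption was requested but cannot be applied; surface
                    # it instead of silently sending the request without a key.
                    self.logger.warning(f"encrypt_copy is enabled for snapshot {source_backup.backup_id} but no copy KMS key is configured; no KmsKeyId will be passed to the copy request")

        snap = docdb_client.copy_db_cluster_snapshot(**params)
        return snap['DBClusterSnapshot']['DBClusterSnapshotIdentifier']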
コード例 #2
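    def copy_shared_backup(self, source_account: str,
                           source_backup: BackupResource):
        """Copy a shared RDS instance snapshot into this account.

        Builds the source snapshot ARN from ``source_backup`` and issues
        ``copy_db_snapshot`` through a client created with the configured
        role ARN and external id. Tags are not copied here (``CopyTags`` is
        False); that happens outside this method.

        Args:
            source_account: Account the snapshot was shared from. Not read by
                this method; the ARN uses ``source_backup.account_id``.
            source_backup: Backup record describing the shared snapshot.

        Returns:
            The ``DBSnapshotIdentifier`` of the created copy.
        """
        rds_client = AwsHelper.boto3_client('rds',
                                            arn=self.role_arn,
                                            external_id=self.role_external_id)
        # copying of tags happens outside this method
        source_arn = f"arn:aws:rds:{source_backup.region}:{source_backup.account_id}:snapshot:{source_backup.backup_id}"

        params = {
            'SourceDBSnapshotIdentifier': source_arn,
            'SourceRegion': source_backup.region,
            'CopyTags': False,
            'TargetDBSnapshotIdentifier': source_backup.backup_id
        }

        # If the backup is encrypted, include the KMS key ID in the request.
        # We have to check the attribute to support our previous YAML file
        # format for backup data stored in S3. A record without
        # `resource_properties` therefore takes the "not encrypted" branch
        # below even though its encryption state is not known here.
        if hasattr(source_backup, 'resource_properties'
                   ) and source_backup.resource_properties['Encrypted']:
            kms_key = source_backup.resource_properties['KmsKeyId']
            self.logger.info(
                f"Snapshot {source_backup.backup_id} is encrypted with the kms key {kms_key}"
            )

            copy_kms_key = RuntimeConfig.get_copy_kms_key_id(
                source_backup.tags, self)
            # If a new key is provided by config, encrypt the copy with it.
            # Otherwise the copy keeps the source snapshot's key.
            # NOTE(review): for a snapshot shared from another account that key
            # presumably belongs to the source account, so the copy stays
            # dependent on it - confirm this is intended.
            if copy_kms_key is not None:
                self.logger.info(
                    f"Snapshot {source_backup.backup_id} will be copied and encrypted with the kms key {copy_kms_key}"
                )
                kms_key = copy_kms_key

            params['KmsKeyId'] = kms_key
        else:
            # If the backup is not encrypted and encrypt_copy is enabled,
            # encrypt the copy with the configured KMS key.
            if RuntimeConfig.get_encrypt_copy(source_backup.tags, self):
                kms_key = RuntimeConfig.get_copy_kms_key_id(
                    source_backup.tags, self)
                if kms_key is not None:
                    self.logger.info(
                        f"Snapshot {source_backup.backup_id} is not encrypted. Encrypting the copy with KMS key {kms_key}"
                    )
                    params['KmsKeyId'] = kms_key
                else:
                    # Encryption was requested but cannot be applied; surface
                    # it instead of silently sending the request without a key.
                    self.logger.warning(
                        f"encrypt_copy is enabled for snapshot {source_backup.backup_id} but no copy KMS key is configured; no KmsKeyId will be passed to the copy request"
                    )

        snap = rds_client.copy_db_snapshot(**params)
        return snap['DBSnapshot']['DBSnapshotIdentifier']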