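def copy_shared_backup(self, source_account: str, source_backup: BackupResource):
    """Copy a cluster snapshot shared by another account, via the DocumentDB API.

    The copy keeps the source snapshot identifier as its target identifier.
    Tags are not copied here (``CopyTags`` is False); the caller handles them.

    KMS key selection:
      * Source encrypted: use the copy key from runtime config when one is
        set, otherwise reuse the key recorded on the source snapshot.
      * Source not encrypted: add a key only when ``encrypt_copy`` is enabled
        and a copy key is configured.

    NOTE(review): when the source key is reused for a snapshot shared from
    another account, the copy stays dependent on a key this account
    presumably does not own. Confirm whether a destination-owned copy key
    should be required for shared backups.

    Args:
        source_account: Not read by this method; the source ARN is built from
            ``source_backup.account_id``.
        source_backup: The shared backup. Its ``region``, ``account_id``,
            ``backup_id``, ``tags`` and ``resource_properties`` are read.

    Returns:
        The ``DBClusterSnapshotIdentifier`` of the snapshot copy.

    Raises:
        KeyError: If ``resource_properties`` lacks ``StorageEncrypted``, or
            lacks ``KmsKeyId`` for an encrypted snapshot.
    """
    docdb_client = AwsHelper.boto3_client('docdb', arn=self.role_arn, external_id=self.role_external_id)

    # DocumentDB cluster snapshots are addressed with ARNs in the "rds" namespace.
    source_arn = (
        f"arn:aws:rds:{source_backup.region}:{source_backup.account_id}"
        f":cluster-snapshot:{source_backup.backup_id}"
    )
    params = {
        'SourceDBClusterSnapshotIdentifier': source_arn,
        'SourceRegion': source_backup.region,
        'CopyTags': False,
        'TargetDBClusterSnapshotIdentifier': source_backup.backup_id
    }

    # Fix: the tag lookups used an undefined name (`backup_resource`), which
    # raised NameError on every encrypted snapshot and on every unencrypted
    # one too. Read the tags from the backup that is actually being copied.
    tags = source_backup.tags

    if source_backup.resource_properties['StorageEncrypted']:
        # Encrypted source: the copy request must name a KMS key.
        kms_key = source_backup.resource_properties['KmsKeyId']
        self.logger.info(f"Snapshot {source_backup.backup_id} is encrypted with the kms key {kms_key}")

        # A copy key from config overrides the key recorded on the source.
        copy_kms_key = RuntimeConfig.get_copy_kms_key_id(tags, self)
        if copy_kms_key is not None:
            self.logger.info(f"Snapshot {source_backup.backup_id} will be copied and encrypted with the kms key {copy_kms_key}")
            kms_key = copy_kms_key

        params['KmsKeyId'] = kms_key
    elif RuntimeConfig.get_encrypt_copy(tags, self):
        # Unencrypted source, but config asks for the copy to be encrypted.
        kms_key = RuntimeConfig.get_copy_kms_key_id(tags, self)
        if kms_key is not None:
            self.logger.info(f"Snapshot {source_backup.backup_id} is not encrypted. Encrypting the copy with KMS key {kms_key}")
            params['KmsKeyId'] = kms_key
        else:
            # Make the misconfiguration visible instead of silently sending
            # a request with no key.
            self.logger.warning(
                f"Snapshot {source_backup.backup_id} is not encrypted and encrypt_copy is enabled, "
                f"but no copy KMS key is configured; no KmsKeyId will be sent with the copy request"
            )

    snap = docdb_client.copy_db_cluster_snapshot(**params)
    return snap['DBClusterSnapshot']['DBClusterSnapshotIdentifier']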
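def copy_shared_backup(self, source_account: str, source_backup: BackupResource):
    """Copy an RDS instance snapshot shared by another account.

    The copy keeps the source snapshot identifier as its target identifier.
    Tags are not copied here (``CopyTags`` is False); the caller handles them.

    KMS key selection:
      * Source encrypted: use the copy key from runtime config when one is
        set, otherwise reuse the key recorded on the source snapshot.
      * Source not encrypted, or ``resource_properties`` absent: add a key
        only when ``encrypt_copy`` is enabled and a copy key is configured.

    NOTE(review): when the source key is reused for a snapshot shared from
    another account, the copy stays dependent on a key this account
    presumably does not own. Confirm whether a destination-owned copy key
    should be required for shared backups.

    Args:
        source_account: Not read by this method; the source ARN is built from
            ``source_backup.account_id``.
        source_backup: The shared backup. Its ``region``, ``account_id``,
            ``backup_id``, ``tags`` and (when present) ``resource_properties``
            are read.

    Returns:
        The ``DBSnapshotIdentifier`` of the snapshot copy.

    Raises:
        KeyError: If ``resource_properties`` is present but lacks
            ``Encrypted``, or lacks ``KmsKeyId`` for an encrypted snapshot.
    """
    rds_client = AwsHelper.boto3_client('rds', arn=self.role_arn, external_id=self.role_external_id)

    source_arn = (
        f"arn:aws:rds:{source_backup.region}:{source_backup.account_id}"
        f":snapshot:{source_backup.backup_id}"
    )
    params = {
        'SourceDBSnapshotIdentifier': source_arn,
        'SourceRegion': source_backup.region,
        'CopyTags': False,
        'TargetDBSnapshotIdentifier': source_backup.backup_id
    }

    tags = source_backup.tags

    # Backup data stored in S3 with the previous YAML format may have no
    # `resource_properties` attribute, so check for it before reading.
    # NOTE(review): such a backup takes the "not encrypted" path even though
    # its real encryption state is unknown here.
    source_is_encrypted = (
        hasattr(source_backup, 'resource_properties')
        and source_backup.resource_properties['Encrypted']
    )

    if source_is_encrypted:
        # Encrypted source: the copy request must name a KMS key.
        kms_key = source_backup.resource_properties['KmsKeyId']
        self.logger.info(
            f"Snapshot {source_backup.backup_id} is encrypted with the kms key {kms_key}"
        )

        # A copy key from config overrides the key recorded on the source.
        copy_kms_key = RuntimeConfig.get_copy_kms_key_id(tags, self)
        if copy_kms_key is not None:
            self.logger.info(
                f"Snapshot {source_backup.backup_id} will be copied and encrypted with the kms key {copy_kms_key}"
            )
            kms_key = copy_kms_key

        params['KmsKeyId'] = kms_key
    elif RuntimeConfig.get_encrypt_copy(tags, self):
        # Unencrypted source, but config asks for the copy to be encrypted.
        kms_key = RuntimeConfig.get_copy_kms_key_id(tags, self)
        if kms_key is not None:
            self.logger.info(
                f"Snapshot {source_backup.backup_id} is not encrypted. Encrypting the copy with KMS key {kms_key}"
            )
            params['KmsKeyId'] = kms_key
        else:
            # Previously this case was silent: encrypt_copy was on, no key
            # was configured, and the request went out with no KmsKeyId.
            self.logger.warning(
                f"Snapshot {source_backup.backup_id} is not encrypted and encrypt_copy is enabled, "
                f"but no copy KMS key is configured; no KmsKeyId will be sent with the copy request"
            )

    snap = rds_client.copy_db_snapshot(**params)
    return snap['DBSnapshot']['DBSnapshotIdentifier']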