This module creates an AWS Lambda function that runs periodically and makes local
copies of snapshots of an Amazon Relational Database Service (RDS) database that were shared
from an external AWS account. This allows you to keep backups of your RDS snapshots in a completely separate AWS
account.
Let's say you created an RDS snapshot in account 111111111111 encrypted with a KMS key and shared that snapshot with
account 222222222222. To be able to make a copy of that snapshot in account 222222222222 using this module, you must:
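1. Give account 222222222222 access to the KMS key in account 111111111111, including the kms:CreateGrant permission.
   If you're using the kms-master-key module to manage your KMS keys, then in account 111111111111, you add the ARN
   of account 222222222222 to the cmk_user_iam_arns variable:

       # In account 111111111111

       module "kms_master_key" {
         source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/kms-master-key?ref=<VERSION>"

         cmk_user_iam_arns = ["arn:aws:iam::222222222222:root"]

         # (Other params omitted)
       }

2. In account 222222222222, you create another KMS key which can be used to re-encrypt the copied snapshot. You need
   to give the Lambda function in this module permissions to use that key as follows: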
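# In account 222222222222

# KMS key created in the destination account; the copied snapshot is
# re-encrypted with it.
module "kms_master_key" {
  # Replace <VERSION> with a specific release so the module source is pinned.
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/kms-master-key?ref=<VERSION>"

  # (Other params omitted)
}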
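# The module described on this page: the Lambda function that makes local
# copies of snapshots shared from another account.
module "copy_snapshot" {
  # Replace <VERSION> with a specific release so the module source is pinned.
  source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/lambda-copy-shared-snapshot?ref=<VERSION>"

  # Tell this copy snapshot module to use this key to encrypt the copied snapshot
  kms_key_id = "${module.kms_master_key.key_arn}"

  # (Other params omitted)
}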
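# Give the copy snapshot module permissions to use the KMS key.
# This attaches the access_kms_master_key policy document as an inline policy
# on the IAM role exported by the copy_snapshot module.
resource "aws_iam_role_policy" "access_kms_master_key" {
  name   = "access-kms-master-key"
  role   = "${module.copy_snapshot.lambda_iam_role_id}"
  policy = "${data.aws_iam_policy_document.access_kms_master_key.json}"
}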
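# IAM policy for the Lambda role: cryptographic use of the destination key,
# plus grant management restricted to grants made for AWS resources.
data "aws_iam_policy_document" "access_kms_master_key" {
  # Cryptographic operations, scoped to the single key created by the
  # kms_master_key module.
  statement {
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["${module.kms_master_key.key_arn}"]
  }

  # Grant management. resources = ["*"] means these actions are not limited to
  # the key above; the only restriction is the kms:GrantIsForAWSResource
  # condition, which allows the call only when an AWS service integrated with
  # KMS makes it on the role's behalf.
  # NOTE(review): the copy also needs kms:CreateGrant on the source account's
  # key (see step 1 above), which is presumably why this is a wildcard. If both
  # key ARNs are known, consider listing them instead of "*", e.g.
  #   resources = ["${module.kms_master_key.key_arn}", "<SOURCE_ACCOUNT_KMS_KEY_ARN>"]
  statement {
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant"
    ]
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}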
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"59fa4c1f8309395b1d67b04242b632c0f0c1424b"}]},{"name":".gitignore","path":".gitignore","sha":"4c3b4ca1c64636908768c4d6c450069c924ecb69"},{"name":".pre-commit-config.yaml","path":".pre-commit-config.yaml","sha":"76191b4678792b12eff3c8ed1038df33074d91fe"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"f6e0666fa0dee5df6743291167734a2bcfbb359b"},{"name":"LICENSE.txt","path":"LICENSE.txt","sha":"f4e3d9bd4717a044ed31ad847a300eee74371a78"},{"name":"README.adoc","path":"README.adoc","sha":"60bc31ef257d19758d5e2a953bbd39fe4c62fa81"},{"name":"_docs","children":[{"name":"aurora-serverless.png","path":"_docs/aurora-serverless.png","sha":"5a53145be56705c76f7f7aa6a25aa0ddee78e4a3"},{"name":"aurora.png","path":"_docs/aurora.png","sha":"fc218831bfa34097a56f1b0e47fe05521bdb4a8a"},{"name":"data-backup-architecture.png","path":"_docs/data-backup-architecture.png","sha":"fcc7ce8753e28c19af87ea5cea96e6ded648d429"},{"name":"data-backup.png","path":"_docs/data-backup.png","sha":"116b10f231073f8c52255ca98e48cc228c48a2c3"},{"name":"mariadb.png","path":"_docs/mariadb.png","sha":"d540d3d3ff8797c4a4c3a62c65e7d3f63621568f"},{"name":"mysql.png","path":"_docs/mysql.png","sha":"73b55bd0d517dcba53c878712544abf96be3a66e"},{"name":"oracle.png","path":"_docs/oracle.png","sha":"b5f1ca801f5af4a30f1b812eea17cec516c1fe6c"},{"name":"postgresql.png","path":"_docs/postgresql.png","sha":"fd9c7ec282aef38a5813e8542d92227b96bd5be8"},{"name":"rds-architecture.png","path":"_docs/rds-architecture.png","sha":"8f2b1b5b4015a5777032c6aa64627ceee24330fc"},{"name":"redshift-architecture.png","path":"_docs/redshift-architecture.png","sha":"0ebffc1b1fbecdb0335a09c6bf7fe7c5f073d16e"},{"name":"redshift-icon.png","path":"_docs/redshift-icon.png","sha":"add0f05edb29726e62c784edf428eef60aed4d5f"},{"name":"sqlserver.png","path":"_docs/sqlserver.png","sha":"a800d188398262593f4f89f27c8f3ce
2ce1e76a4"}]},{"name":"examples","children":[{"name":"aurora-global-cluster","children":[{"name":"README.md","path":"examples/aurora-global-cluster/README.md","sha":"d3a56dd88490d5cdb6d990041b2c37af89df7efd"},{"name":"main.tf","path":"examples/aurora-global-cluster/main.tf","sha":"620ecd90ffe16cf2ee205da74d5a412baf5e2235"},{"name":"outputs.tf","path":"examples/aurora-global-cluster/outputs.tf","sha":"105d706d41684b4c7be092ebd43bf6ba8ebf6f80"},{"name":"vars.tf","path":"examples/aurora-global-cluster/vars.tf","sha":"8cecbd36f7acf1364bab4c68b8873080c62ffd51"}]},{"name":"aurora-serverless","children":[{"name":"README.md","path":"examples/aurora-serverless/README.md","sha":"073a25d4190dc28f64d2e1675c30e60eb255d306"},{"name":"main.tf","path":"examples/aurora-serverless/main.tf","sha":"08a80d39835b2f9d7d5d0d0f8c84d7155fb224ab"},{"name":"outputs.tf","path":"examples/aurora-serverless/outputs.tf","sha":"7da44a91e9ac6e14a5c7c144c60c5ad0ceb5ce1b"},{"name":"vars.tf","path":"examples/aurora-serverless/vars.tf","sha":"121ec7d62c6ac37994d5e21c07edcba83cb42cce"}]},{"name":"aurora-with-cross-region-replica","children":[{"name":"README.md","path":"examples/aurora-with-cross-region-replica/README.md","sha":"17c93f6fc01e4df4bc8014f33773dc5f05ab8017"},{"name":"main.tf","path":"examples/aurora-with-cross-region-replica/main.tf","sha":"bbf05ead0edcaaf7cc3c27fa84ff52f594413130"},{"name":"outputs.tf","path":"examples/aurora-with-cross-region-replica/outputs.tf","sha":"58a3862180d107c3d0501ec9b289b08ed09af3a8"},{"name":"vars.tf","path":"examples/aurora-with-cross-region-replica/vars.tf","sha":"7557dd80c47eb4837f04fafe2a2a53fcc6de3aed"}]},{"name":"aurora","children":[{"name":"README.md","path":"examples/aurora/README.md","sha":"8190444c83829a5b7a4e9acad31414e0dced277a"},{"name":"main.tf","path":"examples/aurora/main.tf","sha":"7c32b3e5a1fa6f9f564fce2ea4ea6b772ec501b0"},{"name":"outputs.tf","path":"examples/aurora/outputs.tf","sha":"142569b7d9772c741ee28846de617f5a4b7f0d84"},{"name":"vars.tf",
"path":"examples/aurora/vars.tf","sha":"767be4c3468fb461c5bd7cd05a7b41164367697a"}]},{"name":"efs","children":[{"name":"README.md","path":"examples/efs/README.md","sha":"5b883e1deac79fb511a39fa062bd854f2a903579"},{"name":"main.tf","path":"examples/efs/main.tf","sha":"305f9a1994b61a1e969e0add7587a28837fb7aa6"},{"name":"outputs.tf","path":"examples/efs/outputs.tf","sha":"b5a6400d4a67e1e6f6773c513acaa8784ceda46b"},{"name":"vars.tf","path":"examples/efs/vars.tf","sha":"3c49e13f2e303786c32ca45a0408a270b4a43bae"}]},{"name":"lambda-rds-snapshot-multiple-schedules","children":[{"name":"README.md","path":"examples/lambda-rds-snapshot-multiple-schedules/README.md","sha":"86786d958ad7480965d3016263e1058bb959aead"},{"name":"main.tf","path":"examples/lambda-rds-snapshot-multiple-schedules/main.tf","sha":"d1bcce4e6cb4be161ef184b7fc77e7f101bd71ee"},{"name":"outputs.tf","path":"examples/lambda-rds-snapshot-multiple-schedules/outputs.tf","sha":"7a8f966782c659d1568f35684197f232939ea9ec"},{"name":"vars.tf","path":"examples/lambda-rds-snapshot-multiple-schedules/vars.tf","sha":"f6ae16692c02a1ae6ed95d58e16bd3e02b98f703"}]},{"name":"lambda-rds-snapshot","children":[{"name":"README.md","path":"examples/lambda-rds-snapshot/README.md","sha":"ca901bfcf4fcae3bd7ba856561fc841f5a6da3ad"},{"name":"main.tf","path":"examples/lambda-rds-snapshot/main.tf","sha":"7dec4d515b593f8203eb0eb3ea58ac9b6225fd01"},{"name":"outputs.tf","path":"examples/lambda-rds-snapshot/outputs.tf","sha":"375c8bb979dd4133c3675d9e6263e1138c448973"},{"name":"vars.tf","path":"examples/lambda-rds-snapshot/vars.tf","sha":"b777711ea9860aa43f766a5e5edf8b817e994885"}]},{"name":"rds-mariadb","children":[{"name":"README.md","path":"examples/rds-mariadb/README.md","sha":"6540229dddcb38071d37b6697762d27a54e28cc8"},{"name":"main.tf","path":"examples/rds-mariadb/main.tf","sha":"70ea4382ec8ac5bdb318cd4d15e61022cc2cb006"},{"name":"outputs.tf","path":"examples/rds-mariadb/outputs.tf","sha":"bd45b0035943021763d0365da3fe0d1e9f9b16b9"},{"name":
"vars.tf","path":"examples/rds-mariadb/vars.tf","sha":"9a85d926698d1a22d8eded7d227d775eb8c7aa15"}]},{"name":"rds-mysql-with-cross-region-replica","children":[{"name":"README.md","path":"examples/rds-mysql-with-cross-region-replica/README.md","sha":"4671d1e9a47e6179c5dc809bf27cffc3468b3460"},{"name":"main.tf","path":"examples/rds-mysql-with-cross-region-replica/main.tf","sha":"54ec89b16737953fa52450dd74cb799482471fd0"},{"name":"outputs.tf","path":"examples/rds-mysql-with-cross-region-replica/outputs.tf","sha":"2d79e34b6bc52c934a62e40e38e3cdcace5196a0"},{"name":"vars.tf","path":"examples/rds-mysql-with-cross-region-replica/vars.tf","sha":"2f6029d38ccc605f9cad77e7005e0600a881b503"}]},{"name":"rds-mysql","children":[{"name":"README.md","path":"examples/rds-mysql/README.md","sha":"6a7fb5d5560cc42ec9a6ac830358aa7ab7ca502d"},{"name":"main.tf","path":"examples/rds-mysql/main.tf","sha":"95515ccccc9e678a36c66db27704dfceb9e2f24e"},{"name":"outputs.tf","path":"examples/rds-mysql/outputs.tf","sha":"e2ae2afdbcc0d27baa5d50be333f9d0a717e1a33"},{"name":"vars.tf","path":"examples/rds-mysql/vars.tf","sha":"0ee52281448e95f13fcaacf427bed62600a32c23"}]},{"name":"rds-postgres","children":[{"name":"README.md","path":"examples/rds-postgres/README.md","sha":"ab4e18c200fc749a54ee700223d27261c731e436"},{"name":"main.tf","path":"examples/rds-postgres/main.tf","sha":"82d8f73bb4467c31411151ef880ee5b86ac42787"},{"name":"outputs.tf","path":"examples/rds-postgres/outputs.tf","sha":"5371c2284c0ea3d4de5790077ba45d9d445c2965"},{"name":"vars.tf","path":"examples/rds-postgres/vars.tf","sha":"0f2541c42ceef4f29fcfdc4aa8141d18b854f7f5"}]},{"name":"rds-sqlserver","children":[{"name":"README.md","path":"examples/rds-sqlserver/README.md","sha":"26bf52d347c247e5f63bc113476e87d75375ba84"},{"name":"main.tf","path":"examples/rds-sqlserver/main.tf","sha":"efd5ef969b70569cd19f1cc9647b2c5d7bdb9802"},{"name":"outputs.tf","path":"examples/rds-sqlserver/outputs.tf","sha":"a1726fd73528af38b436c053128f24a17da740c3"},{"nam
e":"vars.tf","path":"examples/rds-sqlserver/vars.tf","sha":"a0b78532af6fd6b5d723633a1a227ca3ec239254"}]},{"name":"rds-with-replicas","children":[{"name":"README.md","path":"examples/rds-with-replicas/README.md","sha":"327357a98e9b2bbf650d91a207bd96fc4a6f452f"},{"name":"main.tf","path":"examples/rds-with-replicas/main.tf","sha":"31dbae64c9b43eef025ecee0648a7d10567b39de"},{"name":"outputs.tf","path":"examples/rds-with-replicas/outputs.tf","sha":"991d5436a635194fec1ad1476eb7be6616032c7a"},{"name":"vars.tf","path":"examples/rds-with-replicas/vars.tf","sha":"708a5aaed525a4d6668607e9948f61329c17e29f"}]},{"name":"redshift","children":[{"name":"README.md","path":"examples/redshift/README.md","sha":"89dc29ac778f096ee3ee7993f483da5ecb263147"},{"name":"main.tf","path":"examples/redshift/main.tf","sha":"c6658357240e31a3a28256d69c35cef98f773527"},{"name":"outputs.tf","path":"examples/redshift/outputs.tf","sha":"779c37290dc1c986bfd8d629cc9b2ba1d98c68aa"},{"name":"variables.tf","path":"examples/redshift/variables.tf","sha":"e89ac7c94a3aa6fd900dc5a31a17923c84091fab"}]}]},{"name":"modules","children":[{"name":"aurora","children":[{"name":"README-Aurora-Serverless.adoc","path":"modules/aurora/README-Aurora-Serverless.adoc","sha":"38b6803019c6e108cb4a233fc428c46f05e296ff"},{"name":"README-Aurora.adoc","path":"modules/aurora/README-Aurora.adoc","sha":"89ebb7a7c5aa8632a930c34993fc6c4cebe7efb4"},{"name":"README.adoc","path":"modules/aurora/README.adoc","sha":"7892e4fbfe029fb27cad66a6024413fb668af465"},{"name":"core-concepts.md","path":"modules/aurora/core-concepts.md","sha":"f82207093b3c3849daf276423d8a720d3b325794"},{"name":"main.tf","path":"modules/aurora/main.tf","sha":"e7c02ecd97c43eaceed0f1f1b9356cf3ebd892ec"},{"name":"outputs.tf","path":"modules/aurora/outputs.tf","sha":"68a2cb3817921421369402fab460dc784de279ab"},{"name":"vars.tf","path":"modules/aurora/vars.tf","sha":"0352a5583c045393594a7a66caa0f4a1453958a1"}]},{"name":"efs","children":[{"name":"README.adoc","path":"modules/efs/R
EADME.adoc","sha":"e7428e5e9b669b2bfa8422fe6ffa0d3f6fa87309"},{"name":"main.tf","path":"modules/efs/main.tf","sha":"46bb7bff36b755f8dd4f1f829862191ee6ca3daf"},{"name":"outputs.tf","path":"modules/efs/outputs.tf","sha":"b505b3d3c4ade32e06286ebea60be1a5f67ce77a"},{"name":"vars.tf","path":"modules/efs/vars.tf","sha":"203810287c25c3532fe9d442ac6e5afae0324a4e"}]},{"name":"lambda-cleanup-snapshots","children":[{"name":"README.md","path":"modules/lambda-cleanup-snapshots/README.md","sha":"10334b774e43f70584f7f5c2bc1510091092edda"},{"name":"cleanup-rds-snapshots","children":[{"name":"index.py","path":"modules/lambda-cleanup-snapshots/cleanup-rds-snapshots/index.py","sha":"9e651d2d57310054e21d891aec481d02c9d79489"}]},{"name":"main.tf","path":"modules/lambda-cleanup-snapshots/main.tf","sha":"823de36bde93dd08487b8c9316bcba226b079dd0"},{"name":"outputs.tf","path":"modules/lambda-cleanup-snapshots/outputs.tf","sha":"a99c0265d859dd0c87a6eba62aaf2b013e224873"},{"name":"vars.tf","path":"modules/lambda-cleanup-snapshots/vars.tf","sha":"6a8d68f55cf51d75ec84caed75ebcb2ea25a5dab"}]},{"name":"lambda-copy-shared-snapshot","children":[{"name":"README.md","path":"modules/lambda-copy-shared-snapshot/README.md","sha":"1f592e4de130eb5deb9bd1b2732bb5747f82d1fe","toggled":true},{"name":"copy-shared-rds-snapshot","children":[{"name":"index.py","path":"modules/lambda-copy-shared-snapshot/copy-shared-rds-snapshot/index.py","sha":"6b1a0331ee9ffc57c95e0923a4b1db46dec0b2c5"}]},{"name":"main.tf","path":"modules/lambda-copy-shared-snapshot/main.tf","sha":"c1b8a9ed8b3d5f28a7cdaf3b8711086f5d804dec"},{"name":"outputs.tf","path":"modules/lambda-copy-shared-snapshot/outputs.tf","sha":"f4833d96fa6d47190b9d2c3af243142aefc59d59"},{"name":"vars.tf","path":"modules/lambda-copy-shared-snapshot/vars.tf","sha":"167544053dc243f447befed6b576c3b515bc6d58"}],"toggled":true},{"name":"lambda-create-snapshot","children":[{"name":"README.adoc","path":"modules/lambda-create-snapshot/README.adoc","sha":"5f15f9a35c9b47ae69ea2
cdb4a9f2ea6e24bb7cd"},{"name":"core-concepts.md","path":"modules/lambda-create-snapshot/core-concepts.md","sha":"b80e9e7b896c04b1491a6dbbfbf7aedb70bea2fd"},{"name":"create-rds-snapshot","children":[{"name":"index.py","path":"modules/lambda-create-snapshot/create-rds-snapshot/index.py","sha":"16bc7d1b67dcee20577808cdbf39b1938972c5cb"}]},{"name":"main.tf","path":"modules/lambda-create-snapshot/main.tf","sha":"09814f30575f302a84920ea639a98a1a72d91bad"},{"name":"outputs.tf","path":"modules/lambda-create-snapshot/outputs.tf","sha":"a0f5ffafa8ef11d00b72f1858b81e182ab2471dd"},{"name":"vars.tf","path":"modules/lambda-create-snapshot/vars.tf","sha":"f18942d85d2e7c5dc4c629b1503a1c32a52e4b56"}]},{"name":"lambda-share-snapshot","children":[{"name":"README.md","path":"modules/lambda-share-snapshot/README.md","sha":"f00a0ab9745632e85d5f4c8e7a9389e1a8608b6b"},{"name":"main.tf","path":"modules/lambda-share-snapshot/main.tf","sha":"7eeb2d20cfe4691cc49634a22f157fa57fd4752c"},{"name":"outputs.tf","path":"modules/lambda-share-snapshot/outputs.tf","sha":"c0d2854f967a6c963662c660d6ae96d8cabe471a"},{"name":"share-rds-snapshot","children":[{"name":"index.py","path":"modules/lambda-share-snapshot/share-rds-snapshot/index.py","sha":"b4e784ff72172d1f3e84f0f97a48fdf60405ed27"}]},{"name":"vars.tf","path":"modules/lambda-share-snapshot/vars.tf","sha":"683571dbf98c2fb4f8077e7adadcb4df4241b9b4"}]},{"name":"rds","children":[{"name":"README-MariaDb.adoc","path":"modules/rds/README-MariaDb.adoc","sha":"52c88eedb3410b14c6ccc4db8ea3eaa484b7c13a"},{"name":"README-MySQL.adoc","path":"modules/rds/README-MySQL.adoc","sha":"75a2e92b04368988ffe7fb405a99155881f2c4f7"},{"name":"README-Oracle.adoc","path":"modules/rds/README-Oracle.adoc","sha":"a9f084cfbd084413bbcc818fd9f438a4faee367b"},{"name":"README-PostgreSQL.adoc","path":"modules/rds/README-PostgreSQL.adoc","sha":"2486401acaa724eba2f0a8814ef9dfa19c510ae0"},{"name":"README-SqlServer.adoc","path":"modules/rds/README-SqlServer.adoc","sha":"76d7220a727d84567e8
19102617bd01a3bda0cb2"},{"name":"README.adoc","path":"modules/rds/README.adoc","sha":"60bc0e2e6d7cfde8c2d3eeffcd5fc7145aa58591"},{"name":"core-concepts.md","path":"modules/rds/core-concepts.md","sha":"29463161611168b652ba94e011604f23395cde9a"},{"name":"main.tf","path":"modules/rds/main.tf","sha":"71eb29760a02a874c193145e71446012c82c40fd"},{"name":"outputs.tf","path":"modules/rds/outputs.tf","sha":"9d073f913ac9b972681753c6831d93bb133f830f"},{"name":"vars.tf","path":"modules/rds/vars.tf","sha":"fdb7b83c1672d9887fbf835160c02e324ea9dd0e"}]},{"name":"redshift","children":[{"name":"README.adoc","path":"modules/redshift/README.adoc","sha":"984919c48acd7904324f8777641558e7c6274fd9"},{"name":"main.tf","path":"modules/redshift/main.tf","sha":"6f3e2728c746ee9d3cacb81a5d384773af3f599e"},{"name":"outputs.tf","path":"modules/redshift/outputs.tf","sha":"a58d5730738046153b5f73edee78cee1a0e76fd9"},{"name":"variables.tf","path":"modules/redshift/variables.tf","sha":"71b62776e88dd328adade081ad65eb2e62ced245"}]}],"toggled":true},{"name":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","path":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","sha":"ae586c0fe830819580e1009d41a9074f16e65bed"},{"name":"test","children":[{"name":"README.md","path":"test/README.md","sha":"ebcf2313b7664113168ca7e73d01acbd232d8f39"},{"name":"example_aurora_global_test.go","path":"test/example_aurora_global_test.go","sha":"c99915a7aeaa3f094d79223a48d8671a7013c440"},{"name":"example_aurora_test.go","path":"test/example_aurora_test.go","sha":"14485405d1f5899ca61bea11ba4b7f41d6234d6e"},{"name":"example_aurora_with_cross_region_replica_test.go","path":"test/example_aurora_with_cross_region_replica_test.go","sha":"2fe4b909abbeebfc4cddff2237d6b2470982cd8a"},{"name":"example_efs_test.go","path":"test/example_efs_test.go","sha":"c84d706017cb7ca512c4a4070b470ecc586ffc89"},{"name":"example_lambda_rds_snapshot_create_resources_test.go","path":"test/example_lambda_rds_snapshot_create_re
sources_test.go","sha":"542c9e0154660daeba8990a16cfa66d5359927ef"},{"name":"example_lambda_rds_snapshot_multiple_schedules_test.go","path":"test/example_lambda_rds_snapshot_multiple_schedules_test.go","sha":"094a8a691f259f79943e7fbf672d2ff8b40b65e4"},{"name":"example_lambda_rds_snapshot_test.go","path":"test/example_lambda_rds_snapshot_test.go","sha":"092e678c8f1297d2767141295933ea4e5795aae1"},{"name":"example_rds_mariadb_test.go","path":"test/example_rds_mariadb_test.go","sha":"72d53a587b47c05cbb9c9c96f2094a70b7882f19"},{"name":"example_rds_mysql_test.go","path":"test/example_rds_mysql_test.go","sha":"cfc6ef03fb0a9ae01f889f6a5db83ed49b008ed2"},{"name":"example_rds_mysql_with_cross_region_replica_test.go","path":"test/example_rds_mysql_with_cross_region_replica_test.go","sha":"62096d069fae76882b712aec89161e5f1d34a2c3"},{"name":"example_rds_postgres_test.go","path":"test/example_rds_postgres_test.go","sha":"d301ebc1542294b294eb299038abff9d305da804"},{"name":"example_rds_sqlserver_test.go","path":"test/example_rds_sqlserver_test.go","sha":"96ae522976ae664c9e74cbd29293f49d7ed2fa26"},{"name":"example_rds_with_replicas_test.go","path":"test/example_rds_with_replicas_test.go","sha":"7693e4d795ca0c1e9e4486cbee9d51cdd14c890e"},{"name":"example_redshift_test.go","path":"test/example_redshift_test.go","sha":"6e7d5773c6e66b98a0279b839ccd33dbb3899b07"},{"name":"go.mod","path":"test/go.mod","sha":"b77ff24627b2cccf6b3fd72046e767fa43d3314c"},{"name":"go.sum","path":"test/go.sum","sha":"de64e80c3eb706a2fc46e578652585dbf165b2d7"},{"name":"util.go","path":"test/util.go","sha":"36dc5c6edd93d346240a4504737f8fda77161e56"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"copy-snapshot-lambda-module\">Copy Snapshot Lambda Module</h1><div class=\"preview__body--border\"></div><p>This module creates an <a href=\"https://aws.amazon.com/lambda/\" class=\"preview__body--description--blue\" target=\"_blank\">AWS Lambda</a> function that runs periodically and makes local\ncopies of 
snapshots of an <a href=\"https://aws.amazon.com/rds/\" class=\"preview__body--description--blue\" target=\"_blank\">Amazon Relational Database (RDS)</a> database that were shared\nfrom some external AWS account. This allows you to make backups of your RDS snapshots in a totally separate AWS\naccount.</p>\n<p>Note that to use this module, you must have access to the Gruntwork <a href=\"/repos/terraform-aws-ci\" class=\"preview__body--description--blue\">Continuous Delivery Infrastructure Package\n(terraform-aws-ci)</a>. If you need access, email support@gruntwork.io.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-use-this-module\">How do you use this module?</h2>\n<p>See the <a href=\"/repos/v0.23.4/module-data-storage/examples/lambda-rds-snapshot\" class=\"preview__body--description--blue\">lambda-rds-snapshot example</a> for sample code.</p>\n<p>If you are using this function to copy snapshots to another AWS account, you may also want to look at the\n<a href=\"/repos/v0.23.4/module-data-storage/modules/lambda-create-snapshot\" class=\"preview__body--description--blue\">lambda-create-snapshot</a> and\n<a href=\"/repos/v0.23.4/module-data-storage/modules/lambda-share-snapshot\" class=\"preview__body--description--blue\">lambda-share-snapshot</a> modules.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-copy-an-encrypted-snapshot\">How do you copy an encrypted snapshot?</h2>\n<p>Let's say you created an RDS snapshot in account 111111111111 encrypted with a KMS key and shared that snapshot with\naccount 222222222222. 
To be able to make a copy of that snapshot in account 222222222222 using this module, you must:</p>\n<ol>\n<li>\n<p>Give account 222222222222 access to the KMS key in account 111111111111, including the <code>kms:CreateGrant</code> permission.\nIf you're using the <a href=\"/repos/terraform-aws-security/modules/kms-master-key\" class=\"preview__body--description--blue\">kms-master-key module</a>\nto manage your KMS keys, then in account 111111111111, you add the ARN of account 222222222222 to the\n<code>cmk_user_iam_arns</code> variable:</p>\n<pre><span class=\"hljs-comment\"># In account 111111111111</span>\n\n<span class=\"hljs-keyword\">module</span> <span class=\"hljs-string\">\"kms_master_key\"</span> {\n source = <span class=\"hljs-string\">\"git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/kms-master-key?ref=<VERSION>\"</span>\n\n cmk_user_iam_arns = [<span class=\"hljs-string\">\"`arn:aws:iam::222222222222:root`\"</span>]\n\n <span class=\"hljs-comment\"># (Other params omitted)</span>\n}\n</pre>\n</li>\n<li>\n<p>In account 222222222222, you create another KMS key which can be used to re-encrypt the copied snapshot. 
You need\nto give the Lambda function in this module permissions to use that key as follows:</p>\n<pre><span class=\"hljs-comment\"># In account 222222222222</span>\n\n<span class=\"hljs-keyword\">module</span> <span class=\"hljs-string\">\"kms_master_key\"</span> {\n source = <span class=\"hljs-string\">\"git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/kms-master-key?ref=<VERSION>\"</span>\n\n <span class=\"hljs-comment\"># (Other params omitted)</span>\n}\n \n<span class=\"hljs-keyword\">module</span> <span class=\"hljs-string\">\"copy_snapshot\"</span> {\n source = <span class=\"hljs-string\">\"git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/lambda-copy-shared-snapshot?ref=<VERSION>\"</span>\n \n <span class=\"hljs-comment\"># Tell this copy snapshot module to use this key to encrypt the copied snapshot</span>\n kms_key_id = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${module.kms_master_key.key_arn}</span>\"</span>\n\n <span class=\"hljs-comment\"># (Other params omitted)</span>\n}\n\n<span class=\"hljs-comment\"># Giver the copy snapshot module permissions to use the KMS key</span>\n<span class=\"hljs-keyword\">resource</span> <span class=\"hljs-string\">\"aws_iam_role_policy\"</span> <span class=\"hljs-string\">\"access_kms_master_key\"</span> {\n name = <span class=\"hljs-string\">\"access-kms-master-key\"</span>\n role = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${module.copy_snapshot.lambda_iam_role_id}</span>\"</span>\n policy = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${data.aws_iam_policy_document.access_kms_master_key.json}</span>\"</span>\n}\n\n<span class=\"hljs-keyword\">data</span> <span class=\"hljs-string\">\"aws_iam_policy_document\"</span> <span class=\"hljs-string\">\"access_kms_master_key\"</span> {\n statement {\n effect = <span class=\"hljs-string\">\"Allow\"</span>\n actions = [\n <span class=\"hljs-string\">\"kms:Encrypt\"</span>,\n <span 
class=\"hljs-string\">\"kms:Decrypt\"</span>,\n <span class=\"hljs-string\">\"kms:ReEncrypt*\"</span>,\n <span class=\"hljs-string\">\"kms:GenerateDataKey*\"</span>,\n <span class=\"hljs-string\">\"kms:DescribeKey\"</span>\n ]\n resources = [<span class=\"hljs-string\">\"<span class=\"hljs-variable\">${module.kms_master_key.key_arn}</span>\"</span>]\n }\n\n statement {\n effect = <span class=\"hljs-string\">\"Allow\"</span>\n resources = [<span class=\"hljs-string\">\"*\"</span>]\n actions = [\n <span class=\"hljs-string\">\"kms:CreateGrant\"</span>,\n <span class=\"hljs-string\">\"kms:ListGrants\"</span>,\n <span class=\"hljs-string\">\"kms:RevokeGrant\"</span>\n ]\n condition {\n test = <span class=\"hljs-string\">\"Bool\"</span>\n <span class=\"hljs-keyword\">variable</span> = <span class=\"hljs-string\">\"kms:GrantIsForAWSResource\"</span>\n values = [<span class=\"hljs-string\">\"true\"</span>]\n }\n }\n}\n</pre>\n</li>\n</ol>\n<h2 class=\"preview__body--subtitle\" id=\"background-info\">Background info</h2>\n<p>For more info on how to backup RDS snapshots to a separate AWS account, check out the <a href=\"/repos/v0.23.4/module-data-storage/modules/lambda-create-snapshot\" class=\"preview__body--description--blue\">lambda-create-snapshot module\ndocumentation</a>.</p>\n","repoName":"module-data-storage","repoRef":"v0.20.0","serviceDescriptor":{"serviceName":"RDS","serviceRepoName":"module-data-storage","serviceRepoOrg":"gruntwork-io","serviceMainReadmePath":"/modules/rds/foo","cloudProviders":["aws"],"description":"Terraform code and scripts for deploying data-storage resources (e.g. databases, cache) in AWS","imageUrl":"amazon_rds.png","licenseType":"subscriber","technologies":["Terraform","Bash"],"compliance":[],"tags":[""],"noDisplayInUI":true},"serviceCategoryName":"Database","fileName":"README.md","filePath":"/modules/lambda-copy-shared-snapshot","title":"Repo Browser: RDS","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}