aws / aws-sdk-go-v2

AWS SDK for the Go programming language.
https://aws.github.io/aws-sdk-go-v2/docs/
Apache License 2.0

RestoreDbInstanceFromDbSnapshot fails when SCP policy for encryption exists #2678

Closed shawon-crosen closed 5 months ago

shawon-crosen commented 5 months ago

Describe the bug

When restoring a database from a snapshot using RestoreDBInstanceFromDBSnapshot, it does not encrypt the new database with the KMS key used on the database being restored from.

Expected Behavior

I would expect the new database to either use the existing KMS key for the snapshot being restored to encrypt the database, or have an option to set a KMS key for encryption for the new database.

I believe this would probably need to just use the existing key as the snapshot must be decrypted with it first.

Current Behavior

Our AWS organization has a service control policy that requires storage encryption for a database being created or restored:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "rds:CreateDBInstance",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:StorageEncrypted": "false"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "rds:RestoreDBInstanceFromDBSnapshot",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:StorageEncrypted": "false"
        }
      }
    }
  ]
}

The RestoreDbInstanceFromDbSnapshot function is failing this policy check as it seems to be trying to restore the database snapshot to a new database that is not encrypted. There is no option to specify a KMS key in the RestoreDBInstanceFromDBSnapshotInput struct.

There is also no option to specify a snapshot identifier in the CreateDBInstanceInput struct for the CreateDBInstance function, or I would have just used that.

Reproduction Steps

This is our function that is calling the client func:

package main

import (
    "context"

    "github.com/aws/aws-sdk-go-v2/aws"
    "github.com/aws/aws-sdk-go-v2/service/rds"
)

// CloneDbInstance restores a new DB instance from the named snapshot and
// returns the new instance's initial status. The options map carries the
// allocatedStorage (int32), parameterGroup, subnet, storageType (string)
// and vpcIds ([]string) values used below; a value of the wrong type panics.
// RestoreDBInstanceFromDBSnapshotInput has no field for a KMS key.
func CloneDbInstance(client *rds.Client, identifier string, snapshot string, options map[string]interface{}) (*string, error) {
    data, err := client.RestoreDBInstanceFromDBSnapshot(
        context.TODO(),
        &rds.RestoreDBInstanceFromDBSnapshotInput{
            AllocatedStorage:     aws.Int32(options["allocatedStorage"].(int32)),
            DBInstanceIdentifier: aws.String(identifier),
            DBParameterGroupName: aws.String(options["parameterGroup"].(string)),
            DBSnapshotIdentifier: aws.String(snapshot),
            DBSubnetGroupName:    aws.String(options["subnet"].(string)),
            DeletionProtection:   aws.Bool(false),
            StorageType:          aws.String(options["storageType"].(string)),
            VpcSecurityGroupIds:  options["vpcIds"].([]string),
        },
    )

    if err != nil {
        return nil, err
    }

    return data.DBInstance.DBInstanceStatus, nil
}

Possible Solution

I suggest that the function just uses the existing KMS key that must be used to decrypt the snapshot to encrypt the new database being created. This also makes sense because if you have a database that is already encrypted, you would want your new database restored from a snapshot to also be encrypted with the same key.

Additional Information/Context

This is primarily an issue due to an SCP on our organization denying creation of RDS instances that are not encrypted.

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2/service/rds v1.79.6

Compiler and Version used

go version go1.22.4 darwin/amd64

Operating System and version

macOS Sonoma 14.5
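The SCP quoted in the report denies the restore only when the request context carries rds:StorageEncrypted with the value "false". The program below is an added illustration, not code from the issue, the SDK or AWS: it loads that exact policy text and evaluates constructed request contexts against it with a minimal model of the Deny/StringEquals semantics, so a policy author can see which requests the two statements catch. The policy JSON is the one from the issue; the Request type, the request contexts and the function names are this example's own, and the evaluator only handles Effect, Action wildcards and StringEquals. It also shows the caveat that matters when writing such a guardrail: StringEquals does not match when the condition key is absent from the request context, so a Deny guarded by it fires only for requests where the service actually populates the key.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// OrgSCP is the service control policy quoted in the issue.
const OrgSCP = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "rds:CreateDBInstance", "Resource": "*",
     "Condition": {"StringEquals": {"rds:StorageEncrypted": "false"}}},
    {"Effect": "Deny", "Action": "rds:RestoreDBInstanceFromDBSnapshot", "Resource": "*",
     "Condition": {"StringEquals": {"rds:StorageEncrypted": "false"}}}
  ]
}`

// stringOrList accepts a JSON string or an array of strings, the two forms
// IAM allows for Action and Resource.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = stringOrList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = stringOrList(many)
	return nil
}

// Statement is the subset of an SCP statement this simulator understands:
// single-valued StringEquals conditions only.
type Statement struct {
	Effect    string                       `json:"Effect"`
	Action    stringOrList                 `json:"Action"`
	Resource  stringOrList                 `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Request is the part of the IAM request context the simulator looks at:
// the API action and the condition keys the service populated for the call.
type Request struct {
	Action  string
	Context map[string]string
}

func LoadPolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// actionMatches applies the "*" wildcard of an Action element; action names
// contain no "/", so path.Match gives the wildcard semantics we need.
func actionMatches(patterns stringOrList, action string) bool {
	for _, pat := range patterns {
		if ok, err := path.Match(pat, action); err == nil && ok {
			return true
		}
	}
	return false
}

// conditionMatches implements StringEquals. As in IAM, a key that is absent
// from the request context makes the condition false, so the Deny does not
// fire; checking for absence is what the Null operator is for.
func conditionMatches(cond map[string]map[string]string, ctx map[string]string) bool {
	for op, keys := range cond {
		if op != "StringEquals" {
			return false // unsupported operator in this simulator: no match
		}
		for key, want := range keys {
			if got, present := ctx[key]; !present || got != want {
				return false
			}
		}
	}
	return true
}

// ExplicitlyDenied reports whether a Deny statement matches the request and
// returns the index of the first matching statement (-1 when none matches).
func ExplicitlyDenied(p Policy, req Request) (bool, int) {
	for i, st := range p.Statement {
		if st.Effect == "Deny" && actionMatches(st.Action, req.Action) && conditionMatches(st.Condition, req.Context) {
			return true, i
		}
	}
	return false, -1
}

func main() {
	p, err := LoadPolicy(OrgSCP)
	if err != nil {
		panic(err)
	}
	// Constructed request contexts: encrypted, unencrypted, and key absent.
	for _, req := range []Request{
		{Action: "rds:RestoreDBInstanceFromDBSnapshot", Context: map[string]string{"rds:StorageEncrypted": "false"}},
		{Action: "rds:RestoreDBInstanceFromDBSnapshot", Context: map[string]string{"rds:StorageEncrypted": "true"}},
		{Action: "rds:RestoreDBInstanceFromDBSnapshot", Context: map[string]string{}},
	} {
		denied, idx := ExplicitlyDenied(p, req)
		fmt.Printf("%s ctx=%v -> denied=%v (statement %d)\n", req.Action, req.Context, denied, idx)
	}
}
```

The simulator evaluates explicit denies only; a real SCP evaluation also needs an Allow (for example the default FullAWSAccess policy) for the call to succeed, and the authoritative way to test a policy against a live request context is the IAM policy simulator rather than a model like this one.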

aBurmeseDev commented 5 months ago

Hi @shawon-crosen - thanks for reaching out.

This is actually a service API model related question rather than an SDK one. I reached out to the RDS team and shared your use case on your behalf to get more insights. (ref: V1416395703).

Since this is not directly actionable by the SDK team and this repo is dedicated to SDK-related issues, I'm going to close this issue. If you have access to support via the AWS developer console, you can create a support ticket and reference the ticket ID I shared above to get updates from the service team directly. Otherwise you'll need to keep an eye out for our release notes to know when it's fixed.

github-actions[bot] commented 5 months ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.