Closed shawon-crosen closed 5 months ago
Hi @shawon-crosen - thanks for reaching out.
This is actually a service API model related question rather than SDK. I reached out to the RDS team and shared your use case on your behalf to get more insights. (ref: V1416395703).
Since this is not directly actionable by the SDK team and this repo is dedicated to SDK-related issues, I'm going to close this issue. If you have access to support via the AWS developer console, you can create a support ticket and reference the ticket ID I shared above to get updates from the service team directly. Otherwise you'll need to keep an eye out for our release notes to know when it's fixed.
This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.
Acknowledgements
go get -u github.com/aws/aws-sdk-go-v2/...
Describe the bug
When restoring a database from a snapshot using RestoreDBInstanceFromDBSnapshot, it does not encrypt the new database with the KMS key used on the database being restored from.
Expected Behavior
I would expect the new database to either use the existing KMS key for the snapshot being restored to encrypt the database, or have an option to set a KMS key for encryption for the new database.
I believe this would probably need to just use the existing key as the snapshot must be decrypted with it first.
Current Behavior
Our AWS organization has a service control policy that requires storage encryption for a database being created or restored:
The RestoreDbInstanceFromDbSnapshot function is failing this policy check as it seems to be trying to restore the database snapshot to a new database that is not encrypted. There is no option to specify a KMS key in the RestoreDBInstanceFromDBSnapshotInput struct.
There is also no option to specify a snapshot identifier in the CreateDBInstanceInput struct for the CreateDBInstance function, or I would have just used that.
Reproduction Steps
This is our function that is calling the client func:
Possible Solution
I suggest that the function just uses the existing KMS key that must be used to decrypt the snapshot to encrypt the new database being created. This also makes sense because if you have a database that is already encrypted, you would want your new database restored from a snapshot to also be encrypted with the same key.
Additional Information/Context
This is primarily an issue due to an SCP on our organization denying creation of RDS instances that are not encrypted.
AWS Go SDK V2 Module Versions Used
github.com/aws/aws-sdk-go-v2/service/rds v1.79.6
Compiler and Version used
go version go1.22.4 darwin/amd64
Operating System and version
macOS Sonoma 14.5