awslabs / rds-snapshot-tool

The Snapshot Tool for Amazon RDS automates the task of creating manual snapshots, copying them into a different account and a different region, and deleting them after a specified number of days
Apache License 2.0

added support to create backup out of automated backups #53

Open ghost opened 4 years ago

ghost commented 4 years ago

Description of changes:

Why?

In some databases, e.g. MS SQL Server, a brief IO suspension happens during the backup process. This change helps reduce the burden on live DB instances and creates backups from automated backups instead.

A similar PR is filed for aurora-snapshot-tool.

ghost commented 4 years ago

@mrcoronel please help me review it

nishant3794 commented 4 years ago

Copying an automated backup doesn't work in the case of an encrypted DB. You need to manually add the Lambda's IAM role as the KMS key administrator to get this working.

ghost commented 4 years ago

@nishant3794 It works for encrypted backups as well. Tested on Aurora, but it doesn't work on MSSQL. I've also opened a ticket with AWS, but no information from them yet. To make it work on MSSQL, give KMS Grants permission to your Lambda role. That's it.

But if encryption is set via an option group, e.g. TDE on MSSQL, you can't share the snapshot with any other AWS account. This is a hard limit from AWS.

nishant3794 commented 4 years ago

@smeena667 Doesn't work for Postgres either. Got "KMSKeyNotAccessibleFault".

ghost commented 4 years ago

KMSKeyNotAccessibleFault

Mind sharing your KMS key policy?

nishant3794 commented 4 years ago

I got it working earlier by adding the Lambda's role to the KMS key policy, so it's all well now.

ghost commented 4 years ago

I got it working earlier by adding the Lambda's role to the KMS key policy, so it's all well now.

I would add permissions to the Lambda role, as the Lambda role name keeps changing on every CF deploy and using a wildcard is not safe. In the CF, you can edit the Lambda role permissions, and this way all following Lambda functions will use the same permission.

nishant3794 commented 4 years ago

I believe that's better than my way!! Will do that. Thanks.

I would add permissions to the Lambda role, as the Lambda role name keeps changing on every CF deploy and using a wildcard is not safe. In the CF, you can edit the Lambda role permissions, and this way all following Lambda functions will use the same permission.
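
An added example, not part of this thread or the project's code: a small audit of a KMS key policy for the wildcard workaround discussed above. It also reports whether the key policy delegates to IAM through the account root principal, which is what lets permissions attached to the Lambda role take effect. The account ID, the `ArnLike` form of the wildcard and the KMS actions in the sample policy are constructed assumptions.

```python
import json

# Constructed sample key policy; account ID, Sids and actions are placeholders.
KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EnableIAMPolicies", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "SnapshotLambdaWildcard", "Effect": "Allow",
     "Principal": {"AWS": "*"},
     "Action": ["kms:CreateGrant", "kms:DescribeKey"], "Resource": "*",
     "Condition": {"ArnLike": {"aws:PrincipalArn":
         "arn:aws:iam::111122223333:role/*"}}}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy, account_id):
    """Return (findings, iam_delegated) for a KMS key policy document."""
    findings, iam_delegated = [], False
    root = f"arn:aws:iam::{account_id}:root"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        # Principal may be the bare string "*" or a mapping with an "AWS" entry.
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        sid = st.get("Sid", "<no Sid>")
        if root in aws:
            iam_delegated = True  # IAM policies on roles can grant access to the key
        if "*" in aws:
            # Collect every aws:PrincipalArn value, whatever the condition operator.
            patterns = [p for kv in st.get("Condition", {}).values()
                        for k, v in kv.items() if k.lower() == "aws:principalarn"
                        for p in _as_list(v)]
            if not patterns:
                findings.append((sid, "any principal, no aws:PrincipalArn condition"))
            findings += [(sid, f"wildcard principal pattern {p}")
                         for p in patterns if "*" in p or "?" in p]
    return findings, iam_delegated

if __name__ == "__main__":
    print(audit_key_policy(KEY_POLICY, "111122223333"))
```
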