We are trying to figure out why the share function seems to not be working. It is tough to debug because the outputs of the cloudwatch logs do not contain any errors or information pointing us in the right direction. The create snapshot function seems to be working fine and created the appropriate AWS tags on the snapshots. The params are set to TRUE for sharing and the account ID matches.

(We've tested sharing by clicking in the gui and manually sharing the created snapshot to the other account with no problems).

Example setup:
RDS instance: companyname-prod
Created snapshot: companyname-prod-2019-02-07-12-10
AWS tags on the snapshot:
CreatedBy: Snapshot Tool for RDS
CreatedOn: 2019-02-07-12-10
shareAndCopy: YES

We've tried to delete the stack and recreate to no avail. Snapshots are created but no snapshots are being programmatically shared to the other account.

Step function alarms are not showing errors nor is the actual lambda output.

We also deleted the dest stack and recreated that for sanity reasons.

Example output from lambda logs:

START RequestId:
Found credentials in environment variables.
Starting new HTTPS connection (1): rds.amazonaws.com
END RequestId:

At this point after checking the params and recreating the stack Im reaching out to see if there was something missed.

Hi guys,

can oracle se2 be added to the list of supported engines or is there a technical reason the snapshot share/copy model won't work here?

I would like to use aws cdk to deploy this tool so that teams can have this as part of their cdk application rather than have piecemeal cdk and cloudformation templates. The easiest way to deploy custom lambdas with the cdk is to wrap them in an aws-s3-assets.Asset construct. That construct uploads to a generated key and not in the root of a particular bucket. I would like the ability to specify the key of the lambda files so that we can do this. It could be generally useful for other deploy systems.

I can make a pull request for this if there is interest.

Hi,

I think it would be helpful to document that if you make your backup interval less than every 24 hours, you also need to increase the frequency of the "TakeSnapshots" job via the cron definition.

Is that understanding correct?

Hi, quite often for me "copy_snapshots_dest_rds" I get failures while running copy_remove() but no visable exceptions. So I looked into the docs of client.copy_db_snapshot() in boto3 and also noticed none.

My backups still work. The eventual retries pick up the pending snapshots and it always works out. But my logs are very noisy and my monitoring system is going a bit berserk :) I could turn down monitoring but I kind of want to know when I don't have backups.

Thoughts?

Resource handler returned message: "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for snapshots-tool-rds-us-east-1/copy_snapshots_dest_rds.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: Lambda, Status Code: 403, Request ID: 2379f595-084c-40a1-8398-3162ec6b2efd, Extended Request ID: null)" (RequestToken: a8ec598b-f405-5cfe-8001-11b2d31fbfd4, HandlerErrorCode: AccessDenied)

It seems bucket is no longer accessible when using option DEFAULT_BUCKET.

Similar to #38, it appears that we include in progress snapshots when parsing snapshots, which appears to be causing errors like this (since an in-progress snapshot does not have a Create Time):
'SnapshotCreateTime': KeyError Traceback (most recent call last): File "/var/task/lambda_function.py", line 49, in lambda_handler filtered_snapshots = get_own_snapshots_source(PATTERN, paginate_api_call(client, 'describe_db_snapshots', 'DBSnapshots'), BACKUP_INTERVAL) File "/var/task/snapshots_tool_utils.py", line 206, in get_own_snapshots_source if backup_interval and snapshot['SnapshotCreateTime'].replace(tzinfo=None) < datetime.utcnow().replace(tzinfo=None) - timedelta(hours=backup_interval): KeyError: 'SnapshotCreateTime'

I plan to submit a PR against this issue soon.

Even if I specify my own bucket in CodeBucket parameter I still get the error "Template validation error: Template error: Unable to get mapping for Buckets::us-west-1::Bucket" when I create resources using CloudFormation templates.

I tried to create resources in us-west-1 region.

We are running into API rate limit exceeding errors and per AWS support, the culprit is as below. We need to understand how to correct this issue.

The service team has investigated and has found that the primary API call rate being exceeded is "ListTagsForResource", on 2019-01-09 during a one minute period (at 10:25 UTC), over 700 requests were made, from the following sources:

Boto3/1.7.74 Python/3.6.1 Linux/4.14.88-72.73.amzn1.x86_64 exec-env/AWS_Lambda_python3.6 Botocore/1.10.74
Boto3/1.7.74 Python/3.6.1 Linux/4.14.88-72.73.amzn1.x86_64 exec-env/AWS_Lambda_python3.6 Botocore/1.10.74

Boto3/1.7.74 Python/3.6.1 Linux/4.14.88-72.73.amzn1.x86_64 exec-env/AWS_Lambda_python3.6 Botocore/1.10.74
aws-internal/3 aws-sdk-java/1.11.432 Linux/4.9.124-0.1.ac.198.73.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.192-b12 java/1.8.0_192

The vast majority of these are likely to be the Lambda functions mentioned previously.

Hi All, I am new to Python, I am trying to delete RDS snapshots based on some conditions, actually it should not be only based on time as we have daily weekly and monthly backup but deleting the backup based on time is not possible as AWS RDS API doesn’t support that. if Anyone has done this, deleting a python code based on name and date, possible to help me here.

This is my code
import boto3
import datetime

def lambda_handler(event, context):
print(“Connecting to RDS”)
client = boto3.client(‘rds’)

response = client.describe_db_snapshots(
SnapshotType='manual',
Name=ndi-spcp-'dbname-20-02-19-10'
)
for snapshot in response(DBInstanceIdentifier=‘dbane’, MaxRecords=50)[‘DBSnapshots’]:
create_ts = snapshot[‘SnapshotCreateTime’].replace(tzinfo=None)
if create_ts < datetime.datetime.now() - datetime.timedelta(days=7):
print(“Deleting snapshot id:”, snapshot[‘DBSnapshotIdentifier’])
boto3.client(‘rds’).delete_db_snapshot(
DBSnapshotIdentifier=snapshot[‘DBSnapshotIdentifier’]
)

I am trying to have two copies of backup in my secondary account: one in the same region as the primary account(say, "us-west-2"), and the other in a different region(say, "us-east-1"). In my secondary/dest account, I deployed two snapshots_tool_rds_dest.json in us-west-2: one set destination_region equals to us-west-2 and the other equals to us-east-1. However, in us-west-2, the backup gets deleted every 30 minutes because the copy_remote from the other lambda thinks they are the intermediate copies as shown in here.

Did I misunderstand anything here? Is the setup correct if I want to have both same region and across region backup in the same secondary account?

Hey,

I ran into an issue when trying to copy the encrypted snapshots to the secondary account. The snapshots in the primary account are created using the default KMS key, however, that is not allowed to share to the secondary account by AWS for security reason. Any idea how to fix that?

I've just deployed the stacks in Source and Destination AWS accounts (separate accounts) and configured with KmsKeyDestination and KmsKeySource CMKs. Region in both accounts is eu-west-1.

I am surprised to see that the resultant local snapshot "copies" in the external (destination) account are encrypted with the KmsKeySource and haven't been re-encrypted with my specified KmsKeyDestination.

If I manually copy a shared snapshot I am able to specify the local CMK instead and the copy successfully uses it.

Anything I am missing? What should I look for? Anything I can try?

Thanks!

Karl

Hi. I am about to begin work on a PR that will allow this tool to filter which RDS instances to backup via tags on said instance. This will make it easier for us to configure instances to be backed up within our CloudFormation and at the same time will make it easier to ignore read replicas.

Currently our RDS instance's names are given by CloudFormation so using regular expressions just doesn't work for us.

Before I begin: has anyone else already started work on this ? and/or - do you think there are any gotchas to my plan? All discussion is welcome. Tks.

How should I define the names of different instances in the InstanceNamePattern field? It only works when I leave the value ALL_INSTANCES

Hello,
I'm curious if there's a way to have one instance of rds_snapshot running that can handle multiple rds-instances, having their own kms-keys. Or do we have to have 1-rds-snapshot-instance for each rds-instance? Does this make sense?
Thank you.
--Mike

The description is the same as for the function that shares snapshots:
https://github.com/awslabs/rds-snapshot-tool/blob/master/cftemplates/snapshots_tool_rds_source.json#L394

BTW: why there is no bucket for us-west-1 region in mappings?

Trying to copy a snapshot having an "option group" to a different region results in error: "The snapshot requires a target option group..."

Can the tool be modified to retrieve the option group for a snapshot and pass that to the copy function?

I elected to not define my own S3 buckets and to rely up on downloading the code from the default buckets.

The problem there is that the code from the following commit (specifically line 204) has not made it to your S3 buckets and so folks won't be able to use this tool until that is done.

65f5bae

Curious if there is a timeline to upload those? The spot specifically where it breaks is during the ShareSnapshot step.

Side question: have you been able to find any interesting way to reduce duplication and not have to define that file in each directory?

Is this project still maintained and recommended?

Python 3.7 is EoL as of June 27, 2023 and the python3.7 AWS Lambda Runtime enters stage 1 of deprecation starting November 27, 2023. Is there any plan to update accordingly?

The following resource(s) failed to create: [cwEventBackupRDS, cwEventDeleteOldSnapshotsRDS]. . Rollback requested by user.

cwEventBackupRDS
cwEventDeleteOldSnapshotsRDS

Error: states is not a supported service for a target

We weren't able to copy a snapshot encrypted with the aws managed default key (aws/rds) into another destination account. CopySnapshot lambda which in the destination account fails to copy the shared snapshot, as it has no access to the KMS default key of the other account.

We thought this is a common case and covered by the script. After some deep dive, I think we need to copy the snapshot once more within the source account and attach another CMK to the snapshot which is shared to the destination account. WOuld love to hear some opinions about this issue.

Pattern matching in the share function matches against the DBSnapshotIdentifier instead of the DBInstanceIdentifier. This results in orphaned snapshots which are not shared, and therefore not copied to the destination account.

An example:

The pattern .+(-production)$ matches all instances that end in -production. Given an RDS instance django-production and an RDS instance django-production-reporting, we want to copy the first but not the second.

The pattern matches correctly when taking snapshots, but appends YYYY-MM-DD-hh-mm to the DBSnapshotIdentifier. When the share function executes, the DBSnapshotIdentifier does not match the pattern, so the snapshot is not shared.

I am getting this error when creating the stack in CF.

Parameter ScheduleExpression is not valid. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException; Request ID: d50ae7df-e029-4be2-8755-e7ccf3701bdf)

If I make a change to the lambda code, upload a new zip file into S3 with the new code (overwriting the old zip file), and then update my CloudFormation stack, CloudFormation will not detect that the code has changed, and thus will not deploy the new code.

A solution could be to use the aws cloudformation package command, which will give each version of the zip file a unique name in S3, and will produce a CloudFormation template file that refers to the objects in S3 by their unique name. Then a new version of the Lambda code will result in a change to the CloudFormation template so CloudFormation will update the Lambda correctly.

Hi,
I would like to use your tools to backup and upload automatically to S3 glacier snapshot for Hipaa compliance. How it is possible to achieve it ? Is it possible to put policy on S3 bucket where the snapshot are saved on the destination region ?

Problem

When an account has more than 25 Aurora cluster snapshots of any type, snapshots are no longer copied over to the target account.

Root Cause

snapshots_tool_utils.py uses custom pagination code. Somehow this pagination is limited to 25 rows. Once an account has more than 25 manual backups, snapshots are created but not shared, and thus are not copied over.

Proposed Solution

Modify snapshots_tool_utils.py to use the built-in Boto paginator. A PR will be submitted against this issue.

Hi, everyone

I deployed the Cloudformation templates to do a DR for an Oracle SE1 RDS but is not taking the manual snapshot, no error, no message.

RDS have automated backups and also have AWS Backup Service programmed. can this configuration have conflict?

When executing make I get this error :

Provided region_name '[us-east-1]' doesn't match a supported format.
make: *** [._copy_snapshots_dest_rds] Error 255
rm copy_snapshots_dest_rds.zip

configuration:
AWSARGS=--region [us-east-1] --profile [lz-lab]
AWSCMD=aws
ZIPCMD=zip

can't pass this stage ..really appreciate any help

I've followed the steps and configured the lambda functions for cross account snapshot sharing as well as cross region. I've specified a different destination region via DEST_REGION (us-east-2) then the the source region (us-east-1). However, the shared snapshots continue to show up under the same region (us-east-1) as the source region in the destination account.

I made sure that both source and destination CloudFormation stacks were run on the us-east-1 region.

When I investigate the logs I see the following error.

Local copy pending: experience-builder-development-2021-05-10-15-00 (An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target KMS key [None] does not exist, is not enabled or you do not have permissions to access it.)

[ERROR] SnapshotToolException: Copies pending: 7. Needs retrying
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 112, in lambda_handler
    raise SnapshotToolException(log_message)
[ERROR] SnapshotToolException: Copies pending: 7. Needs retrying Traceback (most recent call last):   File "/var/task/lambda_function.py", line 112, in lambda_handler     raise SnapshotToolException(log_message)

None of these databases are encrypted. So I'm not sure why this error is being thrown.

I need the snapshots on the source account in us-east-1 to be shared to the destination account in us-east-2.

When setting the DeleteOldSnapshots parameter to False, I receive this error:
Template format error: Unresolved resource dependencies [lambdaDeleteOldSnapshotsRDS] in the Resources block of the template.

Setting the RetentionDays to 0 or blank does not work. Only setting DeleteOldSnapshots to True allows the template to be deployed.

On Ubuntu 18.04 LTS I used master branch for creating .zip files and uploading them to my S3 bucket.

From the README:

Type make at the command line. It will call zip to make the zip files, and then it will call aws s3 cp to copy the zip files to the bucket you named.

Indeed, it calls zip. But before creating zip files it builds dependencies for this target, i.e. tries to upload unzipped folder to S3 bucket.

Here is my fix:

-# if you define "._foo.zip" as a file on this line, then it will look for
+# if you define "._foo" as a file on this line, then it will look for
# a folder called foo, copy the standard files into it, and then make foo.zip.
-all:   ._copy_snapshots_dest_rds.zip \
-       ._copy_snapshots_no_x_account_rds.zip \
-       ._delete_old_snapshots_dest_rds.zip \
-       ._delete_old_snapshots_no_x_account_rds.zip \
-       ._delete_old_snapshots_rds.zip \
-       ._share_snapshots_rds.zip \
-       ._take_snapshots_rds.zip
+all:   ._copy_snapshots_dest_rds \
+       ._copy_snapshots_no_x_account_rds \
+       ._delete_old_snapshots_dest_rds \
+       ._delete_old_snapshots_no_x_account_rds \
+       ._delete_old_snapshots_rds \
+       ._share_snapshots_rds \
+       ._take_snapshots_rds

 clean:
        rm -f ._*

-._%: %
+._%: %.zip
        "$(AWSCMD)" $(AWSARGS) s3 cp "$<" "s3://$(S3DEST)" \
                --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
        cp "$<" "$@"

Hello, I'm slightly confused about setting up the rds-snapshot-tool.
I'm interested in it creating snapshots, and copying them to a different region, within the same account.

I noted and set the CrossAccountCopy variable to FALSE; however here's where I'm lost.

My source-region is us-east-1, so I've deployed my cloudformation-source stack in the east-region.
Do I deploy the destination stack in the east-region as well? Or in the west-1 region?

Sorry for the n00b question.
Thank you.

snapshots_tool_rds_source.json - eu-west-1 is duplicate and the second is eu-central-1, remove the second one .

Problem

Automated snapshots are parsed by the tool, even though only manual snapshots can be shared and copied. This results in unnecessary pagination and additional runtime, which leads to additional cost.

Root Cause

Calls to describe_db_cluster_snapshots are not filtered by snapshot type.

Proposed Solution

Modify snapshot pagination calls to only apply to manually-created snapshots via the SnapshotType parameter.

Hi Team,

While testing the rds-snapshot-tool, I found that the snapshots in the destination region (same account) are not getting deleted. This is because of search_tag_created was used instead of search_tag_copied in the code for this (delete_old_snapshots_no_x_account_rds).

Best,
Abhilash.