What's the correct process to change a production RDS database from non-encrypted to encrypted using AWS CDK (python)?

We have deployed an RDS database without encryption that is being used in production. Everything has been deployed using AWS CDK in Python. Now we need to start storing sensitive information like for example customers bank account information. Due to this we want to make sure our database is encrypted at rest.

I've read that the process is to make a database snapshot, then make an encrypted copy, then restore that encrypted copy, etc. But we probably also need to create a KMS Key.

How would we do this process while using the AWS CDK? The goal is to end up with an encrypted copy and no "drift" in our CDK.

Here is the basic code we are using to create our instance

database = rds.DatabaseInstance(self, 'Database',
	instance_identifier='example',
	database_name='example',
	engine=rds.DatabaseInstanceEngine.postgres(
		version=rds.PostgresEngineVersion.VER_15_2
	),
	instance_type=ec2.InstanceType.of(ec2.InstanceClass.T4G, ec2.InstanceSize.MICRO),
	vpc=vpc,
	vpc_subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.PUBLIC),
	credentials=rds.Credentials.from_password(
		username='example',
		password='example123456'
	),
	storage_type=rds.StorageType.GP3,
	allocated_storage=20,
	max_allocated_storage=100,
	backup_retention=30,
	preferred_backup_window='21:00-21:30',
	removal_policy=core.RemovalPolicy.RETAIN,
	delete_automated_backups=False
)