Description
As per docs:
BYOK for backups is available only in US regions us-south and us-east, and eu-de.
Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, you must use a key from us-south or eu-de, regardless of your deployment's location.
The problem with the DA is it only supports creating one key (or taking in 1 existing_kms_key_crn value) which is used for both standard and backup encryption. So if that is not one of the supported backup key regions, deployment will fail with:
Error creating database instance: Please contact the Service Provider for this error. [400, Bad Request] We were unable to complete your request: Backup encryption keys are not supported in this region. Try again with valid values or contact support if the issue persists.
The DA should be updated to optionally create a 2nd key (or take in a 2nd existing key) that would be used for backup encryption. It would mean exposing 2 new variables, for example existing_backup_kms_key_crn and existing_backup_kms_instance_crn. KMS auth policies also need to be considered here.
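
A pre-flight check for the region constraint described in this issue, as an added example (not code from the DA or from the issue author): it reads the location segment of a key CRN and reports whether that key would be accepted for backup encryption and whether it is durable to region failure. The function names and sample CRNs are constructed for illustration; the region lists are the ones quoted from the docs above.

```python
from typing import Optional

# Region lists as quoted from the docs in the issue above.
BACKUP_KEY_REGIONS = {"us-south", "us-east", "eu-de"}
DURABLE_KEY_REGIONS = {"us-south", "eu-de"}


def crn_region(crn: str) -> str:
    """Return the location segment of an IBM Cloud CRN.

    Layout: crn:version:cname:ctype:service-name:location:scope:
            service-instance:resource-type:resource
    """
    parts = crn.split(":")
    if len(parts) != 10 or parts[0] != "crn" or not parts[5]:
        raise ValueError(f"not a regional resource CRN: {crn!r}")
    return parts[5]


def check_backup_key(kms_key_crn: str,
                     backup_kms_key_crn: Optional[str] = None) -> dict:
    """Report whether the key used for backup encryption is acceptable.

    With no separate backup key, the single key is used for both standard
    and backup encryption, which is the DA behaviour the issue describes.
    """
    effective = backup_kms_key_crn or kms_key_crn
    region = crn_region(effective)
    return {
        "backup_key_region": region,
        "supported": region in BACKUP_KEY_REGIONS,
        "durable": region in DURABLE_KEY_REGIONS,
        "separate_backup_key": backup_kms_key_crn is not None,
    }


if __name__ == "__main__":
    # Constructed sample CRNs (placeholder account, instance and key IDs).
    main_key = "crn:v1:bluemix:public:kms:eu-gb:a/ACCOUNT:INSTANCE:key:KEY1"
    backup_key = "crn:v1:bluemix:public:kms:eu-de:a/ACCOUNT:INSTANCE2:key:KEY2"
    print(check_backup_key(main_key))              # eu-gb key alone
    print(check_backup_key(main_key, backup_key))  # with a separate eu-de key
```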