feat: add support to use a different KMS key for backup encryption

[Aashiq-J]

Description

Issue : #509

Release required?

• No release
• Patch release (x.x.X)
• Minor release (x.X.x)
• Major release (X.x.x)

Release notes content

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

• If relevant, a test for the change is included or updated with this PR.
• If relevant, documentation for the change is included or updated with this PR.

For mergers

• Use a conventional commit message to set the release level. Follow the guidelines.
• Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
• Use the Squash and merge option.

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[ocofaigh]

Need to wait for #513 #514 to be merged to unblock pipeline

[ocofaigh]

no don't do this - there is a backend bug. We need to remove wal_level all together from the configuration so it defaults to replica. I think @shemau is going to make the change in #513

[ocofaigh]

actually its coming in #514

[ocofaigh]

@Aashiq-J Too many changes here - check out my comments

[ocofaigh]

why are you saying same account? We support KMS being in any account since we have the ibmcloud_kms_api_key input. I think its safe to assume all KMS will be in same account

[ocofaigh]

If not specified, a root key is created.

^ This doesn't make sense here? The instance CRN is required to create the key and the auth policy. If not specified we should mention that for backup encryption, it will use the same instance specified in existing_kms_instance_crn

[ocofaigh]

description needs to be updated to say its used for backup encryption

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[Aashiq-J]

/run pipeline

[ocofaigh]

@Aashiq-J Hold off running pipeline - I'm reviewing..

[ocofaigh]

see suggestions

[ocofaigh]

Its not a "PostgreSQL instance backup" - its a database backup.
How about this for wording:

The CRN of an Hyper Protect Crypto Services or Key Protect instance that you want to use to encrypt database backups. If no value is passed, the value of the existing_kms_instance_crn input will be used, however backup encryption is only supported in certain regions so you need to ensure the KMS for backup is coming from one of the supported regions. Learn more.

[ocofaigh]

The CRN of an Hyper Protect Crypto Services or Key Protect encryption key that you want to use to encrypt database backups. If no value is passed, the value of existing_kms_key_crn is used. If no is passed for that, a new key will be created in the provided KMS instance and used for both disk encryption, and backup encryption.

[ocofaigh]

The CRN of an Hyper Protect Crypto Services or Key Protect instance that you want to use for both disk and backup encryption. Backup encryption is only supported is some regions (learn more), so if you need to use a different instance for backup encryption from a supported region, use the existing_backup_kms_instance_crn input.

[ocofaigh]

The CRN of an Hyper Protect Crypto Services or Key Protect encryption key that you want to use to use for both disk and backup encryption. If no value is passed, a new key ring and key will be created in the instance provided in the existing_kms_instance_crn input. Backup encryption is only supported is some regions (learn more), so if you need to use a key from a different region for backup encryption, use the existing_backup_kms_key_crn input.

[ocofaigh]

/run pipeline

[Aashiq-J]

/run pipeline

[terraform-ibm-modules-ops]

🎉 This PR is included in version 3.18.0 🎉

The release is available on:

• GitHub release
• v3.18.0

Your semantic-release bot 📦🚀