feat: customer-managed encryption keys

[skuruppu]

Supports creating databases and backups, and restoring databases with a customer-managed encryption key.

[snippet-bot]

Here is the summary of changes.

You are about to add 3 region tags.

• samples/backups-create-with-encryption-key.js:25, tag spanner_create_backup_with_encryption_key
• samples/backups-restore-with-encryption-key.js:25, tag spanner_restore_backup_with_encryption_key
• samples/database-create-with-encryption-key.js:23, tag spanner_create_database_with_encryption_key

---

This comment is generated by snippet-bot.
If you find problems with this result, please file an issue at:
https://github.com/googleapis/repo-automation-bots/issues.
To update this comment, add snippet-bot:force-run label or use the checkbox below:

• Refresh this comment

[codecov]

Codecov Report

Merging #1274 (0830aa1) into master (a73f9fc) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master    #1274   +/-   ##
=======================================
  Coverage   98.59%   98.60%           
=======================================
  Files          23       23           
  Lines       21841    21899   +58     
  Branches     1094     1099    +5     
=======================================
+ Hits        21535    21593   +58     
  Misses        297      297           
  Partials        9        9           

Impacted Files	Coverage Δ
src/backup.ts	99.82% <100.00%> (+<0.01%)	⬆️
src/database.ts	99.96% <100.00%> (+<0.01%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a73f9fc...0830aa1. Read the comment docs.

Not a breaking change anymore

[skuruppu]

PTAL @olavloite

[olavloite]

Shouldn't this also include encryptionType: 'CUSTOMER_MANAGED_ENCRYPTION',? Or is it only required for backups?

[skuruppu]

Yeah this is confusing. But CreateDatabaseRequest has an EncryptionConfig field which only lets you specify the kms_key_name.

[skuruppu]

I think this might be because by default, it uses GOOGLE_DEFAULT_ENCRYPTION. But if the customer specifies an encryption key, then it has to be CUSTOMER_MANAGED_ENCRYPTION.

[olavloite]

For the Java client we have merged all backup/restore system tests into one as backups and restores are very slow. Is that something that we should consider for Node as well?

[skuruppu]

I wish we could do that but I guess the samples were designed such that we take a separate backup and do a separate restore for CMEK. That means I have to test them separately here :( But if it becomes too flaky over time, then I may have to end up skipping these.

[olavloite]

Depending on how often we think that users will use encrypted backups, I would consider leaving the encryption information out of this example. As it is now, it at first hand seems to be something that is required for all restore operations, while it is only required if you actually have an encrypted backup.

[skuruppu]

Yeah, I think it's reasonable to remove this as it's not something you have to specify by default. Sometimes we have multiple examples so I may consider adding a separate one.

BTW, for restoring with an encryption key, it's not a requirement to specify the encryption key if the backup was encrypted. If the backup was encrypted, then the restored database is automatically encrypted with the same key as the backup. You only have to specify the key here if you want to encrypt it with a different key.