Try encrypting KMS key without encryption context first

[nhinsch]

What does this PR do?

When the API key is encrypted using the AWS console, the function name is added as an encryption context. When the API key is encrypted using the AWS CLI, no encryption context is added. We need to try decrypting the API key both with and without the encryption context, because decrypting using the incorrect encryption context will cause decryption to fail.

Previously, we tried decrypting WITH the encryption context first, then fell back to encrypting WITHOUT the encryption context. This PR reverses the order and tries decrypting WITHOUT the encryption context first, falling back to encrypting WITH the encryption context.

Motivation

We want to encourage customers to encrypt their keys using the AWS CLI, without the encryption context. That way, a single encrypted key can be re-used for multiple functions. This is necessary in order to use our deployment tools (e.g. Serverless Framework plugin).

Testing Guidelines

We have unit test coverage of this functionality.

Types of Changes

• Bug fix
• New feature
• Breaking change
• Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

• This PR's description is comprehensive
• This PR contains breaking changes that are documented in the description
• This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
• This PR impacts documentation, and it has been updated (or a ticket has been logged)
• This PR's changes are covered by the automated tests
• This PR collects user input/sensitive content into Datadog
• This PR passes the integration tests (ask a Datadog member to run the tests)