|
| 1 | +package awsdbe |
| 2 | + |
| 3 | +import ( |
| 4 | + // Standard imports |
| 5 | + "context" |
| 6 | + "reflect" |
| 7 | + |
| 8 | + // AWS SDK imports |
| 9 | + |
| 10 | + "github.com/aws/aws-sdk-go-v2/aws" |
| 11 | + "github.com/aws/aws-sdk-go-v2/config" |
| 12 | + "github.com/aws/aws-sdk-go-v2/service/dynamodb" |
| 13 | + "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" |
| 14 | + |
| 15 | + dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes" |
| 16 | + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/dbesdkmiddleware" |
| 17 | + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" |
| 18 | +) |
| 19 | + |
| 20 | +/* |
| 21 | +Migration Step 2: This is an example demonstrating how to update your configuration |
| 22 | +to start writing encrypted items, but still continue to read any plaintext or |
| 23 | +encrypted items. |
| 24 | +
|
| 25 | +Once you deploy this change to your system, you will have a dataset |
| 26 | +containing both encrypted and plaintext items. |
| 27 | +Because the changes in Step 1 have been deployed to all our readers, |
| 28 | +we can be sure that our entire system is ready to read this new data. |
| 29 | +
|
| 30 | +Before you move onto the next step, you will need to encrypt all plaintext items in your dataset. |
| 31 | +How you will want to do this depends on your system. |
| 32 | +
|
| 33 | +Running this example requires access to the DDB Table whose name |
| 34 | +is provided in CLI arguments. |
| 35 | +This table must be configured with the following |
| 36 | +primary key configuration: |
| 37 | + - Partition key is named "partition_key" with type (S) |
| 38 | + - Sort key is named "sort_key" with type (S) |
| 39 | +*/ |
| 40 | +func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue string) { |
| 41 | + cfg, err := config.LoadDefaultConfig(context.TODO()) |
| 42 | + utils.HandleError(err) |
| 43 | + |
| 44 | + // 1. Configure your Keyring, attribute actions, |
| 45 | + // allowedUnsignedAttributes, and encryption configuration for table. |
| 46 | + // This is common across all the steps. |
| 47 | + |
| 48 | + // When creating encryption configuration for your table, |
| 49 | + // you must use the plaintext override `FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ`. |
| 50 | + // This plaintext override means: |
| 51 | + // - Write: Items are forbidden to be written as plaintext. |
| 52 | + // Items will be written as encrypted items. |
| 53 | + // - Read: Items are allowed to be read as plaintext. |
| 54 | + // Items are allowed to be read as encrypted items. |
| 55 | + |
| 56 | + listOfTableConfigs := configureTable(kmsKeyID, ddbTableName, dbesdkdynamodbencryptiontypes.PlaintextOverrideForbidPlaintextWriteAllowPlaintextRead) |
| 57 | + |
| 58 | + // 5. Create DynamoDB client with dbEsdkMiddleware |
| 59 | + dbEsdkMiddleware, err := dbesdkmiddleware.NewDBEsdkMiddleware(listOfTableConfigs) |
| 60 | + utils.HandleError(err) |
| 61 | + |
| 62 | + ddb := dynamodb.NewFromConfig(cfg, dbEsdkMiddleware.CreateMiddleware()) |
| 63 | + |
| 64 | + // 6. Put an item into your table. |
| 65 | + // This item will be encrypted. |
| 66 | + item := map[string]types.AttributeValue{ |
| 67 | + "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, |
| 68 | + "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, |
| 69 | + "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"}, |
| 70 | + "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, |
| 71 | + "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, |
| 72 | + } |
| 73 | + |
| 74 | + putInput := dynamodb.PutItemInput{ |
| 75 | + TableName: &ddbTableName, |
| 76 | + Item: item, |
| 77 | + } |
| 78 | + |
| 79 | + _, err = ddb.PutItem(context.TODO(), &putInput) |
| 80 | + utils.HandleError(err) |
| 81 | + |
| 82 | + // 7. Get an item back from the table. |
| 83 | + // If this is an item written in plaintext (i.e. any item written |
| 84 | + // during Step 0 or 1), then the item will still be in plaintext. |
| 85 | + // If this is an item that was encrypted client-side (i.e. any item written |
| 86 | + // during Step 2 or after), then the DDB enhanced client will decrypt the |
| 87 | + // item client-sid and surface it in our code as a plaintext item. |
| 88 | + key := map[string]types.AttributeValue{ |
| 89 | + "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, |
| 90 | + "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, |
| 91 | + } |
| 92 | + |
| 93 | + getInput := &dynamodb.GetItemInput{ |
| 94 | + TableName: aws.String(ddbTableName), |
| 95 | + Key: key, |
| 96 | + ConsistentRead: aws.Bool(true), |
| 97 | + } |
| 98 | + |
| 99 | + result, err := ddb.GetItem(context.TODO(), getInput) |
| 100 | + utils.HandleError(err) |
| 101 | + |
| 102 | + // Demonstrate we get the expected item back |
| 103 | + if !reflect.DeepEqual(item, result.Item) { |
| 104 | + panic("Decrypted item does not match original item") |
| 105 | + } |
| 106 | +} |
0 commit comments