Merge branch 'main' into ajewell/buckets

Author: ajewellamz

.github/actions/install_smithy_dafny_codegen_dependencies/action.yml

@@ -30,6 +30,16 @@ runs:
         python -m pip install --upgrade black
         python -m pip install --upgrade docformatter
 
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: "1.23"
+
+    - name: Install Go imports
+      shell: bash
+      run: |
+        go install golang.org/x/tools/cmd/goimports@latest
+
     # Without this the if-dafny-at-least command includes "Downloading ..." output
     - name: Arbitrary makefile target to force downloading Gradle
       shell: bash

.github/workflows/ci_codegen.yml

@@ -56,10 +56,6 @@ jobs:
         with:
           go-version: ${{ matrix.go-version }}
 
-      - name: Install Go imports
-        run: |
-          go install golang.org/x/tools/cmd/goimports@latest
-
       - name: Create temporary global.json
         run: echo '{"sdk":{"rollForward":"latestFeature","version":"6.0.0"}}' > ./global.json
 

.github/workflows/ci_test_go.yml

@@ -95,10 +95,6 @@ jobs:
         with:
           go-version: ${{ matrix.go-version }}
 
-      - name: Install Go imports
-        run: |
-          go install golang.org/x/tools/cmd/goimports@latest
-
       - uses: actions/checkout@v3
       - name: Init Submodules
         shell: bash
@@ -109,11 +105,6 @@ jobs:
       - name: Install Smithy-Dafny codegen dependencies
         uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
 
-      - name: Install Go imports
-        shell: bash
-        run: |
-          go install golang.org/x/tools/cmd/goimports@latest
-
       - name: Build ${{ matrix.library }} implementation
         shell: bash
         working-directory: ./${{ matrix.library }}

.github/workflows/go-release.yml

@@ -52,15 +52,6 @@ jobs:
         with:
           dafny-version: ${{ needs.get-dafny-version.outputs.version }}
 
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23"
-
-      - name: Install Go imports
-        run: |
-          go install golang.org/x/tools/cmd/goimports@latest
-
       - name: Install Smithy-Dafny codegen dependencies
         uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
 

.github/workflows/library_rust_tests.yml

@@ -70,7 +70,7 @@ jobs:
       - name: Setup Dafny
         uses: ./submodules/MaterialProviders/.github/actions/setup_dafny/
         with:
-          dafny-version: nightly-2025-01-30-7db1e5f
+          dafny-version: 4.10.0
 
       - name: Update MPL submodule if using MPL HEAD
         if: ${{ inputs.mpl-head == true }}
@@ -91,12 +91,6 @@ jobs:
         if: matrix.os == 'windows-latest'
         uses: ilammy/setup-nasm@v1
 
-      # Go is needed for aws-lc-FIPS
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ">=1.18"
-
       - name: Install Smithy-Dafny codegen dependencies
         uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
 
@@ -146,3 +140,4 @@ jobs:
         shell: bash
         run: |
           cargo run --release --example main
+          cargo test --release --example main

DynamoDbEncryption/runtimes/rust/examples/main.rs

@@ -14,6 +14,7 @@ pub mod keyring;
 pub mod multi_get_put_example;
 pub mod searchableencryption;
 pub mod test_utils;
+pub mod migration;
 
 use std::convert::From;
 

DynamoDbEncryption/runtimes/rust/examples/migration/mod.rs

@@ -0,0 +1,4 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+pub mod plaintext_to_awsdbe;

DynamoDbEncryption/runtimes/rust/examples/migration/plaintext_to_awsdbe/README.md

@@ -0,0 +1,51 @@
+# Plaintext DynamoDB Table to AWS Database Encryption SDK Encrypted Table Migration
+
+This projects demonstrates the steps necessary
+to migrate to the AWS Database Encryption SDK for DynamoDb
+from a plaintext database.
+
+[Step 0](plaintext/step0.go) demonstrates the starting state for your system.
+
+## Step 1
+
+In Step 1, you update your system to do the following:
+
+- continue to read plaintext items
+- continue to write plaintext items
+- prepare to read encrypted items
+
+When you deploy changes in Step 1,
+you should not expect any behavior change in your system,
+and your dataset still consists of plaintext data.
+
+You must ensure that the changes in Step 1 make it to all your readers before you proceed to Step 2.
+
+## Step 2
+
+In Step 2, you update your system to do the following:
+
+- continue to read plaintext items
+- start writing encrypted items
+- continue to read encrypted items
+
+When you deploy changes in Step 2,
+you are introducing encrypted items to your system,
+and must make sure that all your readers are updated with the changes from Step 1.
+
+Before you move onto the next step, you will need to encrypt all plaintext items in your dataset.
+Once you have completed this step,
+while new items are being encrypted using the new format and will be authenticated on read,
+your system will still accept reading plaintext, unauthenticated items.
+In order to complete migration to a system where you always authenticate your items,
+you should prioritize moving on to Step 3.
+
+## Step 3
+
+Once all old items are encrypted,
+update your system to do the following:
+
+- continue to write encrypted items
+- continue to read encrypted items
+- do not accept reading plaintext items
+
+Once you have deployed these changes to your system, you have completed migration.

DynamoDbEncryption/runtimes/rust/examples/migration/plaintext_to_awsdbe/awsdbe/common.rs

@@ -0,0 +1,90 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use aws_db_esdk::material_providers::client;
+use aws_db_esdk::material_providers::types::material_providers_config::MaterialProvidersConfig;
+use aws_db_esdk::CryptoAction;
+use aws_db_esdk::dynamodb::types::DynamoDbTableEncryptionConfig;
+use aws_db_esdk::types::dynamo_db_tables_encryption_config::DynamoDbTablesEncryptionConfig;
+use aws_db_esdk::dynamodb::types::PlaintextOverride;
+use std::collections::HashMap;
+
+pub async fn create_table_configs(
+    kms_key_id: &str,
+    ddb_table_name: &str,
+    plaintext_override: PlaintextOverride,
+) -> Result<DynamoDbTablesEncryptionConfig, Box<dyn std::error::Error>> {
+    // Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
+    // For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
+    // We will use the `CreateMrkMultiKeyring` method to create this keyring,
+    // as it will correctly handle both single region and Multi-Region KMS Keys.
+    let provider_config = MaterialProvidersConfig::builder().build()?;
+    let mat_prov = client::Client::from_conf(provider_config)?;
+    let kms_keyring = mat_prov
+        .create_aws_kms_mrk_multi_keyring()
+        .generator(kms_key_id)
+        .send()
+        .await?;
+
+    // Configure which attributes are encrypted and/or signed when writing new items.
+    // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
+    // we must explicitly configure how they should be treated during item encryption:
+    //  - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
+    //  - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
+    //  - DO_NOTHING: The attribute is not encrypted and not included in the signature
+    let partition_key_name = "partition_key";
+    let sort_key_name = "sort_key";
+    let attribute_actions_on_encrypt = HashMap::from([
+        (partition_key_name.to_string(), CryptoAction::SignOnly),
+        (sort_key_name.to_string(), CryptoAction::SignOnly),
+        ("attribute1".to_string(), CryptoAction::EncryptAndSign),
+        ("attribute2".to_string(), CryptoAction::SignOnly),
+        ("attribute3".to_string(), CryptoAction::DoNothing),
+    ]);
+
+    // Configure which attributes we expect to be excluded in the signature
+    // when reading items. There are two options for configuring this:
+    //
+    //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
+    //      When defining your DynamoDb schema and deciding on attribute names,
+    //      choose a distinguishing prefix (such as ":") for all attributes that
+    //      you do not want to include in the signature.
+    //      This has two main benefits:
+    //      - It is easier to reason about the security and authenticity of data within your item
+    //        when all unauthenticated data is easily distinguishable by their attribute name.
+    //      - If you need to add new unauthenticated attributes in the future,
+    //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
+    //        and immediately start writing to that new attribute, without
+    //        any other configuration update needed.
+    //      Once you configure this field, it is not safe to update it.
+    //
+    //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
+    //      a set of attributes that should be considered unauthenticated when encountered
+    //      on read. Be careful if you use this configuration. Do not remove an attribute
+    //      name from this configuration, even if you are no longer writing with that attribute,
+    //      as old items may still include this attribute, and our configuration needs to know
+    //      to continue to exclude this attribute from the signature scope.
+    //      If you add new attribute names to this field, you must first deploy the update to this
+    //      field to all readers in your host fleet before deploying the update to start writing
+    //      with that new attribute.
+    //
+    //   For this example, we will explicitly list the attributes that are not signed.
+    let unsigned_attributes = vec!["attribute3".to_string()];
+
+    // Create the DynamoDb Encryption configuration for the table we will be writing to.
+    let table_config = DynamoDbTableEncryptionConfig::builder()
+        .logical_table_name(ddb_table_name)
+        .partition_key_name(partition_key_name)
+        .sort_key_name(sort_key_name)
+        .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
+        .keyring(kms_keyring)
+        .allowed_unsigned_attributes(unsigned_attributes)
+        .plaintext_override(plaintext_override)
+        .build()?;
+
+    let table_configs = DynamoDbTablesEncryptionConfig::builder()
+        .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
+        .build()?;
+
+    Ok(table_configs)
+}