@@ -42,7 +42,8 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
4242 // This is common across all the steps.
4343
4444 // When creating encryption configuration for your table,
45- // you must use the plaintext override `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`.
45+ // you can either not specify PlaintextOverride or use
46+ // `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead` as PlaintextOverride.
4647 // If you do not specify `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`
4748 // plaintext override defaults to `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`,
4849 // which is the desired behavior for a client interacting with a fully encrypted database.
@@ -83,19 +84,20 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
8384 return err
8485 }
8586
86- // 4. Get an item back from the table.
87+ // 4. Get an item back from the table using the DynamoDb Client .
8788 // If this is an item written in plaintext (i.e. any item written
88- // during Step 0 or 1), then the item will still be in plaintext.
89+ // during Step 0 or 1), then the read will fail, as we have
90+ // configured our client to forbid reading plaintext items.
8991 // If this is an item that was encrypted client-side (i.e. any item written
90- // during Step 2 or after), then the DDB enhanced client will decrypt the
91- // item client-side and surface it in our code as a plaintext item.
92+ // during Step 2 or after), then the item will be decrypted client-side
93+ // and surfaced as a plaintext item.
9294 key := map [string ]types.AttributeValue {
9395 "partition_key" : & types.AttributeValueMemberS {Value : partitionKeyValue },
9496 "sort_key" : & types.AttributeValueMemberN {Value : sortKeyReadValue },
9597 }
9698
9799 getInput := & dynamodb.GetItemInput {
98- TableName : aws . String ( ddbTableName ) ,
100+ TableName : & ddbTableName ,
99101 Key : key ,
100102 ConsistentRead : aws .Bool (true ),
101103 }
0 commit comments