migration examples for Encrypted Paginator

Author: imabhichow

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/paginator/__init__.py

@@ -0,0 +1,3 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Stub to allow relative imports of examples from tests."""

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/paginator/migration_step_1.py

@@ -0,0 +1,94 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""
+Migration Step 1.
+
+This is an example demonstrating how to start using the
+AWS Database Encryption SDK with a pre-existing table used with DynamoDB Encryption Client.
+In this example, you configure a EncryptedPaginator to do the following:
+  - Read items encrypted in the old format
+  - Continue to encrypt items in the old format on write
+  - Read items encrypted in the new format
+While this step configures your paginator to be ready to start reading items encrypted,
+we do not yet expect to be reading any items in the new format.
+Before you move on to step 2, ensure that these changes have successfully been deployed
+to all of your readers.
+
+Running this example requires access to the DDB Table whose name
+is provided in CLI arguments.
+This table must be configured with the following
+primary key configuration:
+  - Partition key is named "partition_key" with type (S)
+  - Sort key is named "sort_key" with type (N)
+"""
+from aws_dbesdk_dynamodb.structures.dynamodb import LegacyPolicy
+
+from ..client.common import setup_awsdbe_client_with_legacy_override
+
+
+def migration_step_1_with_paginator(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 1):
+    """
+    Migration Step 1: Using the AWS Database Encryption SDK EncryptedPaginator with Legacy Override.
+
+    :param kms_key_id: The ARN of the KMS key to use for encryption
+    :param ddb_table_name: The name of the DynamoDB table
+    """
+    # 1. Create a EncryptedClient with legacy override.
+    #    For Legacy Policy, use `FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT`.
+    #    With this policy, you will continue to read and write items using the old format,
+    #    but will be able to start reading new items in the new format as soon as they appear
+    policy = LegacyPolicy.FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT
+    encrypted_client = setup_awsdbe_client_with_legacy_override(
+        kms_key_id=kms_key_id, ddb_table_name=ddb_table_name, policy=policy
+    )
+
+    # 2. Put an item in the old format since we are using a legacy override
+    #    with FORCE_LEGACY_ENCRYPT_ALLOW_DECRYPT policy
+    item_to_encrypt = {
+        "partition_key": {"S": "PaginatorMigrationExampleForPython"},
+        "sort_key": {"N": "1"},
+        "attribute1": {"S": "encrypt and sign me!"},
+        "attribute2": {"S": "sign me!"},
+        ":attribute3": {"S": "ignore me!"},
+    }
+
+    put_item_request = {
+        "TableName": ddb_table_name,
+        "Item": item_to_encrypt,
+    }
+
+    put_item_response = encrypted_client.put_item(**put_item_request)
+    # Demonstrate that PutItem succeeded
+    assert put_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+    # 3. Get the EncryptedPaginator from the EncryptedClient
+    encrypted_paginator = encrypted_client.get_paginator("query")
+
+    # 4. Use the EncryptedPaginator to paginate through the items in the table
+    #    If the items were written in the old format (e.g. any item written
+    #    during Step 0 or 1), then we will attempt to decrypt the item
+    #    using the legacy behavior.
+    #    If the items were written in the new format (e.g. any item written
+    #    during Step 2 or after), then we will attempt to decrypt the item using
+    #    the non-legacy behavior.
+    items = []
+    for page in encrypted_paginator.paginate(
+        TableName=ddb_table_name,
+        KeyConditionExpression="partition_key = :partition_key AND sort_key = :sort_key",
+        ExpressionAttributeValues={
+            ":partition_key": {"S": "PaginatorMigrationExampleForPython"},
+            ":sort_key": {"N": str(sort_read_value)},
+        },
+    ):
+        for item in page["Items"]:
+            items.append(item)
+
+    # 5. Verify the decrypted items
+    assert len(items) == 1  # We should have only one item with above key condition
+    item = next((i for i in items if i["sort_key"]["N"] == str(sort_read_value)), None)
+    assert item is not None
+    assert item["partition_key"]["S"] == "PaginatorMigrationExampleForPython"
+    assert item["attribute1"]["S"] == "encrypt and sign me!"
+    assert item["attribute2"]["S"] == "sign me!"
+    assert item[":attribute3"]["S"] == "ignore me!"

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/paginator/migration_step_2.py

@@ -0,0 +1,94 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""
+Migration Step 2.
+
+This is an example demonstrating how to update your configuration
+to start writing items using the latest encryption format, but still continue
+to read any items written using the old encryption format.
+
+Once you deploy this change to your system, you will have a dataset
+containing items in both the old and new format.
+Because the changes in Step 1 have been deployed to all our readers,
+we can be sure that our entire system is ready to read this new data.
+
+Running this example requires access to the DDB Table whose name
+is provided in CLI arguments.
+This table must be configured with the following
+primary key configuration:
+  - Partition key is named "partition_key" with type (S)
+  - Sort key is named "sort_key" with type (N)
+"""
+
+from aws_dbesdk_dynamodb.structures.dynamodb import LegacyPolicy
+
+# Import from new AWS Database Encryption SDK
+from ..client.common import setup_awsdbe_client_with_legacy_override
+
+
+def migration_step_2_with_paginator(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 2):
+    """
+    Migration Step 2: Using the AWS Database Encryption SDK EncryptedPaginator with legacy override.
+
+    :param kms_key_id: The ARN of the KMS key to use for encryption
+    :param ddb_table_name: The name of the DynamoDB table
+    """
+    # 1. Create a EncryptedClient with legacy override.
+    #    When configuring our legacy behavior, use `FORBID_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT`.
+    #    With this policy, you will continue to read items in both formats,
+    #    but will only write new items using the new format.
+    encrypted_client = setup_awsdbe_client_with_legacy_override(
+        kms_key_id, ddb_table_name, policy=LegacyPolicy.FORBID_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT
+    )
+
+    # 2. Put an item into your table using the EncryptedClient.
+    #    This item will be encrypted in the latest format, using the
+    #    configuration to decide which attribute to encrypt and/or sign.
+    item_to_encrypt = {
+        "partition_key": {"S": "PaginatorMigrationExampleForPython"},
+        "sort_key": {"N": "2"},
+        "attribute1": {"S": "encrypt and sign me!"},
+        "attribute2": {"S": "sign me!"},
+        ":attribute3": {"S": "ignore me!"},
+    }
+
+    put_item_request = {
+        "TableName": ddb_table_name,
+        "Item": item_to_encrypt,
+    }
+
+    put_item_response = encrypted_client.put_item(**put_item_request)
+    # Demonstrate that PutItem succeeded
+    assert put_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+    # 3. Get the EncryptedPaginator from the EncryptedClient
+    encrypted_paginator = encrypted_client.get_paginator("query")
+
+    # 4. Use the EncryptedPaginator to paginate through the items in the table
+    #    If the items were written in the old format (e.g. any item written
+    #    during Step 0 or 1), then we will attempt to decrypt the item
+    #    using the legacy behavior.
+    #    If the items were written in the new format (e.g. any item written
+    #    during Step 2 or after), then we will attempt to decrypt the item using
+    #    the non-legacy behavior.
+    items = []
+    for page in encrypted_paginator.paginate(
+        TableName=ddb_table_name,
+        KeyConditionExpression="partition_key = :partition_key AND sort_key = :sort_key",
+        ExpressionAttributeValues={
+            ":partition_key": {"S": "PaginatorMigrationExampleForPython"},
+            ":sort_key": {"N": str(sort_read_value)},
+        },
+    ):
+        for item in page["Items"]:
+            items.append(item)
+
+    # 5. Verify the decrypted items
+    assert len(items) == 1  # We should have only one item with above key condition
+    item = next((i for i in items if i["sort_key"]["N"] == str(sort_read_value)), None)
+    assert item is not None
+    assert item["partition_key"]["S"] == "PaginatorMigrationExampleForPython"
+    assert item["attribute1"]["S"] == "encrypt and sign me!"
+    assert item["attribute2"]["S"] == "sign me!"
+    assert item[":attribute3"]["S"] == "ignore me!"

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/paginator/migration_step_3.py

@@ -0,0 +1,85 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""
+Migration Step 3.
+
+This is an example demonstrating how to update your configuration
+to stop accepting reading items encrypted using the old format.
+In order to proceed with this step, you will need to re-encrypt all
+old items in your table.
+
+Once you complete Step 3, you can be sure that all items being read by your system
+ensure the security properties configured for the new format.
+
+Running this example requires access to the DDB Table whose name
+is provided in CLI arguments.
+This table must be configured with the following
+primary key configuration:
+  - Partition key is named "partition_key" with type (S)
+  - Sort key is named "sort_key" with type (N)
+"""
+
+from ..client.common import setup_pure_awsdbe_client
+
+
+def migration_step_3_with_paginator(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 3):
+    """
+    Migration Step 3: Using only pure AWS DBESDK (no legacy override) with EncryptedPaginator.
+
+    :param kms_key_id: The ARN of the KMS key to use for encryption
+    :param ddb_table_name: The name of the DynamoDB table
+    """
+    # 1. Create the EncryptedClient.
+    #    Do not configure any legacy behavior.
+    encrypted_client = setup_pure_awsdbe_client(kms_key_id, ddb_table_name)
+
+    # 2. Put an item into your table using the Client.
+    #    This item will be encrypted in the latest format, using the
+    #    configuration from your modelled class to decide
+    #    which attribute to encrypt and/or sign.
+    item = {
+        "partition_key": {"S": "PaginatorMigrationExampleForPython"},
+        "sort_key": {"N": "3"},
+        "attribute1": {"S": "encrypt and sign me!"},
+        "attribute2": {"S": "sign me!"},
+        ":attribute3": {"S": "ignore me!"},
+    }
+
+    put_item_response = encrypted_client.put_item(TableName=ddb_table_name, Item=item)
+    # Demonstrate that PutItem succeeded
+    assert put_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+    # 3. Get the EncryptedPaginator from the EncryptedClient
+    encrypted_paginator = encrypted_client.get_paginator("query")
+
+    # 4. Use the EncryptedPaginator to paginate through the items in the table
+    #    If the items were written in the old format (e.g. any item written
+    #    during Step 0 or 1), then we will fail to decrypt those items.
+    #    If the items were written in the new format (e.g. any item written
+    #    during Step 2 or 3), then we will attempt to decrypt the item using
+    #    the non-legacy behavior.
+    items = []
+    for page in encrypted_paginator.paginate(
+        TableName=ddb_table_name,
+        KeyConditionExpression="partition_key = :partition_key AND sort_key = :sort_key",
+        ExpressionAttributeValues={
+            ":partition_key": {"S": "PaginatorMigrationExampleForPython"},
+            ":sort_key": {"N": str(sort_read_value)},
+        },
+    ):
+        for item in page["Items"]:
+            items.append(item)
+
+    # 5. Verify the decrypted items
+    assert len(items) == 1  # We should have only one item with above key condition
+    item = next((i for i in items if i["sort_key"]["N"] == str(sort_read_value)), None)
+    assert item is not None
+    assert item["partition_key"]["S"] == "PaginatorMigrationExampleForPython"
+    assert item["attribute1"]["S"] == "encrypt and sign me!"
+    assert item["attribute2"]["S"] == "sign me!"
+    assert item[":attribute3"]["S"] == "ignore me!"
+
+    # Note: If we tried to query for items with sort_key = 1 or sort_key = 2 that were
+    # written with the legacy format in previous migration steps and haven't been
+    # re-encrypted, the operation would fail with a verification exception.

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/ddbec/paginator/__init__.py

@@ -0,0 +1,3 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Stub to allow relative imports of examples from tests."""

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/ddbec/paginator/migration_step_0.py

@@ -0,0 +1,95 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""
+Migration Step 0.
+
+This is an example demonstrating use with the DynamoDb Encryption Client.
+and is the starting state for our migration to the AWS Database Encryption SDK for DynamoDb.
+In this example we configure an EncryptedClient which provides an encrypted paginator
+configured to encrypt and decrypt items. The encryption and decryption of data is
+configured to use a KMS Key as the root of trust.
+
+Running this example requires access to the DDB Table whose name
+is provided in CLI arguments.
+This table must be configured with the following
+primary key configuration:
+  - Partition key is named "partition_key" with type (S)
+  - Sort key is named "sort_key" with type (N)
+"""
+
+import boto3
+
+# Import from legacy DynamoDB Encryption Client
+from dynamodb_encryption_sdk.encrypted.client import EncryptedClient
+from dynamodb_encryption_sdk.identifiers import CryptoAction
+from dynamodb_encryption_sdk.material_providers.aws_kms import AwsKmsCryptographicMaterialsProvider
+from dynamodb_encryption_sdk.structures import AttributeActions
+
+
+def migration_step_0_with_paginator(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 0):
+    """
+    Migration Step 0: Using the DynamoDb Encryption Client with EncryptedClient's paginator.
+
+    :param kms_key_id: The ARN of the KMS key to use for encryption
+    :param ddb_table_name: The name of the DynamoDB table
+    """
+    # 1. Create the MaterialProvider that protects your data keys. For this example,
+    #    we create a KmsCryptographicMaterialsProvider which protects data keys using a single kmsKey.
+    cmp = AwsKmsCryptographicMaterialsProvider(key_id=kms_key_id)
+
+    # 2. Create the AttributeActions to configure encryption and signing
+    actions = AttributeActions(
+        default_action=CryptoAction.ENCRYPT_AND_SIGN,
+        attribute_actions={
+            "partition_key": CryptoAction.SIGN_ONLY,
+            "sort_key": CryptoAction.SIGN_ONLY,
+            "attribute1": CryptoAction.ENCRYPT_AND_SIGN,
+            "attribute2": CryptoAction.SIGN_ONLY,
+            ":attribute3": CryptoAction.DO_NOTHING,
+        },
+    )
+
+    # 3. Create a legacy EncryptedClient.
+    ddb_client = boto3.client("dynamodb")
+    encrypted_client = EncryptedClient(client=ddb_client, materials_provider=cmp, attribute_actions=actions)
+
+    # 4. Put an example item into our DynamoDb table.
+    #    This item will be encrypted client-side before it is sent to DynamoDb.
+    item = {
+        "partition_key": {"S": "PaginatorMigrationExampleForPython"},
+        "sort_key": {"N": "0"},
+        "attribute1": {"S": "encrypt and sign me!"},
+        "attribute2": {"S": "sign me!"},
+        ":attribute3": {"S": "ignore me!"},
+    }
+
+    put_item_response = encrypted_client.put_item(TableName=ddb_table_name, Item=item)
+    # Demonstrate that PutItem succeeded
+    assert put_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+    # 5. Get a paginator from the encrypted client
+    #    The paginator will automatically decrypt items as they are returned.
+    encrypted_paginator = encrypted_client.get_paginator("query")
+
+    # 6. Use the paginator to get items from the table
+    items = []
+    for page in encrypted_paginator.paginate(
+        TableName=ddb_table_name,
+        KeyConditionExpression="partition_key = :partition_key AND sort_key = :sort_key",
+        ExpressionAttributeValues={
+            ":partition_key": {"S": "PaginatorMigrationExampleForPython"},
+            ":sort_key": {"N": str(sort_read_value)},
+        },
+    ):
+        for item in page["Items"]:
+            items.append(item)
+
+    # 7. Verify the decrypted items
+    assert len(items) == 1  # We should have only one item with above key condition
+    item = next((i for i in items if i["sort_key"]["N"] == str(sort_read_value)), None)
+    assert item is not None
+    assert item["partition_key"]["S"] == "PaginatorMigrationExampleForPython"
+    assert item["attribute1"]["S"] == "encrypt and sign me!"
+    assert item["attribute2"]["S"] == "sign me!"
+    assert item[":attribute3"]["S"] == "ignore me!"

Examples/runtimes/python/Migration/test/ddbec_to_awsdbe/awsdbe/paginator/__init__.py

@@ -0,0 +1,3 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Stub to allow relative imports of examples from tests."""