feat(spanner): add CMEK samples (GoogleCloudPlatform#1319)

Author: larkee

spanner/src/create_backup_with_encryption_key.php

@@ -0,0 +1,77 @@
+
+/**
+ * Copyright 2021 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/master/spanner/README.md
+ */
+
+namespace Google\Cloud\Samples\Spanner;
+
+// [START spanner_create_backup_with_encryption_key]
+use Google\Cloud\Spanner\Admin\Database\V1\CreateBackupEncryptionConfig;
+use Google\Cloud\Spanner\Backup;
+use Google\Cloud\Spanner\SpannerClient;
+
+/**
+ * Create an encrypted backup.
+ * Example:
+ * ```
+ * create_backup_with_encryption_key($instanceId, $databaseId, $backupId, $kmsKeyName);
+ * ```
+ *
+ * @param string $instanceId The Spanner instance ID.
+ * @param string $databaseId The Spanner database ID.
+ * @param string $backupId The Spanner backup ID.
+ * @param string $kmsKeyName The KMS key used for encryption.
+ */
+function create_backup_with_encryption_key($instanceId, $databaseId, $backupId, $kmsKeyName)
+{
+    $spanner = new SpannerClient();
+    $instance = $spanner->instance($instanceId);
+    $database = $instance->database($databaseId);
+
+    $expireTime = new \DateTime('+14 days');
+    $backup = $instance->backup($backupId);
+    $operation = $backup->create($database->name(), $expireTime, [
+        'encryptionConfig' => [
+            'kmsKeyName' => $kmsKeyName,
+            'encryptionType' => CreateBackupEncryptionConfig\EncryptionType::CUSTOMER_MANAGED_ENCRYPTION
+        ]
+    ]);
+
+    print('Waiting for operation to complete...' . PHP_EOL);
+    $operation->pollUntilComplete();
+
+    $backup->reload();
+    $ready = ($backup->state() == Backup::STATE_READY);
+
+    if ($ready) {
+        print('Backup is ready!' . PHP_EOL);
+        $info = $backup->info();
+        printf(
+            'Backup %s of size %d bytes was created at %s using encryption key %s' . PHP_EOL,
+            basename($info['name']), $info['sizeBytes'], $info['createTime'], $kmsKeyName);
+    } else {
+        print('Backup is not ready!' . PHP_EOL);
+    }
+}
+// [END spanner_create_backup_with_encryption_key]
+
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

spanner/src/create_database_with_encryption_key.php

@@ -0,0 +1,81 @@
+
+/**
+ * Copyright 2021 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/master/spanner/README.md
+ */
+
+namespace Google\Cloud\Samples\Spanner;
+
+// [START spanner_create_database_with_encryption_key]
+use Google\Cloud\Spanner\SpannerClient;
+
+/**
+ * Creates an encrypted database with tables for sample data.
+ * Example:
+ * ```
+ * create_database_with_encryption_key($instanceId, $databaseId, $kmsKeyName);
+ * ```
+ *
+ * @param string $instanceId The Spanner instance ID.
+ * @param string $databaseId The Spanner database ID.
+ * @param string $kmsKeyName The KMS key used for encryption.
+ */
+function create_database_with_encryption_key($instanceId, $databaseId, $kmsKeyName)
+{
+    $spanner = new SpannerClient();
+    $instance = $spanner->instance($instanceId);
+
+    if (!$instance->exists()) {
+        throw new \LogicException("Instance $instanceId does not exist");
+    }
+
+    $operation = $instance->createDatabase($databaseId, [
+        'statements' => [
+            "CREATE TABLE Singers (
+                SingerId     INT64 NOT NULL,
+                FirstName    STRING(1024),
+                LastName     STRING(1024),
+                SingerInfo   BYTES(MAX)
+            ) PRIMARY KEY (SingerId)",
+            "CREATE TABLE Albums (
+                SingerId     INT64 NOT NULL,
+                AlbumId      INT64 NOT NULL,
+                AlbumTitle   STRING(MAX)
+            ) PRIMARY KEY (SingerId, AlbumId),
+            INTERLEAVE IN PARENT Singers ON DELETE CASCADE"
+        ],
+        'encryptionConfig' => ['kmsKeyName' => $kmsKeyName]
+    ]);
+
+    print('Waiting for operation to complete...' . PHP_EOL);
+    $operation->pollUntilComplete();
+
+    $database = $instance->database($databaseId);
+    printf(
+        'Created database %s on instance %s with encryption key %s' . PHP_EOL,
+        $databaseId,
+        $instanceId,
+        $database->info()['encryptionConfig']['kmsKeyName']
+    );
+}
+// [END spanner_create_database_with_encryption_key]
+
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

spanner/src/restore_backup_with_encryption_key.php

@@ -0,0 +1,71 @@
+
+/**
+ * Copyright 2021 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/master/spanner/README.md
+ */
+
+namespace Google\Cloud\Samples\Spanner;
+
+// [START spanner_restore_backup_with_encryption_key]
+use Google\Cloud\Spanner\Admin\Database\V1\RestoreDatabaseEncryptionConfig;
+use Google\Cloud\Spanner\SpannerClient;
+
+/**
+ * Restore a database from a backup.
+ * Example:
+ * ```
+ * restore_backup_with_encryption_key($instanceId, $databaseId, $backupId, $kmsKeyName);
+ * ```
+ * @param string $instanceId The Spanner instance ID.
+ * @param string $databaseId The Spanner database ID.
+ * @param string $backupId The Spanner backup ID.
+ * @param string $kmsKeyName The KMS key used for encryption.
+ */
+function restore_backup_with_encryption_key($instanceId, $databaseId, $backupId, $kmsKeyName)
+{
+    $spanner = new SpannerClient();
+    $instance = $spanner->instance($instanceId);
+    $database = $instance->database($databaseId);
+    $backup = $instance->backup($backupId);
+
+    $operation = $database->restore($backup->name(), [
+        'encryptionConfig' => [
+            'kmsKeyName' => $kmsKeyName,
+            'encryptionType' => RestoreDatabaseEncryptionConfig\EncryptionType::CUSTOMER_MANAGED_ENCRYPTION
+        ]
+    ]);
+    // Wait for restore operation to complete.
+    $operation->pollUntilComplete();
+
+    // Newly created database has restore information.
+    $database->reload();
+    $restoreInfo = $database->info()['restoreInfo'];
+    $sourceDatabase = $restoreInfo['backupInfo']['sourceDatabase'];
+    $sourceBackup = $restoreInfo['backupInfo']['backup'];
+    $encryptionConfig = $database->info()['encryptionConfig'];
+
+    printf(
+        "Database %s restored from backup %s using encryption key %s" . PHP_EOL,
+        $sourceDatabase, $sourceBackup, $encryptionConfig['kmsKeyName']);
+}
+// [END spanner_restore_backup_with_encryption_key]
+
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

spanner/test/spannerBackupTest.php

@@ -44,6 +44,9 @@ class spannerBackupTest extends TestCase
     /** @var string backupId */
     protected static $backupId;
 
+    /** @var string encryptedBackupId */
+    protected static $encryptedBackupId;
+
     /** @var string databaseId */
     protected static $databaseId;
 
@@ -53,9 +56,15 @@ class spannerBackupTest extends TestCase
     /** @var string restoredDatabaseId */
     protected static $restoredDatabaseId;
 
+    /** @var string encryptedRestoredDatabaseId */
+    protected static $encryptedRestoredDatabaseId;
+
     /** @var $instance Instance */
     protected static $instance;
 
+    /** @var string kmsKeyName */
+    protected static $kmsKeyName;
+
     public static function setUpBeforeClass(): void
     {
         self::checkProjectEnvVars();
@@ -72,8 +81,13 @@ public static function setUpBeforeClass(): void
         self::$retentionPeriod = '7d';
         self::$databaseId = 'test-' . time() . rand();
         self::$backupId = 'backup-' . self::$databaseId;
-        self::$restoredDatabaseId = self::$databaseId . '-res';
+        self::$encryptedBackupId = 'en-backup-' . self::$databaseId;
+        self::$restoredDatabaseId = self::$databaseId . '-r';
+        self::$encryptedRestoredDatabaseId = self::$databaseId . '-en-r';
         self::$instance = $spanner->instance(self::$instanceId);
+
+        self::$kmsKeyName =
+            "projects/" . self::$projectId . "/locations/us-central1/keyRings/spanner-test-keyring/cryptoKeys/spanner-test-cmek";
     }
 
     public function testCreateDatabaseWithVersionRetentionPeriod()
@@ -86,6 +100,18 @@ public function testCreateDatabaseWithVersionRetentionPeriod()
         $this->assertStringContainsString(self::$retentionPeriod, $output);
     }
 
+    public function testCreateBackupWithEncryptionKey()
+    {
+        $database = self::$instance->database(self::$databaseId);
+
+        $output = $this->runFunctionSnippet('create_backup_with_encryption_key', [
+            self::$databaseId,
+            self::$encryptedBackupId,
+            self::$kmsKeyName,
+        ]);
+        $this->assertStringContainsString(self::$backupId, $output);
+    }
+
     /**
      * @depends testCreateDatabaseWithVersionRetentionPeriod
      */
@@ -168,14 +194,28 @@ public function testRestoreBackup()
         $this->assertStringContainsString(self::$databaseId, $output);
     }
 
+    /**
+     * @depends testCreateBackupWithEncryptionKey
+     */
+    public function testRestoreBackupWithEncryptionKey()
+    {
+        $output = $this->runFunctionSnippet('restore_backup_with_encryption_key', [
+            self::$encryptedRestoredDatabaseId,
+            self::$encryptedBackupId,
+            self::$kmsKeyName,
+        ]);
+        $this->assertStringContainsString(self::$backupId, $output);
+        $this->assertStringContainsString(self::$databaseId, $output);
+    }
+
 
     /**
-     * @depends testRestoreBackup
+     * @depends testRestoreBackupWithEncryptionKey
      */
     public function testListDatabaseOperations()
     {
         $output = $this->runFunctionSnippet('list_database_operations');
-        $this->assertStringContainsString(self::$restoredDatabaseId, $output);
+        $this->assertStringContainsString(self::$encryptedRestoredDatabaseId, $output);
     }
 
     /**

spanner/test/spannerTest.php

@@ -42,12 +42,18 @@ class spannerTest extends TestCase
     /** @var string databaseId */
     protected static $databaseId;
 
+    /** @var string encryptedDatabaseId */
+    protected static $encryptedDatabaseId;
+
     /** @var string backupId */
     protected static $backupId;
 
     /** @var $instance Instance */
     protected static $instance;
 
+    /** @var string kmsKeyName */
+    protected static $kmsKeyName;
+
     /**
      * Low cost instance with less than 1000 processing units.
      *
@@ -73,8 +79,11 @@ public static function setUpBeforeClass(): void
         self::$instanceId = 'test-' . time() . rand();
         self::$lowCostInstanceId = 'test-' . time() . rand();
         self::$databaseId = 'test-' . time() . rand();
+        self::$encryptedDatabaseId = 'en-test-' . time() . rand();
         self::$backupId = 'backup-' . self::$databaseId;
         self::$instance = $spanner->instance(self::$instanceId);
+        self::$kmsKeyName =
+            "projects/" . self::$projectId . "/locations/us-central1/keyRings/spanner-test-keyring/cryptoKeys/spanner-test-cmek";
         self::$lowCostInstance = $spanner->instance(self::$lowCostInstanceId);
     }
 
@@ -106,6 +115,20 @@ public function testCreateDatabase()
         $this->assertStringContainsString('Created database test-', $output);
     }
 
+    /**
+     * @depends testCreateInstance
+     */
+    public function testCreateDatabaseWithEncryptionKey()
+    {
+        $output = $this->runFunctionSnippet('create_database_with_encryption_key', [
+            self::$instanceId,
+            self::$encryptedDatabaseId,
+            self::$kmsKeyName,
+        ]);
+        $this->assertStringContainsString('Waiting for operation to complete...', $output);
+        $this->assertStringContainsString('Created database en-test-', $output);
+    }
+
     /**
      * @depends testCreateDatabase
      */