Feat(storage): add bucket encryption enforcement (GoogleCloudPlatform#2190)

Adds metadata support for the following encryption enforcement fields:
- googleManagedEncryptionEnforcementConfig
- customerManagedEncryptionEnforcementConfig
- customerSuppliedEncryptionEnforcementConfig

* Feat(storage): unify encryption enforcement sample

Updates the encryption enforcement sample to a single consolidated file
under the `storage_update_encryption_enforcement_config` region tag.
The updated sample now covers both partial updates (restriction modes)
and the full removal of enforcement configurations.

* Feat(storage):add bucket to encryption region tags

Updates the region tags to include the 'bucket' keyword for better
consistency with other GCS samples:
- storage_get_bucket_encryption_enforcement_config
- storage_update_bucket_encryption_enforcement_config
- storage_set_bucket_encryption_enforcement_config

* Refactor(storage): streamline enforcement flow

- Refactor `set_bucket_encryption_enforcement_config` to apply
enforcement settings during bucket creation instead of a separate update
call.
- Rename test variable to `$enforcementBucketName` to better align with
`BucketEncryptionEnforcementConfig`.
- Update PHPUnit test suite to use a dependent data-passing flow for
improved reliability and cleaner logic.

Author: thiyaguk09

storage/src/get_bucket_encryption_enforcement_config.php

@@ -0,0 +1,66 @@
+<?php
+/**
+ * Copyright 2026 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/storage/README.md
+ */
+
+namespace Google\Cloud\Samples\Storage;
+
+# [START storage_get_bucket_encryption_enforcement_config]
+use Google\Cloud\Storage\StorageClient;
+
+/**
+ * Retrieves the current encryption enforcement configurations for a bucket.
+ *
+ * @param string $bucketName The ID of your GCS bucket (e.g. "my-bucket").
+ */
+function get_bucket_encryption_enforcement_config(string $bucketName): void
+{
+    $storage = new StorageClient();
+    $bucket = $storage->bucket($bucketName);
+    $metadata = $bucket->info();
+
+    printf('Encryption enforcement configuration for bucket %s.' . PHP_EOL, $bucketName);
+
+    if (!isset($metadata['encryption'])) {
+        print('No encryption configuration found (Default GMEK is active).' . PHP_EOL);
+        return;
+    }
+
+    $enc = $metadata['encryption'];
+    printf('Default KMS Key: %s' . PHP_EOL, $enc['defaultKmsKeyName'] ?? 'None');
+
+    $printConfig = function ($label, $config) {
+        if ($config) {
+            printf('%s:' . PHP_EOL, $label);
+            printf('  Mode: %s' . PHP_EOL, $config['restrictionMode']);
+            printf('  Effective: %s' . PHP_EOL, $config['effectiveTime'] ?? 'N/A');
+        }
+    };
+
+    $printConfig('Google Managed (GMEK) Enforcement', $enc['googleManagedEncryptionEnforcementConfig'] ?? null);
+    $printConfig('Customer Managed (CMEK) Enforcement', $enc['customerManagedEncryptionEnforcementConfig'] ?? null);
+    $printConfig('Customer Supplied (CSEK) Enforcement', $enc['customerSuppliedEncryptionEnforcementConfig'] ?? null);
+}
+# [END storage_get_bucket_encryption_enforcement_config]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

storage/src/set_bucket_encryption_enforcement_config.php

@@ -0,0 +1,64 @@
+<?php
+/**
+ * Copyright 2026 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/storage/README.md
+ */
+
+namespace Google\Cloud\Samples\Storage;
+
+# [START storage_set_bucket_encryption_enforcement_config]
+use Google\Cloud\Storage\StorageClient;
+
+/**
+ * Creates a bucket with specific encryption enforcement (e.g., CMEK-only).
+ *
+ * @param string $bucketName The ID of your GCS bucket (e.g. "my-bucket").
+ * @param string $kmsKeyName The name of the KMS key to be used as the default (e.g. "projects/my-project/...").
+ */
+function set_bucket_encryption_enforcement_config(string $bucketName, string $kmsKeyName): void
+{
+    $storage = new StorageClient();
+    $bucket = $storage->bucket($bucketName);
+
+    // This configuration enforces that all objects uploaded to the bucket
+    // must use Customer Managed Encryption Keys (CMEK).
+    $options = [
+        'encryption' => [
+            'defaultKmsKeyName' => $kmsKeyName,
+            'googleManagedEncryptionEnforcementConfig' => [
+                'restrictionMode' => 'FullyRestricted',
+            ],
+            'customerSuppliedEncryptionEnforcementConfig' => [
+                'restrictionMode' => 'FullyRestricted',
+            ],
+            'customerManagedEncryptionEnforcementConfig' => [
+                'restrictionMode' => 'NotRestricted',
+            ],
+        ],
+    ];
+    $storage->createBucket($bucketName, $options);
+
+    printf('Bucket %s created with encryption enforcement configuration.' . PHP_EOL, $bucketName);
+}
+# [END storage_set_bucket_encryption_enforcement_config]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

storage/src/update_bucket_encryption_enforcement_config.php

@@ -0,0 +1,69 @@
+<?php
+/**
+ * Copyright 2026 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/storage/README.md
+ */
+
+namespace Google\Cloud\Samples\Storage;
+
+# [START storage_update_bucket_encryption_enforcement_config]
+use Google\Cloud\Storage\StorageClient;
+
+/**
+ * Updates or removes encryption enforcement configurations from a bucket.
+ *
+ * @param string $bucketName The ID of your GCS bucket (e.g. "my-bucket").
+ */
+function update_bucket_encryption_enforcement_config(string $bucketName): void
+{
+    $storage = new StorageClient();
+    $bucket = $storage->bucket($bucketName);
+
+    // Update a specific encryption type's restriction mode
+    // This partial update preserves other existing encryption settings.
+    $updateOptions = [
+        'encryption' => [
+            'googleManagedEncryptionEnforcementConfig' => [
+                'restrictionMode' => 'FullyRestricted'
+            ]
+        ]
+    ];
+    $bucket->update($updateOptions);
+    printf('Google-managed encryption enforcement set to FullyRestricted for %s.' . PHP_EOL, $bucketName);
+
+    // Remove all encryption enforcement configurations altogether
+    // Setting these values to null removes the policies from the bucket metadata.
+    $clearOptions = [
+        'encryption' => [
+            'defaultKmsKeyName' => null,
+            'googleManagedEncryptionEnforcementConfig' => null,
+            'customerSuppliedEncryptionEnforcementConfig' => null,
+            'customerManagedEncryptionEnforcementConfig' => null,
+        ],
+    ];
+
+    $bucket->update($clearOptions);
+    printf('All encryption enforcement configurations removed from bucket %s.' . PHP_EOL, $bucketName);
+}
+# [END storage_update_bucket_encryption_enforcement_config]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

storage/test/storageTest.php

@@ -573,6 +573,69 @@ public function testObjectGetKmsKey(string $objectName)
         );
     }
 
+    public function testSetBucketEncryptionEnforcementConfig()
+    {
+        $enforcementBucketName = self::$bucketName . '-enc-enforcement';
+
+        $output = $this->runFunctionSnippet('set_bucket_encryption_enforcement_config', [
+            $enforcementBucketName,
+            $this->keyName(),
+        ]);
+
+        $this->assertEquals($output, sprintf(
+            'Bucket %s created with encryption enforcement configuration.' . PHP_EOL,
+            $enforcementBucketName
+        ));
+    }
+
+    /** @depends testSetBucketEncryptionEnforcementConfig */
+    public function testGetBucketEncryptionEnforcementConfig()
+    {
+        $enforcementBucketName = self::$bucketName . '-enc-enforcement';
+
+        sleep(2);
+        $output = $this->runFunctionSnippet('get_bucket_encryption_enforcement_config', [
+            $enforcementBucketName
+        ]);
+
+        $this->assertStringContainsString(
+            sprintf('Encryption enforcement configuration for bucket %s.', $enforcementBucketName),
+            $output
+        );
+        $this->assertStringContainsString(sprintf('Default KMS Key: %s', $this->keyName()), $output);
+        $this->assertStringContainsString('Google Managed (GMEK) Enforcement:' . PHP_EOL . '  Mode: FullyRestricted', $output);
+        $this->assertStringContainsString('Customer Supplied (CSEK) Enforcement:' . PHP_EOL . '  Mode: FullyRestricted', $output);
+        $this->assertStringContainsString('Customer Managed (CMEK) Enforcement:' . PHP_EOL . '  Mode: NotRestricted', $output);
+    }
+
+    /** @depends testGetBucketEncryptionEnforcementConfig */
+    public function testUpdateBucketEncryptionEnforcementConfig()
+    {
+        $enforcementBucketName = self::$bucketName . '-enc-enforcement';
+
+        $output = $this->runFunctionSnippet('update_bucket_encryption_enforcement_config', [
+            $enforcementBucketName
+        ]);
+
+        $this->assertStringContainsString(
+            sprintf('Google-managed encryption enforcement set to FullyRestricted for %s.', $enforcementBucketName),
+            $output
+        );
+
+        $this->assertStringContainsString(
+            sprintf('All encryption enforcement configurations removed from bucket %s.', $enforcementBucketName),
+            $output
+        );
+
+        // Final verification: Ensure 'Get' now shows no configuration
+        sleep(2);
+        $finalOutput = $this->runFunctionSnippet('get_bucket_encryption_enforcement_config', [
+            $enforcementBucketName
+        ]);
+
+        $this->assertStringContainsString('No encryption configuration found (Default GMEK is active).', $finalOutput);
+    }
+
     public function testBucketVersioning()
     {
         $output = self::runFunctionSnippet('enable_versioning', [