MQE-1919: MFTF AWS Secrets Manager - CI Use

Author: jilu1

etc/config/.env.example

@@ -37,6 +37,8 @@ BROWSER=chrome
 #*** To use AWS Secrets Manager to manage _CREDS secrets, uncomment and set region, profile is optional, when omitted, AWS default credential provider chain will be used ***#
 #CREDENTIAL_AWS_SECRETS_MANAGER_PROFILE=default
 #CREDENTIAL_AWS_SECRETS_MANAGER_REGION=us-east-1
+#*** If using non-default AWS account ***#
+#CREDENTIAL_AWS_ACCOUNT_ID=
 
 #*** Uncomment these properties to set up a dev environment with symlinked projects ***#
 #TESTS_BP=

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/CredentialStore.php

@@ -79,14 +79,19 @@ private function __construct()
         // Initialize AWS Secrets Manager storage
         $awsRegion = getenv('CREDENTIAL_AWS_SECRETS_MANAGER_REGION');
         $awsProfile = getenv('CREDENTIAL_AWS_SECRETS_MANAGER_PROFILE');
+        $awsId = getenv('CREDENTIAL_AWS_ACCOUNT_ID');
         if ($awsRegion !== false) {
             if ($awsProfile === false) {
                 $awsProfile = null;
             }
+            if ($awsId === false) {
+                $awsId = null;
+            }
             try {
                 $this->credStorage[self::ARRAY_KEY_FOR_AWS_SECRETS_MANAGER] = new AwsSecretsManagerStorage(
                     $awsRegion,
-                    $awsProfile
+                    $awsProfile,
+                    $awsId
                 );
             } catch (TestFrameworkException $e) {
             }

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/SecretStorage/AwsSecretsManagerStorage.php

@@ -22,6 +22,11 @@ class AwsSecretsManagerStorage extends BaseStorage
      */
     const MFTF_PATH = 'mftf';
 
+    /**
+     * AWS Secrets Manager partial ARN
+     */
+    const AWS_SM_PARTIAL_ARN = 'arn:aws:secretsmanager:';
+
     /**
      * AWS Secrets Manager version
      *
@@ -36,18 +41,35 @@ class AwsSecretsManagerStorage extends BaseStorage
      */
     private $client = null;
 
+    /**
+     * AWS account id
+     *
+     * @var string
+     */
+    private $awsAccountId;
+
+    /**
+     * AWS account region
+     *
+     * @var string
+     */
+    private $region;
+
     /**
      * AwsSecretsManagerStorage constructor
      *
      * @param string $region
      * @param string $profile
+     * @param string $accountId
      * @throws TestFrameworkException
      * @throws InvalidArgumentException
      */
-    public function __construct($region, $profile = null)
+    public function __construct($region, $profile = null, $accountId = null)
     {
         parent::__construct();
         $this->createAwsSecretsManagerClient($region, $profile);
+        $this->region = $region;
+        $this->awsAccountId = $accountId;
     }
 
     /**
@@ -74,7 +96,12 @@ public function getEncryptedValue($key)
         try {
             // Split vendor/key to construct secret id
             list($vendor, $key) = explode('/', trim($key, '/'), 2);
-            $secretId = self::MFTF_PATH
+            // If AWS account id is specified, create and use full ARN, otherwise use partial ARN as secret id
+            $secretId = '';
+            if (!empty($this->awsAccountId)) {
+                $secretId = self::AWS_SM_PARTIAL_ARN . $this->region . ':' . $this->awsAccountId . ':secret:';
+            }
+            $secretId .= self::MFTF_PATH
                 . '/'
                 . $vendor
                 . '/'