MQE-1919: MFTF AWS Secrets Manager - CI Use

jilu1 · jilu1 · commit fd9e7212a568 · 2020-01-17T16:05:37.000-06:00
diff --git a/etc/config/.env.example b/etc/config/.env.example
@@ -37,8 +37,6 @@ BROWSER=chrome
 #*** To use AWS Secrets Manager to manage _CREDS secrets, uncomment and set region, profile is optional, when omitted, AWS default credential provider chain will be used ***#
 #CREDENTIAL_AWS_SECRETS_MANAGER_PROFILE=default
 #CREDENTIAL_AWS_SECRETS_MANAGER_REGION=us-east-1
-#*** If using non-default AWS account ***#
-#CREDENTIAL_AWS_ACCOUNT_ID=
 
 #*** Uncomment these properties to set up a dev environment with symlinked projects ***#
 #TESTS_BP=
diff --git a/src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/CredentialStore.php b/src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/CredentialStore.php
@@ -57,45 +57,10 @@ public static function getInstance()
      */
     private function __construct()
     {
-        // Initialize file storage
-        try {
-            $this->credStorage[self::ARRAY_KEY_FOR_FILE]  = new FileStorage();
-        } catch (TestFrameworkException $e) {
-        }
-
-        // Initialize vault storage
-        $cvAddress = getenv('CREDENTIAL_VAULT_ADDRESS');
-        $cvSecretPath = getenv('CREDENTIAL_VAULT_SECRET_BASE_PATH');
-        if ($cvAddress !== false && $cvSecretPath !== false) {
-            try {
-                $this->credStorage[self::ARRAY_KEY_FOR_VAULT] = new VaultStorage(
-                    UrlFormatter::format($cvAddress, false),
-                    '/' . trim($cvSecretPath, '/')
-                );
-            } catch (TestFrameworkException $e) {
-            }
-        }
-
-        // Initialize AWS Secrets Manager storage
-        $awsRegion = getenv('CREDENTIAL_AWS_SECRETS_MANAGER_REGION');
-        $awsProfile = getenv('CREDENTIAL_AWS_SECRETS_MANAGER_PROFILE');
-        $awsId = getenv('CREDENTIAL_AWS_ACCOUNT_ID');
-        if ($awsRegion !== false) {
-            if ($awsProfile === false) {
-                $awsProfile = null;
-            }
-            if ($awsId === false) {
-                $awsId = null;
-            }
-            try {
-                $this->credStorage[self::ARRAY_KEY_FOR_AWS_SECRETS_MANAGER] = new AwsSecretsManagerStorage(
-                    $awsRegion,
-                    $awsProfile,
-                    $awsId
-                );
-            } catch (TestFrameworkException $e) {
-            }
-        }
+        // Initialize credential storage by defined order of precedence as the following
+        $this->initializeFileStorage();
+        $this->initializeVaultStorage();
+        $this->initializeAwsSecretsManagerStorage();
 
         if (empty($this->credStorage)) {
             throw new TestFrameworkException(
@@ -155,4 +120,68 @@ public function decryptAllSecretsInString($string)
             return $storage->getAllDecryptedValuesInString($string);
         }
     }
+
+    /**
+     * Initialize file storage
+     *
+     * @return void
+     */
+    private function initializeFileStorage()
+    {
+        // Initialize file storage
+        try {
+            $this->credStorage[self::ARRAY_KEY_FOR_FILE]  = new FileStorage();
+        } catch (TestFrameworkException $e) {
+        }
+    }
+
+    /**
+     * Initialize Vault storage
+     *
+     * @return void
+     */
+    private function initializeVaultStorage()
+    {
+        // Initialize vault storage
+        $cvAddress = getenv('CREDENTIAL_VAULT_ADDRESS');
+        $cvSecretPath = getenv('CREDENTIAL_VAULT_SECRET_BASE_PATH');
+        if ($cvAddress !== false && $cvSecretPath !== false) {
+            try {
+                $this->credStorage[self::ARRAY_KEY_FOR_VAULT] = new VaultStorage(
+                    UrlFormatter::format($cvAddress, false),
+                    '/' . trim($cvSecretPath, '/')
+                );
+            } catch (TestFrameworkException $e) {
+            }
+        }
+    }
+
+    /**
+     * Initialize AWS Secrets Manager storage
+     *
+     * @return void
+     */
+    private function initializeAwsSecretsManagerStorage()
+    {
+        // Initialize AWS Secrets Manager storage
+        $awsRegion = getenv('CREDENTIAL_AWS_SECRETS_MANAGER_REGION');
+        $awsProfile = getenv('CREDENTIAL_AWS_SECRETS_MANAGER_PROFILE');
+        $awsId = getenv('CREDENTIAL_AWS_ACCOUNT_ID');
+        if (!empty($awsRegion)) {
+            if (empty($awsProfile)) {
+                $awsProfile = null;
+            }
+            if (empty($awsId)) {
+                $awsId = null;
+            }
+            try {
+                $this->credStorage[self::ARRAY_KEY_FOR_AWS_SECRETS_MANAGER] = new AwsSecretsManagerStorage(
+                    $awsRegion,
+                    $awsProfile,
+                    $awsId
+                );
+            } catch (TestFrameworkException $e) {
+            }
+        }
+    }
 }
diff --git a/src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/SecretStorage/AwsSecretsManagerStorage.php b/src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/SecretStorage/AwsSecretsManagerStorage.php
@@ -145,13 +145,20 @@ private function parseAwsSecretResult($awsResult, $key)
         if (isset($awsResult['SecretString'])) {
             $rawSecret = $awsResult['SecretString'];
         } else {
-            throw new TestFrameworkException("Error parsing result from AWS Secrets Manager");
+            throw new TestFrameworkException(
+                "'SecretString' field is not set in AWS Result. Error parsing result from AWS Secrets Manager"
+            );
         }
+
+        // Secrets are saved as JSON structures of key/value pairs if using AWS Secrets Manager console, and
+        // Secrets are saved as plain text if using AWS CLI. We need to handle both cases.
         $secret = json_decode($rawSecret, true);
         if (isset($secret[$key])) {
             return $secret[$key];
+        } elseif (is_string($awsResult)) {
+            return $awsResult;
         }
-        throw new TestFrameworkException("Error parsing result from AWS Secrets Manager");
+        throw new TestFrameworkException("$key not found in AWS Result. Error parsing result from AWS Secrets Manager");
     }
 
     /**
@@ -169,13 +176,17 @@ private function createAwsSecretsManagerClient($region, $profile)
             return;
         }
 
-        // Create AWS Secrets Manager client
-        $this->client = new SecretsManagerClient([
-            'profile' => $profile,
+        $options = [
             'region' => $region,
-            'version' => self::LATEST_VERSION
-        ]);
+            'version' => self::LATEST_VERSION,
+        ];
 
+        if (!empty($profile)) {
+            $options['profile'] = $profile;
+        }
+
+        // Create AWS Secrets Manager client
+        $this->client = new SecretsManagerClient($options);
         if ($this->client === null) {
             throw new TestFrameworkException("Unable to create AWS Secrets Manager client");
         }
