MQE-1919: MFTF AWS Secrets Manager - CI Use

Author: jilu1

docs/credentials.md

@@ -147,31 +147,33 @@ AWS Secrets Manager offers secret management that supports:
 
 #### Use AWS Secrets Manager from your own AWS account
 
-- AWS account with Secrets Manager service available
-- IAM User or Role is created with appropriate AWS Secrets Manger access permission
+- An AWS account with Secrets Manager service
+- An IAM user with AWS Secrets Manager access permission
 
-#### Use AWS Secrets Manager from other AWS account
+#### Use AWS Secrets Manager in CI/CD
 
 - AWS account ID where the AWS Secrets Manager service is hosted
-- IAM User or Role with appropriate access permission
+- Authorized CI/CD EC2 instances with AWS Secrets Manager service access IAM role attached
 
 ### Store secrets in AWS Secrets Manager
 
-
 #### Secrets format
 
 `Secret Name` and `Secret Value` are two key pieces of information for creating a secret. 
 
 `Secret Value` can be either plaintext or key/value pairs in JSON format.  
 
-`Secrets Name` must use the following format:
+`Secret Name` must use the following format:
 
 ```conf
 mftf/<VENDOR>/<YOUR/SECRET/KEY>
 ```
 
-`Secrets Value` in plaintext format can be any content you want to secure. `Secrets Value` in key/value pairs format, however, the `key` must be same as the `Secret Name` with `mftf/<VENDOR>/` part removed. 
-e.g. in above example, `key` should be `<YOUR/SECRET/KEY>`
+`Secret Value` can be stored in two different formats: plaintext or key/value pairs.
+
+For plaintext format, `Secret Value` can be any string you want to secure.
+
+For key/value pairs format, `Secret Value` is a key/value pair with `key` the same as `Secret Name` without `mftf/<VENDOR>/` prefix,  which is `<YOUR/SECRET/KEY>`, and value can be any string you want to secure.
 
 ##### Create Secrets using AWS CLI
 
@@ -181,8 +183,11 @@ aws secretsmanager create-secret --name "mftf/magento/shipping/carriers_usps_use
 
 ##### Create Secrets using AWS Console
 
-To save the same secret in key/value JSON format, you should use
-
+- Sign in to the AWS Secrets Manager console
+- Choose Store a new secret
+- In the Select secret type section, specify "Other type of secret"
+- For `Secret Name`, `Secret Key` and `Secret Value` field, for example, to save the same secret in key/value JSON format, you should use
+ 
 ```conf
 # Secret Name
 mftf/magento/shipping/carriers_usps_userid
@@ -210,9 +215,8 @@ CREDENTIAL_AWS_SECRETS_MANAGER_PROFILE=default
 
 ### Optionally set CREDENTIAL_AWS_ACCOUNT_ID environment variable
 
-Full AWS KMS ([Key Management Service][]) key ARN ([Amazon Resource Name][]) is required when accessing secrets stored in other AWS account.
-If this is the case, you will also need to set `CREDENTIAL_AWS_ACCOUNT_ID` environment variable so that MFTF can construct the full ARN. 
-This is also commonly used in CI system.
+In case AWS credentials cannot resolve to a valid AWS account, full AWS KMS ([Key Management Service][]) key ARN ([Amazon Resource Name][]) is required.
+You will also need to set `CREDENTIAL_AWS_ACCOUNT_ID` environment variable so that MFTF can construct the full ARN. This is mostly used for CI/CD.
 
 ```bash
 export CREDENTIAL_AWS_ACCOUNT_ID=<Your_12_Digits_AWS_Account_ID>
@@ -236,7 +240,7 @@ Define the value as a reference to the corresponding key in the credentials file
 
 -  `_CREDS` is an environment constant pointing to the `.credentials` file
 -  `my_data_key` is a key in the the `.credentials` file or vault that contains the value to be used in a test step
-   - for File Storage, ensure your key contains the vendor prefix, i.e. `vendor/my_data_key`
+   - for File Storage, ensure your key contains the vendor prefix, which is `vendor/my_data_key`
 
 For example, to reference secret data in the [`fillField`][] action, use the `userInput` attribute using a typical File Storage:
 

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/CredentialStore.php

@@ -28,13 +28,31 @@ class CredentialStore
      */
     private $credStorage = [];
 
+    /**
+     * Boolean to indicate if credential storage have been initialized
+     *
+     * @var boolean
+     */
+    private $initialized;
+
     /**
      * Singleton instance
      *
      * @var CredentialStore
      */
     private static $INSTANCE = null;
 
+    /**
+     * Exception contexts
+     *
+     * @var array
+     */
+    private $exceptionContexts = [
+        self::ARRAY_KEY_FOR_FILE => [],
+        self::ARRAY_KEY_FOR_VAULT => [],
+        self::ARRAY_KEY_FOR_AWS_SECRETS_MANAGER => [],
+    ];
+
     /**
      * Static singleton getter for CredentialStore Instance
      *
@@ -57,16 +75,7 @@ public static function getInstance()
      */
     private function __construct()
     {
-        // Initialize credential storage by defined order of precedence as the following
-        $this->initializeFileStorage();
-        $this->initializeVaultStorage();
-        $this->initializeAwsSecretsManagerStorage();
-
-        if (empty($this->credStorage)) {
-            throw new TestFrameworkException(
-                'Invalid Credential Storage. ' . self::CREDENTIAL_STORAGE_INFO . '.'
-            );
-        }
+        $this->initialized = false;
     }
 
     /**
@@ -78,6 +87,9 @@ private function __construct()
      */
     public function getSecret($key)
     {
+        // Initialize credential storage if it's not been done
+        $this->initializeCredentialStorage();
+
         // Get secret data from storage according to the order they are stored which follows this precedence:
         // FileStorage > VaultStorage > AwsSecretsManagerStorage
         foreach ($this->credStorage as $storage) {
@@ -87,9 +99,31 @@ public function getSecret($key)
             }
         }
 
+        // Attach all exceptions collected
+        $exceptionMessage = '';
+        foreach ($this->exceptionContexts as $type => $exceptionContexts) {
+            if (empty($this->exceptionContexts[$type])) {
+                continue;
+            }
+
+            $exceptionMessage .= "\nException from ";
+            if ($type == self::ARRAY_KEY_FOR_FILE) {
+                $exceptionMessage .= "File Storage: \n";
+            }
+            if ($type == self::ARRAY_KEY_FOR_VAULT) {
+                $exceptionMessage .= "Vault Storage: \n";
+            }
+            if ($type == self::ARRAY_KEY_FOR_AWS_SECRETS_MANAGER) {
+                $exceptionMessage .= "AWS Secrets Manager Storage: \n";
+            }
+
+            $exceptionMessage .= implode("\n", $this->exceptionContexts[$type]) . "\n";
+        }
+
         throw new TestFrameworkException(
             "{$key} not found. " . self::CREDENTIAL_STORAGE_INFO
-            . ' and ensure key, value exists to use _CREDS in tests.'
+            . " and ensure key, value exists to use _CREDS in tests."
+            . $exceptionMessage
         );
     }
 
@@ -121,6 +155,43 @@ public function decryptAllSecretsInString($string)
         }
     }
 
+    /**
+     * Setter for exception contexts
+     *
+     * @param string $type
+     * @param string $context
+     * @return void
+     */
+    public function setExceptionContexts($type, $context)
+    {
+        if (array_key_exists($type, $this->exceptionContexts) && !empty($context)) {
+            $this->exceptionContexts[$type][] = $context;
+        }
+    }
+
+    /**
+     * Initialize all available credential storage
+     *
+     * @return void
+     * @throws TestFrameworkException
+     */
+    private function initializeCredentialStorage()
+    {
+        if (!$this->initialized) {
+            // Initialize credential storage by defined order of precedence as the following
+            $this->initializeFileStorage();
+            $this->initializeVaultStorage();
+            $this->initializeAwsSecretsManagerStorage();
+            $this->initialized = true;
+            if (empty($this->credStorage)) {
+                $this->initialized = true;
+                throw new TestFrameworkException(
+                    'Invalid Credential Storage. ' . self::CREDENTIAL_STORAGE_INFO . '.'
+                );
+            }
+        }
+    }
+
     /**
      * Initialize file storage
      *
@@ -132,6 +203,10 @@ private function initializeFileStorage()
         try {
             $this->credStorage[self::ARRAY_KEY_FOR_FILE]  = new FileStorage();
         } catch (TestFrameworkException $e) {
+            // Print error message in console
+            print_r($e->getMessage());
+            // Save to exception context for Allure report
+            $this->setExceptionContexts('file', $e->getMessage());
         }
     }
 
@@ -152,6 +227,10 @@ private function initializeVaultStorage()
                     '/' . trim($cvSecretPath, '/')
                 );
             } catch (TestFrameworkException $e) {
+                // Print error message in console
+                print_r($e->getMessage());
+                // Save to exception context for Allure report
+                $this->setExceptionContexts('vault', $e->getMessage());
             }
         }
     }

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/SecretStorage/AwsSecretsManagerStorage.php

@@ -7,6 +7,7 @@
 namespace Magento\FunctionalTestingFramework\DataGenerator\Handlers\SecretStorage;
 
 use Magento\FunctionalTestingFramework\Config\MftfApplicationConfig;
+use Magento\FunctionalTestingFramework\DataGenerator\Handlers\CredentialStore;
 use Magento\FunctionalTestingFramework\Exceptions\TestFrameworkException;
 use Magento\FunctionalTestingFramework\Util\Logger\LoggingUtil;
 use Aws\SecretsManager\SecretsManagerClient;
@@ -117,17 +118,25 @@ public function getEncryptedValue($key)
         } catch (AwsException $e) {
             $errMessage = "\nAWS Exception:\n" . $e->getAwsErrorMessage()
                 . "\nUnable to read value for key {$key} from AWS Secrets Manager\n";
+            // Print error message in console
             print_r($errMessage);
+            // Add error message in mftf log if verbose is enable
             if (MftfApplicationConfig::getConfig()->verboseEnabled()) {
                 LoggingUtil::getInstance()->getLogger(AwsSecretsManagerStorage::class)->debug($errMessage);
             }
+            // Save to exception context for Allure report
+            CredentialStore::getInstance()->setExceptionContexts('aws', $errMessage);
         } catch (\Exception $e) {
             $errMessage = "\nException:\n" . $e->getMessage()
                 . "\nUnable to read value for key {$key} from AWS Secrets Manager\n";
+            // Print error message in console
             print_r($errMessage);
+            // Add error message in mftf log if verbose is enable
             if (MftfApplicationConfig::getConfig()->verboseEnabled()) {
                 LoggingUtil::getInstance()->getLogger(AwsSecretsManagerStorage::class)->debug($errMessage);
             }
+            // Save to exception context for Allure report
+            CredentialStore::getInstance()->setExceptionContexts('aws', $errMessage);
         }
         return $reValue;
     }

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/SecretStorage/VaultStorage.php

@@ -7,6 +7,7 @@
 namespace Magento\FunctionalTestingFramework\DataGenerator\Handlers\SecretStorage;
 
 use Magento\FunctionalTestingFramework\Config\MftfApplicationConfig;
+use Magento\FunctionalTestingFramework\DataGenerator\Handlers\CredentialStore;
 use Magento\FunctionalTestingFramework\Exceptions\TestFrameworkException;
 use Magento\FunctionalTestingFramework\Util\Logger\LoggingUtil;
 use Vault\Client;
@@ -123,10 +124,14 @@ public function getEncryptedValue($key)
             $reValue = openssl_encrypt($value, parent::ENCRYPTION_ALGO, parent::$encodedKey, 0, parent::$iv);
             parent::$cachedSecretData[$key] = $reValue;
         } catch (\Exception $e) {
+            $errMessage = "\nUnable to read secret for key name {$key} from vault." . $e->getMessage();
+            // Print error message in console
+            print_r($errMessage);
+            // Save to exception context for Allure report
+            CredentialStore::getInstance()->setExceptionContexts('vault', $errMessage);
+            // Add error message in mftf log if verbose is enable
             if (MftfApplicationConfig::getConfig()->verboseEnabled()) {
-                LoggingUtil::getInstance()->getLogger(VaultStorage::class)->debug(
-                    "Unable to read secret for key name {$key} from vault"
-                );
+                LoggingUtil::getInstance()->getLogger(VaultStorage::class)->debug($errMessage);
             }
         }
         return $reValue;
@@ -149,6 +154,10 @@ private function authenticated()
                 return true;
             }
         } catch (\Exception $e) {
+            // Print error message in console
+            print_r($e->getMessage());
+            // Save to exception context for Allure report
+            CredentialStore::getInstance()->setExceptionContexts('vault', $e->getMessage());
         }
         return false;
     }