Decrypt secrets from SystemsManagerParameterStoreBackend

[n2p5]

This is my first PR, so pardon me if I missed any steps, but this proposed change is also very simple.

The current implementation of SystemsManagerParameterStoreBackend _get_secret uses

            response = self.client.get_parameter(
                Name=ssm_path, WithDecryption=False
            )

but this only allows for secrets to be stored in clear text.

This PR changes the value to WithDecryption=True, which is backwards compatible with clear text values, but also supports KMS decryption in the API call.

for reference in the API docs:
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html

WithDecryption
Return decrypted values for secure string parameters. This flag is ignored for String and StringList parameter types.

Type: Boolean

Required: No

After reviewing the test coverage and the documentation, I don't think there are any changes that need to be made. The are no behavior changes for users other than this will support a storage option and will natively support tools like chamber cli tooling

I guess there could be an argument made to update documentation stating this feature is now supported?

---

Make sure to mark the boxes below before creating PR: [x]

• Description above provides context of the change
• Unit tests coverage for changes (not needed for documentation changes)
• Target Github ISSUE in description if exists
• Commits follow "How to write a good git commit message"
• Relevant documentation is updated including usage instructions.
• I will engage committers as explained in Contribution Workflow Example.

---

In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.
Read the Pull Request Guidelines for more information.

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst)
Here are some useful points:

• Pay attention to the quality of your code (flake8, pylint and type annotations). Our pre-commits will help you with that.
• In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
• Consider using Breeze environment for testing locally, it’s a heavy docker but it ships with a working Airflow and a lot of integrations.
• Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
• Be sure to read the Airflow Coding style.
  Apache Airflow is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: dev@airflow.apache.org
  Slack: https://apache-airflow-slack.herokuapp.com/

[BasPH]

How is this change backwards compatible? Does AWS automatically "fallback" in case of a non-secure string?

[robosante]

Per the boto docs, it's a no-op on non-secure strings: https://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/GetParameter

Parameters
...
WithDecryption (boolean) -- Return decrypted values for secure string parameters. This flag is ignored for String and StringList parameter types.

[n2p5]

@BasPH yes - if you set WithDecryption=True and you are dealing with a String or StringList, instead of a SecureString, it returns the normal output. SecureString has an added reference to a KMS alias used for envelop encryption and SSM will return the clear text of that.

from the reference docs:

This flag is ignored for String and StringList parameter types.
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html

[BasPH]

Nice, looks good. Could you add a test for SecureString to airflow.tests.providers.amazon.aws.secrets.test_systems_manager.py?

[boring-cyborg]

Awesome work, congrats on your first merged pull request!