Compare commits

..

29 Commits

Author SHA1 Message Date
1567239fc2 improvement: use secret path input for create policy modal 2025-07-10 16:05:37 -07:00
aae5831f35 Merge pull request #4001 from Infisical/server-admin-sidebar-improvements
improvement(frontend): Server admin sidebar improvements
2025-07-10 15:44:25 -07:00
6f78a6b4c1 Merge pull request #4000 from Infisical/fix-remove-jim-as-sole-author-of-secret-leaks
fix(secret-scanning-v2): Remove Jim as sole author of all secret leaks
2025-07-10 15:41:24 -07:00
7690d5852b improvement: show icons on server admin sidebar and move back to org to top 2025-07-10 15:34:28 -07:00
c2e326b95a fix: remove jim as sole author of all secret leaks 2025-07-10 15:02:38 -07:00
b163c74a05 Merge pull request #3998 from Infisical/fix/foldersCommitsTriggeredOnNestedFolder
Fix folder creation commits triggered on new folder instead of the parent
2025-07-10 16:12:43 -04:00
46a4c6b119 Fix create folder commit issue triggering the commit on the created folder and not the parent folder 2025-07-10 17:02:53 -03:00
b03e9b70a2 Merge pull request #3982 from Infisical/audit-log-secret-path-tooltip
improvement(audit-logs): clarify secret key/path filter behavior for audit logs
2025-07-10 11:22:07 -07:00
f6e1808187 Merge pull request #3930 from Infisical/ENG-3016
feat(dynamic-secrets): AWS IRSA auth method
2025-07-10 13:44:59 -04:00
648cb20eb7 Merge pull request #3994 from Infisical/daniel/podman-docs
docs: add podman compose docs
2025-07-10 21:44:51 +04:00
Sid
fedffea8d5 ENG-2595 (#3976)
* feat: implement railway secret sync

* fix: railway sync config

* feat: add documentation on railway

* fix: undo mock on-prem change

* lint: fix

* fix: cleanup railway integration

* fix: retry and doc images

* fix: sync fields

* fix: query typo

* Update docs/docs.json

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2025-07-10 22:53:18 +05:30
8917629b96 Remove unused env var from docs 2025-07-10 12:36:53 -04:00
7de45ad220 Feedback + small docs update 2025-07-10 12:33:40 -04:00
5eb52edc52 Merge branch 'main' into ENG-3016 2025-07-10 12:28:39 -04:00
Sid
d3d1fb7190 feat: add more admin environment overrides (#3995)
* feat: add more env overrides
* Reorder alphabetically

---------

Co-authored-by: sidwebworks <xodeveloper@gmail.com>
Co-authored-by: x032205 <x032205@gmail.com>
2025-07-10 21:54:52 +05:30
6531e5b942 Merge pull request #3996 from Infisical/misc/remove-concurrently-for-index-creations
misc: remove concurrently for index creations
2025-07-10 11:48:08 -04:00
4164b2f32a misc: remove concurrently for index creations 2025-07-10 23:42:38 +08:00
0ec56c9928 docs: add podman compose docs 2025-07-10 18:57:25 +04:00
35520cfe99 Merge pull request #3989 from Infisical/add-access-token-index
add index for referencing columns in identity access token
2025-07-10 09:48:39 -04:00
Sid
ba0f6e60e2 fix: yaml secret file parsing (#3837) 2025-07-10 15:33:59 +05:30
579c68b2a3 Merge pull request #3991 from Infisical/helm-update-v0.9.4
Update Helm chart to version v0.9.4
2025-07-10 14:03:10 +04:00
f4ea3e1c75 Update Helm chart to version v0.9.4 2025-07-10 10:02:02 +00:00
7d37ea318f Merge pull request #3990 from Infisical/daniel/operator-logs
fix: add request ID to error logs
2025-07-10 13:57:44 +04:00
5cb7ecc354 fix: update go sdk 2025-07-10 13:35:59 +04:00
d2098fda5f Lower perm scope 2025-07-08 23:02:01 -04:00
09d72d6da1 Remove assume role from IRSA 2025-07-08 22:51:43 -04:00
e33a3c281c Merge branch 'main' into ENG-3016 2025-07-08 15:25:15 -04:00
a614b81a7a improvement: clarify secre key/path filter behavior for audit logs 2025-07-08 09:49:22 -07:00
a0e8496256 feat(dynamic-secrets): AWS IRSA auth method 2025-07-05 00:15:54 -04:00
130 changed files with 2684 additions and 250 deletions

View File

@ -23,7 +23,7 @@ REDIS_URL=redis://redis:6379
# Required
SITE_URL=http://localhost:8080
# Mail/SMTP
# Mail/SMTP
SMTP_HOST=
SMTP_PORT=
SMTP_FROM_ADDRESS=
@ -132,3 +132,6 @@ DATADOG_PROFILING_ENABLED=
DATADOG_ENV=
DATADOG_SERVICE=
DATADOG_HOSTNAME=
# kubernetes
KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN=false

View File

@ -34,6 +34,7 @@ ARG INFISICAL_PLATFORM_VERSION
ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
ARG CAPTCHA_SITE_KEY
ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
ENV NODE_OPTIONS="--max-old-space-size=8192"
# Build
RUN npm run build
@ -77,6 +78,7 @@ RUN npm ci --only-production
COPY /backend .
COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
RUN npm i -D tsconfig-paths
ENV NODE_OPTIONS="--max-old-space-size=8192"
RUN npm run build
# Production stage

View File

@ -13,12 +13,12 @@ export async function up(knex: Knex): Promise<void> {
// iat means IdentityAccessToken
await knex.raw(`
CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_iat_identity_id
CREATE INDEX IF NOT EXISTS idx_iat_identity_id
ON ${TableName.IdentityAccessToken} ("identityId")
`);
await knex.raw(`
CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_iat_ua_client_secret_id
CREATE INDEX IF NOT EXISTS idx_iat_ua_client_secret_id
ON ${TableName.IdentityAccessToken} ("identityUAClientSecretId")
`);
} finally {
@ -44,5 +44,3 @@ export async function down(knex: Knex): Promise<void> {
await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
}
}
export const config = { transaction: false };

View File

@ -21,7 +21,7 @@ import { randomUUID } from "crypto";
import { z } from "zod";
import { getConfig } from "@app/lib/config/env";
import { BadRequestError } from "@app/lib/errors";
import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
import { alphaNumericNanoId } from "@app/lib/nanoid";
import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
@ -81,6 +81,21 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
return client;
}
if (providerInputs.method === AwsIamAuthType.IRSA) {
// Allow instances to disable automatic service account token fetching (e.g. for shared cloud)
if (!appCfg.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN) {
throw new UnauthorizedError({
message: "Failed to get AWS credentials via IRSA: KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN is not enabled."
});
}
// The SDK will automatically pick up credentials from the environment
const client = new IAMClient({
region: providerInputs.region
});
return client;
}
const client = new IAMClient({
region: providerInputs.region,
credentials: {
@ -101,7 +116,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
.catch((err) => {
const message = (err as Error)?.message;
if (
providerInputs.method === AwsIamAuthType.AssumeRole &&
(providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
// assume role will throw an error asking to provider username, but if so this has access in aws correctly
message.includes("Must specify userName when calling with non-User credentials")
) {

View File

@ -28,7 +28,8 @@ export enum SqlProviders {
export enum AwsIamAuthType {
AssumeRole = "assume-role",
AccessKey = "access-key"
AccessKey = "access-key",
IRSA = "irsa"
}
export enum ElasticSearchAuthTypes {
@ -221,6 +222,16 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
userGroups: z.string().trim().optional(),
policyArns: z.string().trim().optional(),
tags: ResourceMetadataSchema.optional()
}),
z.object({
method: z.literal(AwsIamAuthType.IRSA),
region: z.string().trim().min(1),
awsPath: z.string().trim().optional(),
permissionBoundaryPolicyArn: z.string().trim().optional(),
policyDocument: z.string().trim().optional(),
userGroups: z.string().trim().optional(),
policyArns: z.string().trim().optional(),
tags: ResourceMetadataSchema.optional()
})
])
);

View File

@ -37,7 +37,8 @@ import {
TQueueSecretScanningDataSourceFullScan,
TQueueSecretScanningResourceDiffScan,
TQueueSecretScanningSendNotification,
TSecretScanningDataSourceWithConnection
TSecretScanningDataSourceWithConnection,
TSecretScanningFinding
} from "./secret-scanning-v2-types";
type TSecretRotationV2QueueServiceFactoryDep = {
@ -459,13 +460,16 @@ export const secretScanningV2QueueServiceFactory = async ({
const newFindings = allFindings.filter((finding) => finding.scanId === scanId);
if (newFindings.length) {
const finding = newFindings[0] as TSecretScanningFinding;
await queueService.queuePg(QueueJobs.SecretScanningV2SendNotification, {
status: SecretScanningScanStatus.Completed,
resourceName: resource.name,
isDiffScan: true,
dataSource,
numberOfSecrets: newFindings.length,
scanId
scanId,
authorName: finding?.details?.author,
authorEmail: finding?.details?.email
});
}
@ -582,8 +586,8 @@ export const secretScanningV2QueueServiceFactory = async ({
substitutions:
payload.status === SecretScanningScanStatus.Completed
? {
authorName: "Jim",
authorEmail: "jim@infisical.com",
authorName: payload.authorName,
authorEmail: payload.authorEmail,
resourceName,
numberOfSecrets: payload.numberOfSecrets,
isDiffScan: payload.isDiffScan,

View File

@ -119,7 +119,14 @@ export type TQueueSecretScanningSendNotification = {
resourceName: string;
} & (
| { status: SecretScanningScanStatus.Failed; errorMessage: string }
| { status: SecretScanningScanStatus.Completed; numberOfSecrets: number; scanId: string; isDiffScan: boolean }
| {
status: SecretScanningScanStatus.Completed;
numberOfSecrets: number;
scanId: string;
isDiffScan: boolean;
authorName?: string;
authorEmail?: string;
}
);
export type TCloneRepository = {

View File

@ -2279,6 +2279,9 @@ export const AppConnections = {
ZABBIX: {
apiToken: "The API Token used to access Zabbix.",
instanceUrl: "The Zabbix instance URL to connect with."
},
RAILWAY: {
apiToken: "The API token used to authenticate with Railway."
}
}
};
@ -2474,6 +2477,14 @@ export const SecretSyncs = {
hostId: "The ID of the Zabbix host to sync secrets to.",
hostName: "The name of the Zabbix host to sync secrets to.",
macroType: "The type of macro to sync secrets to. (0: Text, 1: Secret)"
},
RAILWAY: {
projectId: "The ID of the Railway project to sync secrets to.",
projectName: "The name of the Railway project to sync secrets to.",
environmentId: "The Railway environment to sync secrets to.",
environmentName: "The Railway environment to sync secrets to.",
serviceId: "The Railway service that secrets should be synced to.",
serviceName: "The Railway service that secrets should be synced to."
}
}
};
@ -2594,7 +2605,9 @@ export const SecretRotations = {
export const SecretScanningDataSources = {
LIST: (type?: SecretScanningDataSource) => ({
projectId: `The ID of the project to list ${type ? SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type] : "Scanning"} Data Sources from.`
projectId: `The ID of the project to list ${
type ? SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type] : "Scanning"
} Data Sources from.`
}),
GET_BY_ID: (type: SecretScanningDataSource) => ({
dataSourceId: `The ID of the ${SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type]} Data Source to retrieve.`

View File

@ -28,6 +28,7 @@ const databaseReadReplicaSchema = z
const envSchema = z
.object({
INFISICAL_PLATFORM_VERSION: zpStr(z.string().optional()),
KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN: zodStrBool.default("false"),
PORT: z.coerce.number().default(IS_PACKAGED ? 8080 : 4000),
DISABLE_SECRET_SCANNING: z
.enum(["true", "false"])
@ -373,6 +374,19 @@ export const overwriteSchema: {
fields: { key: keyof TEnvConfig; description?: string }[];
};
} = {
aws: {
name: "AWS",
fields: [
{
key: "INF_APP_CONNECTION_AWS_ACCESS_KEY_ID",
description: "The Access Key ID of your AWS account."
},
{
key: "INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY",
description: "The Client Secret of your AWS application."
}
]
},
azure: {
name: "Azure",
fields: [
@ -386,16 +400,79 @@ export const overwriteSchema: {
}
]
},
google_sso: {
name: "Google SSO",
gcp: {
name: "GCP",
fields: [
{
key: "CLIENT_ID_GOOGLE_LOGIN",
description: "The Client ID of your GCP OAuth2 application."
key: "INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL",
description: "The GCP Service Account JSON credentials."
}
]
},
github_app: {
name: "GitHub App",
fields: [
{
key: "INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID",
description: "The Client ID of your GitHub application."
},
{
key: "CLIENT_SECRET_GOOGLE_LOGIN",
description: "The Client Secret of your GCP OAuth2 application."
key: "INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET",
description: "The Client Secret of your GitHub application."
},
{
key: "INF_APP_CONNECTION_GITHUB_APP_SLUG",
description: "The Slug of your GitHub application. This is the one found in the URL."
},
{
key: "INF_APP_CONNECTION_GITHUB_APP_ID",
description: "The App ID of your GitHub application."
},
{
key: "INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY",
description: "The Private Key of your GitHub application."
}
]
},
github_oauth: {
name: "GitHub OAuth",
fields: [
{
key: "INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID",
description: "The Client ID of your GitHub OAuth application."
},
{
key: "INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET",
description: "The Client Secret of your GitHub OAuth application."
}
]
},
github_radar_app: {
name: "GitHub Radar App",
fields: [
{
key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID",
description: "The Client ID of your GitHub application."
},
{
key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET",
description: "The Client Secret of your GitHub application."
},
{
key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_SLUG",
description: "The Slug of your GitHub application. This is the one found in the URL."
},
{
key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_ID",
description: "The App ID of your GitHub application."
},
{
key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_PRIVATE_KEY",
description: "The Private Key of your GitHub application."
},
{
key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET",
description: "The Webhook Secret of your GitHub application."
}
]
},
@ -412,6 +489,19 @@ export const overwriteSchema: {
}
]
},
gitlab_oauth: {
name: "GitLab OAuth",
fields: [
{
key: "INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID",
description: "The Client ID of your GitLab OAuth application."
},
{
key: "INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET",
description: "The Client Secret of your GitLab OAuth application."
}
]
},
gitlab_sso: {
name: "GitLab SSO",
fields: [
@ -429,6 +519,19 @@ export const overwriteSchema: {
"The URL of your self-hosted instance of GitLab where the OAuth application is registered. If no URL is passed in, this will default to https://gitlab.com."
}
]
},
google_sso: {
name: "Google SSO",
fields: [
{
key: "CLIENT_ID_GOOGLE_LOGIN",
description: "The Client ID of your GCP OAuth2 application."
},
{
key: "CLIENT_SECRET_GOOGLE_LOGIN",
description: "The Client Secret of your GCP OAuth2 application."
}
]
}
};

View File

@ -1,11 +1,18 @@
import axios from "axios";
import axiosRetry from "axios-retry";
import axios, { AxiosInstance, CreateAxiosDefaults } from "axios";
import axiosRetry, { IAxiosRetryConfig } from "axios-retry";
export const request = axios.create();
export function createRequestClient(defaults: CreateAxiosDefaults = {}, retry: IAxiosRetryConfig = {}): AxiosInstance {
const client = axios.create(defaults);
axiosRetry(request, {
retries: 3,
// eslint-disable-next-line
retryDelay: axiosRetry.exponentialDelay,
retryCondition: (err) => axiosRetry.isNetworkError(err) || axiosRetry.isRetryableError(err)
});
axiosRetry(client, {
retries: 3,
// eslint-disable-next-line
retryDelay: axiosRetry.exponentialDelay,
retryCondition: (err) => axiosRetry.isNetworkError(err) || axiosRetry.isRetryableError(err),
...retry
});
return client;
}
export const request = createRequestClient();

View File

@ -49,7 +49,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
defaultAuthOrgSlug: z.string().nullable(),
defaultAuthOrgAuthEnforced: z.boolean().nullish(),
defaultAuthOrgAuthMethod: z.string().nullish(),
isSecretScanningDisabled: z.boolean()
isSecretScanningDisabled: z.boolean(),
kubernetesAutoFetchServiceAccountToken: z.boolean()
})
})
}
@ -61,7 +62,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
config: {
...config,
isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING
isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING,
kubernetesAutoFetchServiceAccountToken: serverEnvs.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN
}
};
}

View File

@ -71,6 +71,10 @@ import {
PostgresConnectionListItemSchema,
SanitizedPostgresConnectionSchema
} from "@app/services/app-connection/postgres";
import {
RailwayConnectionListItemSchema,
SanitizedRailwayConnectionSchema
} from "@app/services/app-connection/railway";
import {
RenderConnectionListItemSchema,
SanitizedRenderConnectionSchema
@ -123,7 +127,8 @@ const SanitizedAppConnectionSchema = z.union([
...SanitizedGitLabConnectionSchema.options,
...SanitizedCloudflareConnectionSchema.options,
...SanitizedBitbucketConnectionSchema.options,
...SanitizedZabbixConnectionSchema.options
...SanitizedZabbixConnectionSchema.options,
...SanitizedRailwayConnectionSchema.options
]);
const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@ -157,7 +162,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
GitLabConnectionListItemSchema,
CloudflareConnectionListItemSchema,
BitbucketConnectionListItemSchema,
ZabbixConnectionListItemSchema
ZabbixConnectionListItemSchema,
RailwayConnectionListItemSchema
]);
export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

View File

@ -25,6 +25,7 @@ import { registerLdapConnectionRouter } from "./ldap-connection-router";
import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
import { registerMySqlConnectionRouter } from "./mysql-connection-router";
import { registerPostgresConnectionRouter } from "./postgres-connection-router";
import { registerRailwayConnectionRouter } from "./railway-connection-router";
import { registerRenderConnectionRouter } from "./render-connection-router";
import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
@ -66,5 +67,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
[AppConnection.GitLab]: registerGitLabConnectionRouter,
[AppConnection.Cloudflare]: registerCloudflareConnectionRouter,
[AppConnection.Bitbucket]: registerBitbucketConnectionRouter,
[AppConnection.Zabbix]: registerZabbixConnectionRouter
[AppConnection.Zabbix]: registerZabbixConnectionRouter,
[AppConnection.Railway]: registerRailwayConnectionRouter
};

View File

@ -0,0 +1,67 @@
import { z } from "zod";
import { readLimit } from "@app/server/config/rateLimiter";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import {
CreateRailwayConnectionSchema,
SanitizedRailwayConnectionSchema,
UpdateRailwayConnectionSchema
} from "@app/services/app-connection/railway";
import { AuthMode } from "@app/services/auth/auth-type";
import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
export const registerRailwayConnectionRouter = async (server: FastifyZodProvider) => {
registerAppConnectionEndpoints({
app: AppConnection.Railway,
server,
sanitizedResponseSchema: SanitizedRailwayConnectionSchema,
createSchema: CreateRailwayConnectionSchema,
updateSchema: UpdateRailwayConnectionSchema
});
// The below endpoints are not exposed and for Infisical App use
server.route({
method: "GET",
url: `/:connectionId/projects`,
config: {
rateLimit: readLimit
},
schema: {
params: z.object({
connectionId: z.string().uuid()
}),
response: {
200: z.object({
projects: z
.object({
name: z.string(),
id: z.string(),
services: z.array(
z.object({
name: z.string(),
id: z.string()
})
),
environments: z.array(
z.object({
name: z.string(),
id: z.string()
})
)
})
.array()
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
const { connectionId } = req.params;
const projects = await server.services.appConnection.railway.listProjects(connectionId, req.permission);
return { projects };
}
});
};

View File

@ -17,6 +17,7 @@ import { registerGitLabSyncRouter } from "./gitlab-sync-router";
import { registerHCVaultSyncRouter } from "./hc-vault-sync-router";
import { registerHerokuSyncRouter } from "./heroku-sync-router";
import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
import { registerRailwaySyncRouter } from "./railway-sync-router";
import { registerRenderSyncRouter } from "./render-sync-router";
import { registerTeamCitySyncRouter } from "./teamcity-sync-router";
import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router";
@ -49,5 +50,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
[SecretSync.Flyio]: registerFlyioSyncRouter,
[SecretSync.GitLab]: registerGitLabSyncRouter,
[SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter,
[SecretSync.Zabbix]: registerZabbixSyncRouter
[SecretSync.Zabbix]: registerZabbixSyncRouter,
[SecretSync.Railway]: registerRailwaySyncRouter
};

View File

@ -0,0 +1,17 @@
import {
CreateRailwaySyncSchema,
RailwaySyncSchema,
UpdateRailwaySyncSchema
} from "@app/services/secret-sync/railway/railway-sync-schemas";
import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
export const registerRailwaySyncRouter = async (server: FastifyZodProvider) =>
registerSyncSecretsEndpoints({
destination: SecretSync.Railway,
server,
responseSchema: RailwaySyncSchema,
createSchema: CreateRailwaySyncSchema,
updateSchema: UpdateRailwaySyncSchema
});

View File

@ -34,6 +34,7 @@ import { GitLabSyncListItemSchema, GitLabSyncSchema } from "@app/services/secret
import { HCVaultSyncListItemSchema, HCVaultSyncSchema } from "@app/services/secret-sync/hc-vault";
import { HerokuSyncListItemSchema, HerokuSyncSchema } from "@app/services/secret-sync/heroku";
import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
import { RailwaySyncListItemSchema, RailwaySyncSchema } from "@app/services/secret-sync/railway/railway-sync-schemas";
import { RenderSyncListItemSchema, RenderSyncSchema } from "@app/services/secret-sync/render/render-sync-schemas";
import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/secret-sync/teamcity";
import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
@ -64,7 +65,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
FlyioSyncSchema,
GitLabSyncSchema,
CloudflarePagesSyncSchema,
ZabbixSyncSchema
ZabbixSyncSchema,
RailwaySyncSchema
]);
const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@ -90,7 +92,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
FlyioSyncListItemSchema,
GitLabSyncListItemSchema,
CloudflarePagesSyncListItemSchema,
ZabbixSyncListItemSchema
ZabbixSyncListItemSchema,
RailwaySyncListItemSchema
]);
export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

View File

@ -28,8 +28,9 @@ export enum AppConnection {
Flyio = "flyio",
GitLab = "gitlab",
Cloudflare = "cloudflare",
Bitbucket = "bitbucket",
Zabbix = "zabbix"
Zabbix = "zabbix",
Railway = "railway",
Bitbucket = "bitbucket"
}
export enum AWSRegion {

View File

@ -91,6 +91,7 @@ import { getMsSqlConnectionListItem, MsSqlConnectionMethod } from "./mssql";
import { MySqlConnectionMethod } from "./mysql/mysql-connection-enums";
import { getMySqlConnectionListItem } from "./mysql/mysql-connection-fns";
import { getPostgresConnectionListItem, PostgresConnectionMethod } from "./postgres";
import { getRailwayConnectionListItem, validateRailwayConnectionCredentials } from "./railway";
import { RenderConnectionMethod } from "./render/render-connection-enums";
import { getRenderConnectionListItem, validateRenderConnectionCredentials } from "./render/render-connection-fns";
import {
@ -143,8 +144,9 @@ export const listAppConnectionOptions = () => {
getFlyioConnectionListItem(),
getGitLabConnectionListItem(),
getCloudflareConnectionListItem(),
getBitbucketConnectionListItem(),
getZabbixConnectionListItem()
getZabbixConnectionListItem(),
getRailwayConnectionListItem(),
getBitbucketConnectionListItem()
].sort((a, b) => a.name.localeCompare(b.name));
};
@ -225,8 +227,9 @@ export const validateAppConnectionCredentials = async (
[AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.GitLab]: validateGitLabConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Cloudflare]: validateCloudflareConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Bitbucket]: validateBitbucketConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Zabbix]: validateZabbixConnectionCredentials as TAppConnectionCredentialsValidator
[AppConnection.Zabbix]: validateZabbixConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Railway]: validateRailwayConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Bitbucket]: validateBitbucketConnectionCredentials as TAppConnectionCredentialsValidator
};
return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@ -345,8 +348,9 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
[AppConnection.Flyio]: platformManagedCredentialsNotSupported,
[AppConnection.GitLab]: platformManagedCredentialsNotSupported,
[AppConnection.Cloudflare]: platformManagedCredentialsNotSupported,
[AppConnection.Bitbucket]: platformManagedCredentialsNotSupported,
[AppConnection.Zabbix]: platformManagedCredentialsNotSupported
[AppConnection.Zabbix]: platformManagedCredentialsNotSupported,
[AppConnection.Railway]: platformManagedCredentialsNotSupported,
[AppConnection.Bitbucket]: platformManagedCredentialsNotSupported
};
export const enterpriseAppCheck = async (

View File

@ -30,8 +30,9 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
[AppConnection.Flyio]: "Fly.io",
[AppConnection.GitLab]: "GitLab",
[AppConnection.Cloudflare]: "Cloudflare",
[AppConnection.Bitbucket]: "Bitbucket",
[AppConnection.Zabbix]: "Zabbix"
[AppConnection.Zabbix]: "Zabbix",
[AppConnection.Railway]: "Railway",
[AppConnection.Bitbucket]: "Bitbucket"
};
export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = {
@ -64,6 +65,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
[AppConnection.Flyio]: AppConnectionPlanType.Regular,
[AppConnection.GitLab]: AppConnectionPlanType.Regular,
[AppConnection.Cloudflare]: AppConnectionPlanType.Regular,
[AppConnection.Bitbucket]: AppConnectionPlanType.Regular,
[AppConnection.Zabbix]: AppConnectionPlanType.Regular
[AppConnection.Zabbix]: AppConnectionPlanType.Regular,
[AppConnection.Railway]: AppConnectionPlanType.Regular,
[AppConnection.Bitbucket]: AppConnectionPlanType.Regular
};

View File

@ -72,6 +72,8 @@ import { ValidateLdapConnectionCredentialsSchema } from "./ldap";
import { ValidateMsSqlConnectionCredentialsSchema } from "./mssql";
import { ValidateMySqlConnectionCredentialsSchema } from "./mysql";
import { ValidatePostgresConnectionCredentialsSchema } from "./postgres";
import { ValidateRailwayConnectionCredentialsSchema } from "./railway";
import { railwayConnectionService } from "./railway/railway-connection-service";
import { ValidateRenderConnectionCredentialsSchema } from "./render/render-connection-schema";
import { renderConnectionService } from "./render/render-connection-service";
import { ValidateTeamCityConnectionCredentialsSchema } from "./teamcity";
@ -124,8 +126,9 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
[AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema,
[AppConnection.GitLab]: ValidateGitLabConnectionCredentialsSchema,
[AppConnection.Cloudflare]: ValidateCloudflareConnectionCredentialsSchema,
[AppConnection.Bitbucket]: ValidateBitbucketConnectionCredentialsSchema,
[AppConnection.Zabbix]: ValidateZabbixConnectionCredentialsSchema
[AppConnection.Zabbix]: ValidateZabbixConnectionCredentialsSchema,
[AppConnection.Railway]: ValidateRailwayConnectionCredentialsSchema,
[AppConnection.Bitbucket]: ValidateBitbucketConnectionCredentialsSchema
};
export const appConnectionServiceFactory = ({
@ -536,7 +539,8 @@ export const appConnectionServiceFactory = ({
flyio: flyioConnectionService(connectAppConnectionById),
gitlab: gitlabConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
cloudflare: cloudflareConnectionService(connectAppConnectionById),
bitbucket: bitbucketConnectionService(connectAppConnectionById),
zabbix: zabbixConnectionService(connectAppConnectionById)
zabbix: zabbixConnectionService(connectAppConnectionById),
railway: railwayConnectionService(connectAppConnectionById),
bitbucket: bitbucketConnectionService(connectAppConnectionById)
};
};

View File

@ -141,6 +141,12 @@ import {
TPostgresConnectionInput,
TValidatePostgresConnectionCredentialsSchema
} from "./postgres";
import {
TRailwayConnection,
TRailwayConnectionConfig,
TRailwayConnectionInput,
TValidateRailwayConnectionCredentialsSchema
} from "./railway";
import {
TRenderConnection,
TRenderConnectionConfig,
@ -210,6 +216,7 @@ export type TAppConnection = { id: string } & (
| TCloudflareConnection
| TBitbucketConnection
| TZabbixConnection
| TRailwayConnection
);
export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@ -248,6 +255,7 @@ export type TAppConnectionInput = { id: string } & (
| TCloudflareConnectionInput
| TBitbucketConnectionInput
| TZabbixConnectionInput
| TRailwayConnectionInput
);
export type TSqlConnectionInput =
@ -293,7 +301,8 @@ export type TAppConnectionConfig =
| TGitLabConnectionConfig
| TCloudflareConnectionConfig
| TBitbucketConnectionConfig
| TZabbixConnectionConfig;
| TZabbixConnectionConfig
| TRailwayConnectionConfig;
export type TValidateAppConnectionCredentialsSchema =
| TValidateAwsConnectionCredentialsSchema
@ -326,7 +335,8 @@ export type TValidateAppConnectionCredentialsSchema =
| TValidateGitLabConnectionCredentialsSchema
| TValidateCloudflareConnectionCredentialsSchema
| TValidateBitbucketConnectionCredentialsSchema
| TValidateZabbixConnectionCredentialsSchema;
| TValidateZabbixConnectionCredentialsSchema
| TValidateRailwayConnectionCredentialsSchema;
export type TListAwsConnectionKmsKeys = {
connectionId: string;

View File

@ -0,0 +1,4 @@
export * from "./railway-connection-constants";
export * from "./railway-connection-fns";
export * from "./railway-connection-schemas";
export * from "./railway-connection-types";

View File

@ -0,0 +1,5 @@
export enum RailwayConnectionMethod {
AccountToken = "account-token",
ProjectToken = "project-token",
TeamToken = "team-token"
}

View File

@ -0,0 +1,66 @@
/* eslint-disable no-await-in-loop */
import { AxiosError } from "axios";
import { BadRequestError } from "@app/lib/errors";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { RailwayConnectionMethod } from "./railway-connection-constants";
import { RailwayPublicAPI } from "./railway-connection-public-client";
import { TRailwayConnection, TRailwayConnectionConfig } from "./railway-connection-types";
export const getRailwayConnectionListItem = () => {
return {
name: "Railway" as const,
app: AppConnection.Railway as const,
methods: Object.values(RailwayConnectionMethod)
};
};
export const validateRailwayConnectionCredentials = async (config: TRailwayConnectionConfig) => {
const { credentials, method } = config;
try {
await RailwayPublicAPI.healthcheck({
method,
credentials
});
} catch (error: unknown) {
if (error instanceof AxiosError) {
throw new BadRequestError({
message: `Failed to validate credentials: ${error.message || "Unknown error"}`
});
}
throw new BadRequestError({
message: "Unable to validate connection - verify credentials"
});
}
return credentials;
};
export const listProjects = async (appConnection: TRailwayConnection) => {
const { credentials, method } = appConnection;
try {
return await RailwayPublicAPI.listProjects({
method,
credentials
});
} catch (error: unknown) {
if (error instanceof AxiosError) {
throw new BadRequestError({
message: `Failed to list projects: ${error.message || "Unknown error"}`
});
}
if (error instanceof BadRequestError) {
throw error;
}
throw new BadRequestError({
message: "Unable to list projects",
error
});
}
};

View File

@ -0,0 +1,237 @@
/* eslint-disable class-methods-use-this */
import { AxiosError, AxiosInstance, AxiosResponse } from "axios";
import { createRequestClient } from "@app/lib/config/request";
import { BadRequestError } from "@app/lib/errors";
import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
import { RailwayConnectionMethod } from "./railway-connection-constants";
import {
RailwayAccountWorkspaceListSchema,
RailwayGetProjectsByProjectTokenSchema,
RailwayGetSubscriptionTypeSchema,
RailwayProjectsListSchema
} from "./railway-connection-schemas";
import { RailwayProject, TRailwayConnectionConfig, TRailwayResponse } from "./railway-connection-types";
type RailwaySendReqOptions = Pick<TRailwayConnectionConfig, "credentials" | "method">;
export function getRailwayAuthHeaders(method: RailwayConnectionMethod, token: string): Record<string, string> {
switch (method) {
case RailwayConnectionMethod.AccountToken:
case RailwayConnectionMethod.TeamToken:
return {
Authorization: token
};
case RailwayConnectionMethod.ProjectToken:
return {
"Project-Access-Token": token
};
default:
throw new Error(`Unsupported Railway connection method`);
}
}
export function getRailwayRatelimiter(headers: AxiosResponse["headers"]): {
isRatelimited: boolean;
maxAttempts: number;
wait: () => Promise<void>;
} {
const retryAfter: number | undefined = headers["Retry-After"] as number | undefined;
const requestsLeft = parseInt(headers["X-RateLimit-Remaining"] as string, 10);
const limitResetAt = headers["X-RateLimit-Reset"] as string;
const now = +new Date();
const nextReset = +new Date(limitResetAt);
const remaining = Math.min(0, nextReset - now);
const wait = () => {
return new Promise<void>((res) => {
setTimeout(res, remaining);
});
};
return {
isRatelimited: Boolean(retryAfter || requestsLeft === 0),
wait,
maxAttempts: 3
};
}
class RailwayPublicClient {
private client: AxiosInstance;
constructor() {
this.client = createRequestClient({
method: "POST",
baseURL: IntegrationUrls.RAILWAY_API_URL,
headers: {
"Content-Type": "application/json"
}
});
}
async send<T extends TRailwayResponse>(
query: string,
options: RailwaySendReqOptions,
variables: Record<string, string | Record<string, string>> = {},
retryAttempt: number = 0
): Promise<T["data"] | undefined> {
const body = {
query,
variables
};
const response = await this.client.request<T>({
data: body,
headers: getRailwayAuthHeaders(options.method, options.credentials.apiToken)
});
const { errors } = response.data;
if (Array.isArray(errors) && errors.length > 0) {
throw new AxiosError(errors[0].message);
}
const limiter = getRailwayRatelimiter(response.headers);
if (limiter.isRatelimited && retryAttempt <= limiter.maxAttempts) {
await limiter.wait();
return this.send(query, options, variables, retryAttempt + 1);
}
return response.data.data;
}
healthcheck(config: RailwaySendReqOptions) {
switch (config.method) {
case RailwayConnectionMethod.AccountToken:
return this.send(`{ me { teams { edges { node { id } } } } }`, config);
case RailwayConnectionMethod.ProjectToken:
return this.send(`{ projectToken { projectId environmentId project { id } } }`, config);
case RailwayConnectionMethod.TeamToken:
return this.send(`{ projects { edges { node { id name team { id } } } } }`, config);
default:
throw new Error(`Unsupported Railway connection method`);
}
}
async getSubscriptionType(config: RailwaySendReqOptions & { projectId: string }) {
const res = await this.send(
`query project($projectId: String!) { project(id: $projectId) { subscriptionType }}`,
config,
{
projectId: config.projectId
}
);
const data = await RailwayGetSubscriptionTypeSchema.parseAsync(res);
return data.project.subscriptionType;
}
async listProjects(config: RailwaySendReqOptions): Promise<RailwayProject[]> {
switch (config.method) {
case RailwayConnectionMethod.TeamToken: {
const res = await this.send(
`{ projects { edges { node { id, name, services{ edges{ node { id, name } } } environments { edges { node { name, id } } } } } } }`,
config
);
const data = await RailwayProjectsListSchema.parseAsync(res);
return data.projects.edges.map((p) => ({
id: p.node.id,
name: p.node.name,
environments: p.node.environments.edges.map((e) => e.node),
services: p.node.services.edges.map((s) => s.node)
}));
}
case RailwayConnectionMethod.AccountToken: {
const res = await this.send(
`{ me { workspaces { id, name, team{ projects{ edges{ node{ id, name, services{ edges { node { name, id } } } environments { edges { node { name, id } } } } } } } } } }`,
config
);
const data = await RailwayAccountWorkspaceListSchema.parseAsync(res);
return data.me.workspaces.flatMap((w) =>
w.team.projects.edges.map((p) => ({
id: p.node.id,
name: p.node.name,
environments: p.node.environments.edges.map((e) => e.node),
services: p.node.services.edges.map((s) => s.node)
}))
);
}
case RailwayConnectionMethod.ProjectToken: {
const res = await this.send(
`query { projectToken { project { id, name, services { edges { node { name, id } } } environments { edges { node { name, id } } } } } }`,
config
);
const data = await RailwayGetProjectsByProjectTokenSchema.parseAsync(res);
const p = data.projectToken.project;
return [
{
id: p.id,
name: p.name,
environments: p.environments.edges.map((e) => e.node),
services: p.services.edges.map((s) => s.node)
}
];
}
default:
throw new Error(`Unsupported Railway connection method`);
}
}
async getVariables(
config: RailwaySendReqOptions,
variables: { projectId: string; environmentId: string; serviceId?: string }
) {
const res = await this.send<TRailwayResponse<{ variables: Record<string, string> }>>(
`query variables($environmentId: String!, $projectId: String!, $serviceId: String) { variables( projectId: $projectId, environmentId: $environmentId, serviceId: $serviceId ) }`,
config,
variables
);
if (!res?.variables) {
throw new BadRequestError({
message: "Failed to get railway variables - empty response"
});
}
return res.variables;
}
async deleteVariable(
config: RailwaySendReqOptions,
variables: { input: { projectId: string; environmentId: string; name: string; serviceId?: string } }
) {
await this.send<TRailwayResponse<{ variables: Record<string, string> }>>(
`mutation variableDelete($input: VariableDeleteInput!) { variableDelete(input: $input) }`,
config,
variables
);
}
async upsertVariable(
config: RailwaySendReqOptions,
variables: { input: { projectId: string; environmentId: string; name: string; value: string; serviceId?: string } }
) {
await this.send<TRailwayResponse<{ variables: Record<string, string> }>>(
`mutation variableUpsert($input: VariableUpsertInput!) { variableUpsert(input: $input) }`,
config,
variables
);
}
}
export const RailwayPublicAPI = new RailwayPublicClient();

View File

@ -0,0 +1,117 @@
import z from "zod";
import { AppConnections } from "@app/lib/api-docs";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import {
BaseAppConnectionSchema,
GenericCreateAppConnectionFieldsSchema,
GenericUpdateAppConnectionFieldsSchema
} from "@app/services/app-connection/app-connection-schemas";
import { RailwayConnectionMethod } from "./railway-connection-constants";
export const RailwayConnectionMethodSchema = z
.nativeEnum(RailwayConnectionMethod)
.describe(AppConnections.CREATE(AppConnection.Railway).method);
export const RailwayConnectionAccessTokenCredentialsSchema = z.object({
apiToken: z
.string()
.trim()
.min(1, "API Token required")
.max(255)
.describe(AppConnections.CREDENTIALS.RAILWAY.apiToken)
});
const BaseRailwayConnectionSchema = BaseAppConnectionSchema.extend({
app: z.literal(AppConnection.Railway)
});
export const RailwayConnectionSchema = BaseRailwayConnectionSchema.extend({
method: RailwayConnectionMethodSchema,
credentials: RailwayConnectionAccessTokenCredentialsSchema
});
export const SanitizedRailwayConnectionSchema = z.discriminatedUnion("method", [
BaseRailwayConnectionSchema.extend({
method: RailwayConnectionMethodSchema,
credentials: RailwayConnectionAccessTokenCredentialsSchema.pick({})
})
]);
export const ValidateRailwayConnectionCredentialsSchema = z.discriminatedUnion("method", [
z.object({
method: RailwayConnectionMethodSchema,
credentials: RailwayConnectionAccessTokenCredentialsSchema.describe(
AppConnections.CREATE(AppConnection.Railway).credentials
)
})
]);
export const CreateRailwayConnectionSchema = ValidateRailwayConnectionCredentialsSchema.and(
GenericCreateAppConnectionFieldsSchema(AppConnection.Railway)
);
export const UpdateRailwayConnectionSchema = z
.object({
credentials: RailwayConnectionAccessTokenCredentialsSchema.optional().describe(
AppConnections.UPDATE(AppConnection.Railway).credentials
)
})
.and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Railway));
export const RailwayConnectionListItemSchema = z.object({
name: z.literal("Railway"),
app: z.literal(AppConnection.Railway),
methods: z.nativeEnum(RailwayConnectionMethod).array()
});
export const RailwayResourceSchema = z.object({
node: z.object({
id: z.string(),
name: z.string()
})
});
export const RailwayProjectEdgeSchema = z.object({
node: z.object({
id: z.string(),
name: z.string(),
services: z.object({
edges: z.array(RailwayResourceSchema)
}),
environments: z.object({
edges: z.array(RailwayResourceSchema)
})
})
});
export const RailwayProjectsListSchema = z.object({
projects: z.object({
edges: z.array(RailwayProjectEdgeSchema)
})
});
export const RailwayAccountWorkspaceListSchema = z.object({
me: z.object({
workspaces: z.array(
z.object({
id: z.string(),
name: z.string(),
team: RailwayProjectsListSchema
})
)
})
});
export const RailwayGetProjectsByProjectTokenSchema = z.object({
projectToken: z.object({
project: RailwayProjectEdgeSchema.shape.node
})
});
export const RailwayGetSubscriptionTypeSchema = z.object({
project: z.object({
subscriptionType: z.enum(["free", "hobby", "pro", "trial"])
})
});

View File

@ -0,0 +1,30 @@
import { logger } from "@app/lib/logger";
import { OrgServiceActor } from "@app/lib/types";
import { AppConnection } from "../app-connection-enums";
import { listProjects as getRailwayProjects } from "./railway-connection-fns";
import { TRailwayConnection } from "./railway-connection-types";
type TGetAppConnectionFunc = (
app: AppConnection,
connectionId: string,
actor: OrgServiceActor
) => Promise<TRailwayConnection>;
export const railwayConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
const listProjects = async (connectionId: string, actor: OrgServiceActor) => {
const appConnection = await getAppConnection(AppConnection.Railway, connectionId, actor);
try {
const projects = await getRailwayProjects(appConnection);
return projects;
} catch (error) {
logger.error(error, "Failed to establish connection with Railway");
return [];
}
};
return {
listProjects
};
};

View File

@ -0,0 +1,79 @@
import z from "zod";
import { DiscriminativePick } from "@app/lib/types";
import { AppConnection } from "../app-connection-enums";
import {
CreateRailwayConnectionSchema,
RailwayConnectionSchema,
ValidateRailwayConnectionCredentialsSchema
} from "./railway-connection-schemas";
export type TRailwayConnection = z.infer<typeof RailwayConnectionSchema>;
export type TRailwayConnectionInput = z.infer<typeof CreateRailwayConnectionSchema> & {
app: AppConnection.Railway;
};
export type TValidateRailwayConnectionCredentialsSchema = typeof ValidateRailwayConnectionCredentialsSchema;
export type TRailwayConnectionConfig = DiscriminativePick<TRailwayConnection, "method" | "app" | "credentials"> & {
orgId: string;
};
export type TRailwayService = {
id: string;
name: string;
};
export type TRailwayEnvironment = {
id: string;
name: string;
};
export type RailwayProject = {
id: string;
name: string;
services: TRailwayService[];
environments: TRailwayEnvironment[];
};
export type TRailwayResponse<T = unknown> = {
data?: T;
errors?: {
message: string;
}[];
};
export type TAccountProjectListResponse = TRailwayResponse<{
projects: {
edges: TProjectEdge[];
};
}>;
export interface TProjectEdge {
node: {
id: string;
name: string;
services: {
edges: TServiceEdge[];
};
environments: {
edges: TEnvironmentEdge[];
};
};
}
type TServiceEdge = {
node: {
id: string;
name: string;
};
};
type TEnvironmentEdge = {
node: {
id: string;
name: string;
};
};

View File

@ -214,7 +214,7 @@ export const secretFolderServiceFactory = ({
}
},
message: "Folder created",
folderId: doc.id,
folderId: parentFolder.id,
changes: [
{
type: CommitType.ADD,

View File

@ -0,0 +1,10 @@
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
export const RAILWAY_SYNC_LIST_OPTION: TSecretSyncListItem = {
name: "Railway",
destination: SecretSync.Railway,
connection: AppConnection.Railway,
canImportSecrets: true
};

View File

@ -0,0 +1,124 @@
/* eslint-disable @typescript-eslint/no-unsafe-member-access */
/* eslint-disable @typescript-eslint/no-unsafe-assignment */
import { RailwayPublicAPI } from "@app/services/app-connection/railway/railway-connection-public-client";
import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
import { SecretSyncError } from "../secret-sync-errors";
import { TSecretMap } from "../secret-sync-types";
import { TRailwaySyncWithCredentials } from "./railway-sync-types";
export const RailwaySyncFns = {
async getSecrets(secretSync: TRailwaySyncWithCredentials): Promise<TSecretMap> {
try {
const config = secretSync.destinationConfig;
const variables = await RailwayPublicAPI.getVariables(secretSync.connection, {
projectId: config.projectId,
environmentId: config.environmentId,
serviceId: config.serviceId || undefined
});
const entries = {} as TSecretMap;
for (const [key, value] of Object.entries(variables)) {
// Skip importing private railway variables
// eslint-disable-next-line no-continue
if (key.startsWith("RAILWAY_")) continue;
entries[key] = {
value
};
}
return entries;
} catch (error) {
throw new SecretSyncError({
error,
message: "Failed to import secrets from Railway"
});
}
},
async syncSecrets(secretSync: TRailwaySyncWithCredentials, secretMap: TSecretMap) {
const {
environment,
syncOptions: { disableSecretDeletion, keySchema }
} = secretSync;
const railwaySecrets = await this.getSecrets(secretSync);
const config = secretSync.destinationConfig;
for await (const key of Object.keys(secretMap)) {
try {
const existing = railwaySecrets[key];
if (existing === undefined || existing.value !== secretMap[key].value) {
await RailwayPublicAPI.upsertVariable(secretSync.connection, {
input: {
projectId: config.projectId,
environmentId: config.environmentId,
serviceId: config.serviceId || undefined,
name: key,
value: secretMap[key].value ?? ""
}
});
}
} catch (error) {
throw new SecretSyncError({
error,
secretKey: key
});
}
}
if (disableSecretDeletion) return;
for await (const key of Object.keys(railwaySecrets)) {
try {
// eslint-disable-next-line no-continue
if (!matchesSchema(key, environment?.slug || "", keySchema)) continue;
if (!secretMap[key]) {
await RailwayPublicAPI.deleteVariable(secretSync.connection, {
input: {
projectId: config.projectId,
environmentId: config.environmentId,
serviceId: config.serviceId || undefined,
name: key
}
});
}
} catch (error) {
throw new SecretSyncError({
error,
secretKey: key
});
}
}
},
async removeSecrets(secretSync: TRailwaySyncWithCredentials, secretMap: TSecretMap) {
const existing = await this.getSecrets(secretSync);
const config = secretSync.destinationConfig;
for await (const secret of Object.keys(existing)) {
try {
if (secret in secretMap) {
await RailwayPublicAPI.deleteVariable(secretSync.connection, {
input: {
projectId: config.projectId,
environmentId: config.environmentId,
serviceId: config.serviceId || undefined,
name: secret
}
});
}
} catch (error) {
throw new SecretSyncError({
error,
secretKey: secret
});
}
}
}
};

View File

@ -0,0 +1,56 @@
import { z } from "zod";
import { SecretSyncs } from "@app/lib/api-docs";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
import {
BaseSecretSyncSchema,
GenericCreateSecretSyncFieldsSchema,
GenericUpdateSecretSyncFieldsSchema
} from "@app/services/secret-sync/secret-sync-schemas";
import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
const RailwaySyncDestinationConfigSchema = z.object({
projectId: z
.string()
.trim()
.min(1, "Railway project ID required")
.describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.projectId),
projectName: z.string().trim().describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.projectName),
environmentId: z
.string()
.trim()
.min(1, "Railway environment ID required")
.describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.environmentId),
environmentName: z.string().trim().describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.environmentName),
serviceId: z.string().optional().describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.serviceId),
serviceName: z.string().optional().describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.serviceName)
});
const RailwaySyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
export const RailwaySyncSchema = BaseSecretSyncSchema(SecretSync.Railway, RailwaySyncOptionsConfig).extend({
destination: z.literal(SecretSync.Railway),
destinationConfig: RailwaySyncDestinationConfigSchema
});
export const CreateRailwaySyncSchema = GenericCreateSecretSyncFieldsSchema(
SecretSync.Railway,
RailwaySyncOptionsConfig
).extend({
destinationConfig: RailwaySyncDestinationConfigSchema
});
export const UpdateRailwaySyncSchema = GenericUpdateSecretSyncFieldsSchema(
SecretSync.Railway,
RailwaySyncOptionsConfig
).extend({
destinationConfig: RailwaySyncDestinationConfigSchema.optional()
});
export const RailwaySyncListItemSchema = z.object({
name: z.literal("Railway"),
connection: z.literal(AppConnection.Railway),
destination: z.literal(SecretSync.Railway),
canImportSecrets: z.literal(true)
});

View File

@ -0,0 +1,31 @@
import z from "zod";
import { TRailwayConnection } from "@app/services/app-connection/railway";
import { CreateRailwaySyncSchema, RailwaySyncListItemSchema, RailwaySyncSchema } from "./railway-sync-schemas";
export type TRailwaySyncListItem = z.infer<typeof RailwaySyncListItemSchema>;
export type TRailwaySync = z.infer<typeof RailwaySyncSchema>;
export type TRailwaySyncInput = z.infer<typeof CreateRailwaySyncSchema>;
export type TRailwaySyncWithCredentials = TRailwaySync & {
connection: TRailwayConnection;
};
export type TRailwaySecret = {
createdAt: string;
environmentId?: string | null;
id: string;
isSealed: boolean;
name: string;
serviceId?: string | null;
updatedAt: string;
};
export type TRailwayVariablesGraphResponse = {
data: {
variables: Record<string, string>;
};
};

View File

@ -21,7 +21,8 @@ export enum SecretSync {
Flyio = "flyio",
GitLab = "gitlab",
CloudflarePages = "cloudflare-pages",
Zabbix = "zabbix"
Zabbix = "zabbix",
Railway = "railway"
}
export enum SecretSyncInitialSyncBehavior {

View File

@ -39,6 +39,8 @@ import { HC_VAULT_SYNC_LIST_OPTION, HCVaultSyncFns } from "./hc-vault";
import { HEROKU_SYNC_LIST_OPTION, HerokuSyncFns } from "./heroku";
import { HUMANITEC_SYNC_LIST_OPTION } from "./humanitec";
import { HumanitecSyncFns } from "./humanitec/humanitec-sync-fns";
import { RAILWAY_SYNC_LIST_OPTION } from "./railway/railway-sync-constants";
import { RailwaySyncFns } from "./railway/railway-sync-fns";
import { RENDER_SYNC_LIST_OPTION, RenderSyncFns } from "./render";
import { SECRET_SYNC_PLAN_MAP } from "./secret-sync-maps";
import { TEAMCITY_SYNC_LIST_OPTION, TeamCitySyncFns } from "./teamcity";
@ -70,7 +72,8 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
[SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION,
[SecretSync.GitLab]: GITLAB_SYNC_LIST_OPTION,
[SecretSync.CloudflarePages]: CLOUDFLARE_PAGES_SYNC_LIST_OPTION,
[SecretSync.Zabbix]: ZABBIX_SYNC_LIST_OPTION
[SecretSync.Zabbix]: ZABBIX_SYNC_LIST_OPTION,
[SecretSync.Railway]: RAILWAY_SYNC_LIST_OPTION
};
export const listSecretSyncOptions = () => {
@ -240,6 +243,8 @@ export const SecretSyncFns = {
return CloudflarePagesSyncFns.syncSecrets(secretSync, schemaSecretMap);
case SecretSync.Zabbix:
return ZabbixSyncFns.syncSecrets(secretSync, schemaSecretMap);
case SecretSync.Railway:
return RailwaySyncFns.syncSecrets(secretSync, schemaSecretMap);
default:
throw new Error(
`Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@ -335,6 +340,9 @@ export const SecretSyncFns = {
case SecretSync.Zabbix:
secretMap = await ZabbixSyncFns.getSecrets(secretSync);
break;
case SecretSync.Railway:
secretMap = await RailwaySyncFns.getSecrets(secretSync);
break;
default:
throw new Error(
`Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@ -414,6 +422,8 @@ export const SecretSyncFns = {
return CloudflarePagesSyncFns.removeSecrets(secretSync, schemaSecretMap);
case SecretSync.Zabbix:
return ZabbixSyncFns.removeSecrets(secretSync, schemaSecretMap);
case SecretSync.Railway:
return RailwaySyncFns.removeSecrets(secretSync, schemaSecretMap);
default:
throw new Error(
`Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

View File

@ -24,7 +24,8 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
[SecretSync.Flyio]: "Fly.io",
[SecretSync.GitLab]: "GitLab",
[SecretSync.CloudflarePages]: "Cloudflare Pages",
[SecretSync.Zabbix]: "Zabbix"
[SecretSync.Zabbix]: "Zabbix",
[SecretSync.Railway]: "Railway"
};
export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@ -50,7 +51,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
[SecretSync.Flyio]: AppConnection.Flyio,
[SecretSync.GitLab]: AppConnection.GitLab,
[SecretSync.CloudflarePages]: AppConnection.Cloudflare,
[SecretSync.Zabbix]: AppConnection.Zabbix
[SecretSync.Zabbix]: AppConnection.Zabbix,
[SecretSync.Railway]: AppConnection.Railway
};
export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
@ -76,5 +78,6 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
[SecretSync.Flyio]: SecretSyncPlanType.Regular,
[SecretSync.GitLab]: SecretSyncPlanType.Regular,
[SecretSync.CloudflarePages]: SecretSyncPlanType.Regular,
[SecretSync.Zabbix]: SecretSyncPlanType.Regular
[SecretSync.Zabbix]: SecretSyncPlanType.Regular,
[SecretSync.Railway]: SecretSyncPlanType.Regular
};

View File

@ -94,6 +94,12 @@ import {
THumanitecSyncListItem,
THumanitecSyncWithCredentials
} from "./humanitec";
import {
TRailwaySync,
TRailwaySyncInput,
TRailwaySyncListItem,
TRailwaySyncWithCredentials
} from "./railway/railway-sync-types";
import {
TRenderSync,
TRenderSyncInput,
@ -138,7 +144,8 @@ export type TSecretSync =
| TFlyioSync
| TGitLabSync
| TCloudflarePagesSync
| TZabbixSync;
| TZabbixSync
| TRailwaySync;
export type TSecretSyncWithCredentials =
| TAwsParameterStoreSyncWithCredentials
@ -163,7 +170,8 @@ export type TSecretSyncWithCredentials =
| TFlyioSyncWithCredentials
| TGitLabSyncWithCredentials
| TCloudflarePagesSyncWithCredentials
| TZabbixSyncWithCredentials;
| TZabbixSyncWithCredentials
| TRailwaySyncWithCredentials;
export type TSecretSyncInput =
| TAwsParameterStoreSyncInput
@ -188,7 +196,8 @@ export type TSecretSyncInput =
| TFlyioSyncInput
| TGitLabSyncInput
| TCloudflarePagesSyncInput
| TZabbixSyncInput;
| TZabbixSyncInput
| TRailwaySyncInput;
export type TSecretSyncListItem =
| TAwsParameterStoreSyncListItem
@ -213,7 +222,8 @@ export type TSecretSyncListItem =
| TFlyioSyncListItem
| TGitLabSyncListItem
| TCloudflarePagesSyncListItem
| TZabbixSyncListItem;
| TZabbixSyncListItem
| TRailwaySyncListItem;
export type TSyncOptionsConfig = {
canImportSecrets: boolean;

View File

@ -0,0 +1,4 @@
---
title: "Available"
openapi: "GET /api/v1/app-connections/railway/available"
---

View File

@ -0,0 +1,8 @@
---
title: "Create"
openapi: "POST /api/v1/app-connections/railway"
---
<Note>
Check out the configuration docs for [Railway Connections](/integrations/app-connections/railway) to learn how to obtain the required credentials.
</Note>

View File

@ -0,0 +1,4 @@
---
title: "Delete"
openapi: "DELETE /api/v1/app-connections/railway/{connectionId}"
---

View File

@ -0,0 +1,4 @@
---
title: "Get by ID"
openapi: "GET /api/v1/app-connections/railway/{connectionId}"
---

View File

@ -0,0 +1,4 @@
---
title: "Get by Name"
openapi: "GET /api/v1/app-connections/railway/connection-name/{connectionName}"
---

View File

@ -0,0 +1,4 @@
---
title: "List"
openapi: "GET /api/v1/app-connections/railway"
---

View File

@ -0,0 +1,8 @@
---
title: "Update"
openapi: "PATCH /api/v1/app-connections/railway/{connectionId}"
---
<Note>
Check out the configuration docs for [Railway Connections](/integrations/app-connections/railway) to learn how to obtain the required credentials.
</Note>

View File

@ -0,0 +1,4 @@
---
title: "Create"
openapi: "POST /api/v1/secret-syncs/railway"
---

View File

@ -0,0 +1,4 @@
---
title: "Delete"
openapi: "DELETE /api/v1/secret-syncs/railway/{syncId}"
---

View File

@ -0,0 +1,4 @@
---
title: "Get by ID"
openapi: "GET /api/v1/secret-syncs/railway/{syncId}"
---

View File

@ -0,0 +1,4 @@
---
title: "Get by Name"
openapi: "GET /api/v1/secret-syncs/railway/sync-name/{syncName}"
---

View File

@ -0,0 +1,4 @@
---
title: "Import Secrets"
openapi: "POST /api/v1/secret-syncs/railway/{syncId}/import-secrets"
---

View File

@ -0,0 +1,4 @@
---
title: "List"
openapi: "GET /api/v1/secret-syncs/railway"
---

View File

@ -0,0 +1,4 @@
---
title: "Remove Secrets"
openapi: "POST /api/v1/secret-syncs/railway/{syncId}/remove-secrets"
---

View File

@ -0,0 +1,4 @@
---
title: "Sync Secrets"
openapi: "POST /api/v1/secret-syncs/railway/{syncId}/sync-secrets"
---

View File

@ -0,0 +1,4 @@
---
title: "Update"
openapi: "PATCH /api/v1/secret-syncs/railway/{syncId}"
---

View File

@ -78,10 +78,7 @@
},
{
"group": "Infisical SSH",
"pages": [
"documentation/platform/ssh/overview",
"documentation/platform/ssh/host-groups"
]
"pages": ["documentation/platform/ssh/overview", "documentation/platform/ssh/host-groups"]
},
{
"group": "Key Management (KMS)",
@ -378,10 +375,7 @@
},
{
"group": "Architecture",
"pages": [
"internals/architecture/components",
"internals/architecture/cloud"
]
"pages": ["internals/architecture/components", "internals/architecture/cloud"]
},
"internals/security",
"internals/service-tokens"
@ -488,6 +482,7 @@
"integrations/app-connections/oci",
"integrations/app-connections/oracledb",
"integrations/app-connections/postgres",
"integrations/app-connections/railway",
"integrations/app-connections/render",
"integrations/app-connections/teamcity",
"integrations/app-connections/terraform-cloud",
@ -522,6 +517,7 @@
"integrations/secret-syncs/heroku",
"integrations/secret-syncs/humanitec",
"integrations/secret-syncs/oci-vault",
"integrations/secret-syncs/railway",
"integrations/secret-syncs/render",
"integrations/secret-syncs/teamcity",
"integrations/secret-syncs/terraform-cloud",
@ -550,10 +546,7 @@
"integrations/cloud/gcp-secret-manager",
{
"group": "Cloudflare",
"pages": [
"integrations/cloud/cloudflare-pages",
"integrations/cloud/cloudflare-workers"
]
"pages": ["integrations/cloud/cloudflare-pages", "integrations/cloud/cloudflare-workers"]
},
"integrations/cloud/terraform-cloud",
"integrations/cloud/databricks",
@ -563,8 +556,8 @@
"integrations/cloud/digital-ocean-app-platform",
"integrations/cloud/heroku",
"integrations/cloud/netlify",
"integrations/cloud/railway",
"integrations/cloud/flyio",
"integrations/cloud/railway",
"integrations/cloud/render",
"integrations/cloud/laravel-forge",
"integrations/cloud/supabase",
@ -665,11 +658,7 @@
"cli/commands/reset",
{
"group": "infisical scan",
"pages": [
"cli/commands/scan",
"cli/commands/scan-git-changes",
"cli/commands/scan-install"
]
"pages": ["cli/commands/scan", "cli/commands/scan-git-changes", "cli/commands/scan-install"]
}
]
},
@ -853,30 +842,30 @@
{
"group": "Organizations",
"pages": [
{
"group": "OIDC SSO",
"pages": [
"api-reference/endpoints/organizations/oidc-sso/get-oidc-config",
"api-reference/endpoints/organizations/oidc-sso/update-oidc-config",
"api-reference/endpoints/organizations/oidc-sso/create-oidc-config"
]
},
{
"group": "LDAP SSO",
"pages": [
"api-reference/endpoints/organizations/ldap-sso/get-ldap-config",
"api-reference/endpoints/organizations/ldap-sso/update-ldap-config",
"api-reference/endpoints/organizations/ldap-sso/create-ldap-config"
]
},
{
"group": "SAML SSO",
"pages": [
"api-reference/endpoints/organizations/saml-sso/get-saml-config",
"api-reference/endpoints/organizations/saml-sso/update-saml-config",
"api-reference/endpoints/organizations/saml-sso/create-saml-config"
]
},
{
"group": "OIDC SSO",
"pages": [
"api-reference/endpoints/organizations/oidc-sso/get-oidc-config",
"api-reference/endpoints/organizations/oidc-sso/update-oidc-config",
"api-reference/endpoints/organizations/oidc-sso/create-oidc-config"
]
},
{
"group": "LDAP SSO",
"pages": [
"api-reference/endpoints/organizations/ldap-sso/get-ldap-config",
"api-reference/endpoints/organizations/ldap-sso/update-ldap-config",
"api-reference/endpoints/organizations/ldap-sso/create-ldap-config"
]
},
{
"group": "SAML SSO",
"pages": [
"api-reference/endpoints/organizations/saml-sso/get-saml-config",
"api-reference/endpoints/organizations/saml-sso/update-saml-config",
"api-reference/endpoints/organizations/saml-sso/create-saml-config"
]
},
"api-reference/endpoints/organizations/memberships",
"api-reference/endpoints/organizations/update-membership",
"api-reference/endpoints/organizations/delete-membership",
@ -993,9 +982,7 @@
"pages": [
{
"group": "Kubernetes",
"pages": [
"api-reference/endpoints/dynamic-secrets/kubernetes/create-lease"
]
"pages": ["api-reference/endpoints/dynamic-secrets/kubernetes/create-lease"]
},
"api-reference/endpoints/dynamic-secrets/create",
"api-reference/endpoints/dynamic-secrets/update",
@ -1517,6 +1504,18 @@
"api-reference/endpoints/app-connections/postgres/delete"
]
},
{
"group": "Railway",
"pages": [
"api-reference/endpoints/app-connections/railway/list",
"api-reference/endpoints/app-connections/railway/available",
"api-reference/endpoints/app-connections/railway/get-by-id",
"api-reference/endpoints/app-connections/railway/get-by-name",
"api-reference/endpoints/app-connections/railway/create",
"api-reference/endpoints/app-connections/railway/update",
"api-reference/endpoints/app-connections/railway/delete"
]
},
{
"group": "Render",
"pages": [
@ -1826,6 +1825,20 @@
"api-reference/endpoints/secret-syncs/oci-vault/remove-secrets"
]
},
{
"group": "Railway",
"pages": [
"api-reference/endpoints/secret-syncs/railway/list",
"api-reference/endpoints/secret-syncs/railway/get-by-id",
"api-reference/endpoints/secret-syncs/railway/get-by-name",
"api-reference/endpoints/secret-syncs/railway/create",
"api-reference/endpoints/secret-syncs/railway/update",
"api-reference/endpoints/secret-syncs/railway/delete",
"api-reference/endpoints/secret-syncs/railway/sync-secrets",
"api-reference/endpoints/secret-syncs/railway/import-secrets",
"api-reference/endpoints/secret-syncs/railway/remove-secrets"
]
},
{
"group": "Render",
"pages": [
@ -2172,7 +2185,7 @@
"api": {
"openapi": "https://app.infisical.com/api/docs/json",
"mdx": {
"server": ["https://app.infisical.com", "http://localhost:8080"]
"server": ["https://app.infisical.com"]
}
},
"appearance": {

View File

@ -3,13 +3,13 @@ title: "AWS IAM"
description: "Learn how to dynamically generate AWS IAM Users."
---
The Infisical AWS IAM dynamic secret allows you to generate AWS IAM Users on demand based on configured AWS policy.
The Infisical AWS IAM dynamic secret allows you to generate AWS IAM Users on demand based on a configured AWS policy. Infisical supports several authentication methods to connect to your AWS account, including assuming an IAM Role, using IAM Roles for Service Accounts (IRSA) on EKS, or static Access Keys.
## Prerequisite
Infisical needs an initial AWS IAM user with the required permissions to create sub IAM users. This IAM user will be responsible for managing the lifecycle of new IAM users.
Infisical needs an AWS IAM principal (a user or a role) with the required permissions to create and manage other IAM users. This principal will be responsible for the lifecycle of the dynamically generated users.
<Accordion title="Managing AWS IAM User minimum permission policy">
<Accordion title="Required IAM Permissions">
```json
{
@ -235,7 +235,169 @@ Replace **\<account id\>** with your AWS account id and **\<aws-scope-path\>** w
![Provision Lease](/images/platform/dynamic-secrets/lease-values-aws-iam.png)
</Step>
</Steps>
</Tab>
<Tab title="IRSA (EKS)">
This method is recommended for self-hosted Infisical instances running on AWS EKS. It uses [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to securely grant permissions to the Infisical pods without managing static credentials.
<Warning type="warning" title="IRSA Configuration Prerequisite">
In order to use IRSA, the `KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN` environment variable must be set to `true` for your self-hosted Infisical instance.
</Warning>
<Steps>
<Step title="Create an IAM OIDC provider for your cluster">
If you don't already have one, you need to create an IAM OIDC provider for your EKS cluster. This allows IAM to trust authentication tokens from your Kubernetes cluster.
1. Find your cluster's OIDC provider URL from the EKS console or by using the AWS CLI:
`aws eks describe-cluster --name <your-cluster-name> --query "cluster.identity.oidc.issuer" --output text`
2. Navigate to the [IAM Identity Providers](https://console.aws.amazon.com/iam/home#/providers) page in your AWS Console and create a new OpenID Connect provider with the URL and `sts.amazonaws.com` as the audience.
![Create OIDC Provider Placeholder](/images/integrations/aws/irsa-create-oidc-provider.png)
</Step>
<Step title="Create the Managing User IAM Role for Infisical">
1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console.
2. Select **Web identity** as the **Trusted Entity Type**.
3. Choose the OIDC provider you created in the previous step.
4. For the **Audience**, select `sts.amazonaws.com`.
![IAM Role Creation for IRSA](/images/integrations/aws/irsa-iam-role-creation.png)
5. Attach the permission policy detailed in the **Prerequisite** section at the top of this page.
6. After creating the role, edit its **Trust relationship** to specify the service account Infisical is using in your cluster. This ensures only the Infisical pod can assume this role.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:<K8S_NAMESPACE>:<INFISICAL_SERVICE_ACCOUNT_NAME>",
"oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:aud": "sts.amazonaws.com"
}
}
}
]
}
```
Replace `<ACCOUNT_ID>`, `<REGION>`, `<OIDC_ID>`, `<K8S_NAMESPACE>`, and `<INFISICAL_SERVICE_ACCOUNT_NAME>` with your specific values.
</Step>
<Step title="Annotate the Infisical Kubernetes Service Account">
For the IRSA mechanism to work, the Infisical service account in your Kubernetes cluster must be annotated with the ARN of the IAM role you just created.
Run the following command, replacing the placeholders with your values:
```bash
kubectl annotate serviceaccount -n <infisical-namespace> <infisical-service-account> \
eks.amazonaws.com/role-arn=arn:aws:iam::<account-id>:role/<iam-role-name>
```
This annotation tells the EKS Pod Identity Webhook to inject the necessary environment variables and tokens into the Infisical pod, allowing it to assume the specified IAM role.
</Step>
<Step title="Secret Overview Dashboard">
Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.
</Step>
<Step title="Click on the 'Add Dynamic Secret' button">
![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
</Step>
<Step title="Select AWS IAM">
![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-modal-aws-iam.png)
</Step>
<Step title="Provide the inputs for dynamic secret parameters">
![Dynamic Secret Setup Modal for IRSA](/images/platform/dynamic-secrets/dynamic-secret-setup-modal-aws-iam-irsa.png)
<ParamField path="Secret Name" type="string" required>
Name by which you want the secret to be referenced
</ParamField>
<ParamField path="Default TTL" type="string" required>
Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
</ParamField>
<ParamField path="Max TTL" type="string" required>
Maximum time-to-live for a generated secret
</ParamField>
<ParamField path="Username Template" type="string" default="{{randomUsername}}">
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
Allowed template variables are
- `{{randomUsername}}`: Random username string
- `{{unixTimestamp}}`: Current Unix timestamp
- `{{identity.name}}`: Name of the identity that is generating the secret
- `{{random N}}`: Random string of N characters
Allowed template functions are
- `truncate`: Truncates a string to a specified length
- `replace`: Replaces a substring with another value
Examples:
```
{{randomUsername}} // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
{{unixTimestamp}} // 17490641580
{{identity.name}} // testuser
{{random-5}} // x9k2m
{{truncate identity.name 4}} // test
{{replace identity.name 'user' 'replace'}} // testreplace
```
</ParamField>
<ParamField path="Tags" type="map<string, string>[]">
Tags to be added to the created IAM User resource.
</ParamField>
<ParamField path="Method" type="string" required>
Select *IRSA* method.
</ParamField>
<ParamField path="Aws Role ARN" type="string" required>
The ARN of the AWS IAM Role for the service account to assume.
</ParamField>
<ParamField path="AWS IAM Path" type="string">
[IAM AWS Path](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/) to scope created IAM User resource access.
</ParamField>
<ParamField path="AWS Region" type="string" required>
The AWS data center region.
</ParamField>
<ParamField path="IAM User Permission Boundary" type="string" required>
The IAM Policy ARN of the [AWS Permissions Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to attach to IAM users created in the role.
</ParamField>
<ParamField path="AWS IAM Groups" type="string">
The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
</ParamField>
<ParamField path="AWS Policy ARNs" type="string">
The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
</ParamField>
<ParamField path="AWS IAM Policy Document" type="string">
The AWS IAM inline policy that should be attached to the created users.
Multiple values can be provided by separating them with commas
</ParamField>
<ParamField path="Username Template" type="string" default="{{randomUsername}}">
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
Allowed template variables are
- `{{randomUsername}}`: Random username string
- `{{unixTimestamp}}`: Current Unix timestamp
</ParamField>
</Step>
<Step title="Click 'Submit'">
After submitting the form, you will see a dynamic secret created in the dashboard.
![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret.png)
</Step>
<Step title="Generate dynamic secrets">
Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
<Tip>
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.
</Tip>
Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you.
![Provision Lease](/images/platform/dynamic-secrets/lease-values-aws-iam.png)
</Step>
</Steps>
</Tab>
<Tab title="Access Key">
Infisical will use the provided **Access Key ID** and **Secret Key** to connect to your AWS instance.
@ -263,9 +425,9 @@ Replace **\<account id\>** with your AWS account id and **\<aws-scope-path\>** w
Maximum time-to-live for a generated secret
</ParamField>
<ParamField path="Method" type="string" required>
Select *Access Key* method.
</ParamField>
<ParamField path="Method" type="string" required>
Select *Access Key* method.
</ParamField>
<ParamField path="AWS Access Key" type="string" required>
The managing AWS IAM User Access Key

Binary file not shown.

After

Width:  |  Height:  |  Size: 282 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 268 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 283 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 285 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 284 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 498 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 711 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 434 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 282 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 308 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 192 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 282 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 208 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 320 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 285 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 289 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 285 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 346 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 373 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 667 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.1 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 755 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 616 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 670 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 661 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 617 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 557 KiB

View File

@ -0,0 +1,164 @@
---
title: "Railway Connection"
description: "Learn how to configure a Railway Connection for Infisical."
---
Infisical supports the use of [API Tokens](https://docs.railway.com/guides/public-api#creating-a-token) to connect with Railway.
## Create a Railway API Token
<Tabs>
<Tab title="Team Token">
A team token provides access to all resources within a team. It cannot be used to access personal resources in Railway.
<Steps>
<Step title="Click the profile image in the top-right corner and select 'Account Settings'">
![Dashboard Page](/images/app-connections/railway/railway-app-connection-account-settings.png)
</Step>
<Step title="In the personal settings sidebar, click on 'Tokens'">
![Account Settings Page](/images/app-connections/railway/railway-app-connection-account-settings-tokens.png)
</Step>
<Step title="Enter a token name and select a team">
Make sure to provide a descriptive name and select the correct team.
![Enter Name and Select Team](/images/app-connections/railway/railway-app-connection-team-token-form.png)
</Step>
<Step title="Click on 'Create'">
![Create Token](/images/app-connections/railway/railway-app-connection-team-token-create.png)
</Step>
<Step title="Save the token">
After clicking 'Create', your access token will be displayed. Save it securely for later use.
![Copy Token Modal](/images/app-connections/railway/railway-app-connection-team-token-created.png)
</Step>
</Steps>
</Tab>
<Tab title="Account Token">
If no team is selected, the token will be associated with your personal Railway account and will have access to all your individual and team resources.
<Steps>
<Step title="Click the profile image in the top-right corner and select 'Account Settings'">
![Dashboard Page](/images/app-connections/railway/railway-app-connection-account-settings.png)
</Step>
<Step title="In the personal settings sidebar, click on 'Tokens'">
![Account Settings Page](/images/app-connections/railway/railway-app-connection-account-settings-tokens.png)
</Step>
<Step title="Enter a token name and select 'No workspace'">
Provide a descriptive name and ensure no team is selected. This will create an account-level token.
![Enter Name](/images/app-connections/railway/railway-app-connection-account-token-form.png)
</Step>
<Step title="Click on 'Create'">
![Create Token](/images/app-connections/railway/railway-app-connection-account-token-create.png)
</Step>
<Step title="Save the token">
After clicking 'Create', your access token will be shown. Save it for future use.
![Copy Token Modal](/images/app-connections/railway/railway-app-connection-account-token-created.png)
</Step>
</Steps>
</Tab>
<Tab title="Project Token">
Project tokens are limited to a specific environment within a project and can only be used to authenticate requests to that environment.
<Steps>
<Step title="Open your Railway dashboard and click on a project">
![Dashboard Page](/images/app-connections/railway/railway-app-connection-project-token-dashboard.png)
</Step>
<Step title="On the project page, click 'Settings' in the top-right corner">
![Project Settings Page](/images/app-connections/railway/railway-app-connection-project-token-project.png)
</Step>
<Step title="In the left sidebar, scroll to the bottom and click on 'Tokens'">
![Project Token Settings Page](/images/app-connections/railway/railway-app-connection-project-token-settings.png)
</Step>
<Step title="Enter a token name and select an environment">
Provide a descriptive name and select the appropriate environment for the token.
![Enter Name and Select environment](/images/app-connections/railway/railway-app-connection-project-token-form.png)
</Step>
<Step title="Click on 'Create'">
![Create Token](/images/app-connections/railway/railway-app-connection-project-token-create.png)
</Step>
<Step title="Save the token">
After clicking 'Create', the access token will be displayed. Be sure to save it for later use.
![Copy Token Modal](/images/app-connections/railway/railway-app-connection-project-token-created.png)
</Step>
</Steps>
</Tab>
</Tabs>
## Create a Railway Connection in Infisical
<Tabs>
<Tab title="Infisical UI">
<Steps>
<Step title="Navigate to App Connections">
In your Infisical dashboard, go to **Organization Settings** and open the [**App Connections**](https://app.infisical.com/organization/app-connections) tab.
![App Connections Tab](/images/app-connections/general/add-connection.png)
</Step>
<Step title="Select Railway Connection">
Click **+ Add Connection** and choose **Railway Connection** from the list of integrations.
![Select Railway Connection](/images/app-connections/railway/railway-app-connection-option.png)
</Step>
<Step title="Fill out the Railway Connection form">
Complete the form by providing:
- A descriptive name for the connection
- An optional description
- The type of token you created earlier
- The token value from the previous step
![Railway Connection Modal](/images/app-connections/railway/railway-app-connection-form.png)
</Step>
<Step title="Connection created">
After submitting the form, your **Railway Connection** will be successfully created and ready to use with your Infisical projects.
![Railway Connection Created](/images/app-connections/railway/railway-app-connection-generated.png)
</Step>
</Steps>
</Tab>
<Tab title="API">
To create a Railway Connection via API, send a request to the [Create Railway Connection](/api-reference/endpoints/app-connections/railway/create) endpoint.
### Sample request
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/app-connections/railway \
--header 'Content-Type: application/json' \
--data '{
"name": "my-railway-connection",
"method": "team-token",
"credentials": {
"apiToken": "[TEAM TOKEN]"
}
}'
```
### Sample response
```bash Response
{
"appConnection": {
"id": "e5d18aca-86f7-4026-a95e-efb8aeb0d8e6",
"name": "my-railway-connection",
"description": null,
"version": 1,
"orgId": "6f03caa1-a5de-43ce-b127-95a145d3464c",
"createdAt": "2025-04-23T19:46:34.831Z",
"updatedAt": "2025-04-23T19:46:34.831Z",
"isPlatformManagedCredentials": false,
"credentialsHash": "7c2d371dec195f82a6a0d5b41c970a229cfcaf88e894a5b6395e2dbd0280661f",
"app": "railway",
"method": "team-token",
"credentials": {}
}
}
```
</Tab>
</Tabs>

View File

@ -0,0 +1,171 @@
---
title: "Railway Sync"
description: "Learn how to configure a Railway Sync for Infisical."
---
**Prerequisites:**
- Create a [Railway Connection](/integrations/app-connections/railway)
<Tabs>
<Tab title="Infisical UI">
<Steps>
<Step title="Add Sync">
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
</Step>
<Step title="Select 'Railway'">
![Select Railway](/images/secret-syncs/railway/select-option.png)
</Step>
<Step title="Configure source">
Configure the **Source** from where secrets should be retrieved, then click **Next**.
![Configure Source](/images/secret-syncs/railway/railway-sync-source.png)
- **Environment**: The project environment to retrieve secrets from.
- **Secret Path**: The folder path to retrieve secrets from.
<Tip>
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
</Tip>
</Step>
<Step title="Configure destination">
Configure the **Destination** to where secrets should be deployed, then click **Next**.
![Configure Destination](/images/secret-syncs/railway/railway-sync-destination.png)
- **Railway Connection**: The Railway Connection to authenticate with.
- **Project**: The Railway project to sync secrets to.
- **Environment**: The Railway environment to sync secrets to.
- **Service**: The Service to sync secrets to.
- **If not provided**: Secrets will be synced as [shared variables](https://docs.railway.com/guides/variables#shared-variables) on Railway.
</Step>
<Step title="Configure Sync Options">
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
![Configure Options](/images/secret-syncs/railway/railway-sync-options.png)
- **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
- **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
- **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Railway when keys conflict.
- **Import Secrets (Prioritize Railway)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Railway over Infisical when keys conflict.
- **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
<Note>
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
</Note>
- **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
- **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
</Step>
<Step title="Configure details">
Configure the **Details** of your Railway Sync, then click **Next**.
![Configure Details](/images/secret-syncs/railway/railway-sync-details.png)
- **Name**: The name of your sync. Must be slug-friendly.
- **Description**: An optional description for your sync.
</Step>
<Step title="Review configuration">
Review your Railway Sync configuration, then click **Create Sync**.
![Review Configuration](/images/secret-syncs/railway/railway-sync-review.png)
</Step>
<Step title="Sync created">
If enabled, your Railway Sync will begin syncing your secrets to the destination endpoint.
![Sync Created](/images/secret-syncs/railway/railway-sync-created.png)
</Step>
</Steps>
</Tab>
<Tab title="API">
To create a **Railway Sync**, make an API request to the [Create Railway Sync](/api-reference/endpoints/secret-syncs/railway/create) API endpoint.
### Sample request
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/railway \
--header 'Content-Type: application/json' \
--data '{
"name": "my-railway-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"destinationConfig": {
"projectId": "dev-project-id",
"projectName": "Development Project",
"environmentId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environmentName": "Development",
"serviceId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"serviceName": "my-railway-service",
}
}'
```
### Sample response
```bash Response
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-railway-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "railway",
"name": "my-railway-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "railway",
"destinationConfig": {
"projectId": "dev-project-id",
"projectName": "Development Project",
"environmentId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environmentName": "Development",
"serviceId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"serviceName": "my-railway-service",
}
}
}
```
</Tab>
</Tabs>

View File

@ -59,6 +59,15 @@ Example values:
connect with internal/private IP addresses.
</ParamField>
<ParamField
query="KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN"
type="bool"
default="false"
optional
>
Determines whether your Infisical instance can automatically read the service account token of the pod it's running on. Used for features such as the IRSA auth method.
</ParamField>
## CORS
Cross-Origin Resource Sharing (CORS) is a security feature that allows web applications running on one domain to access resources from another domain.

View File

@ -4,17 +4,20 @@ description: "Read how to run Infisical with Docker Compose template."
---
This self-hosting guide will walk you through the steps to self-host Infisical using Docker Compose.
## Prerequisites
- [Docker](https://docs.docker.com/engine/install/)
- [Docker compose](https://docs.docker.com/compose/install/)
<Warning>
This Docker Compose configuration is not designed for high-availability production scenarios.
It includes just the essential components needed to set up an Infisical proof of concept (POC).
To run Infisical in a highly available manner, give the [Docker Swarm guide](/self-hosting/deployment-options/docker-swarm).
</Warning>
<Tabs>
<Tab title="Docker Compose">
## Prerequisites
- [Docker](https://docs.docker.com/engine/install/)
- [Docker compose](https://docs.docker.com/compose/install/)
## Verify prerequisites
<Warning>
This Docker Compose configuration is not designed for high-availability production scenarios.
It includes just the essential components needed to set up an Infisical proof of concept (POC).
To run Infisical in a highly available manner, give the [Docker Swarm guide](/self-hosting/deployment-options/docker-swarm).
</Warning>
## Verify prerequisites
To verify that Docker compose and Docker are installed on the machine where you plan to install Infisical, run the following commands.
Check for docker installation
@ -27,55 +30,145 @@ To run Infisical in a highly available manner, give the [Docker Swarm guide](/se
docker-compose
```
## Download docker compose file
You can obtain the Infisical docker compose file by using a command-line downloader such as `wget` or `curl`.
If your system doesn't have either of these, you can use a equivalent command that works with your machine.
## Download docker compose file
You can obtain the Infisical docker compose file by using a command-line downloader such as `wget` or `curl`.
If your system doesn't have either of these, you can use a equivalent command that works with your machine.
<Tabs>
<Tab title="curl">
```bash
curl -o docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
```
</Tab>
<Tab title="wget">
```bash
wget -O docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
```
</Tab>
</Tabs>
## Configure instance credentials
Infisical requires a set of credentials used for connecting to dependent services such as Postgres, Redis, etc.
The default credentials can be downloaded using the one of the commands listed below.
<Tabs>
<Tab title="curl">
```bash
curl -o .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
```
</Tab>
<Tab title="wget">
```bash
wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
```
</Tab>
</Tabs>
Once downloaded, the credentials file will be saved to your working directly as `.env` file.
View all available configurations [here](/self-hosting/configuration/envars).
<Warning>
The default .env file contains credentials that are intended solely for testing purposes.
Please generate a new `ENCRYPTION_KEY` and `AUTH_SECRET` for use outside of testing.
Instructions to do so, can be found [here](/self-hosting/configuration/envars).
</Warning>
## Start Infisical
Run the command below to start Infisical and all related services.
<Tabs>
<Tab title="curl">
```bash
curl -o docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
docker-compose -f docker-compose.prod.yml up
```
</Tab>
<Tab title="wget">
```bash
wget -O docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
<Tab title="Podman Compose">
Podman Compose is an alternative way to run Infisical using Podman as a replacement for Docker. Podman is backwards compatible with Docker Compose files.
## Prerequisites
- [Podman](https://podman-desktop.io/docs/installation)
- [Podman Compose](https://podman-desktop.io/docs/compose)
<Warning>
This Docker Compose configuration is not designed for high-availability production scenarios.
It includes just the essential components needed to set up an Infisical proof of concept (POC).
To run Infisical in a highly available manner, give the [Docker Swarm guide](/self-hosting/deployment-options/docker-swarm).
</Warning>
## Verify prerequisites
To verify that Podman compose and Podman are installed on the machine where you plan to install Infisical, run the following commands.
Check for podman installation
```bash
podman version
```
Check for podman compose installation
```bash
podman-compose version
```
## Download Docker Compose file
You can obtain the Infisical docker compose file by using a command-line downloader such as `wget` or `curl`.
If your system doesn't have either of these, you can use a equivalent command that works with your machine.
<Tabs>
<Tab title="curl">
```bash
curl -o docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
```
</Tab>
<Tab title="wget">
```bash
wget -O docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
```
</Tab>
</Tabs>
## Configure instance credentials
Infisical requires a set of credentials used for connecting to dependent services such as Postgres, Redis, etc.
The default credentials can be downloaded using the one of the commands listed below.
<Tabs>
<Tab title="curl">
```bash
curl -o .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
```
</Tab>
<Tab title="wget">
```bash
wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
```
</Tab>
</Tabs>
<Note>
Make sure to rename the `.env.example` file to `.env` before starting Infisical. Additionally it's important that the `.env` file is in the same directory as the `docker-compose.prod.yml` file.
</Note>
## Setup Podman
Run the commands below to setup Podman for first time use.
```bash
podman machine init --now
podman machine set --rootful
podman machine start
```
<Note>
If you are using a rootless podman installation, you can skip the `podman machine set --rootful` command.
</Note>
## Start Infisical
Run the command below to start Infisical and all related services.
```bash
podman-compose -f docker-compose.prod.yml up
```
</Tab>
</Tabs>
## Configure instance credentials
Infisical requires a set of credentials used for connecting to dependent services such as Postgres, Redis, etc.
The default credentials can be downloaded using the one of the commands listed below.
<Tabs>
<Tab title="curl">
```bash
curl -o .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
```
</Tab>
<Tab title="wget">
```bash
wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
```
</Tab>
</Tabs>
Once downloaded, the credentials file will be saved to your working directly as `.env` file.
View all available configurations [here](/self-hosting/configuration/envars).
<Warning>
The default .env file contains credentials that are intended solely for testing purposes.
Please generate a new `ENCRYPTION_KEY` and `AUTH_SECRET` for use outside of testing.
Instructions to do so, can be found [here](/self-hosting/configuration/envars).
</Warning>
## Start Infisical
Run the command below to start Infisical and all related services.
```bash
docker-compose -f docker-compose.prod.yml up
```
Your Infisical instance should now be running on port `80`. To access your instance, visit `http://localhost:80`.

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,138 @@
import { useMemo } from "react";
import { Controller, useFormContext, useWatch } from "react-hook-form";
import { SingleValue } from "react-select";
import { SecretSyncConnectionField } from "@app/components/secret-syncs/forms/SecretSyncConnectionField";
import { FilterableSelect, FormControl } from "@app/components/v2";
import {
TRailwayProject,
useRailwayConnectionListProjects
} from "@app/hooks/api/appConnections/railway";
import { SecretSync } from "@app/hooks/api/secretSyncs";
import { TSecretSyncForm } from "../schemas";
export const RailwaySyncFields = () => {
const { control, setValue } = useFormContext<
TSecretSyncForm & { destination: SecretSync.Railway }
>();
const connectionId = useWatch({ name: "connection.id", control });
const projectId = useWatch({ name: "destinationConfig.projectId", control });
const { data: projects = [], isPending: isProjectsLoading } = useRailwayConnectionListProjects(
connectionId,
{
enabled: Boolean(connectionId)
}
);
const environments = useMemo(() => {
return projects.find((p) => p.id === projectId)?.environments ?? [];
}, [projects, projectId]);
const services = useMemo(() => {
return projects.find((p) => p.id === projectId)?.services ?? [];
}, [projects, projectId]);
return (
<>
<SecretSyncConnectionField
onChange={() => {
setValue("destinationConfig.environmentId", "");
setValue("destinationConfig.projectId", "");
setValue("destinationConfig.serviceId", "");
setValue("destinationConfig.projectName", "");
setValue("destinationConfig.environmentName", "");
setValue("destinationConfig.serviceName", "");
}}
/>
<Controller
name="destinationConfig.projectId"
control={control}
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl
isError={Boolean(error)}
errorText={error?.message}
label="Select a project"
tooltipClassName="max-w-md"
>
<FilterableSelect
isLoading={isProjectsLoading && Boolean(connectionId)}
isDisabled={!connectionId}
value={projects.find((p) => p.id === value) ?? null}
onChange={(option) => {
const v = option as SingleValue<TRailwayProject>;
onChange(v?.id ?? null);
setValue("destinationConfig.projectName", v?.name ?? "");
}}
options={projects}
placeholder="Select a project..."
getOptionLabel={(option) => option.name}
getOptionValue={(option) => option.id}
/>
</FormControl>
)}
/>
<Controller
name="destinationConfig.environmentId"
disabled={!connectionId || !projectId}
control={control}
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl
isError={Boolean(error)}
errorText={error?.message}
label="Select an environment"
tooltipClassName="max-w-md"
>
<FilterableSelect
isLoading={isProjectsLoading && Boolean(connectionId)}
isDisabled={!connectionId}
value={environments.find((p) => p.id === value) ?? null}
onChange={(option) => {
const v = option as SingleValue<TRailwayProject>;
onChange(v?.id ?? null);
setValue("destinationConfig.environmentName", v?.name ?? "");
}}
options={environments}
placeholder="Select an environment..."
getOptionLabel={(option) => option.name}
getOptionValue={(option) => option.id}
/>
</FormControl>
)}
/>
<Controller
name="destinationConfig.serviceId"
disabled={!connectionId || !projectId}
control={control}
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl
isError={Boolean(error)}
errorText={error?.message}
label="Select a service"
tooltipClassName="max-w-md"
tooltipText="By default secrets are created as shared variables in Railway."
helperText="Scope your secrets to a specific service within the environment."
>
<FilterableSelect
isLoading={isProjectsLoading && Boolean(connectionId)}
isDisabled={!connectionId}
value={services.find((p) => p.id === value) ?? null}
onChange={(option) => {
const v = option as SingleValue<TRailwayProject>;
onChange(v?.id ?? null);
setValue("destinationConfig.serviceName", v?.name ?? "");
}}
options={services}
placeholder="Select a service..."
getOptionLabel={(option) => option.name}
getOptionValue={(option) => option.id}
/>
</FormControl>
)}
/>
</>
);
};

View File

@ -20,6 +20,7 @@ import { HCVaultSyncFields } from "./HCVaultSyncFields";
import { HerokuSyncFields } from "./HerokuSyncFields";
import { HumanitecSyncFields } from "./HumanitecSyncFields";
import { OCIVaultSyncFields } from "./OCIVaultSyncFields";
import { RailwaySyncFields } from "./RailwaySyncFields";
import { RenderSyncFields } from "./RenderSyncFields";
import { TeamCitySyncFields } from "./TeamCitySyncFields";
import { TerraformCloudSyncFields } from "./TerraformCloudSyncFields";
@ -79,6 +80,8 @@ export const SecretSyncDestinationFields = () => {
return <CloudflarePagesSyncFields />;
case SecretSync.Zabbix:
return <ZabbixSyncFields />;
case SecretSync.Railway:
return <RailwaySyncFields />;
default:
throw new Error(`Unhandled Destination Config Field: ${destination}`);
}

View File

@ -59,6 +59,7 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
case SecretSync.GitLab:
case SecretSync.CloudflarePages:
case SecretSync.Zabbix:
case SecretSync.Railway:
AdditionalSyncOptionsFieldsComponent = null;
break;
default:

View File

@ -0,0 +1,29 @@
import { useFormContext } from "react-hook-form";
import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
import { GenericFieldLabel } from "@app/components/v2";
import { useRailwayConnectionListProjects } from "@app/hooks/api/appConnections/railway";
import { SecretSync } from "@app/hooks/api/secretSyncs";
export const RailwaySyncReviewFields = () => {
const { watch } = useFormContext<TSecretSyncForm & { destination: SecretSync.Railway }>();
const connectionId = watch("connection.id");
const projectId = watch("destinationConfig.projectId");
const environmentId = watch("destinationConfig.environmentId");
const { data: projects = [] } = useRailwayConnectionListProjects(connectionId, {
enabled: Boolean(connectionId)
});
const project = projects.find((p) => p.id === projectId);
const environment = project?.environments.find((e) => e.id === environmentId);
return (
<>
<GenericFieldLabel label="Project">{project?.name ?? projectId}</GenericFieldLabel>
<GenericFieldLabel label="Environment">
{environment?.name ?? environmentId}
</GenericFieldLabel>
</>
);
};

View File

@ -30,6 +30,7 @@ import { HerokuSyncReviewFields } from "./HerokuSyncReviewFields";
import { HumanitecSyncReviewFields } from "./HumanitecSyncReviewFields";
import { OCIVaultSyncReviewFields } from "./OCIVaultSyncReviewFields";
import { OnePassSyncReviewFields } from "./OnePassSyncReviewFields";
import { RailwaySyncReviewFields } from "./RailwaySyncReviewFields";
import { RenderSyncReviewFields } from "./RenderSyncReviewFields";
import { TeamCitySyncReviewFields } from "./TeamCitySyncReviewFields";
import { TerraformCloudSyncReviewFields } from "./TerraformCloudSyncReviewFields";
@ -128,6 +129,9 @@ export const SecretSyncReviewFields = () => {
case SecretSync.Zabbix:
DestinationFieldsComponent = <ZabbixSyncReviewFields />;
break;
case SecretSync.Railway:
DestinationFieldsComponent = <RailwaySyncReviewFields />;
break;
default:
throw new Error(`Unhandled Destination Review Fields: ${destination}`);
}

View File

@ -0,0 +1,18 @@
import { z } from "zod";
import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
import { SecretSync } from "@app/hooks/api/secretSyncs";
export const RailwaySyncDestinationSchema = BaseSecretSyncSchema().merge(
z.object({
destination: z.literal(SecretSync.Railway),
destinationConfig: z.object({
projectId: z.string().min(1, "Project ID is required"),
projectName: z.string(),
environmentName: z.string(),
environmentId: z.string().min(1, "Environment is required"),
serviceId: z.string().optional(),
serviceName: z.string().optional()
})
})
);

View File

@ -17,6 +17,7 @@ import { HCVaultSyncDestinationSchema } from "./hc-vault-sync-destination-schema
import { HerokuSyncDestinationSchema } from "./heroku-sync-destination-schema";
import { HumanitecSyncDestinationSchema } from "./humanitec-sync-destination-schema";
import { OCIVaultSyncDestinationSchema } from "./oci-vault-sync-destination-schema";
import { RailwaySyncDestinationSchema } from "./railway-sync-destination-schema";
import { RenderSyncDestinationSchema } from "./render-sync-destination-schema";
import { TeamCitySyncDestinationSchema } from "./teamcity-sync-destination-schema";
import { TerraformCloudSyncDestinationSchema } from "./terraform-cloud-destination-schema";
@ -47,7 +48,8 @@ const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
FlyioSyncDestinationSchema,
GitlabSyncDestinationSchema,
CloudflarePagesSyncDestinationSchema,
ZabbixSyncDestinationSchema
ZabbixSyncDestinationSchema,
RailwaySyncDestinationSchema
]);
export const SecretSyncFormSchema = SecretSyncUnionSchema;

View File

@ -77,3 +77,91 @@ export const parseJson = (src: ArrayBuffer | string) => {
});
return env;
};
/**
* Parses simple flat YAML with support for multiline strings using |, |-, and >.
* @param {ArrayBuffer | string} src
* @returns {Record<string, { value: string, comments: string[] }>}
*/
export function parseYaml(src: ArrayBuffer | string) {
const result: Record<string, { value: string; comments: string[] }> = {};
const content = src.toString().replace(/\r\n?/g, "\n");
const lines = content.split("\n");
let i = 0;
let comments: string[] = [];
while (i < lines.length) {
const line = lines[i].trim();
// Collect comment
if (line.startsWith("#")) {
comments.push(line.slice(1).trim());
i += 1; // move to next line
} else {
// Match key: value or key: |, key: >, etc.
const keyMatch = lines[i].match(/^([\w.-]+)\s*:\s*(.*)$/);
if (keyMatch) {
const [, key, rawValue] = keyMatch;
let value = rawValue.trim();
// Multiline string handling
if (value === "|-" || value === "|" || value === ">") {
const isFolded = value === ">";
const baseIndent = lines[i + 1]?.match(/^(\s*)/)?.[1]?.length ?? 0;
const collectedLines: string[] = [];
i += 1; // move to first content line
while (i < lines.length) {
const current = lines[i];
const currentIndent = current.match(/^(\s*)/)?.[1]?.length ?? 0;
if (current.trim() === "" || currentIndent >= baseIndent) {
collectedLines.push(current.slice(baseIndent));
i += 1; // move to next line
} else {
break;
}
}
if (isFolded) {
// Join lines with space for `>` folded style
value = collectedLines.map((l) => l.trim()).join(" ");
} else {
// Keep lines with newlines for `|` and `|-`
value = collectedLines.join("\n");
}
} else {
// Inline value — strip quotes and inline comment
const commentIndex = value.indexOf(" #");
if (commentIndex !== -1) {
value = value.slice(0, commentIndex).trim();
}
// Remove surrounding quotes
if (
(value.startsWith('"') && value.endsWith('"')) ||
(value.startsWith("'") && value.endsWith("'"))
) {
value = value.slice(1, -1);
}
i += 1; // advance to next line
}
result[key] = {
value,
comments: [...comments]
};
comments = []; // reset
} else {
i += 1; // skip unknown line
}
}
}
return result;
}

View File

@ -26,6 +26,7 @@ export const envConfig = {
import.meta.env.VITE_TELEMETRY_CAPTURING_ENABLED === true
);
},
get PLATFORM_VERSION() {
return import.meta.env.VITE_INFISICAL_PLATFORM_VERSION;
}

View File

@ -43,6 +43,7 @@ import {
import { BitbucketConnectionMethod } from "@app/hooks/api/appConnections/types/bitbucket-connection";
import { HerokuConnectionMethod } from "@app/hooks/api/appConnections/types/heroku-connection";
import { OCIConnectionMethod } from "@app/hooks/api/appConnections/types/oci-connection";
import { RailwayConnectionMethod } from "@app/hooks/api/appConnections/types/railway-connection";
import { RenderConnectionMethod } from "@app/hooks/api/appConnections/types/render-connection";
export const APP_CONNECTION_MAP: Record<
@ -91,8 +92,9 @@ export const APP_CONNECTION_MAP: Record<
[AppConnection.Flyio]: { name: "Fly.io", image: "Flyio.svg" },
[AppConnection.Gitlab]: { name: "GitLab", image: "GitLab.png" },
[AppConnection.Cloudflare]: { name: "Cloudflare", image: "Cloudflare.png" },
[AppConnection.Bitbucket]: { name: "Bitbucket", image: "Bitbucket.png" },
[AppConnection.Zabbix]: { name: "Zabbix", image: "Zabbix.png" }
[AppConnection.Zabbix]: { name: "Zabbix", image: "Zabbix.png" },
[AppConnection.Railway]: { name: "Railway", image: "Railway.png" },
[AppConnection.Bitbucket]: { name: "Bitbucket", image: "Bitbucket.png" }
};
export const getAppConnectionMethodDetails = (method: TAppConnection["method"]) => {
@ -146,6 +148,12 @@ export const getAppConnectionMethodDetails = (method: TAppConnection["method"])
return { name: "Simple Bind", icon: faLink };
case HerokuConnectionMethod.AuthToken:
return { name: "Auth Token", icon: faKey };
case RailwayConnectionMethod.AccountToken:
return { name: "Account Token", icon: faKey };
case RailwayConnectionMethod.TeamToken:
return { name: "Team Token", icon: faKey };
case RailwayConnectionMethod.ProjectToken:
return { name: "Project Token", icon: faKey };
case RenderConnectionMethod.ApiKey:
return { name: "API Key", icon: faKey };
default:

View File

@ -85,6 +85,10 @@ export const SECRET_SYNC_MAP: Record<SecretSync, { name: string; image: string }
[SecretSync.Zabbix]: {
name: "Zabbix",
image: "Zabbix.png"
},
[SecretSync.Railway]: {
name: "Railway",
image: "Railway.png"
}
};
@ -111,7 +115,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
[SecretSync.Flyio]: AppConnection.Flyio,
[SecretSync.GitLab]: AppConnection.Gitlab,
[SecretSync.CloudflarePages]: AppConnection.Cloudflare,
[SecretSync.Zabbix]: AppConnection.Zabbix
[SecretSync.Zabbix]: AppConnection.Zabbix,
[SecretSync.Railway]: AppConnection.Railway
};
export const SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP: Record<

View File

@ -40,6 +40,7 @@ export type TServerConfig = {
trustLdapEmails: boolean;
trustOidcEmails: boolean;
isSecretScanningDisabled: boolean;
kubernetesAutoFetchServiceAccountToken: boolean;
defaultAuthOrgSlug: string | null;
defaultAuthOrgId: string | null;
defaultAuthOrgAuthMethod?: string | null;

Some files were not shown because too many files have changed in this diff Show More