misc: updated admin integration picture

doc: add mention of helm install for pki issuer

backend/src/db/instance.ts

@@ -50,6 +50,8 @@ export const initDbConnection = ({
           }
         : false
     },
+    // https://knexjs.org/guide/#pool
+    pool: { min: 0, max: 10 },
     migrations: {
       tableName: "infisical_migrations"
     }
@@ -70,7 +72,8 @@ export const initDbConnection = ({
       },
       migrations: {
         tableName: "infisical_migrations"
-      }
+      },
+      pool: { min: 0, max: 10 }
     });
   });
 

backend/src/db/migrations/20250613153957_add-machine-identity-delete-protection.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.Identity, "hasDeleteProtection");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.Identity, (t) => {
+      t.boolean("hasDeleteProtection").notNullable().defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.Identity, "hasDeleteProtection");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.Identity, (t) => {
+      t.dropColumn("hasDeleteProtection");
+    });
+  }
+}

backend/src/db/migrations/20250618172150_increase-aws-arn-field-size.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.string("allowedPrincipalArns", 2048).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.string("allowedPrincipalArns", 255).notNullable().alter();
+    });
+  }
+}

backend/src/db/migrations/20250620144939_add-instance-github-app-connection-credentials.ts

@@ -0,0 +1,91 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptedGithubAppConnectionClientIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientId"
+  );
+  const hasEncryptedGithubAppConnectionClientSecretColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientSecret"
+  );
+
+  const hasEncryptedGithubAppConnectionSlugColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionSlug"
+  );
+
+  const hasEncryptedGithubAppConnectionAppIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionId"
+  );
+
+  const hasEncryptedGithubAppConnectionAppPrivateKeyColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionPrivateKey"
+  );
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (!hasEncryptedGithubAppConnectionClientIdColumn) {
+      t.binary("encryptedGitHubAppConnectionClientId").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionClientSecretColumn) {
+      t.binary("encryptedGitHubAppConnectionClientSecret").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionSlugColumn) {
+      t.binary("encryptedGitHubAppConnectionSlug").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionAppIdColumn) {
+      t.binary("encryptedGitHubAppConnectionId").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionAppPrivateKeyColumn) {
+      t.binary("encryptedGitHubAppConnectionPrivateKey").nullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptedGithubAppConnectionClientIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientId"
+  );
+  const hasEncryptedGithubAppConnectionClientSecretColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientSecret"
+  );
+
+  const hasEncryptedGithubAppConnectionSlugColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionSlug"
+  );
+
+  const hasEncryptedGithubAppConnectionAppIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionId"
+  );
+
+  const hasEncryptedGithubAppConnectionAppPrivateKeyColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionPrivateKey"
+  );
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (hasEncryptedGithubAppConnectionClientIdColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionClientId");
+    }
+    if (hasEncryptedGithubAppConnectionClientSecretColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionClientSecret");
+    }
+    if (hasEncryptedGithubAppConnectionSlugColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionSlug");
+    }
+    if (hasEncryptedGithubAppConnectionAppIdColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionId");
+    }
+    if (hasEncryptedGithubAppConnectionAppPrivateKeyColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionPrivateKey");
+    }
+  });
+}

backend/src/db/schemas/identities.ts

@@ -12,7 +12,8 @@ export const IdentitiesSchema = z.object({
   name: z.string(),
   authMethod: z.string().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  hasDeleteProtection: z.boolean().default(false)
 });
 
 export type TIdentities = z.infer<typeof IdentitiesSchema>;

backend/src/db/schemas/super-admin.ts

@@ -29,7 +29,12 @@ export const SuperAdminSchema = z.object({
   adminIdentityIds: z.string().array().nullable().optional(),
   encryptedMicrosoftTeamsAppId: zodBuffer.nullable().optional(),
   encryptedMicrosoftTeamsClientSecret: zodBuffer.nullable().optional(),
-  encryptedMicrosoftTeamsBotId: zodBuffer.nullable().optional()
+  encryptedMicrosoftTeamsBotId: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionClientId: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionClientSecret: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/ee/routes/v1/group-router.ts

@@ -48,7 +48,9 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
         id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
       }),
       response: {
-        200: GroupsSchema
+        200: GroupsSchema.extend({
+          customRoleSlug: z.string().nullable()
+        })
       }
     },
     handler: async (req) => {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -780,6 +780,7 @@ interface CreateIdentityEvent {
   metadata: {
     identityId: string;
     name: string;
+    hasDeleteProtection: boolean;
   };
 }
 
@@ -788,6 +789,7 @@ interface UpdateIdentityEvent {
   metadata: {
     identityId: string;
     name?: string;
+    hasDeleteProtection?: boolean;
   };
 }
 

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -128,11 +128,21 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
     const username = generateUsername(usernameTemplate, identity);
     const { policyArns, userGroups, policyDocument, awsPath, permissionBoundaryPolicyArn } = providerInputs;
+    const awsTags = [{ Key: "createdBy", Value: "infisical-dynamic-secret" }];
+
+    if (providerInputs.tags && Array.isArray(providerInputs.tags)) {
+      const additionalTags = providerInputs.tags.map((tag) => ({
+        Key: tag.key,
+        Value: tag.value
+      }));
+      awsTags.push(...additionalTags);
+    }
+
     const createUserRes = await client.send(
       new CreateUserCommand({
         Path: awsPath,
         PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
-        Tags: [{ Key: "createdBy", Value: "infisical-dynamic-secret" }],
+        Tags: awsTags,
         UserName: username
       })
     );

backend/src/ee/services/dynamic-secret/providers/github.ts

@@ -0,0 +1,133 @@
+import axios from "axios";
+import * as jwt from "jsonwebtoken";
+
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { DynamicSecretGithubSchema, TDynamicProviderFns } from "./models";
+
+interface GitHubInstallationTokenResponse {
+  token: string;
+  expires_at: string; // ISO 8601 timestamp e.g., "2024-01-15T12:00:00Z"
+  permissions?: Record<string, string>;
+  repository_selection?: string;
+}
+
+interface TGithubProviderInputs {
+  appId: number;
+  installationId: number;
+  privateKey: string;
+}
+
+export const GithubProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretGithubSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const $generateGitHubInstallationAccessToken = async (
+    credentials: TGithubProviderInputs
+  ): Promise<GitHubInstallationTokenResponse> => {
+    const { appId, installationId, privateKey } = credentials;
+
+    const nowInSeconds = Math.floor(Date.now() / 1000);
+    const jwtPayload = {
+      iat: nowInSeconds - 5,
+      exp: nowInSeconds + 60,
+      iss: String(appId)
+    };
+
+    let appJwt: string;
+    try {
+      appJwt = jwt.sign(jwtPayload, privateKey, { algorithm: "RS256" });
+    } catch (error) {
+      let message = "Failed to sign JWT.";
+      if (error instanceof jwt.JsonWebTokenError) {
+        message += ` JsonWebTokenError: ${error.message}`;
+      }
+      throw new InternalServerError({
+        message
+      });
+    }
+
+    const tokenUrl = `${IntegrationUrls.GITHUB_API_URL}/app/installations/${String(installationId)}/access_tokens`;
+
+    try {
+      const response = await axios.post<GitHubInstallationTokenResponse>(tokenUrl, undefined, {
+        headers: {
+          Authorization: `Bearer ${appJwt}`,
+          Accept: "application/vnd.github.v3+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      });
+
+      if (response.status === 201 && response.data.token) {
+        return response.data; // Includes token, expires_at, permissions, repository_selection
+      }
+
+      throw new InternalServerError({
+        message: `GitHub API responded with unexpected status ${response.status}: ${JSON.stringify(response.data)}`
+      });
+    } catch (error) {
+      let message = "Failed to fetch GitHub installation access token.";
+      if (axios.isAxiosError(error) && error.response) {
+        const githubErrorMsg =
+          (error.response.data as { message?: string })?.message || JSON.stringify(error.response.data);
+        message += ` GitHub API Error: ${error.response.status} - ${githubErrorMsg}`;
+
+        // Classify as BadRequestError for auth-related issues (401, 403, 404) which might be due to user input
+        if ([401, 403, 404].includes(error.response.status)) {
+          throw new BadRequestError({ message });
+        }
+      }
+
+      throw new InternalServerError({ message });
+    }
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    await $generateGitHubInstallationAccessToken(providerInputs);
+    return true;
+  };
+
+  const create = async (data: { inputs: unknown }) => {
+    const { inputs } = data;
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
+    const entityId = alphaNumericNanoId(32);
+
+    return {
+      entityId,
+      data: {
+        TOKEN: ghTokenData.token,
+        EXPIRES_AT: ghTokenData.expires_at,
+        PERMISSIONS: ghTokenData.permissions,
+        REPOSITORY_SELECTION: ghTokenData.repository_selection
+      }
+    };
+  };
+
+  const revoke = async () => {
+    // GitHub installation tokens cannot be revoked.
+    throw new BadRequestError({
+      message:
+        "Github dynamic secret does not support revocation because GitHub itself cannot revoke installation tokens"
+    });
+  };
+
+  const renew = async () => {
+    // No renewal
+    throw new BadRequestError({ message: "Github dynamic secret does not support renewal" });
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -7,6 +7,7 @@ import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
 import { GcpIamProvider } from "./gcp-iam";
+import { GithubProvider } from "./github";
 import { KubernetesProvider } from "./kubernetes";
 import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./models";
@@ -44,5 +45,6 @@ export const buildDynamicSecretProviders = ({
   [DynamicSecretProviders.SapAse]: SapAseProvider(),
   [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService }),
   [DynamicSecretProviders.Vertica]: VerticaProvider({ gatewayService }),
-  [DynamicSecretProviders.GcpIam]: GcpIamProvider()
+  [DynamicSecretProviders.GcpIam]: GcpIamProvider(),
+  [DynamicSecretProviders.Github]: GithubProvider()
 });

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -2,6 +2,7 @@ import RE2 from "re2";
 import { z } from "zod";
 
 import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 import { TDynamicSecretLeaseConfig } from "../../dynamic-secret-lease/dynamic-secret-lease-types";
 
@@ -207,7 +208,8 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
       permissionBoundaryPolicyArn: z.string().trim().optional(),
       policyDocument: z.string().trim().optional(),
       userGroups: z.string().trim().optional(),
-      policyArns: z.string().trim().optional()
+      policyArns: z.string().trim().optional(),
+      tags: ResourceMetadataSchema.optional()
     }),
     z.object({
       method: z.literal(AwsIamAuthType.AssumeRole),
@@ -217,7 +219,8 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
       permissionBoundaryPolicyArn: z.string().trim().optional(),
       policyDocument: z.string().trim().optional(),
       userGroups: z.string().trim().optional(),
-      policyArns: z.string().trim().optional()
+      policyArns: z.string().trim().optional(),
+      tags: ResourceMetadataSchema.optional()
     })
   ])
 );
@@ -474,6 +477,23 @@ export const DynamicSecretGcpIamSchema = z.object({
   serviceAccountEmail: z.string().email().trim().min(1, "Service account email required").max(128)
 });
 
+export const DynamicSecretGithubSchema = z.object({
+  appId: z.number().min(1).describe("The ID of your GitHub App."),
+  installationId: z.number().min(1).describe("The ID of the GitHub App installation."),
+  privateKey: z
+    .string()
+    .trim()
+    .min(1)
+    .refine(
+      (val) =>
+        new RE2(
+          /^-----BEGIN(?:(?: RSA| PGP| ENCRYPTED)? PRIVATE KEY)-----\s*[\s\S]*?-----END(?:(?: RSA| PGP| ENCRYPTED)? PRIVATE KEY)-----$/
+        ).test(val),
+      "Invalid PEM format for private key"
+    )
+    .describe("The private key generated for your GitHub App.")
+});
+
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
   Cassandra = "cassandra",
@@ -492,7 +512,8 @@ export enum DynamicSecretProviders {
   SapAse = "sap-ase",
   Kubernetes = "kubernetes",
   Vertica = "vertica",
-  GcpIam = "gcp-iam"
+  GcpIam = "gcp-iam",
+  Github = "github"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -513,7 +534,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Vertica), inputs: DynamicSecretVerticaSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.GcpIam), inputs: DynamicSecretGcpIamSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.GcpIam), inputs: DynamicSecretGcpIamSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/group/group-dal.ts

@@ -169,11 +169,29 @@ export const groupDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findById = async (id: string, tx?: Knex) => {
+    try {
+      const doc = await (tx || db.replicaNode())(TableName.Groups)
+        .leftJoin(TableName.OrgRoles, `${TableName.Groups}.roleId`, `${TableName.OrgRoles}.id`)
+        .where(`${TableName.Groups}.id`, id)
+        .select(
+          selectAllTableCols(TableName.Groups),
+          db.ref("slug").as("customRoleSlug").withSchema(TableName.OrgRoles)
+        )
+        .first();
+
+      return doc;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find by id" });
+    }
+  };
+
   return {
+    ...groupOrm,
     findGroups,
     findByOrgId,
     findAllGroupPossibleMembers,
     findGroupsByProjectId,
-    ...groupOrm
+    findById
   };
 };

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -698,9 +698,9 @@ export const oidcConfigServiceFactory = ({
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       (_req: any, tokenSet: TokenSet, cb: any) => {
         const claims = tokenSet.claims();
-        if (!claims.email || !claims.given_name) {
+        if (!claims.email) {
           throw new BadRequestError({
-            message: "Invalid request. Missing email or first name"
+            message: "Invalid request. Missing email claim."
           });
         }
 
@@ -713,12 +713,19 @@ export const oidcConfigServiceFactory = ({
           }
         }
 
+        const name = claims?.given_name || claims?.name;
+        if (!name) {
+          throw new BadRequestError({
+            message: "Invalid request. Missing name claim."
+          });
+        }
+
         const groups = typeof claims.groups === "string" ? [claims.groups] : (claims.groups as string[] | undefined);
 
         oidcLogin({
           email: claims.email.toLowerCase(),
           externalId: claims.sub,
-          firstName: claims.given_name ?? "",
+          firstName: name,
           lastName: claims.family_name ?? "",
           orgId: org.id,
           groups,

backend/src/ee/services/permission/project-permission.ts

@@ -211,6 +211,11 @@ export type SecretFolderSubjectFields = {
   secretPath: string;
 };
 
+export type SecretSyncSubjectFields = {
+  environment: string;
+  secretPath: string;
+};
+
 export type DynamicSecretSubjectFields = {
   environment: string;
   secretPath: string;
@@ -267,6 +272,10 @@ export type ProjectPermissionSet =
         | (ForcedSubject<ProjectPermissionSub.DynamicSecrets> & DynamicSecretSubjectFields)
       )
     ]
+  | [
+      ProjectPermissionSecretSyncActions,
+      ProjectPermissionSub.SecretSyncs | (ForcedSubject<ProjectPermissionSub.SecretSyncs> & SecretSyncSubjectFields)
+    ]
   | [
       ProjectPermissionActions,
       (
@@ -323,7 +332,6 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.SshHostGroups]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
-  | [ProjectPermissionSecretSyncActions, ProjectPermissionSub.SecretSyncs]
   | [ProjectPermissionKmipActions, ProjectPermissionSub.Kmip]
   | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
@@ -412,6 +420,23 @@ const DynamicSecretConditionV2Schema = z
   })
   .partial();
 
+const SecretSyncConditionV2Schema = z
+  .object({
+    environment: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
+          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
+        })
+        .partial()
+    ]),
+    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA
+  })
+  .partial();
+
 const SecretImportConditionSchema = z
   .object({
     environment: z.union([
@@ -671,12 +696,6 @@ const GeneralPermissionSchema = [
       "Describe what action an entity can take."
     )
   }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.SecretSyncs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretSyncActions).describe(
-      "Describe what action an entity can take."
-    )
-  }),
   z.object({
     subject: z.literal(ProjectPermissionSub.Kmip).describe("The entity this permission pertains to."),
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionKmipActions).describe(
@@ -836,6 +855,16 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.SecretSyncs).describe("The entity this permission pertains to."),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretSyncActions).describe(
+      "Describe what action an entity can take."
+    ),
+    conditions: SecretSyncConditionV2Schema.describe(
+      "When specified, only matching conditions will be allowed to access given resource."
+    ).optional()
+  }),
 
   ...GeneralPermissionSchema
 ]);

backend/src/lib/api-docs/constants.ts

@@ -111,12 +111,14 @@ export const IDENTITIES = {
   CREATE: {
     name: "The name of the identity to create.",
     organizationId: "The organization ID to which the identity belongs.",
-    role: "The role of the identity. Possible values are 'no-access', 'member', and 'admin'."
+    role: "The role of the identity. Possible values are 'no-access', 'member', and 'admin'.",
+    hasDeleteProtection: "Prevents deletion of the identity when enabled."
   },
   UPDATE: {
     identityId: "The ID of the identity to update.",
     name: "The new name of the identity.",
-    role: "The new role of the identity."
+    role: "The new role of the identity.",
+    hasDeleteProtection: "Prevents deletion of the identity when enabled."
   },
   DELETE: {
     identityId: "The ID of the identity to delete."
@@ -2223,6 +2225,9 @@ export const AppConnections = {
     ONEPASS: {
       instanceUrl: "The URL of the 1Password Connect Server instance to authenticate with.",
       apiToken: "The API token used to access the 1Password Connect Server."
+    },
+    FLYIO: {
+      accessToken: "The Access Token used to access fly.io."
     }
   }
 };
@@ -2384,6 +2389,18 @@ export const SecretSyncs = {
     },
     ONEPASS: {
       vaultId: "The ID of the 1Password vault to sync secrets to."
+    },
+    HEROKU: {
+      app: "The ID of the Heroku app to sync secrets to.",
+      appName: "The name of the Heroku app to sync secrets to."
+    },
+    RENDER: {
+      serviceId: "The ID of the Render service to sync secrets to.",
+      scope: "The Render scope that secrets should be synced to.",
+      type: "The Render resource type to sync secrets to."
+    },
+    FLYIO: {
+      appId: "The ID of the Fly.io app to sync secrets to."
     }
   }
 };

backend/src/server/routes/index.ts

@@ -2020,10 +2020,16 @@ export const registerRoutes = async (
     if (licenseSyncJob) {
       cronJobs.push(licenseSyncJob);
     }
+
     const microsoftTeamsSyncJob = await microsoftTeamsService.initializeBackgroundSync();
     if (microsoftTeamsSyncJob) {
       cronJobs.push(microsoftTeamsSyncJob);
     }
+
+    const adminIntegrationsSyncJob = await superAdminService.initializeAdminIntegrationConfigSync();
+    if (adminIntegrationsSyncJob) {
+      cronJobs.push(adminIntegrationsSyncJob);
+    }
   }
 
   server.decorate<FastifyZodProvider["store"]>("store", {

backend/src/server/routes/v1/admin-router.ts

@@ -37,7 +37,12 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
             encryptedSlackClientSecret: true,
             encryptedMicrosoftTeamsAppId: true,
             encryptedMicrosoftTeamsClientSecret: true,
-            encryptedMicrosoftTeamsBotId: true
+            encryptedMicrosoftTeamsBotId: true,
+            encryptedGitHubAppConnectionClientId: true,
+            encryptedGitHubAppConnectionClientSecret: true,
+            encryptedGitHubAppConnectionSlug: true,
+            encryptedGitHubAppConnectionId: true,
+            encryptedGitHubAppConnectionPrivateKey: true
           }).extend({
             isMigrationModeOn: z.boolean(),
             defaultAuthOrgSlug: z.string().nullable(),
@@ -87,6 +92,11 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
         microsoftTeamsAppId: z.string().optional(),
         microsoftTeamsClientSecret: z.string().optional(),
         microsoftTeamsBotId: z.string().optional(),
+        gitHubAppConnectionClientId: z.string().optional(),
+        gitHubAppConnectionClientSecret: z.string().optional(),
+        gitHubAppConnectionSlug: z.string().optional(),
+        gitHubAppConnectionId: z.string().optional(),
+        gitHubAppConnectionPrivateKey: z.string().optional(),
         authConsentContent: z
           .string()
           .trim()
@@ -348,6 +358,13 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
             appId: z.string(),
             clientSecret: z.string(),
             botId: z.string()
+          }),
+          gitHubAppConnection: z.object({
+            clientId: z.string(),
+            clientSecret: z.string(),
+            appSlug: z.string(),
+            appId: z.string(),
+            privateKey: z.string()
           })
         })
       }

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -39,6 +39,7 @@ import {
   DatabricksConnectionListItemSchema,
   SanitizedDatabricksConnectionSchema
 } from "@app/services/app-connection/databricks";
+import { FlyioConnectionListItemSchema, SanitizedFlyioConnectionSchema } from "@app/services/app-connection/flyio";
 import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
 import {
@@ -49,6 +50,7 @@ import {
   HCVaultConnectionListItemSchema,
   SanitizedHCVaultConnectionSchema
 } from "@app/services/app-connection/hc-vault";
+import { HerokuConnectionListItemSchema, SanitizedHerokuConnectionSchema } from "@app/services/app-connection/heroku";
 import {
   HumanitecConnectionListItemSchema,
   SanitizedHumanitecConnectionSchema
@@ -60,6 +62,10 @@ import {
   PostgresConnectionListItemSchema,
   SanitizedPostgresConnectionSchema
 } from "@app/services/app-connection/postgres";
+import {
+  RenderConnectionListItemSchema,
+  SanitizedRenderConnectionSchema
+} from "@app/services/app-connection/render/render-connection-schema";
 import {
   SanitizedTeamCityConnectionSchema,
   TeamCityConnectionListItemSchema
@@ -100,7 +106,10 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedTeamCityConnectionSchema.options,
   ...SanitizedOCIConnectionSchema.options,
   ...SanitizedOracleDBConnectionSchema.options,
-  ...SanitizedOnePassConnectionSchema.options
+  ...SanitizedOnePassConnectionSchema.options,
+  ...SanitizedHerokuConnectionSchema.options,
+  ...SanitizedRenderConnectionSchema.options,
+  ...SanitizedFlyioConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -127,7 +136,10 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   TeamCityConnectionListItemSchema,
   OCIConnectionListItemSchema,
   OracleDBConnectionListItemSchema,
-  OnePassConnectionListItemSchema
+  OnePassConnectionListItemSchema,
+  HerokuConnectionListItemSchema,
+  RenderConnectionListItemSchema,
+  FlyioConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/flyio-connection-router.ts

@@ -0,0 +1,51 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateFlyioConnectionSchema,
+  SanitizedFlyioConnectionSchema,
+  UpdateFlyioConnectionSchema
+} from "@app/services/app-connection/flyio";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerFlyioConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Flyio,
+    server,
+    sanitizedResponseSchema: SanitizedFlyioConnectionSchema,
+    createSchema: CreateFlyioConnectionSchema,
+    updateSchema: UpdateFlyioConnectionSchema
+  });
+
+  // The following endpoints are for internal Infisical App use only and not part of the public API
+  server.route({
+    method: "GET",
+    url: `/:connectionId/apps`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const apps = await server.services.appConnection.flyio.listApps(connectionId, req.permission);
+      return apps;
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/heroku-connection-router.ts

@@ -0,0 +1,54 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateHerokuConnectionSchema,
+  SanitizedHerokuConnectionSchema,
+  THerokuApp,
+  UpdateHerokuConnectionSchema
+} from "@app/services/app-connection/heroku";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerHerokuConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Heroku,
+    server,
+    sanitizedResponseSchema: SanitizedHerokuConnectionSchema,
+    createSchema: CreateHerokuConnectionSchema,
+    updateSchema: UpdateHerokuConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/apps`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const apps: THerokuApp[] = await server.services.appConnection.heroku.listApps(connectionId, req.permission);
+
+      return apps;
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -11,15 +11,18 @@ import { registerAzureDevOpsConnectionRouter } from "./azure-devops-connection-r
 import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connection-router";
 import { registerCamundaConnectionRouter } from "./camunda-connection-router";
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
+import { registerFlyioConnectionRouter } from "./flyio-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
 import { registerGitHubRadarConnectionRouter } from "./github-radar-connection-router";
 import { registerHCVaultConnectionRouter } from "./hc-vault-connection-router";
+import { registerHerokuConnectionRouter } from "./heroku-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
 import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
 import { registerMySqlConnectionRouter } from "./mysql-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
+import { registerRenderConnectionRouter } from "./render-connection-router";
 import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
 import { registerVercelConnectionRouter } from "./vercel-connection-router";
@@ -52,5 +55,8 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.TeamCity]: registerTeamCityConnectionRouter,
     [AppConnection.OCI]: registerOCIConnectionRouter,
     [AppConnection.OracleDB]: registerOracleDBConnectionRouter,
-    [AppConnection.OnePass]: registerOnePassConnectionRouter
+    [AppConnection.OnePass]: registerOnePassConnectionRouter,
+    [AppConnection.Heroku]: registerHerokuConnectionRouter,
+    [AppConnection.Render]: registerRenderConnectionRouter,
+    [AppConnection.Flyio]: registerFlyioConnectionRouter
   };

backend/src/server/routes/v1/app-connection-routers/render-connection-router.ts

@@ -0,0 +1,52 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateRenderConnectionSchema,
+  SanitizedRenderConnectionSchema,
+  UpdateRenderConnectionSchema
+} from "@app/services/app-connection/render/render-connection-schema";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerRenderConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Render,
+    server,
+    sanitizedResponseSchema: SanitizedRenderConnectionSchema,
+    createSchema: CreateRenderConnectionSchema,
+    updateSchema: UpdateRenderConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/services`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const services = await server.services.appConnection.render.listServices(connectionId, req.permission);
+
+      return services;
+    }
+  });
+};

backend/src/server/routes/v1/identity-router.ts

@@ -44,6 +44,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         name: z.string().trim().describe(IDENTITIES.CREATE.name),
         organizationId: z.string().trim().describe(IDENTITIES.CREATE.organizationId),
         role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(IDENTITIES.CREATE.role),
+        hasDeleteProtection: z.boolean().default(false).describe(IDENTITIES.CREATE.hasDeleteProtection),
         metadata: z
           .object({ key: z.string().trim().min(1), value: z.string().trim().min(1) })
           .array()
@@ -75,6 +76,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
           type: EventType.CREATE_IDENTITY,
           metadata: {
             name: identity.name,
+            hasDeleteProtection: identity.hasDeleteProtection,
             identityId: identity.id
           }
         }
@@ -86,6 +88,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         properties: {
           orgId: req.body.organizationId,
           name: identity.name,
+          hasDeleteProtection: identity.hasDeleteProtection,
           identityId: identity.id,
           ...req.auditLogInfo
         }
@@ -117,6 +120,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         name: z.string().trim().optional().describe(IDENTITIES.UPDATE.name),
         role: z.string().trim().min(1).optional().describe(IDENTITIES.UPDATE.role),
+        hasDeleteProtection: z.boolean().optional().describe(IDENTITIES.UPDATE.hasDeleteProtection),
         metadata: z
           .object({ key: z.string().trim().min(1), value: z.string().trim().min(1) })
           .array()
@@ -148,6 +152,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
           type: EventType.UPDATE_IDENTITY,
           metadata: {
             name: identity.name,
+            hasDeleteProtection: identity.hasDeleteProtection,
             identityId: identity.id
           }
         }
@@ -243,7 +248,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
               permissions: true,
               description: true
             }).optional(),
-            identity: IdentitiesSchema.pick({ name: true, id: true }).extend({
+            identity: IdentitiesSchema.pick({ name: true, id: true, hasDeleteProtection: true }).extend({
               authMethods: z.array(z.string())
             })
           })
@@ -292,7 +297,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
               permissions: true,
               description: true
             }).optional(),
-            identity: IdentitiesSchema.pick({ name: true, id: true }).extend({
+            identity: IdentitiesSchema.pick({ name: true, id: true, hasDeleteProtection: true }).extend({
               authMethods: z.array(z.string())
             })
           }).array(),
@@ -386,7 +391,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
               permissions: true,
               description: true
             }).optional(),
-            identity: IdentitiesSchema.pick({ name: true, id: true }).extend({
+            identity: IdentitiesSchema.pick({ name: true, id: true, hasDeleteProtection: true }).extend({
               authMethods: z.array(z.string())
             })
           }).array(),
@@ -451,7 +456,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
                   temporaryAccessEndTime: z.date().nullable().optional()
                 })
               ),
-              identity: IdentitiesSchema.pick({ name: true, id: true }).extend({
+              identity: IdentitiesSchema.pick({ name: true, id: true, hasDeleteProtection: true }).extend({
                 authMethods: z.array(z.string())
               }),
               project: SanitizedProjectSchema.pick({ name: true, id: true, type: true })

backend/src/server/routes/v1/secret-sync-routers/flyio-sync-router.ts

@@ -0,0 +1,13 @@
+import { CreateFlyioSyncSchema, FlyioSyncSchema, UpdateFlyioSyncSchema } from "@app/services/secret-sync/flyio";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerFlyioSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Flyio,
+    server,
+    responseSchema: FlyioSyncSchema,
+    createSchema: CreateFlyioSyncSchema,
+    updateSchema: UpdateFlyioSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/heroku-sync-router.ts

@@ -0,0 +1,13 @@
+import { CreateHerokuSyncSchema, HerokuSyncSchema, UpdateHerokuSyncSchema } from "@app/services/secret-sync/heroku";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerHerokuSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Heroku,
+    server,
+    responseSchema: HerokuSyncSchema,
+    createSchema: CreateHerokuSyncSchema,
+    updateSchema: UpdateHerokuSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -9,10 +9,13 @@ import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
+import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
 import { registerHCVaultSyncRouter } from "./hc-vault-sync-router";
+import { registerHerokuSyncRouter } from "./heroku-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
+import { registerRenderSyncRouter } from "./render-sync-router";
 import { registerTeamCitySyncRouter } from "./teamcity-sync-router";
 import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router";
 import { registerVercelSyncRouter } from "./vercel-sync-router";
@@ -37,5 +40,8 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.HCVault]: registerHCVaultSyncRouter,
   [SecretSync.TeamCity]: registerTeamCitySyncRouter,
   [SecretSync.OCIVault]: registerOCIVaultSyncRouter,
-  [SecretSync.OnePass]: registerOnePassSyncRouter
+  [SecretSync.OnePass]: registerOnePassSyncRouter,
+  [SecretSync.Heroku]: registerHerokuSyncRouter,
+  [SecretSync.Render]: registerRenderSyncRouter,
+  [SecretSync.Flyio]: registerFlyioSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/render-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  CreateRenderSyncSchema,
+  RenderSyncSchema,
+  UpdateRenderSyncSchema
+} from "@app/services/secret-sync/render/render-sync-schemas";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerRenderSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Render,
+    server,
+    responseSchema: RenderSyncSchema,
+    createSchema: CreateRenderSyncSchema,
+    updateSchema: UpdateRenderSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -23,10 +23,13 @@ import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/servi
 import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
 import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
+import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-sync/flyio";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
 import { HCVaultSyncListItemSchema, HCVaultSyncSchema } from "@app/services/secret-sync/hc-vault";
+import { HerokuSyncListItemSchema, HerokuSyncSchema } from "@app/services/secret-sync/heroku";
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
+import { RenderSyncListItemSchema, RenderSyncSchema } from "@app/services/secret-sync/render/render-sync-schemas";
 import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/secret-sync/teamcity";
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
 import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
@@ -49,7 +52,10 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   HCVaultSyncSchema,
   TeamCitySyncSchema,
   OCIVaultSyncSchema,
-  OnePassSyncSchema
+  OnePassSyncSchema,
+  HerokuSyncSchema,
+  RenderSyncSchema,
+  FlyioSyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -69,7 +75,10 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   HCVaultSyncListItemSchema,
   TeamCitySyncListItemSchema,
   OCIVaultSyncListItemSchema,
-  OnePassSyncListItemSchema
+  OnePassSyncListItemSchema,
+  HerokuSyncListItemSchema,
+  RenderSyncListItemSchema,
+  FlyioSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/services/app-connection/app-connection-enums.ts

@@ -22,7 +22,10 @@ export enum AppConnection {
   TeamCity = "teamcity",
   OCI = "oci",
   OracleDB = "oracledb",
-  OnePass = "1password"
+  OnePass = "1password",
+  Heroku = "heroku",
+  Render = "render",
+  Flyio = "flyio"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -56,6 +56,7 @@ import {
   getDatabricksConnectionListItem,
   validateDatabricksConnectionCredentials
 } from "./databricks";
+import { FlyioConnectionMethod, getFlyioConnectionListItem, validateFlyioConnectionCredentials } from "./flyio";
 import { GcpConnectionMethod, getGcpConnectionListItem, validateGcpConnectionCredentials } from "./gcp";
 import { getGitHubConnectionListItem, GitHubConnectionMethod, validateGitHubConnectionCredentials } from "./github";
 import {
@@ -68,6 +69,7 @@ import {
   HCVaultConnectionMethod,
   validateHCVaultConnectionCredentials
 } from "./hc-vault";
+import { getHerokuConnectionListItem, HerokuConnectionMethod, validateHerokuConnectionCredentials } from "./heroku";
 import {
   getHumanitecConnectionListItem,
   HumanitecConnectionMethod,
@@ -78,6 +80,8 @@ import { getMsSqlConnectionListItem, MsSqlConnectionMethod } from "./mssql";
 import { MySqlConnectionMethod } from "./mysql/mysql-connection-enums";
 import { getMySqlConnectionListItem } from "./mysql/mysql-connection-fns";
 import { getPostgresConnectionListItem, PostgresConnectionMethod } from "./postgres";
+import { RenderConnectionMethod } from "./render/render-connection-enums";
+import { getRenderConnectionListItem, validateRenderConnectionCredentials } from "./render/render-connection-fns";
 import {
   getTeamCityConnectionListItem,
   TeamCityConnectionMethod,
@@ -121,7 +125,10 @@ export const listAppConnectionOptions = () => {
     getTeamCityConnectionListItem(),
     getOCIConnectionListItem(),
     getOracleDBConnectionListItem(),
-    getOnePassConnectionListItem()
+    getOnePassConnectionListItem(),
+    getHerokuConnectionListItem(),
+    getRenderConnectionListItem(),
+    getFlyioConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
 
@@ -196,7 +203,10 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.TeamCity]: validateTeamCityConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.OCI]: validateOCIConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.OracleDB]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.OnePass]: validateOnePassConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.OnePass]: validateOnePassConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Heroku]: validateHerokuConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Render]: validateRenderConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
   return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@@ -212,7 +222,10 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case AzureClientSecretsConnectionMethod.OAuth:
     case GitHubConnectionMethod.OAuth:
     case AzureDevOpsConnectionMethod.OAuth:
+    case HerokuConnectionMethod.OAuth:
       return "OAuth";
+    case HerokuConnectionMethod.AuthToken:
+      return "Auth Token";
     case AwsConnectionMethod.AccessKey:
     case OCIConnectionMethod.AccessKey:
       return "Access Key";
@@ -238,6 +251,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case HCVaultConnectionMethod.AccessToken:
     case TeamCityConnectionMethod.AccessToken:
     case AzureDevOpsConnectionMethod.AccessToken:
+    case FlyioConnectionMethod.AccessToken:
       return "Access Token";
     case Auth0ConnectionMethod.ClientCredentials:
       return "Client Credentials";
@@ -245,6 +259,8 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
       return "App Role";
     case LdapConnectionMethod.SimpleBind:
       return "Simple Bind";
+    case RenderConnectionMethod.ApiKey:
+      return "API Key";
     default:
       // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
       throw new Error(`Unhandled App Connection Method: ${method}`);
@@ -299,7 +315,10 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.TeamCity]: platformManagedCredentialsNotSupported,
   [AppConnection.OCI]: platformManagedCredentialsNotSupported,
   [AppConnection.OracleDB]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
-  [AppConnection.OnePass]: platformManagedCredentialsNotSupported
+  [AppConnection.OnePass]: platformManagedCredentialsNotSupported,
+  [AppConnection.Heroku]: platformManagedCredentialsNotSupported,
+  [AppConnection.Render]: platformManagedCredentialsNotSupported,
+  [AppConnection.Flyio]: platformManagedCredentialsNotSupported
 };
 
 export const enterpriseAppCheck = async (

backend/src/services/app-connection/app-connection-maps.ts

@@ -24,7 +24,10 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.TeamCity]: "TeamCity",
   [AppConnection.OCI]: "OCI",
   [AppConnection.OracleDB]: "OracleDB",
-  [AppConnection.OnePass]: "1Password"
+  [AppConnection.OnePass]: "1Password",
+  [AppConnection.Heroku]: "Heroku",
+  [AppConnection.Render]: "Render",
+  [AppConnection.Flyio]: "Fly.io"
 };
 
 export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = {
@@ -51,5 +54,8 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.OCI]: AppConnectionPlanType.Enterprise,
   [AppConnection.OracleDB]: AppConnectionPlanType.Enterprise,
   [AppConnection.OnePass]: AppConnectionPlanType.Regular,
-  [AppConnection.MySql]: AppConnectionPlanType.Regular
+  [AppConnection.MySql]: AppConnectionPlanType.Regular,
+  [AppConnection.Heroku]: AppConnectionPlanType.Regular,
+  [AppConnection.Render]: AppConnectionPlanType.Regular,
+  [AppConnection.Flyio]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -49,6 +49,8 @@ import { ValidateCamundaConnectionCredentialsSchema } from "./camunda";
 import { camundaConnectionService } from "./camunda/camunda-connection-service";
 import { ValidateDatabricksConnectionCredentialsSchema } from "./databricks";
 import { databricksConnectionService } from "./databricks/databricks-connection-service";
+import { ValidateFlyioConnectionCredentialsSchema } from "./flyio";
+import { flyioConnectionService } from "./flyio/flyio-connection-service";
 import { ValidateGcpConnectionCredentialsSchema } from "./gcp";
 import { gcpConnectionService } from "./gcp/gcp-connection-service";
 import { ValidateGitHubConnectionCredentialsSchema } from "./github";
@@ -56,12 +58,16 @@ import { githubConnectionService } from "./github/github-connection-service";
 import { ValidateGitHubRadarConnectionCredentialsSchema } from "./github-radar";
 import { ValidateHCVaultConnectionCredentialsSchema } from "./hc-vault";
 import { hcVaultConnectionService } from "./hc-vault/hc-vault-connection-service";
+import { ValidateHerokuConnectionCredentialsSchema } from "./heroku";
+import { herokuConnectionService } from "./heroku/heroku-connection-service";
 import { ValidateHumanitecConnectionCredentialsSchema } from "./humanitec";
 import { humanitecConnectionService } from "./humanitec/humanitec-connection-service";
 import { ValidateLdapConnectionCredentialsSchema } from "./ldap";
 import { ValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import { ValidateMySqlConnectionCredentialsSchema } from "./mysql";
 import { ValidatePostgresConnectionCredentialsSchema } from "./postgres";
+import { ValidateRenderConnectionCredentialsSchema } from "./render/render-connection-schema";
+import { renderConnectionService } from "./render/render-connection-service";
 import { ValidateTeamCityConnectionCredentialsSchema } from "./teamcity";
 import { teamcityConnectionService } from "./teamcity/teamcity-connection-service";
 import { ValidateTerraformCloudConnectionCredentialsSchema } from "./terraform-cloud";
@@ -104,7 +110,10 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.TeamCity]: ValidateTeamCityConnectionCredentialsSchema,
   [AppConnection.OCI]: ValidateOCIConnectionCredentialsSchema,
   [AppConnection.OracleDB]: ValidateOracleDBConnectionCredentialsSchema,
-  [AppConnection.OnePass]: ValidateOnePassConnectionCredentialsSchema
+  [AppConnection.OnePass]: ValidateOnePassConnectionCredentialsSchema,
+  [AppConnection.Heroku]: ValidateHerokuConnectionCredentialsSchema,
+  [AppConnection.Render]: ValidateRenderConnectionCredentialsSchema,
+  [AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
@@ -509,6 +518,9 @@ export const appConnectionServiceFactory = ({
     windmill: windmillConnectionService(connectAppConnectionById),
     teamcity: teamcityConnectionService(connectAppConnectionById),
     oci: ociConnectionService(connectAppConnectionById, licenseService),
-    onepass: onePassConnectionService(connectAppConnectionById)
+    onepass: onePassConnectionService(connectAppConnectionById),
+    heroku: herokuConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
+    render: renderConnectionService(connectAppConnectionById),
+    flyio: flyioConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -68,6 +68,12 @@ import {
   TDatabricksConnectionInput,
   TValidateDatabricksConnectionCredentialsSchema
 } from "./databricks";
+import {
+  TFlyioConnection,
+  TFlyioConnectionConfig,
+  TFlyioConnectionInput,
+  TValidateFlyioConnectionCredentialsSchema
+} from "./flyio";
 import {
   TGcpConnection,
   TGcpConnectionConfig,
@@ -92,6 +98,12 @@ import {
   THCVaultConnectionInput,
   TValidateHCVaultConnectionCredentialsSchema
 } from "./hc-vault";
+import {
+  THerokuConnection,
+  THerokuConnectionConfig,
+  THerokuConnectionInput,
+  TValidateHerokuConnectionCredentialsSchema
+} from "./heroku";
 import {
   THumanitecConnection,
   THumanitecConnectionConfig,
@@ -111,6 +123,12 @@ import {
   TPostgresConnectionInput,
   TValidatePostgresConnectionCredentialsSchema
 } from "./postgres";
+import {
+  TRenderConnection,
+  TRenderConnectionConfig,
+  TRenderConnectionInput,
+  TValidateRenderConnectionCredentialsSchema
+} from "./render/render-connection-types";
 import {
   TTeamCityConnection,
   TTeamCityConnectionConfig,
@@ -161,6 +179,9 @@ export type TAppConnection = { id: string } & (
   | TOCIConnection
   | TOracleDBConnection
   | TOnePassConnection
+  | THerokuConnection
+  | TRenderConnection
+  | TFlyioConnection
 );
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -192,6 +213,9 @@ export type TAppConnectionInput = { id: string } & (
   | TOCIConnectionInput
   | TOracleDBConnectionInput
   | TOnePassConnectionInput
+  | THerokuConnectionInput
+  | TRenderConnectionInput
+  | TFlyioConnectionInput
 );
 
 export type TSqlConnectionInput =
@@ -230,7 +254,10 @@ export type TAppConnectionConfig =
   | TLdapConnectionConfig
   | TTeamCityConnectionConfig
   | TOCIConnectionConfig
-  | TOnePassConnectionConfig;
+  | TOnePassConnectionConfig
+  | THerokuConnectionConfig
+  | TRenderConnectionConfig
+  | TFlyioConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
   | TValidateAwsConnectionCredentialsSchema
@@ -256,7 +283,10 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateTeamCityConnectionCredentialsSchema
   | TValidateOCIConnectionCredentialsSchema
   | TValidateOracleDBConnectionCredentialsSchema
-  | TValidateOnePassConnectionCredentialsSchema;
+  | TValidateOnePassConnectionCredentialsSchema
+  | TValidateHerokuConnectionCredentialsSchema
+  | TValidateRenderConnectionCredentialsSchema
+  | TValidateFlyioConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {
   connectionId: string;

backend/src/services/app-connection/flyio/flyio-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum FlyioConnectionMethod {
+  AccessToken = "access-token"
+}

backend/src/services/app-connection/flyio/flyio-connection-fns.ts

@@ -0,0 +1,72 @@
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { FlyioConnectionMethod } from "./flyio-connection-enums";
+import { TFlyioApp, TFlyioConnection, TFlyioConnectionConfig } from "./flyio-connection-types";
+
+export const getFlyioConnectionListItem = () => {
+  return {
+    name: "Fly.io" as const,
+    app: AppConnection.Flyio as const,
+    methods: Object.values(FlyioConnectionMethod) as [FlyioConnectionMethod.AccessToken]
+  };
+};
+
+export const validateFlyioConnectionCredentials = async (config: TFlyioConnectionConfig) => {
+  const { accessToken } = config.credentials;
+
+  try {
+    const resp = await request.post<{ data: { viewer: { id: string | null; email: string } } | null }>(
+      IntegrationUrls.FLYIO_API_URL,
+      { query: "query { viewer { id email } }" },
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Content-Type": "application/json"
+        }
+      }
+    );
+
+    if (resp.data.data === null) {
+      throw new BadRequestError({
+        message: "Unable to validate connection: Invalid access token provided."
+      });
+    }
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+
+  return config.credentials;
+};
+
+export const listFlyioApps = async (appConnection: TFlyioConnection) => {
+  const { accessToken } = appConnection.credentials;
+
+  const resp = await request.post<{ data: { apps: { nodes: TFlyioApp[] } } }>(
+    IntegrationUrls.FLYIO_API_URL,
+    {
+      query:
+        "query GetApps { apps { nodes { id name hostname status organization { id slug } currentRelease { version status createdAt } } } }"
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      }
+    }
+  );
+
+  return resp.data.data.apps.nodes;
+};

backend/src/services/app-connection/flyio/flyio-connection-schemas.ts

@@ -0,0 +1,62 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { FlyioConnectionMethod } from "./flyio-connection-enums";
+
+export const FlyioConnectionAccessTokenCredentialsSchema = z.object({
+  accessToken: z
+    .string()
+    .trim()
+    .min(1, "Access Token required")
+    .max(1000)
+    .startsWith("FlyV1", "Token must start with 'FlyV1'")
+    .describe(AppConnections.CREDENTIALS.FLYIO.accessToken)
+});
+
+const BaseFlyioConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Flyio) });
+
+export const FlyioConnectionSchema = BaseFlyioConnectionSchema.extend({
+  method: z.literal(FlyioConnectionMethod.AccessToken),
+  credentials: FlyioConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedFlyioConnectionSchema = z.discriminatedUnion("method", [
+  BaseFlyioConnectionSchema.extend({
+    method: z.literal(FlyioConnectionMethod.AccessToken),
+    credentials: FlyioConnectionAccessTokenCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateFlyioConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z.literal(FlyioConnectionMethod.AccessToken).describe(AppConnections.CREATE(AppConnection.Flyio).method),
+    credentials: FlyioConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Flyio).credentials
+    )
+  })
+]);
+
+export const CreateFlyioConnectionSchema = ValidateFlyioConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Flyio)
+);
+
+export const UpdateFlyioConnectionSchema = z
+  .object({
+    credentials: FlyioConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Flyio).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Flyio));
+
+export const FlyioConnectionListItemSchema = z.object({
+  name: z.literal("Fly.io"),
+  app: z.literal(AppConnection.Flyio),
+  methods: z.nativeEnum(FlyioConnectionMethod).array()
+});

backend/src/services/app-connection/flyio/flyio-connection-service.ts

@@ -0,0 +1,30 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listFlyioApps } from "./flyio-connection-fns";
+import { TFlyioConnection } from "./flyio-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TFlyioConnection>;
+
+export const flyioConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listApps = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Flyio, connectionId, actor);
+
+    try {
+      const apps = await listFlyioApps(appConnection);
+      return apps;
+    } catch (error) {
+      logger.error(error, "Failed to establish connection with fly.io");
+      return [];
+    }
+  };
+
+  return {
+    listApps
+  };
+};

backend/src/services/app-connection/flyio/flyio-connection-types.ts

@@ -0,0 +1,27 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateFlyioConnectionSchema,
+  FlyioConnectionSchema,
+  ValidateFlyioConnectionCredentialsSchema
+} from "./flyio-connection-schemas";
+
+export type TFlyioConnection = z.infer<typeof FlyioConnectionSchema>;
+
+export type TFlyioConnectionInput = z.infer<typeof CreateFlyioConnectionSchema> & {
+  app: AppConnection.Flyio;
+};
+
+export type TValidateFlyioConnectionCredentialsSchema = typeof ValidateFlyioConnectionCredentialsSchema;
+
+export type TFlyioConnectionConfig = DiscriminativePick<TFlyioConnectionInput, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type TFlyioApp = {
+  id: string;
+  name: string;
+};

backend/src/services/app-connection/flyio/index.ts

@@ -0,0 +1,4 @@
+export * from "./flyio-connection-enums";
+export * from "./flyio-connection-fns";
+export * from "./flyio-connection-schemas";
+export * from "./flyio-connection-types";

backend/src/services/app-connection/github/github-connection-fns.ts

@@ -7,6 +7,7 @@ import { request } from "@app/lib/config/request";
 import { BadRequestError, ForbiddenRequestError, InternalServerError } from "@app/lib/errors";
 import { getAppConnectionMethodName } from "@app/services/app-connection/app-connection-fns";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { getInstanceIntegrationsConfig } from "@app/services/super-admin/super-admin-service";
 
 import { AppConnection } from "../app-connection-enums";
 import { GitHubConnectionMethod } from "./github-connection-enums";
@@ -14,13 +15,14 @@ import { TGitHubConnection, TGitHubConnectionConfig } from "./github-connection-
 
 export const getGitHubConnectionListItem = () => {
   const { INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITHUB_APP_SLUG } = getConfig();
+  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
 
   return {
     name: "GitHub" as const,
     app: AppConnection.GitHub as const,
     methods: Object.values(GitHubConnectionMethod) as [GitHubConnectionMethod.App, GitHubConnectionMethod.OAuth],
     oauthClientId: INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
-    appClientSlug: INF_APP_CONNECTION_GITHUB_APP_SLUG
+    appClientSlug: gitHubAppConnection.appSlug || INF_APP_CONNECTION_GITHUB_APP_SLUG
   };
 };
 
@@ -30,23 +32,24 @@ export const getGitHubClient = (appConnection: TGitHubConnection) => {
   const { method, credentials } = appConnection;
 
   let client: Octokit;
+  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
+
+  const appId = gitHubAppConnection.appId || appCfg.INF_APP_CONNECTION_GITHUB_APP_ID;
+  const appPrivateKey = gitHubAppConnection.privateKey || appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY;
 
   switch (method) {
     case GitHubConnectionMethod.App:
-      if (!appCfg.INF_APP_CONNECTION_GITHUB_APP_ID || !appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY) {
+      if (!appId || !appPrivateKey) {
         throw new InternalServerError({
-          message: `GitHub ${getAppConnectionMethodName(method).replace(
-            "GitHub",
-            ""
-          )} environment variables have not been configured`
+          message: `GitHub ${getAppConnectionMethodName(method).replace("GitHub", "")} has not been configured`
         });
       }
 
       client = new Octokit({
         authStrategy: createAppAuth,
         auth: {
-          appId: appCfg.INF_APP_CONNECTION_GITHUB_APP_ID,
-          privateKey: appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY,
+          appId,
+          privateKey: appPrivateKey,
           installationId: credentials.installationId
         }
       });
@@ -154,6 +157,8 @@ type TokenRespData = {
 export const validateGitHubConnectionCredentials = async (config: TGitHubConnectionConfig) => {
   const { credentials, method } = config;
 
+  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
+
   const {
     INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
     INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET,
@@ -165,8 +170,8 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
   const { clientId, clientSecret } =
     method === GitHubConnectionMethod.App
       ? {
-          clientId: INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID,
-          clientSecret: INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET
+          clientId: gitHubAppConnection.clientId || INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID,
+          clientSecret: gitHubAppConnection.clientSecret || INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET
         }
       : // oauth
         {

backend/src/services/app-connection/heroku/heroku-connection-enums.ts

@@ -0,0 +1,4 @@
+export enum HerokuConnectionMethod {
+  AuthToken = "auth-token",
+  OAuth = "oauth"
+}

backend/src/services/app-connection/heroku/heroku-connection-fns.ts

@@ -0,0 +1,208 @@
+import { AxiosError, AxiosResponse } from "axios";
+
+import { getConfig } from "@app/lib/config/env";
+import { request } from "@app/lib/config/request";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { encryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { TAppConnectionDALFactory } from "../app-connection-dal";
+import { HerokuConnectionMethod } from "./heroku-connection-enums";
+import { THerokuApp, THerokuConnection, THerokuConnectionConfig } from "./heroku-connection-types";
+
+interface HerokuOAuthTokenResponse {
+  access_token: string;
+  expires_in: number;
+  refresh_token: string;
+  token_type: string;
+  user_id: string;
+  session_nonce: string;
+}
+
+export const getHerokuConnectionListItem = () => {
+  const { CLIENT_ID_HEROKU } = getConfig();
+
+  return {
+    name: "Heroku" as const,
+    app: AppConnection.Heroku as const,
+    methods: Object.values(HerokuConnectionMethod) as [HerokuConnectionMethod.AuthToken, HerokuConnectionMethod.OAuth],
+    oauthClientId: CLIENT_ID_HEROKU
+  };
+};
+
+export const refreshHerokuToken = async (
+  refreshToken: string,
+  appId: string,
+  orgId: string,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+): Promise<string> => {
+  const { CLIENT_SECRET_HEROKU } = getConfig();
+
+  const payload = {
+    grant_type: "refresh_token",
+    refresh_token: refreshToken,
+    client_secret: CLIENT_SECRET_HEROKU
+  };
+
+  const { data } = await request.post<{ access_token: string; expires_in: number }>(
+    IntegrationUrls.HEROKU_TOKEN_URL,
+    payload,
+    {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      }
+    }
+  );
+
+  const encryptedCredentials = await encryptAppConnectionCredentials({
+    credentials: {
+      refreshToken,
+      authToken: data.access_token,
+      expiresAt: new Date(Date.now() + data.expires_in * 1000 - 60000)
+    },
+    orgId,
+    kmsService
+  });
+
+  await appConnectionDAL.updateById(appId, { encryptedCredentials });
+
+  return data.access_token;
+};
+
+export const exchangeHerokuOAuthCode = async (code: string): Promise<HerokuOAuthTokenResponse> => {
+  const { CLIENT_SECRET_HEROKU } = getConfig();
+
+  try {
+    const response = await request.post<HerokuOAuthTokenResponse>(
+      IntegrationUrls.HEROKU_TOKEN_URL,
+      {
+        grant_type: "authorization_code",
+        code,
+        client_secret: CLIENT_SECRET_HEROKU
+      },
+      {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        }
+      }
+    );
+
+    if (!response.data) {
+      throw new InternalServerError({
+        message: "Failed to exchange OAuth code: Empty response"
+      });
+    }
+
+    return response.data;
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+        message: `Failed to exchange OAuth code: ${error.response?.data?.message || error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to exchange OAuth code"
+    });
+  }
+};
+
+export const validateHerokuConnectionCredentials = async (config: THerokuConnectionConfig) => {
+  const { credentials: inputCredentials, method } = config;
+
+  let authToken: string;
+  let oauthData: HerokuOAuthTokenResponse | null = null;
+
+  if (method === HerokuConnectionMethod.OAuth && "code" in inputCredentials) {
+    oauthData = await exchangeHerokuOAuthCode(inputCredentials.code);
+    authToken = oauthData.access_token;
+  } else if (method === HerokuConnectionMethod.AuthToken && "authToken" in inputCredentials) {
+    authToken = inputCredentials.authToken;
+  } else {
+    throw new BadRequestError({
+      message: "Invalid credentials for the selected connection method"
+    });
+  }
+
+  let response: AxiosResponse<THerokuApp[]> | null = null;
+
+  try {
+    response = await request.get<THerokuApp[]>(`${IntegrationUrls.HEROKU_API_URL}/apps`, {
+      headers: {
+        Authorization: `Bearer ${authToken}`,
+        Accept: "application/vnd.heroku+json; version=3"
+      }
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+
+  if (!response?.data) {
+    throw new InternalServerError({
+      message: "Failed to get apps: Response was empty"
+    });
+  }
+
+  if (method === HerokuConnectionMethod.OAuth && oauthData) {
+    return {
+      authToken,
+      refreshToken: oauthData.refresh_token,
+      expiresIn: oauthData.expires_in,
+      tokenType: oauthData.token_type,
+      userId: oauthData.user_id,
+      sessionNonce: oauthData.session_nonce
+    };
+  }
+
+  return inputCredentials;
+};
+
+export const listHerokuApps = async ({
+  appConnection,
+  appConnectionDAL,
+  kmsService
+}: {
+  appConnection: THerokuConnection;
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+}): Promise<THerokuApp[]> => {
+  let authCredential = appConnection.credentials.authToken;
+  if (
+    appConnection.method === HerokuConnectionMethod.OAuth &&
+    appConnection.credentials.refreshToken &&
+    appConnection.credentials.expiresAt < new Date()
+  ) {
+    authCredential = await refreshHerokuToken(
+      appConnection.credentials.refreshToken,
+      appConnection.id,
+      appConnection.orgId,
+      appConnectionDAL,
+      kmsService
+    );
+  }
+
+  const { data } = await request.get<THerokuApp[]>(`${IntegrationUrls.HEROKU_API_URL}/apps`, {
+    headers: {
+      Authorization: `Bearer ${authCredential}`,
+      Accept: "application/vnd.heroku+json; version=3"
+    }
+  });
+
+  if (!data) {
+    throw new InternalServerError({
+      message: "Failed to get apps: Response was empty"
+    });
+  }
+
+  return data.map((res) => ({ name: res.name, id: res.id }));
+};

backend/src/services/app-connection/heroku/heroku-connection-schemas.ts

@@ -0,0 +1,103 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { HerokuConnectionMethod } from "./heroku-connection-enums";
+
+export const HerokuConnectionAuthTokenCredentialsSchema = z.object({
+  authToken: z.string().trim().min(1, "Auth Token required").startsWith("HRKU-", "Token must start with 'HRKU-")
+});
+
+export const HerokuConnectionOAuthCredentialsSchema = z.object({
+  code: z.string().trim().min(1, "OAuth code required")
+});
+
+export const HerokuConnectionOAuthOutputCredentialsSchema = z.object({
+  authToken: z.string().trim(),
+  refreshToken: z.string().trim(),
+  expiresAt: z.date()
+});
+
+// Schema for refresh token input during initial setup
+export const HerokuConnectionRefreshTokenCredentialsSchema = z.object({
+  refreshToken: z.string().trim().min(1, "Refresh token required")
+});
+
+const BaseHerokuConnectionSchema = BaseAppConnectionSchema.extend({
+  app: z.literal(AppConnection.Heroku)
+});
+
+export const HerokuConnectionSchema = z.intersection(
+  BaseHerokuConnectionSchema,
+  z.discriminatedUnion("method", [
+    z.object({
+      method: z.literal(HerokuConnectionMethod.AuthToken),
+      credentials: HerokuConnectionAuthTokenCredentialsSchema
+    }),
+    z.object({
+      method: z.literal(HerokuConnectionMethod.OAuth),
+      credentials: HerokuConnectionOAuthOutputCredentialsSchema
+    })
+  ])
+);
+
+export const SanitizedHerokuConnectionSchema = z.discriminatedUnion("method", [
+  BaseHerokuConnectionSchema.extend({
+    method: z.literal(HerokuConnectionMethod.AuthToken),
+    credentials: HerokuConnectionAuthTokenCredentialsSchema.pick({})
+  }),
+  BaseHerokuConnectionSchema.extend({
+    method: z.literal(HerokuConnectionMethod.OAuth),
+    credentials: HerokuConnectionOAuthOutputCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateHerokuConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z.literal(HerokuConnectionMethod.AuthToken).describe(AppConnections.CREATE(AppConnection.Heroku).method),
+    credentials: HerokuConnectionAuthTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Heroku).credentials
+    )
+  }),
+  z.object({
+    method: z.literal(HerokuConnectionMethod.OAuth).describe(AppConnections.CREATE(AppConnection.Heroku).method),
+    credentials: z
+      .union([
+        HerokuConnectionOAuthCredentialsSchema,
+        HerokuConnectionRefreshTokenCredentialsSchema,
+        HerokuConnectionOAuthOutputCredentialsSchema
+      ])
+      .describe(AppConnections.CREATE(AppConnection.Heroku).credentials)
+  })
+]);
+
+export const CreateHerokuConnectionSchema = ValidateHerokuConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Heroku)
+);
+
+export const UpdateHerokuConnectionSchema = z
+  .object({
+    credentials: z
+      .union([
+        HerokuConnectionAuthTokenCredentialsSchema,
+        HerokuConnectionOAuthOutputCredentialsSchema,
+        HerokuConnectionRefreshTokenCredentialsSchema,
+        HerokuConnectionOAuthCredentialsSchema
+      ])
+      .optional()
+      .describe(AppConnections.UPDATE(AppConnection.Heroku).credentials)
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Heroku));
+
+export const HerokuConnectionListItemSchema = z.object({
+  name: z.literal("Heroku"),
+  app: z.literal(AppConnection.Heroku),
+  methods: z.nativeEnum(HerokuConnectionMethod).array(),
+  oauthClientId: z.string().optional()
+});

backend/src/services/app-connection/heroku/heroku-connection-service.ts

@@ -0,0 +1,35 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { TAppConnectionDALFactory } from "../app-connection-dal";
+import { AppConnection } from "../app-connection-enums";
+import { listHerokuApps as getHerokuApps } from "./heroku-connection-fns";
+import { THerokuConnection } from "./heroku-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<THerokuConnection>;
+
+export const herokuConnectionService = (
+  getAppConnection: TGetAppConnectionFunc,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const listApps = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Heroku, connectionId, actor);
+    try {
+      const apps = await getHerokuApps({ appConnection, appConnectionDAL, kmsService });
+      return apps;
+    } catch (error) {
+      logger.error(error, `Failed to establish connection with Heroku for app ${connectionId}`);
+      return [];
+    }
+  };
+
+  return {
+    listApps
+  };
+};

backend/src/services/app-connection/heroku/heroku-connection-types.ts

@@ -0,0 +1,27 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateHerokuConnectionSchema,
+  HerokuConnectionSchema,
+  ValidateHerokuConnectionCredentialsSchema
+} from "./heroku-connection-schemas";
+
+export type THerokuConnection = z.infer<typeof HerokuConnectionSchema>;
+
+export type THerokuConnectionInput = z.infer<typeof CreateHerokuConnectionSchema> & {
+  app: AppConnection.Heroku;
+};
+
+export type TValidateHerokuConnectionCredentialsSchema = typeof ValidateHerokuConnectionCredentialsSchema;
+
+export type THerokuConnectionConfig = DiscriminativePick<THerokuConnectionInput, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type THerokuApp = {
+  name: string;
+  id: string;
+};

backend/src/services/app-connection/heroku/index.ts

@@ -0,0 +1,4 @@
+export * from "./heroku-connection-enums";
+export * from "./heroku-connection-fns";
+export * from "./heroku-connection-schemas";
+export * from "./heroku-connection-types";

backend/src/services/app-connection/render/render-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum RenderConnectionMethod {
+  ApiKey = "api-key"
+}

backend/src/services/app-connection/render/render-connection-fns.ts

@@ -0,0 +1,88 @@
+/* eslint-disable no-await-in-loop */
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { AppConnection } from "../app-connection-enums";
+import { RenderConnectionMethod } from "./render-connection-enums";
+import {
+  TRawRenderService,
+  TRenderConnection,
+  TRenderConnectionConfig,
+  TRenderService
+} from "./render-connection-types";
+
+export const getRenderConnectionListItem = () => {
+  return {
+    name: "Render" as const,
+    app: AppConnection.Render as const,
+    methods: Object.values(RenderConnectionMethod) as [RenderConnectionMethod.ApiKey]
+  };
+};
+
+export const listRenderServices = async (appConnection: TRenderConnection): Promise<TRenderService[]> => {
+  const {
+    credentials: { apiKey }
+  } = appConnection;
+
+  const services: TRenderService[] = [];
+  let hasMorePages = true;
+  const perPage = 100;
+  let cursor;
+
+  while (hasMorePages) {
+    const res: TRawRenderService[] = (
+      await request.get<TRawRenderService[]>(`${IntegrationUrls.RENDER_API_URL}/v1/services`, {
+        params: new URLSearchParams({
+          ...(cursor ? { cursor: String(cursor) } : {}),
+          limit: String(perPage)
+        }),
+        headers: {
+          Authorization: `Bearer ${apiKey}`,
+          Accept: "application/json",
+          "Accept-Encoding": "application/json"
+        }
+      })
+    ).data;
+
+    res.forEach((item) => {
+      services.push({
+        name: item.service.name,
+        id: item.service.id
+      });
+    });
+
+    if (res.length < perPage) {
+      hasMorePages = false;
+    } else {
+      cursor = res[res.length - 1].cursor;
+    }
+  }
+
+  return services;
+};
+
+export const validateRenderConnectionCredentials = async (config: TRenderConnectionConfig) => {
+  const { credentials: inputCredentials } = config;
+
+  try {
+    await request.get(`${IntegrationUrls.RENDER_API_URL}/v1/users`, {
+      headers: {
+        Authorization: `Bearer ${inputCredentials.apiKey}`
+      }
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+
+  return inputCredentials;
+};

backend/src/services/app-connection/render/render-connection-schema.ts

@@ -0,0 +1,56 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { RenderConnectionMethod } from "./render-connection-enums";
+
+export const RenderConnectionApiKeyCredentialsSchema = z.object({
+  apiKey: z.string().trim().min(1, "API key required").max(256, "API key cannot exceed 256 characters")
+});
+
+const BaseRenderConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Render) });
+
+export const RenderConnectionSchema = BaseRenderConnectionSchema.extend({
+  method: z.literal(RenderConnectionMethod.ApiKey),
+  credentials: RenderConnectionApiKeyCredentialsSchema
+});
+
+export const SanitizedRenderConnectionSchema = z.discriminatedUnion("method", [
+  BaseRenderConnectionSchema.extend({
+    method: z.literal(RenderConnectionMethod.ApiKey),
+    credentials: RenderConnectionApiKeyCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateRenderConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z.literal(RenderConnectionMethod.ApiKey).describe(AppConnections.CREATE(AppConnection.Render).method),
+    credentials: RenderConnectionApiKeyCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Render).credentials
+    )
+  })
+]);
+
+export const CreateRenderConnectionSchema = ValidateRenderConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Render)
+);
+
+export const UpdateRenderConnectionSchema = z
+  .object({
+    credentials: RenderConnectionApiKeyCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Render).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Render));
+
+export const RenderConnectionListItemSchema = z.object({
+  name: z.literal("Render"),
+  app: z.literal(AppConnection.Render),
+  methods: z.nativeEnum(RenderConnectionMethod).array()
+});

backend/src/services/app-connection/render/render-connection-service.ts

@@ -0,0 +1,30 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listRenderServices } from "./render-connection-fns";
+import { TRenderConnection } from "./render-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TRenderConnection>;
+
+export const renderConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listServices = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Render, connectionId, actor);
+    try {
+      const services = await listRenderServices(appConnection);
+
+      return services;
+    } catch (error) {
+      logger.error(error, "Failed to list services for Render connection");
+      return [];
+    }
+  };
+
+  return {
+    listServices
+  };
+};

backend/src/services/app-connection/render/render-connection-types.ts

@@ -0,0 +1,35 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateRenderConnectionSchema,
+  RenderConnectionSchema,
+  ValidateRenderConnectionCredentialsSchema
+} from "./render-connection-schema";
+
+export type TRenderConnection = z.infer<typeof RenderConnectionSchema>;
+
+export type TRenderConnectionInput = z.infer<typeof CreateRenderConnectionSchema> & {
+  app: AppConnection.Render;
+};
+
+export type TValidateRenderConnectionCredentialsSchema = typeof ValidateRenderConnectionCredentialsSchema;
+
+export type TRenderConnectionConfig = DiscriminativePick<TRenderConnectionInput, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type TRenderService = {
+  name: string;
+  id: string;
+};
+
+export type TRawRenderService = {
+  cursor: string;
+  service: {
+    id: string;
+    name: string;
+  };
+};

backend/src/services/identity-aws-auth/identity-aws-auth-validators.ts

@@ -9,6 +9,7 @@ const arnRegex = new RE2(/^arn:aws:iam::\d{12}:(user\/[a-zA-Z0-9_.@+*/-]+|role\/
 export const validateAccountIds = z
   .string()
   .trim()
+  .max(2048)
   .default("")
   // Custom validation to ensure each part is a 12-digit number
   .refine(
@@ -36,6 +37,7 @@ export const validateAccountIds = z
 export const validatePrincipalArns = z
   .string()
   .trim()
+  .max(2048)
   .default("")
   // Custom validation for ARN format
   .refine(

backend/src/services/identity-project/identity-project-dal.ts

@@ -101,6 +101,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
 
           db.ref("id").as("identityId").withSchema(TableName.Identity),
           db.ref("name").as("identityName").withSchema(TableName.Identity),
+          db.ref("hasDeleteProtection").withSchema(TableName.Identity),
           db.ref("id").withSchema(TableName.IdentityProjectMembership),
           db.ref("role").withSchema(TableName.IdentityProjectMembershipRole),
           db.ref("id").withSchema(TableName.IdentityProjectMembershipRole).as("membershipRoleId"),
@@ -130,6 +131,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
         data: docs,
         parentMapper: ({
           identityName,
+          hasDeleteProtection,
           uaId,
           awsId,
           gcpId,
@@ -151,6 +153,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           identity: {
             id: identityId,
             name: identityName,
+            hasDeleteProtection,
             authMethods: buildAuthMethods({
               uaId,
               awsId,

backend/src/services/identity/identity-org-dal.ts

@@ -114,16 +114,18 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth),
           db.ref("id").as("jwtId").withSchema(TableName.IdentityJwtAuth),
           db.ref("id").as("ldapId").withSchema(TableName.IdentityLdapAuth),
-          db.ref("name").withSchema(TableName.Identity)
+          db.ref("name").withSchema(TableName.Identity),
+          db.ref("hasDeleteProtection").withSchema(TableName.Identity)
         );
 
       if (data) {
-        const { name } = data;
+        const { name, hasDeleteProtection } = data;
         return {
           ...data,
           identity: {
             id: data.identityId,
             name,
+            hasDeleteProtection,
             authMethods: buildAuthMethods(data)
           }
         };
@@ -155,7 +157,8 @@ export const identityOrgDALFactory = (db: TDbClient) => {
         .orderBy(`${TableName.Identity}.${orderBy}`, orderDirection)
         .select(
           selectAllTableCols(TableName.IdentityOrgMembership),
-          db.ref("name").withSchema(TableName.Identity).as("identityName")
+          db.ref("name").withSchema(TableName.Identity).as("identityName"),
+          db.ref("hasDeleteProtection").withSchema(TableName.Identity)
         )
         .where(filter)
         .as("paginatedIdentity");
@@ -245,6 +248,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           db.ref("updatedAt").withSchema("paginatedIdentity"),
           db.ref("identityId").withSchema("paginatedIdentity").as("identityId"),
           db.ref("identityName").withSchema("paginatedIdentity"),
+          db.ref("hasDeleteProtection").withSchema("paginatedIdentity"),
 
           db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
@@ -286,6 +290,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           crName,
           identityId,
           identityName,
+          hasDeleteProtection,
           role,
           roleId,
           id,
@@ -324,6 +329,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           identity: {
             id: identityId,
             name: identityName,
+            hasDeleteProtection,
             authMethods: buildAuthMethods({
               uaId,
               alicloudId,
@@ -476,6 +482,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           db.ref("updatedAt").withSchema(TableName.IdentityOrgMembership),
           db.ref("identityId").withSchema(TableName.IdentityOrgMembership).as("identityId"),
           db.ref("name").withSchema(TableName.Identity).as("identityName"),
+          db.ref("hasDeleteProtection").withSchema(TableName.Identity),
 
           db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
@@ -518,6 +525,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           crName,
           identityId,
           identityName,
+          hasDeleteProtection,
           role,
           roleId,
           total_count,
@@ -556,6 +564,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           identity: {
             id: identityId,
             name: identityName,
+            hasDeleteProtection,
             authMethods: buildAuthMethods({
               uaId,
               alicloudId,

backend/src/services/identity/identity-service.ts

@@ -47,6 +47,7 @@ export const identityServiceFactory = ({
   const createIdentity = async ({
     name,
     role,
+    hasDeleteProtection,
     actor,
     orgId,
     actorId,
@@ -96,7 +97,7 @@ export const identityServiceFactory = ({
     }
 
     const identity = await identityDAL.transaction(async (tx) => {
-      const newIdentity = await identityDAL.create({ name }, tx);
+      const newIdentity = await identityDAL.create({ name, hasDeleteProtection }, tx);
       await identityOrgMembershipDAL.create(
         {
           identityId: newIdentity.id,
@@ -138,6 +139,7 @@ export const identityServiceFactory = ({
   const updateIdentity = async ({
     id,
     role,
+    hasDeleteProtection,
     name,
     actor,
     actorId,
@@ -189,7 +191,11 @@ export const identityServiceFactory = ({
     }
 
     const identity = await identityDAL.transaction(async (tx) => {
-      const newIdentity = name ? await identityDAL.updateById(id, { name }, tx) : await identityDAL.findById(id, tx);
+      const newIdentity =
+        name || hasDeleteProtection
+          ? await identityDAL.updateById(id, { name, hasDeleteProtection }, tx)
+          : await identityDAL.findById(id, tx);
+
       if (role) {
         await identityOrgMembershipDAL.updateById(
           identityOrgMembership.id,
@@ -272,6 +278,9 @@ export const identityServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Delete, OrgPermissionSubjects.Identity);
 
+    if (identityOrgMembership.identity.hasDeleteProtection)
+      throw new BadRequestError({ message: "Identity has delete protection" });
+
     const deletedIdentity = await identityDAL.deleteById(id);
 
     await licenseService.updateSubscriptionOrgMemberCount(identityOrgMembership.orgId);

backend/src/services/identity/identity-types.ts

@@ -5,12 +5,14 @@ import { OrderByDirection, TOrgPermission } from "@app/lib/types";
 export type TCreateIdentityDTO = {
   role: string;
   name: string;
+  hasDeleteProtection: boolean;
   metadata?: { key: string; value: string }[];
 } & TOrgPermission;
 
 export type TUpdateIdentityDTO = {
   id: string;
   role?: string;
+  hasDeleteProtection?: boolean;
   name?: string;
   metadata?: { key: string; value: string }[];
   isActorSuperAdmin?: boolean;

backend/src/services/secret-sync/flyio/flyio-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const FLYIO_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Fly.io",
+  destination: SecretSync.Flyio,
+  connection: AppConnection.Flyio,
+  canImportSecrets: false
+};

backend/src/services/secret-sync/flyio/flyio-sync-fns.ts

@@ -0,0 +1,133 @@
+import { request } from "@app/lib/config/request";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import {
+  TDeleteFlyioVariable,
+  TFlyioListVariables,
+  TFlyioSecret,
+  TFlyioSyncWithCredentials,
+  TPutFlyioVariable
+} from "@app/services/secret-sync/flyio/flyio-sync-types";
+import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
+const listFlyioSecrets = async ({ accessToken, appId }: TFlyioListVariables) => {
+  const { data } = await request.post<{ data: { app: { secrets: TFlyioSecret[] } } }>(
+    IntegrationUrls.FLYIO_API_URL,
+    {
+      query: "query GetAppSecrets($appId: String!) { app(id: $appId) { id name secrets { name createdAt } } }",
+      variables: { appId }
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      }
+    }
+  );
+
+  return data.data.app.secrets.map((s) => s.name);
+};
+
+const putFlyioSecrets = async ({ accessToken, appId, secretMap }: TPutFlyioVariable) => {
+  return request.post(
+    IntegrationUrls.FLYIO_API_URL,
+    {
+      query:
+        "mutation SetAppSecrets($appId: ID!, $secrets: [SecretInput!]!) { setSecrets(input: { appId: $appId, secrets: $secrets }) { app { name } release { version } } }",
+      variables: {
+        appId,
+        secrets: Object.entries(secretMap).map(([key, { value }]) => ({ key, value }))
+      }
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      }
+    }
+  );
+};
+
+const deleteFlyioSecrets = async ({ accessToken, appId, keys }: TDeleteFlyioVariable) => {
+  return request.post(
+    IntegrationUrls.FLYIO_API_URL,
+    {
+      query:
+        "mutation UnsetAppSecrets($appId: ID!, $keys: [String!]!) { unsetSecrets(input: { appId: $appId, keys: $keys }) { app { name } release { version } } }",
+      variables: {
+        appId,
+        keys
+      }
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      }
+    }
+  );
+};
+
+export const FlyioSyncFns = {
+  syncSecrets: async (secretSync: TFlyioSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection,
+      environment,
+      destinationConfig: { appId }
+    } = secretSync;
+
+    const { accessToken } = connection.credentials;
+
+    try {
+      await putFlyioSecrets({ accessToken, appId, secretMap });
+    } catch (error) {
+      throw new SecretSyncError({
+        error
+      });
+    }
+
+    if (secretSync.syncOptions.disableSecretDeletion) return;
+
+    const secrets = await listFlyioSecrets({ accessToken, appId });
+
+    const keys = secrets.filter(
+      (secret) =>
+        matchesSchema(secret, environment?.slug || "", secretSync.syncOptions.keySchema) && !(secret in secretMap)
+    );
+
+    try {
+      await deleteFlyioSecrets({ accessToken, appId, keys });
+    } catch (error) {
+      throw new SecretSyncError({
+        error
+      });
+    }
+  },
+  removeSecrets: async (secretSync: TFlyioSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection,
+      destinationConfig: { appId }
+    } = secretSync;
+
+    const { accessToken } = connection.credentials;
+
+    const secrets = await listFlyioSecrets({ accessToken, appId });
+
+    const keys = secrets.filter((secret) => secret in secretMap);
+
+    try {
+      await deleteFlyioSecrets({ accessToken, appId, keys });
+    } catch (error) {
+      throw new SecretSyncError({
+        error
+      });
+    }
+  },
+  getSecrets: async (secretSync: TFlyioSyncWithCredentials) => {
+    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
+  }
+};

backend/src/services/secret-sync/flyio/flyio-sync-schemas.ts

@@ -0,0 +1,43 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const FlyioSyncDestinationConfigSchema = z.object({
+  appId: z.string().trim().min(1, "App required").max(255).describe(SecretSyncs.DESTINATION_CONFIG.FLYIO.appId)
+});
+
+const FlyioSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
+
+export const FlyioSyncSchema = BaseSecretSyncSchema(SecretSync.Flyio, FlyioSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Flyio),
+  destinationConfig: FlyioSyncDestinationConfigSchema
+});
+
+export const CreateFlyioSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Flyio,
+  FlyioSyncOptionsConfig
+).extend({
+  destinationConfig: FlyioSyncDestinationConfigSchema
+});
+
+export const UpdateFlyioSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Flyio,
+  FlyioSyncOptionsConfig
+).extend({
+  destinationConfig: FlyioSyncDestinationConfigSchema.optional()
+});
+
+export const FlyioSyncListItemSchema = z.object({
+  name: z.literal("Fly.io"),
+  connection: z.literal(AppConnection.Flyio),
+  destination: z.literal(SecretSync.Flyio),
+  canImportSecrets: z.literal(false)
+});

backend/src/services/secret-sync/flyio/flyio-sync-types.ts

@@ -0,0 +1,32 @@
+import { z } from "zod";
+
+import { TFlyioConnection } from "@app/services/app-connection/flyio";
+
+import { CreateFlyioSyncSchema, FlyioSyncListItemSchema, FlyioSyncSchema } from "./flyio-sync-schemas";
+
+export type TFlyioSync = z.infer<typeof FlyioSyncSchema>;
+
+export type TFlyioSyncInput = z.infer<typeof CreateFlyioSyncSchema>;
+
+export type TFlyioSyncListItem = z.infer<typeof FlyioSyncListItemSchema>;
+
+export type TFlyioSyncWithCredentials = TFlyioSync & {
+  connection: TFlyioConnection;
+};
+
+export type TFlyioSecret = {
+  name: string;
+};
+
+export type TFlyioListVariables = {
+  accessToken: string;
+  appId: string;
+};
+
+export type TPutFlyioVariable = TFlyioListVariables & {
+  secretMap: { [key: string]: { value: string } };
+};
+
+export type TDeleteFlyioVariable = TFlyioListVariables & {
+  keys: string[];
+};

backend/src/services/secret-sync/flyio/index.ts

@@ -0,0 +1,4 @@
+export * from "./flyio-sync-constants";
+export * from "./flyio-sync-fns";
+export * from "./flyio-sync-schemas";
+export * from "./flyio-sync-types";

backend/src/services/secret-sync/heroku/heroku-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const HEROKU_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Heroku",
+  destination: SecretSync.Heroku,
+  connection: AppConnection.Heroku,
+  canImportSecrets: true
+};

backend/src/services/secret-sync/heroku/heroku-sync-fns.ts

@@ -0,0 +1,170 @@
+import { request } from "@app/lib/config/request";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
+import { HerokuConnectionMethod, refreshHerokuToken, THerokuConnection } from "@app/services/app-connection/heroku";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import {
+  THerokuConfigVars,
+  THerokuListVariables,
+  THerokuSyncWithCredentials,
+  THerokuUpdateVariables
+} from "@app/services/secret-sync/heroku/heroku-sync-types";
+import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+type THerokuSyncFactoryDeps = {
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+};
+
+const getValidAuthToken = async (
+  connection: THerokuConnection,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+): Promise<string> => {
+  if (
+    connection.method === HerokuConnectionMethod.OAuth &&
+    connection.credentials.refreshToken &&
+    connection.credentials.expiresAt < new Date()
+  ) {
+    const authToken = await refreshHerokuToken(
+      connection.credentials.refreshToken,
+      connection.id,
+      connection.orgId,
+      appConnectionDAL,
+      kmsService
+    );
+    return authToken;
+  }
+  return connection.credentials.authToken;
+};
+
+const getHerokuConfigVars = async ({ authToken, app }: THerokuListVariables): Promise<THerokuConfigVars> => {
+  const { data } = await request.get<THerokuConfigVars>(
+    `${IntegrationUrls.HEROKU_API_URL}/apps/${encodeURIComponent(app)}/config-vars`,
+    {
+      headers: {
+        Authorization: `Bearer ${authToken}`,
+        Accept: "application/vnd.heroku+json; version=3"
+      }
+    }
+  );
+
+  return data;
+};
+
+const updateHerokuConfigVars = async ({ authToken, app, configVars }: THerokuUpdateVariables) => {
+  return request.patch(`${IntegrationUrls.HEROKU_API_URL}/apps/${encodeURIComponent(app)}/config-vars`, configVars, {
+    headers: {
+      Authorization: `Bearer ${authToken}`,
+      Accept: "application/vnd.heroku+json; version=3",
+      "Content-Type": "application/json"
+    }
+  });
+};
+
+export const HerokuSyncFns = {
+  syncSecrets: async (
+    secretSync: THerokuSyncWithCredentials,
+    secretMap: TSecretMap,
+    { appConnectionDAL, kmsService }: THerokuSyncFactoryDeps
+  ) => {
+    const {
+      connection,
+      environment,
+      destinationConfig: { app }
+    } = secretSync;
+
+    const authToken = await getValidAuthToken(connection, appConnectionDAL, kmsService);
+
+    try {
+      const updatedConfigVars: THerokuConfigVars = {};
+
+      for (const [key, { value }] of Object.entries(secretMap)) {
+        updatedConfigVars[key] = value;
+      }
+
+      if (!secretSync.syncOptions.disableSecretDeletion) {
+        const currentConfigVars = await getHerokuConfigVars({ authToken, app });
+
+        for (const key of Object.keys(currentConfigVars)) {
+          if (matchesSchema(key, environment?.slug || "", secretSync.syncOptions.keySchema) && !(key in secretMap)) {
+            updatedConfigVars[key] = null;
+          }
+        }
+      }
+
+      await updateHerokuConfigVars({
+        authToken,
+        app,
+        configVars: updatedConfigVars
+      });
+    } catch (error) {
+      throw new SecretSyncError({
+        error,
+        secretKey: "batch_update"
+      });
+    }
+  },
+
+  removeSecrets: async (
+    secretSync: THerokuSyncWithCredentials,
+    secretMap: TSecretMap,
+    { appConnectionDAL, kmsService }: THerokuSyncFactoryDeps
+  ) => {
+    const {
+      connection,
+      destinationConfig: { app }
+    } = secretSync;
+
+    const authToken = await getValidAuthToken(connection, appConnectionDAL, kmsService);
+
+    try {
+      const currentConfigVars = await getHerokuConfigVars({ authToken, app });
+      const configVarsToUpdate: Record<string, null> = {};
+
+      for (const key of Object.keys(secretMap)) {
+        if (key in currentConfigVars) {
+          configVarsToUpdate[key] = null;
+        }
+      }
+
+      if (Object.keys(configVarsToUpdate).length > 0) {
+        await updateHerokuConfigVars({
+          authToken,
+          app,
+          configVars: configVarsToUpdate
+        });
+      }
+    } catch (error) {
+      throw new SecretSyncError({
+        error,
+        secretKey: "batch_remove"
+      });
+    }
+  },
+
+  getSecrets: async (
+    secretSync: THerokuSyncWithCredentials,
+    { appConnectionDAL, kmsService }: THerokuSyncFactoryDeps
+  ): Promise<TSecretMap> => {
+    const {
+      connection,
+      destinationConfig: { app }
+    } = secretSync;
+
+    const authToken = await getValidAuthToken(connection, appConnectionDAL, kmsService);
+
+    const data = await getHerokuConfigVars({ authToken, app });
+    const transformed = Object.entries(data).reduce((acc, [key, value]) => {
+      if (!value) {
+        return acc;
+      }
+      acc[key] = { value };
+      return acc;
+    }, {} as TSecretMap);
+
+    return transformed;
+  }
+};

backend/src/services/secret-sync/heroku/heroku-sync-schemas.ts

@@ -0,0 +1,44 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const HerokuSyncDestinationConfigSchema = z.object({
+  app: z.string().trim().min(1, "App required").describe(SecretSyncs.DESTINATION_CONFIG.HEROKU.app),
+  appName: z.string().trim().min(1, "App name required").describe(SecretSyncs.DESTINATION_CONFIG.HEROKU.appName)
+});
+
+const HerokuSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
+
+export const HerokuSyncSchema = BaseSecretSyncSchema(SecretSync.Heroku, HerokuSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Heroku),
+  destinationConfig: HerokuSyncDestinationConfigSchema
+});
+
+export const CreateHerokuSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Heroku,
+  HerokuSyncOptionsConfig
+).extend({
+  destinationConfig: HerokuSyncDestinationConfigSchema
+});
+
+export const UpdateHerokuSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Heroku,
+  HerokuSyncOptionsConfig
+).extend({
+  destinationConfig: HerokuSyncDestinationConfigSchema.optional()
+});
+
+export const HerokuSyncListItemSchema = z.object({
+  name: z.literal("Heroku"),
+  connection: z.literal(AppConnection.Heroku),
+  destination: z.literal(SecretSync.Heroku),
+  canImportSecrets: z.literal(true)
+});

backend/src/services/secret-sync/heroku/heroku-sync-types.ts

@@ -0,0 +1,24 @@
+import { z } from "zod";
+
+import { THerokuConnection } from "@app/services/app-connection/heroku";
+
+import { CreateHerokuSyncSchema, HerokuSyncListItemSchema, HerokuSyncSchema } from "./heroku-sync-schemas";
+
+export type THerokuSync = z.infer<typeof HerokuSyncSchema>;
+export type THerokuSyncInput = z.infer<typeof CreateHerokuSyncSchema>;
+export type THerokuSyncListItem = z.infer<typeof HerokuSyncListItemSchema>;
+
+export type THerokuSyncWithCredentials = THerokuSync & {
+  connection: THerokuConnection;
+};
+
+export type THerokuConfigVars = Record<string, string | null>;
+
+export type THerokuListVariables = {
+  authToken: string;
+  app: string;
+};
+
+export type THerokuUpdateVariables = THerokuListVariables & {
+  configVars: THerokuConfigVars;
+};

backend/src/services/secret-sync/heroku/index.ts

@@ -0,0 +1,4 @@
+export * from "./heroku-sync-constants";
+export * from "./heroku-sync-fns";
+export * from "./heroku-sync-schemas";
+export * from "./heroku-sync-types";

backend/src/services/secret-sync/render/index.ts

@@ -0,0 +1,4 @@
+export * from "./render-sync-constants";
+export * from "./render-sync-fns";
+export * from "./render-sync-schemas";
+export * from "./render-sync-types";

backend/src/services/secret-sync/render/render-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const RENDER_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Render",
+  destination: SecretSync.Render,
+  connection: AppConnection.Render,
+  canImportSecrets: true
+};

backend/src/services/secret-sync/render/render-sync-enums.ts

@@ -0,0 +1,8 @@
+export enum RenderSyncScope {
+  Service = "service"
+}
+
+export enum RenderSyncType {
+  Env = "env",
+  File = "file"
+}

backend/src/services/secret-sync/render/render-sync-fns.ts

@@ -0,0 +1,134 @@
+/* eslint-disable no-await-in-loop */
+import { request } from "@app/lib/config/request";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+import { TRenderSecret, TRenderSyncWithCredentials } from "./render-sync-types";
+
+const getRenderEnvironmentSecrets = async (secretSync: TRenderSyncWithCredentials) => {
+  const {
+    destinationConfig,
+    connection: {
+      credentials: { apiKey }
+    }
+  } = secretSync;
+
+  const baseUrl = `${IntegrationUrls.RENDER_API_URL}/v1/services/${destinationConfig.serviceId}/env-vars`;
+  const allSecrets: TRenderSecret[] = [];
+  let cursor: string | undefined;
+
+  do {
+    const url = cursor ? `${baseUrl}?cursor=${cursor}` : baseUrl;
+    const { data } = await request.get<
+      {
+        envVar: {
+          key: string;
+          value: string;
+        };
+        cursor: string;
+      }[]
+    >(url, {
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        Accept: "application/json"
+      }
+    });
+
+    const secrets = data.map((item) => ({
+      key: item.envVar.key,
+      value: item.envVar.value
+    }));
+
+    allSecrets.push(...secrets);
+
+    cursor = data[data.length - 1]?.cursor;
+  } while (cursor);
+
+  return allSecrets;
+};
+
+const putEnvironmentSecret = async (secretSync: TRenderSyncWithCredentials, secretMap: TSecretMap, key: string) => {
+  const {
+    destinationConfig,
+    connection: {
+      credentials: { apiKey }
+    }
+  } = secretSync;
+
+  await request.put(
+    `${IntegrationUrls.RENDER_API_URL}/v1/services/${destinationConfig.serviceId}/env-vars/${key}`,
+    {
+      key,
+      value: secretMap[key].value
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        Accept: "application/json"
+      }
+    }
+  );
+};
+
+const deleteEnvironmentSecret = async (secretSync: TRenderSyncWithCredentials, secret: TRenderSecret) => {
+  const {
+    destinationConfig,
+    connection: {
+      credentials: { apiKey }
+    }
+  } = secretSync;
+
+  await request.delete(
+    `${IntegrationUrls.RENDER_API_URL}/v1/services/${destinationConfig.serviceId}/env-vars/${secret.key}`,
+    {
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        Accept: "application/json"
+      }
+    }
+  );
+};
+
+const sleep = async () =>
+  new Promise((resolve) => {
+    setTimeout(resolve, 500);
+  });
+
+export const RenderSyncFns = {
+  syncSecrets: async (secretSync: TRenderSyncWithCredentials, secretMap: TSecretMap) => {
+    const renderSecrets = await getRenderEnvironmentSecrets(secretSync);
+    for await (const key of Object.keys(secretMap)) {
+      await putEnvironmentSecret(secretSync, secretMap, key);
+      await sleep();
+    }
+
+    if (secretSync.syncOptions.disableSecretDeletion) return;
+
+    for await (const renderSecret of renderSecrets) {
+      if (!matchesSchema(renderSecret.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema))
+        // eslint-disable-next-line no-continue
+        continue;
+
+      if (!secretMap[renderSecret.key]) {
+        await deleteEnvironmentSecret(secretSync, renderSecret);
+        await sleep();
+      }
+    }
+  },
+  getSecrets: async (secretSync: TRenderSyncWithCredentials): Promise<TSecretMap> => {
+    const renderSecrets = await getRenderEnvironmentSecrets(secretSync);
+    return Object.fromEntries(renderSecrets.map((secret) => [secret.key, { value: secret.value ?? "" }]));
+  },
+
+  removeSecrets: async (secretSync: TRenderSyncWithCredentials, secretMap: TSecretMap) => {
+    const encryptedSecrets = await getRenderEnvironmentSecrets(secretSync);
+
+    for await (const encryptedSecret of encryptedSecrets) {
+      if (encryptedSecret.key in secretMap) {
+        await deleteEnvironmentSecret(secretSync, encryptedSecret);
+        await sleep();
+      }
+    }
+  }
+};

backend/src/services/secret-sync/render/render-sync-schemas.ts

@@ -0,0 +1,49 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+import { RenderSyncScope, RenderSyncType } from "./render-sync-enums";
+
+const RenderSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
+  z.object({
+    scope: z.literal(RenderSyncScope.Service).describe(SecretSyncs.DESTINATION_CONFIG.RENDER.scope),
+    serviceId: z.string().min(1, "Service ID is required").describe(SecretSyncs.DESTINATION_CONFIG.RENDER.serviceId),
+    type: z.nativeEnum(RenderSyncType).describe(SecretSyncs.DESTINATION_CONFIG.RENDER.type)
+  })
+]);
+
+const RenderSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
+
+export const RenderSyncSchema = BaseSecretSyncSchema(SecretSync.Render, RenderSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Render),
+  destinationConfig: RenderSyncDestinationConfigSchema
+});
+
+export const CreateRenderSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Render,
+  RenderSyncOptionsConfig
+).extend({
+  destinationConfig: RenderSyncDestinationConfigSchema
+});
+
+export const UpdateRenderSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Render,
+  RenderSyncOptionsConfig
+).extend({
+  destinationConfig: RenderSyncDestinationConfigSchema.optional()
+});
+
+export const RenderSyncListItemSchema = z.object({
+  name: z.literal("Render"),
+  connection: z.literal(AppConnection.Render),
+  destination: z.literal(SecretSync.Render),
+  canImportSecrets: z.literal(true)
+});

backend/src/services/secret-sync/render/render-sync-types.ts

@@ -0,0 +1,20 @@
+import z from "zod";
+
+import { TRenderConnection } from "@app/services/app-connection/render/render-connection-types";
+
+import { CreateRenderSyncSchema, RenderSyncListItemSchema, RenderSyncSchema } from "./render-sync-schemas";
+
+export type TRenderSyncListItem = z.infer<typeof RenderSyncListItemSchema>;
+
+export type TRenderSync = z.infer<typeof RenderSyncSchema>;
+
+export type TRenderSyncInput = z.infer<typeof CreateRenderSyncSchema>;
+
+export type TRenderSyncWithCredentials = TRenderSync & {
+  connection: TRenderConnection;
+};
+
+export type TRenderSecret = {
+  key: string;
+  value: string;
+};

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -15,7 +15,10 @@ export enum SecretSync {
   HCVault = "hashicorp-vault",
   TeamCity = "teamcity",
   OCIVault = "oci-vault",
-  OnePass = "1password"
+  OnePass = "1password",
+  Heroku = "heroku",
+  Render = "render",
+  Flyio = "flyio"
 }
 
 export enum SecretSyncInitialSyncBehavior {

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -29,11 +29,14 @@ import { AZURE_APP_CONFIGURATION_SYNC_LIST_OPTION, azureAppConfigurationSyncFact
 import { AZURE_DEVOPS_SYNC_LIST_OPTION, azureDevOpsSyncFactory } from "./azure-devops";
 import { AZURE_KEY_VAULT_SYNC_LIST_OPTION, azureKeyVaultSyncFactory } from "./azure-key-vault";
 import { CAMUNDA_SYNC_LIST_OPTION, camundaSyncFactory } from "./camunda";
+import { FLYIO_SYNC_LIST_OPTION, FlyioSyncFns } from "./flyio";
 import { GCP_SYNC_LIST_OPTION } from "./gcp";
 import { GcpSyncFns } from "./gcp/gcp-sync-fns";
 import { HC_VAULT_SYNC_LIST_OPTION, HCVaultSyncFns } from "./hc-vault";
+import { HEROKU_SYNC_LIST_OPTION, HerokuSyncFns } from "./heroku";
 import { HUMANITEC_SYNC_LIST_OPTION } from "./humanitec";
 import { HumanitecSyncFns } from "./humanitec/humanitec-sync-fns";
+import { RENDER_SYNC_LIST_OPTION, RenderSyncFns } from "./render";
 import { SECRET_SYNC_PLAN_MAP } from "./secret-sync-maps";
 import { TEAMCITY_SYNC_LIST_OPTION, TeamCitySyncFns } from "./teamcity";
 import { TERRAFORM_CLOUD_SYNC_LIST_OPTION, TerraformCloudSyncFns } from "./terraform-cloud";
@@ -57,7 +60,10 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.HCVault]: HC_VAULT_SYNC_LIST_OPTION,
   [SecretSync.TeamCity]: TEAMCITY_SYNC_LIST_OPTION,
   [SecretSync.OCIVault]: OCI_VAULT_SYNC_LIST_OPTION,
-  [SecretSync.OnePass]: ONEPASS_SYNC_LIST_OPTION
+  [SecretSync.OnePass]: ONEPASS_SYNC_LIST_OPTION,
+  [SecretSync.Heroku]: HEROKU_SYNC_LIST_OPTION,
+  [SecretSync.Render]: RENDER_SYNC_LIST_OPTION,
+  [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION
 };
 
 export const listSecretSyncOptions = () => {
@@ -203,6 +209,8 @@ export const SecretSyncFns = {
           appConnectionDAL,
           kmsService
         }).syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Heroku:
+        return HerokuSyncFns.syncSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
       case SecretSync.Vercel:
         return VercelSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Windmill:
@@ -215,6 +223,10 @@ export const SecretSyncFns = {
         return OCIVaultSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.OnePass:
         return OnePassSyncFns.syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Render:
+        return RenderSyncFns.syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Flyio:
+        return FlyioSyncFns.syncSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -292,6 +304,15 @@ export const SecretSyncFns = {
       case SecretSync.OnePass:
         secretMap = await OnePassSyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.Heroku:
+        secretMap = await HerokuSyncFns.getSecrets(secretSync, { appConnectionDAL, kmsService });
+        break;
+      case SecretSync.Render:
+        secretMap = await RenderSyncFns.getSecrets(secretSync);
+        break;
+      case SecretSync.Flyio:
+        secretMap = await FlyioSyncFns.getSecrets(secretSync);
+        break;
       default:
         throw new Error(
           `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -359,6 +380,12 @@ export const SecretSyncFns = {
         return OCIVaultSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.OnePass:
         return OnePassSyncFns.removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Heroku:
+        return HerokuSyncFns.removeSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
+      case SecretSync.Render:
+        return RenderSyncFns.removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Flyio:
+        return FlyioSyncFns.removeSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -18,7 +18,10 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.HCVault]: "Hashicorp Vault",
   [SecretSync.TeamCity]: "TeamCity",
   [SecretSync.OCIVault]: "OCI Vault",
-  [SecretSync.OnePass]: "1Password"
+  [SecretSync.OnePass]: "1Password",
+  [SecretSync.Heroku]: "Heroku",
+  [SecretSync.Render]: "Render",
+  [SecretSync.Flyio]: "Fly.io"
 };
 
 export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@@ -38,7 +41,10 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.HCVault]: AppConnection.HCVault,
   [SecretSync.TeamCity]: AppConnection.TeamCity,
   [SecretSync.OCIVault]: AppConnection.OCI,
-  [SecretSync.OnePass]: AppConnection.OnePass
+  [SecretSync.OnePass]: AppConnection.OnePass,
+  [SecretSync.Heroku]: AppConnection.Heroku,
+  [SecretSync.Render]: AppConnection.Render,
+  [SecretSync.Flyio]: AppConnection.Flyio
 };
 
 export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
@@ -58,5 +64,8 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
   [SecretSync.HCVault]: SecretSyncPlanType.Regular,
   [SecretSync.TeamCity]: SecretSyncPlanType.Regular,
   [SecretSync.OCIVault]: SecretSyncPlanType.Enterprise,
-  [SecretSync.OnePass]: SecretSyncPlanType.Regular
+  [SecretSync.OnePass]: SecretSyncPlanType.Regular,
+  [SecretSync.Heroku]: SecretSyncPlanType.Regular,
+  [SecretSync.Render]: SecretSyncPlanType.Regular,
+  [SecretSync.Flyio]: SecretSyncPlanType.Regular
 };

backend/src/services/secret-sync/secret-sync-service.ts

@@ -1,4 +1,4 @@
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -89,7 +89,17 @@ export const secretSyncServiceFactory = ({
       projectId
     });
 
-    return secretSyncs as TSecretSync[];
+    return secretSyncs.filter((secretSync) =>
+      permission.can(
+        ProjectPermissionSecretSyncActions.Read,
+        secretSync.environment && secretSync.folder
+          ? subject(ProjectPermissionSub.SecretSyncs, {
+              environment: secretSync.environment.slug,
+              secretPath: secretSync.folder.path
+            })
+          : ProjectPermissionSub.SecretSyncs
+      )
+    ) as TSecretSync[];
   };
 
   const listSecretSyncsBySecretPath = async (
@@ -105,7 +115,15 @@ export const secretSyncServiceFactory = ({
       projectId
     });
 
-    if (permission.cannot(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs)) {
+    if (
+      permission.cannot(
+        ProjectPermissionSecretSyncActions.Read,
+        subject(ProjectPermissionSub.SecretSyncs, {
+          environment,
+          secretPath
+        })
+      )
+    ) {
       return [];
     }
 
@@ -142,7 +160,12 @@ export const secretSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretSyncActions.Read,
-      ProjectPermissionSub.SecretSyncs
+      secretSync.environment && secretSync.folder
+        ? subject(ProjectPermissionSub.SecretSyncs, {
+            environment: secretSync.environment.slug,
+            secretPath: secretSync.folder.path
+          })
+        : ProjectPermissionSub.SecretSyncs
     );
 
     if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
@@ -179,7 +202,12 @@ export const secretSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretSyncActions.Read,
-      ProjectPermissionSub.SecretSyncs
+      secretSync.environment && secretSync.folder
+        ? subject(ProjectPermissionSub.SecretSyncs, {
+            environment: secretSync.environment.slug,
+            secretPath: secretSync.folder.path
+          })
+        : ProjectPermissionSub.SecretSyncs
     );
 
     if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
@@ -217,13 +245,17 @@ export const secretSyncServiceFactory = ({
 
     ForbiddenError.from(projectPermission).throwUnlessCan(
       ProjectPermissionSecretSyncActions.Create,
-      ProjectPermissionSub.SecretSyncs
+      subject(ProjectPermissionSub.SecretSyncs, { environment, secretPath })
     );
 
-    throwIfMissingSecretReadValueOrDescribePermission(projectPermission, ProjectPermissionSecretActions.ReadValue, {
-      environment,
-      secretPath
-    });
+    throwIfMissingSecretReadValueOrDescribePermission(
+      projectPermission,
+      ProjectPermissionSecretActions.DescribeSecret,
+      {
+        environment,
+        secretPath
+      }
+    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
 
@@ -286,10 +318,38 @@ export const secretSyncServiceFactory = ({
       projectId: secretSync.projectId
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionSecretSyncActions.Edit,
-      ProjectPermissionSub.SecretSyncs
-    );
+    // we always check the permission against the existing environment / secret path
+    // if no secret path / environment is present on the secret sync, we need to check without conditions
+    if (secretSync.environment?.slug && secretSync.folder?.path) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretSyncActions.Edit,
+        subject(ProjectPermissionSub.SecretSyncs, {
+          environment: secretSync.environment.slug,
+          secretPath: secretSync.folder.path
+        })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretSyncActions.Edit,
+        ProjectPermissionSub.SecretSyncs
+      );
+    }
+
+    // if the user is updating the secret path or environment, we need to check the permission against the new values
+    if (secretPath || environment) {
+      const environmentToCheck = environment || secretSync.environment?.slug || "";
+      const secretPathToCheck = secretPath || secretSync.folder?.path || "";
+
+      if (environmentToCheck && secretPathToCheck) {
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionSecretSyncActions.Edit,
+          subject(ProjectPermissionSub.SecretSyncs, {
+            environment: environmentToCheck,
+            secretPath: secretPathToCheck
+          })
+        );
+      }
+    }
 
     if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
       throw new BadRequestError({
@@ -315,7 +375,7 @@ export const secretSyncServiceFactory = ({
       if (!updatedEnvironment || !updatedSecretPath)
         throw new BadRequestError({ message: "Must specify both source environment and secret path" });
 
-      throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
+      throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.DescribeSecret, {
         environment: updatedEnvironment,
         secretPath: updatedSecretPath
       });
@@ -374,10 +434,20 @@ export const secretSyncServiceFactory = ({
       projectId: secretSync.projectId
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionSecretSyncActions.Delete,
-      ProjectPermissionSub.SecretSyncs
-    );
+    if (secretSync.environment?.slug && secretSync.folder?.path) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretSyncActions.Delete,
+        subject(ProjectPermissionSub.SecretSyncs, {
+          environment: secretSync.environment.slug,
+          secretPath: secretSync.folder.path
+        })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretSyncActions.Delete,
+        ProjectPermissionSub.SecretSyncs
+      );
+    }
 
     if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
       throw new BadRequestError({
@@ -441,10 +511,20 @@ export const secretSyncServiceFactory = ({
       projectId: secretSync.projectId
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionSecretSyncActions.SyncSecrets,
-      ProjectPermissionSub.SecretSyncs
-    );
+    if (secretSync.environment?.slug && secretSync.folder?.path) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretSyncActions.SyncSecrets,
+        subject(ProjectPermissionSub.SecretSyncs, {
+          environment: secretSync.environment.slug,
+          secretPath: secretSync.folder.path
+        })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretSyncActions.SyncSecrets,
+        ProjectPermissionSub.SecretSyncs
+      );
+    }
 
     if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
       throw new BadRequestError({
@@ -503,10 +583,20 @@ export const secretSyncServiceFactory = ({
       projectId: secretSync.projectId
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionSecretSyncActions.ImportSecrets,
-      ProjectPermissionSub.SecretSyncs
-    );
+    if (secretSync.environment?.slug && secretSync.folder?.path) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretSyncActions.ImportSecrets,
+        subject(ProjectPermissionSub.SecretSyncs, {
+          environment: secretSync.environment.slug,
+          secretPath: secretSync.folder.path
+        })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretSyncActions.ImportSecrets,
+        ProjectPermissionSub.SecretSyncs
+      );
+    }
 
     if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
       throw new BadRequestError({
@@ -559,10 +649,20 @@ export const secretSyncServiceFactory = ({
       projectId: secretSync.projectId
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionSecretSyncActions.RemoveSecrets,
-      ProjectPermissionSub.SecretSyncs
-    );
+    if (secretSync.environment?.slug && secretSync.folder?.path) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretSyncActions.RemoveSecrets,
+        subject(ProjectPermissionSub.SecretSyncs, {
+          environment: secretSync.environment.slug,
+          secretPath: secretSync.folder.path
+        })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretSyncActions.RemoveSecrets,
+        ProjectPermissionSub.SecretSyncs
+      );
+    }
 
     if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
       throw new BadRequestError({

backend/src/services/secret-sync/secret-sync-types.ts

@@ -72,6 +72,7 @@ import {
   TAzureKeyVaultSyncListItem,
   TAzureKeyVaultSyncWithCredentials
 } from "./azure-key-vault";
+import { TFlyioSync, TFlyioSyncInput, TFlyioSyncListItem, TFlyioSyncWithCredentials } from "./flyio/flyio-sync-types";
 import { TGcpSync, TGcpSyncInput, TGcpSyncListItem, TGcpSyncWithCredentials } from "./gcp";
 import {
   THCVaultSync,
@@ -79,12 +80,19 @@ import {
   THCVaultSyncListItem,
   THCVaultSyncWithCredentials
 } from "./hc-vault/hc-vault-sync-types";
+import { THerokuSync, THerokuSyncInput, THerokuSyncListItem, THerokuSyncWithCredentials } from "./heroku";
 import {
   THumanitecSync,
   THumanitecSyncInput,
   THumanitecSyncListItem,
   THumanitecSyncWithCredentials
 } from "./humanitec";
+import {
+  TRenderSync,
+  TRenderSyncInput,
+  TRenderSyncListItem,
+  TRenderSyncWithCredentials
+} from "./render/render-sync-types";
 import {
   TTeamCitySync,
   TTeamCitySyncInput,
@@ -116,7 +124,10 @@ export type TSecretSync =
   | THCVaultSync
   | TTeamCitySync
   | TOCIVaultSync
-  | TOnePassSync;
+  | TOnePassSync
+  | THerokuSync
+  | TRenderSync
+  | TFlyioSync;
 
 export type TSecretSyncWithCredentials =
   | TAwsParameterStoreSyncWithCredentials
@@ -135,7 +146,10 @@ export type TSecretSyncWithCredentials =
   | THCVaultSyncWithCredentials
   | TTeamCitySyncWithCredentials
   | TOCIVaultSyncWithCredentials
-  | TOnePassSyncWithCredentials;
+  | TOnePassSyncWithCredentials
+  | THerokuSyncWithCredentials
+  | TRenderSyncWithCredentials
+  | TFlyioSyncWithCredentials;
 
 export type TSecretSyncInput =
   | TAwsParameterStoreSyncInput
@@ -154,7 +168,10 @@ export type TSecretSyncInput =
   | THCVaultSyncInput
   | TTeamCitySyncInput
   | TOCIVaultSyncInput
-  | TOnePassSyncInput;
+  | TOnePassSyncInput
+  | THerokuSyncInput
+  | TRenderSyncInput
+  | TFlyioSyncInput;
 
 export type TSecretSyncListItem =
   | TAwsParameterStoreSyncListItem
@@ -173,7 +190,10 @@ export type TSecretSyncListItem =
   | THCVaultSyncListItem
   | TTeamCitySyncListItem
   | TOCIVaultSyncListItem
-  | TOnePassSyncListItem;
+  | TOnePassSyncListItem
+  | THerokuSyncListItem
+  | TRenderSyncListItem
+  | TFlyioSyncListItem;
 
 export type TSyncOptionsConfig = {
   canImportSecrets: boolean;

backend/src/services/super-admin/super-admin-service.ts

@@ -1,4 +1,5 @@
 import bcrypt from "bcrypt";
+import { CronJob } from "cron";
 import jwt from "jsonwebtoken";
 
 import { IdentityAuthMethod, OrgMembershipRole, TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
@@ -8,6 +9,7 @@ import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 import { TIdentityDALFactory } from "@app/services/identity/identity-dal";
 
 import { TAuthLoginFactory } from "../auth/auth-login-service";
@@ -35,6 +37,7 @@ import {
   TAdminBootstrapInstanceDTO,
   TAdminGetIdentitiesDTO,
   TAdminGetUsersDTO,
+  TAdminIntegrationConfig,
   TAdminSignUpDTO,
   TGetOrganizationsDTO
 } from "./super-admin-types";
@@ -70,6 +73,31 @@ export let getServerCfg: () => Promise<
   }
 >;
 
+let adminIntegrationsConfig: TAdminIntegrationConfig = {
+  slack: {
+    clientSecret: "",
+    clientId: ""
+  },
+  microsoftTeams: {
+    appId: "",
+    clientSecret: "",
+    botId: ""
+  },
+  gitHubAppConnection: {
+    clientId: "",
+    clientSecret: "",
+    appSlug: "",
+    appId: "",
+    privateKey: ""
+  }
+};
+
+Object.freeze(adminIntegrationsConfig);
+
+export const getInstanceIntegrationsConfig = () => {
+  return adminIntegrationsConfig;
+};
+
 const ADMIN_CONFIG_KEY = "infisical-admin-cfg";
 const ADMIN_CONFIG_KEY_EXP = 60; // 60s
 export const ADMIN_CONFIG_DB_UUID = "00000000-0000-0000-0000-000000000000";
@@ -138,6 +166,74 @@ export const superAdminServiceFactory = ({
     return serverCfg;
   };
 
+  const getAdminIntegrationsConfig = async () => {
+    const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
+
+    if (!serverCfg) {
+      throw new NotFoundError({ name: "AdminConfig", message: "Admin config not found" });
+    }
+
+    const decrypt = kmsService.decryptWithRootKey();
+
+    const slackClientId = serverCfg.encryptedSlackClientId ? decrypt(serverCfg.encryptedSlackClientId).toString() : "";
+    const slackClientSecret = serverCfg.encryptedSlackClientSecret
+      ? decrypt(serverCfg.encryptedSlackClientSecret).toString()
+      : "";
+
+    const microsoftAppId = serverCfg.encryptedMicrosoftTeamsAppId
+      ? decrypt(serverCfg.encryptedMicrosoftTeamsAppId).toString()
+      : "";
+    const microsoftClientSecret = serverCfg.encryptedMicrosoftTeamsClientSecret
+      ? decrypt(serverCfg.encryptedMicrosoftTeamsClientSecret).toString()
+      : "";
+    const microsoftBotId = serverCfg.encryptedMicrosoftTeamsBotId
+      ? decrypt(serverCfg.encryptedMicrosoftTeamsBotId).toString()
+      : "";
+
+    const gitHubAppConnectionClientId = serverCfg.encryptedGitHubAppConnectionClientId
+      ? decrypt(serverCfg.encryptedGitHubAppConnectionClientId).toString()
+      : "";
+    const gitHubAppConnectionClientSecret = serverCfg.encryptedGitHubAppConnectionClientSecret
+      ? decrypt(serverCfg.encryptedGitHubAppConnectionClientSecret).toString()
+      : "";
+
+    const gitHubAppConnectionAppSlug = serverCfg.encryptedGitHubAppConnectionSlug
+      ? decrypt(serverCfg.encryptedGitHubAppConnectionSlug).toString()
+      : "";
+
+    const gitHubAppConnectionAppId = serverCfg.encryptedGitHubAppConnectionId
+      ? decrypt(serverCfg.encryptedGitHubAppConnectionId).toString()
+      : "";
+    const gitHubAppConnectionAppPrivateKey = serverCfg.encryptedGitHubAppConnectionPrivateKey
+      ? decrypt(serverCfg.encryptedGitHubAppConnectionPrivateKey).toString()
+      : "";
+
+    return {
+      slack: {
+        clientSecret: slackClientSecret,
+        clientId: slackClientId
+      },
+      microsoftTeams: {
+        appId: microsoftAppId,
+        clientSecret: microsoftClientSecret,
+        botId: microsoftBotId
+      },
+      gitHubAppConnection: {
+        clientId: gitHubAppConnectionClientId,
+        clientSecret: gitHubAppConnectionClientSecret,
+        appSlug: gitHubAppConnectionAppSlug,
+        appId: gitHubAppConnectionAppId,
+        privateKey: gitHubAppConnectionAppPrivateKey
+      }
+    };
+  };
+
+  const $syncAdminIntegrationConfig = async () => {
+    const config = await getAdminIntegrationsConfig();
+    Object.freeze(config);
+    adminIntegrationsConfig = config;
+  };
+
   const updateServerCfg = async (
     data: TSuperAdminUpdate & {
       slackClientId?: string;
@@ -145,6 +241,11 @@ export const superAdminServiceFactory = ({
       microsoftTeamsAppId?: string;
       microsoftTeamsClientSecret?: string;
       microsoftTeamsBotId?: string;
+      gitHubAppConnectionClientId?: string;
+      gitHubAppConnectionClientSecret?: string;
+      gitHubAppConnectionSlug?: string;
+      gitHubAppConnectionId?: string;
+      gitHubAppConnectionPrivateKey?: string;
     },
     userId: string
   ) => {
@@ -236,10 +337,51 @@ export const superAdminServiceFactory = ({
       updatedData.microsoftTeamsBotId = undefined;
       microsoftTeamsSettingsUpdated = true;
     }
+
+    let gitHubAppConnectionSettingsUpdated = false;
+    if (data.gitHubAppConnectionClientId !== undefined) {
+      const encryptedClientId = encryptWithRoot(Buffer.from(data.gitHubAppConnectionClientId));
+      updatedData.encryptedGitHubAppConnectionClientId = encryptedClientId;
+      updatedData.gitHubAppConnectionClientId = undefined;
+      gitHubAppConnectionSettingsUpdated = true;
+    }
+
+    if (data.gitHubAppConnectionClientSecret !== undefined) {
+      const encryptedClientSecret = encryptWithRoot(Buffer.from(data.gitHubAppConnectionClientSecret));
+      updatedData.encryptedGitHubAppConnectionClientSecret = encryptedClientSecret;
+      updatedData.gitHubAppConnectionClientSecret = undefined;
+      gitHubAppConnectionSettingsUpdated = true;
+    }
+
+    if (data.gitHubAppConnectionSlug !== undefined) {
+      const encryptedAppSlug = encryptWithRoot(Buffer.from(data.gitHubAppConnectionSlug));
+      updatedData.encryptedGitHubAppConnectionSlug = encryptedAppSlug;
+      updatedData.gitHubAppConnectionSlug = undefined;
+      gitHubAppConnectionSettingsUpdated = true;
+    }
+
+    if (data.gitHubAppConnectionId !== undefined) {
+      const encryptedAppId = encryptWithRoot(Buffer.from(data.gitHubAppConnectionId));
+      updatedData.encryptedGitHubAppConnectionId = encryptedAppId;
+      updatedData.gitHubAppConnectionId = undefined;
+      gitHubAppConnectionSettingsUpdated = true;
+    }
+
+    if (data.gitHubAppConnectionPrivateKey !== undefined) {
+      const encryptedAppPrivateKey = encryptWithRoot(Buffer.from(data.gitHubAppConnectionPrivateKey));
+      updatedData.encryptedGitHubAppConnectionPrivateKey = encryptedAppPrivateKey;
+      updatedData.gitHubAppConnectionPrivateKey = undefined;
+      gitHubAppConnectionSettingsUpdated = true;
+    }
+
     const updatedServerCfg = await serverCfgDAL.updateById(ADMIN_CONFIG_DB_UUID, updatedData);
 
     await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(updatedServerCfg));
 
+    if (gitHubAppConnectionSettingsUpdated) {
+      await $syncAdminIntegrationConfig();
+    }
+
     if (
       updatedServerCfg.encryptedMicrosoftTeamsAppId &&
       updatedServerCfg.encryptedMicrosoftTeamsClientSecret &&
@@ -593,43 +735,6 @@ export const superAdminServiceFactory = ({
     await userDAL.updateById(userId, { superAdmin: true });
   };
 
-  const getAdminIntegrationsConfig = async () => {
-    const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
-
-    if (!serverCfg) {
-      throw new NotFoundError({ name: "AdminConfig", message: "Admin config not found" });
-    }
-
-    const decrypt = kmsService.decryptWithRootKey();
-
-    const slackClientId = serverCfg.encryptedSlackClientId ? decrypt(serverCfg.encryptedSlackClientId).toString() : "";
-    const slackClientSecret = serverCfg.encryptedSlackClientSecret
-      ? decrypt(serverCfg.encryptedSlackClientSecret).toString()
-      : "";
-
-    const microsoftAppId = serverCfg.encryptedMicrosoftTeamsAppId
-      ? decrypt(serverCfg.encryptedMicrosoftTeamsAppId).toString()
-      : "";
-    const microsoftClientSecret = serverCfg.encryptedMicrosoftTeamsClientSecret
-      ? decrypt(serverCfg.encryptedMicrosoftTeamsClientSecret).toString()
-      : "";
-    const microsoftBotId = serverCfg.encryptedMicrosoftTeamsBotId
-      ? decrypt(serverCfg.encryptedMicrosoftTeamsBotId).toString()
-      : "";
-
-    return {
-      slack: {
-        clientSecret: slackClientSecret,
-        clientId: slackClientId
-      },
-      microsoftTeams: {
-        appId: microsoftAppId,
-        clientSecret: microsoftClientSecret,
-        botId: microsoftBotId
-      }
-    };
-  };
-
   const getConfiguredEncryptionStrategies = async () => {
     const appCfg = getConfig();
 
@@ -696,6 +801,19 @@ export const superAdminServiceFactory = ({
     return (await keyStore.getItem("invalidating-cache")) !== null;
   };
 
+  const initializeAdminIntegrationConfigSync = async () => {
+    logger.info("Setting up background sync process for admin integrations config");
+
+    // initial sync upon startup
+    await $syncAdminIntegrationConfig();
+
+    // sync admin integrations config every 5 minutes
+    const job = new CronJob("*/5 * * * *", $syncAdminIntegrationConfig);
+    job.start();
+
+    return job;
+  };
+
   return {
     initServerCfg,
     updateServerCfg,
@@ -714,6 +832,7 @@ export const superAdminServiceFactory = ({
     checkIfInvalidatingCache,
     getOrganizations,
     deleteOrganization,
-    deleteOrganizationMembership
+    deleteOrganizationMembership,
+    initializeAdminIntegrationConfigSync
   };
 };

backend/src/services/super-admin/super-admin-types.ts

@@ -55,3 +55,22 @@ export enum CacheType {
   ALL = "all",
   SECRETS = "secrets"
 }
+
+export type TAdminIntegrationConfig = {
+  slack: {
+    clientSecret: string;
+    clientId: string;
+  };
+  microsoftTeams: {
+    appId: string;
+    clientSecret: string;
+    botId: string;
+  };
+  gitHubAppConnection: {
+    clientId: string;
+    clientSecret: string;
+    appSlug: string;
+    appId: string;
+    privateKey: string;
+  };
+};

backend/src/services/telemetry/telemetry-types.ts

@@ -81,6 +81,7 @@ export type TMachineIdentityCreatedEvent = {
   event: PostHogEventTypes.MachineIdentityCreated;
   properties: {
     name: string;
+    hasDeleteProtection: boolean;
     orgId: string;
     identityId: string;
   };

company/documentation/engineering/oncall-summery-template.mdx

@@ -4,7 +4,7 @@ sidebarTitle: "Summary template"
 ---
 
 ```plain
-Date: MM/DD/YY-MM/DD/YY
+Date: MM/DD/YY-MM/DD/YY (day)
 
 Notable incidents:
 -  [<open/resolved>] <details of the incident including who was impacted. what you did to mitigate/patch the issue>

docs/api-reference/endpoints/app-connections/flyio/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/flyio/available"
+---

docs/api-reference/endpoints/app-connections/flyio/create.mdx

@@ -0,0 +1,8 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/flyio"
+---
+
+<Note>
+    Check out the configuration docs for [Fly.io Connections](/integrations/app-connections/flyio) to learn how to obtain the required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/flyio/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/flyio/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/flyio/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/flyio/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/flyio/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/flyio/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/flyio/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/flyio"
+---

docs/api-reference/endpoints/app-connections/flyio/update.mdx

@@ -0,0 +1,8 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/flyio/{connectionId}"
+---
+
+<Note>
+    Check out the configuration docs for [Fly.io Connections](/integrations/app-connections/flyio) to learn how to obtain the required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/heroku/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/heroku/available"
+---

docs/api-reference/endpoints/app-connections/heroku/create.mdx

@@ -0,0 +1,10 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/heroku"
+---
+
+<Note>
+    Heroku OAuth Connections must be created through the Infisical UI.
+    Check out the configuration docs for [Heroku OAuth Connections](/integrations/app-connections/heroku) for a step-by-step
+    guide.
+</Note>

docs/api-reference/endpoints/app-connections/heroku/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/heroku/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/heroku/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/heroku/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/heroku/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/heroku/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/heroku/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/heroku"
+---

docs/api-reference/endpoints/app-connections/heroku/update.mdx

@@ -0,0 +1,10 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/heroku/{connectionId}"
+---
+
+<Note>
+    Heroku OAuth Connections must be updated through the Infisical UI.
+    Check out the configuration docs for [Heroku OAuth Connections](/integrations/app-connections/heroku) for a step-by-step
+    guide.
+</Note>

docs/api-reference/endpoints/app-connections/render/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/render/available"
+---

docs/api-reference/endpoints/app-connections/render/create.mdx

@@ -0,0 +1,10 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/render"
+---
+
+<Note>
+  Check out the configuration docs for [Render
+  Connections](/integrations/app-connections/render) to learn how to obtain the
+  required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/render/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/render/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/render/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/render/{connectionId}"
+---