fix typo of bulk to batch

Fix: AWS Secrets Manager Remove Deletion of other Secrets from Many-to-One Mapping

backend/src/@types/fastify.d.ts

@@ -16,6 +16,9 @@ import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/extern
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
+import { TKmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
+import { TKmipOperationServiceFactory } from "@app/ee/services/kmip/kmip-operation-service";
+import { TKmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
@@ -126,6 +129,11 @@ declare module "fastify" {
       isUserCompleted: string;
       providerAuthToken: string;
     };
+    kmipUser: {
+      projectId: string;
+      clientId: string;
+      name: string;
+    };
     auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
     ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
     ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
@@ -218,11 +226,14 @@ declare module "fastify" {
       totp: TTotpServiceFactory;
       appConnection: TAppConnectionServiceFactory;
       secretSync: TSecretSyncServiceFactory;
+      kmip: TKmipServiceFactory;
+      kmipOperation: TKmipOperationServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer
     store: {
       user: Pick<TUserDALFactory, "findById">;
+      kmipClient: Pick<TKmipClientDALFactory, "findByProjectAndClientId">;
     };
   }
 }

backend/src/@types/knex.d.ts

@@ -143,6 +143,18 @@ import {
   TInternalKms,
   TInternalKmsInsert,
   TInternalKmsUpdate,
+  TKmipClientCertificates,
+  TKmipClientCertificatesInsert,
+  TKmipClientCertificatesUpdate,
+  TKmipClients,
+  TKmipClientsInsert,
+  TKmipClientsUpdate,
+  TKmipOrgConfigs,
+  TKmipOrgConfigsInsert,
+  TKmipOrgConfigsUpdate,
+  TKmipOrgServerCertificates,
+  TKmipOrgServerCertificatesInsert,
+  TKmipOrgServerCertificatesUpdate,
   TKmsKeys,
   TKmsKeysInsert,
   TKmsKeysUpdate,
@@ -902,5 +914,21 @@ declare module "knex/types/tables" {
       TAppConnectionsUpdate
     >;
     [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
+    [TableName.KmipClient]: KnexOriginal.CompositeTableType<TKmipClients, TKmipClientsInsert, TKmipClientsUpdate>;
+    [TableName.KmipOrgConfig]: KnexOriginal.CompositeTableType<
+      TKmipOrgConfigs,
+      TKmipOrgConfigsInsert,
+      TKmipOrgConfigsUpdate
+    >;
+    [TableName.KmipOrgServerCertificates]: KnexOriginal.CompositeTableType<
+      TKmipOrgServerCertificates,
+      TKmipOrgServerCertificatesInsert,
+      TKmipOrgServerCertificatesUpdate
+    >;
+    [TableName.KmipClientCertificates]: KnexOriginal.CompositeTableType<
+      TKmipClientCertificates,
+      TKmipClientCertificatesInsert,
+      TKmipClientCertificatesUpdate
+    >;
   }
 }

backend/src/db/migrations/20250203141127_add-kmip.ts

@@ -0,0 +1,108 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
+  if (!hasKmipClientTable) {
+    await knex.schema.createTable(TableName.KmipClient, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name").notNullable();
+      t.specificType("permissions", "text[]");
+      t.string("description");
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+    });
+  }
+
+  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
+  if (!hasKmipOrgPkiConfig) {
+    await knex.schema.createTable(TableName.KmipOrgConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.unique("orgId");
+
+      t.string("caKeyAlgorithm").notNullable();
+
+      t.datetime("rootCaIssuedAt").notNullable();
+      t.datetime("rootCaExpiration").notNullable();
+      t.string("rootCaSerialNumber").notNullable();
+      t.binary("encryptedRootCaCertificate").notNullable();
+      t.binary("encryptedRootCaPrivateKey").notNullable();
+
+      t.datetime("serverIntermediateCaIssuedAt").notNullable();
+      t.datetime("serverIntermediateCaExpiration").notNullable();
+      t.string("serverIntermediateCaSerialNumber");
+      t.binary("encryptedServerIntermediateCaCertificate").notNullable();
+      t.binary("encryptedServerIntermediateCaChain").notNullable();
+      t.binary("encryptedServerIntermediateCaPrivateKey").notNullable();
+
+      t.datetime("clientIntermediateCaIssuedAt").notNullable();
+      t.datetime("clientIntermediateCaExpiration").notNullable();
+      t.string("clientIntermediateCaSerialNumber").notNullable();
+      t.binary("encryptedClientIntermediateCaCertificate").notNullable();
+      t.binary("encryptedClientIntermediateCaChain").notNullable();
+      t.binary("encryptedClientIntermediateCaPrivateKey").notNullable();
+
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.KmipOrgConfig);
+  }
+
+  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
+  if (!hasKmipOrgServerCertTable) {
+    await knex.schema.createTable(TableName.KmipOrgServerCertificates, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.string("commonName").notNullable();
+      t.string("altNames").notNullable();
+      t.string("serialNumber").notNullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("issuedAt").notNullable();
+      t.datetime("expiration").notNullable();
+      t.binary("encryptedCertificate").notNullable();
+      t.binary("encryptedChain").notNullable();
+    });
+  }
+
+  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
+  if (!hasKmipClientCertTable) {
+    await knex.schema.createTable(TableName.KmipClientCertificates, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("kmipClientId").notNullable();
+      t.foreign("kmipClientId").references("id").inTable(TableName.KmipClient).onDelete("CASCADE");
+      t.string("serialNumber").notNullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("issuedAt").notNullable();
+      t.datetime("expiration").notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
+  if (hasKmipOrgPkiConfig) {
+    await knex.schema.dropTable(TableName.KmipOrgConfig);
+    await dropOnUpdateTrigger(knex, TableName.KmipOrgConfig);
+  }
+
+  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
+  if (hasKmipOrgServerCertTable) {
+    await knex.schema.dropTable(TableName.KmipOrgServerCertificates);
+  }
+
+  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
+  if (hasKmipClientCertTable) {
+    await knex.schema.dropTable(TableName.KmipClientCertificates);
+  }
+
+  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
+  if (hasKmipClientTable) {
+    await knex.schema.dropTable(TableName.KmipClient);
+  }
+}

backend/src/db/schemas/index.ts

@@ -45,6 +45,10 @@ export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
 export * from "./internal-kms";
+export * from "./kmip-client-certificates";
+export * from "./kmip-clients";
+export * from "./kmip-org-configs";
+export * from "./kmip-org-server-certificates";
 export * from "./kms-key-versions";
 export * from "./kms-keys";
 export * from "./kms-root-config";

backend/src/db/schemas/kmip-client-certificates.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipClientCertificatesSchema = z.object({
+  id: z.string().uuid(),
+  kmipClientId: z.string().uuid(),
+  serialNumber: z.string(),
+  keyAlgorithm: z.string(),
+  issuedAt: z.date(),
+  expiration: z.date()
+});
+
+export type TKmipClientCertificates = z.infer<typeof KmipClientCertificatesSchema>;
+export type TKmipClientCertificatesInsert = Omit<z.input<typeof KmipClientCertificatesSchema>, TImmutableDBKeys>;
+export type TKmipClientCertificatesUpdate = Partial<
+  Omit<z.input<typeof KmipClientCertificatesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/kmip-clients.ts

@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipClientsSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  permissions: z.string().array().nullable().optional(),
+  description: z.string().nullable().optional(),
+  projectId: z.string()
+});
+
+export type TKmipClients = z.infer<typeof KmipClientsSchema>;
+export type TKmipClientsInsert = Omit<z.input<typeof KmipClientsSchema>, TImmutableDBKeys>;
+export type TKmipClientsUpdate = Partial<Omit<z.input<typeof KmipClientsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/kmip-org-configs.ts

@@ -0,0 +1,39 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipOrgConfigsSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  caKeyAlgorithm: z.string(),
+  rootCaIssuedAt: z.date(),
+  rootCaExpiration: z.date(),
+  rootCaSerialNumber: z.string(),
+  encryptedRootCaCertificate: zodBuffer,
+  encryptedRootCaPrivateKey: zodBuffer,
+  serverIntermediateCaIssuedAt: z.date(),
+  serverIntermediateCaExpiration: z.date(),
+  serverIntermediateCaSerialNumber: z.string().nullable().optional(),
+  encryptedServerIntermediateCaCertificate: zodBuffer,
+  encryptedServerIntermediateCaChain: zodBuffer,
+  encryptedServerIntermediateCaPrivateKey: zodBuffer,
+  clientIntermediateCaIssuedAt: z.date(),
+  clientIntermediateCaExpiration: z.date(),
+  clientIntermediateCaSerialNumber: z.string(),
+  encryptedClientIntermediateCaCertificate: zodBuffer,
+  encryptedClientIntermediateCaChain: zodBuffer,
+  encryptedClientIntermediateCaPrivateKey: zodBuffer,
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TKmipOrgConfigs = z.infer<typeof KmipOrgConfigsSchema>;
+export type TKmipOrgConfigsInsert = Omit<z.input<typeof KmipOrgConfigsSchema>, TImmutableDBKeys>;
+export type TKmipOrgConfigsUpdate = Partial<Omit<z.input<typeof KmipOrgConfigsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/kmip-org-server-certificates.ts

@@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipOrgServerCertificatesSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  commonName: z.string(),
+  altNames: z.string(),
+  serialNumber: z.string(),
+  keyAlgorithm: z.string(),
+  issuedAt: z.date(),
+  expiration: z.date(),
+  encryptedCertificate: zodBuffer,
+  encryptedChain: zodBuffer
+});
+
+export type TKmipOrgServerCertificates = z.infer<typeof KmipOrgServerCertificatesSchema>;
+export type TKmipOrgServerCertificatesInsert = Omit<z.input<typeof KmipOrgServerCertificatesSchema>, TImmutableDBKeys>;
+export type TKmipOrgServerCertificatesUpdate = Partial<
+  Omit<z.input<typeof KmipOrgServerCertificatesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/models.ts

@@ -132,7 +132,11 @@ export enum TableName {
   SlackIntegrations = "slack_integrations",
   ProjectSlackConfigs = "project_slack_configs",
   AppConnection = "app_connections",
-  SecretSync = "secret_syncs"
+  SecretSync = "secret_syncs",
+  KmipClient = "kmip_clients",
+  KmipOrgConfig = "kmip_org_configs",
+  KmipOrgServerCertificates = "kmip_org_server_certificates",
+  KmipClientCertificates = "kmip_client_certificates"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";

backend/src/ee/routes/v1/index.ts

@@ -9,6 +9,8 @@ import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerExternalKmsRouter } from "./external-kms-router";
 import { registerGroupRouter } from "./group-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
+import { registerKmipRouter } from "./kmip-router";
+import { registerKmipSpecRouter } from "./kmip-spec-router";
 import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOidcRouter } from "./oidc-router";
@@ -110,4 +112,12 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   });
 
   await server.register(registerProjectTemplateRouter, { prefix: "/project-templates" });
+
+  await server.register(
+    async (kmipRouter) => {
+      await kmipRouter.register(registerKmipRouter);
+      await kmipRouter.register(registerKmipSpecRouter, { prefix: "/spec" });
+    },
+    { prefix: "/kmip" }
+  );
 };

backend/src/ee/routes/v1/kmip-router.ts

@@ -0,0 +1,428 @@
+import ms from "ms";
+import { z } from "zod";
+
+import { KmipClientsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KmipPermission } from "@app/ee/services/kmip/kmip-enum";
+import { KmipClientOrderBy } from "@app/ee/services/kmip/kmip-types";
+import { OrderByDirection } from "@app/lib/types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+import { validateAltNamesField } from "@app/services/certificate-authority/certificate-authority-validators";
+
+const KmipClientResponseSchema = KmipClientsSchema.pick({
+  projectId: true,
+  name: true,
+  id: true,
+  description: true,
+  permissions: true
+});
+
+export const registerKmipRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/clients",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        projectId: z.string(),
+        name: z.string().trim().min(1),
+        description: z.string().optional(),
+        permissions: z.nativeEnum(KmipPermission).array()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.createKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.CREATE_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id,
+            name: kmipClient.name,
+            permissions: (kmipClient.permissions ?? []) as KmipPermission[]
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/clients/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      body: z.object({
+        name: z.string().trim().min(1),
+        description: z.string().optional(),
+        permissions: z.nativeEnum(KmipPermission).array()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.updateKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.UPDATE_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id,
+            name: kmipClient.name,
+            permissions: (kmipClient.permissions ?? []) as KmipPermission[]
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/clients/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.deleteKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.DELETE_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/clients/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.getKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.GET_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/clients",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List KMIP clients",
+      querystring: z.object({
+        projectId: z.string(),
+        offset: z.coerce.number().min(0).optional().default(0),
+        limit: z.coerce.number().min(1).max(100).optional().default(100),
+        orderBy: z.nativeEnum(KmipClientOrderBy).optional().default(KmipClientOrderBy.Name),
+        orderDirection: z.nativeEnum(OrderByDirection).optional().default(OrderByDirection.ASC),
+        search: z.string().trim().optional()
+      }),
+      response: {
+        200: z.object({
+          kmipClients: KmipClientResponseSchema.array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { kmipClients, totalCount } = await server.services.kmip.listKmipClientsByProjectId({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_KMIP_CLIENTS,
+          metadata: {
+            ids: kmipClients.map((key) => key.id)
+          }
+        }
+      });
+
+      return { kmipClients, totalCount };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/clients/:id/certificates",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      body: z.object({
+        keyAlgorithm: z.nativeEnum(CertKeyAlgorithm),
+        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number")
+      }),
+      response: {
+        200: z.object({
+          serialNumber: z.string(),
+          certificateChain: z.string(),
+          certificate: z.string(),
+          privateKey: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const certificate = await server.services.kmip.createKmipClientCertificate({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        clientId: req.params.id,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: certificate.projectId,
+        event: {
+          type: EventType.CREATE_KMIP_CLIENT_CERTIFICATE,
+          metadata: {
+            clientId: req.params.id,
+            serialNumber: certificate.serialNumber,
+            ttl: req.body.ttl,
+            keyAlgorithm: req.body.keyAlgorithm
+          }
+        }
+      });
+
+      return certificate;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        caKeyAlgorithm: z.nativeEnum(CertKeyAlgorithm)
+      }),
+      response: {
+        200: z.object({
+          serverCertificateChain: z.string(),
+          clientCertificateChain: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const chains = await server.services.kmip.setupOrgKmip({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.SETUP_KMIP,
+          metadata: {
+            keyAlgorithm: req.body.caKeyAlgorithm
+          }
+        }
+      });
+
+      return chains;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          serverCertificateChain: z.string(),
+          clientCertificateChain: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmip = await server.services.kmip.getOrgKmip({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_KMIP,
+          metadata: {
+            id: kmip.id
+          }
+        }
+      });
+
+      return kmip;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/server-registration",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        hostnamesOrIps: validateAltNamesField,
+        commonName: z.string().trim().min(1).optional(),
+        keyAlgorithm: z.nativeEnum(CertKeyAlgorithm).optional().default(CertKeyAlgorithm.RSA_2048),
+        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number")
+      }),
+      response: {
+        200: z.object({
+          clientCertificateChain: z.string(),
+          certificateChain: z.string(),
+          certificate: z.string(),
+          privateKey: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const configs = await server.services.kmip.registerServer({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.REGISTER_KMIP_SERVER,
+          metadata: {
+            serverCertificateSerialNumber: configs.serverCertificateSerialNumber,
+            hostnamesOrIps: req.body.hostnamesOrIps,
+            commonName: req.body.commonName ?? "kmip-server",
+            keyAlgorithm: req.body.keyAlgorithm,
+            ttl: req.body.ttl
+          }
+        }
+      });
+
+      return configs;
+    }
+  });
+};

backend/src/ee/routes/v1/kmip-spec-router.ts

@@ -0,0 +1,477 @@
+import z from "zod";
+
+import { KmsKeysSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { ActorType, AuthMode } from "@app/services/auth/auth-type";
+
+export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
+  server.decorateRequest("kmipUser", null);
+
+  server.addHook("onRequest", async (req) => {
+    const clientId = req.headers["x-kmip-client-id"] as string;
+    const projectId = req.headers["x-kmip-project-id"] as string;
+    const clientCertSerialNumber = req.headers["x-kmip-client-certificate-serial-number"] as string;
+    const serverCertSerialNumber = req.headers["x-kmip-server-certificate-serial-number"] as string;
+
+    if (!serverCertSerialNumber) {
+      throw new ForbiddenRequestError({
+        message: "Missing server certificate serial number from request"
+      });
+    }
+
+    if (!clientCertSerialNumber) {
+      throw new ForbiddenRequestError({
+        message: "Missing client certificate serial number from request"
+      });
+    }
+
+    if (!clientId) {
+      throw new ForbiddenRequestError({
+        message: "Missing client ID from request"
+      });
+    }
+
+    if (!projectId) {
+      throw new ForbiddenRequestError({
+        message: "Missing project ID from request"
+      });
+    }
+
+    // TODO: assert that server certificate used is not revoked
+    // TODO: assert that client certificate used is not revoked
+
+    const kmipClient = await server.store.kmipClient.findByProjectAndClientId(projectId, clientId);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: "KMIP client cannot be found."
+      });
+    }
+
+    if (kmipClient.orgId !== req.permission.orgId) {
+      throw new ForbiddenRequestError({
+        message: "Client specified in the request does not belong in the organization"
+      });
+    }
+
+    req.kmipUser = {
+      projectId,
+      clientId,
+      name: kmipClient.name
+    };
+  });
+
+  server.route({
+    method: "POST",
+    url: "/create",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for creating managed objects",
+      body: z.object({
+        algorithm: z.nativeEnum(SymmetricEncryption)
+      }),
+      response: {
+        200: KmsKeysSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.create({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        algorithm: req.body.algorithm
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_CREATE,
+          metadata: {
+            id: object.id,
+            algorithm: req.body.algorithm
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/get",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for getting managed objects",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          value: z.string(),
+          algorithm: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.get({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_GET,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/get-attributes",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for getting attributes of managed object",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          algorithm: z.string(),
+          isActive: z.boolean(),
+          createdAt: z.date(),
+          updatedAt: z.date()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.getAttributes({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_GET_ATTRIBUTES,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/destroy",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for destroying managed objects",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.destroy({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_DESTROY,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/activate",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for activating managed object",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          isActive: z.boolean()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.activate({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_ACTIVATE,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/revoke",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for revoking managed object",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          updatedAt: z.date()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.revoke({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_REVOKE,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/locate",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for locating managed objects",
+      response: {
+        200: z.object({
+          objects: z
+            .object({
+              id: z.string(),
+              name: z.string(),
+              isActive: z.boolean(),
+              algorithm: z.string(),
+              createdAt: z.date(),
+              updatedAt: z.date()
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const objects = await server.services.kmipOperation.locate({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_LOCATE,
+          metadata: {
+            ids: objects.map((obj) => obj.id)
+          }
+        }
+      });
+
+      return {
+        objects
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/register",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for registering managed object",
+      body: z.object({
+        key: z.string(),
+        name: z.string(),
+        algorithm: z.nativeEnum(SymmetricEncryption)
+      }),
+      response: {
+        200: z.object({
+          id: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.register({
+        ...req.kmipUser,
+        ...req.body,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_REGISTER,
+          metadata: {
+            id: object.id,
+            algorithm: req.body.algorithm,
+            name: object.name
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+};

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -21,6 +21,8 @@ import {
   TUpdateSecretSyncDTO
 } from "@app/services/secret-sync/secret-sync-types";
 
+import { KmipPermission } from "../kmip/kmip-enum";
+
 export type TListProjectAuditLogDTO = {
   filter: {
     userAgentType?: UserAgentType;
@@ -39,7 +41,14 @@ export type TListProjectAuditLogDTO = {
 
 export type TCreateAuditLogDTO = {
   event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
+  actor:
+    | UserActor
+    | IdentityActor
+    | ServiceActor
+    | ScimClientActor
+    | PlatformActor
+    | UnknownUserActor
+    | KmipClientActor;
   orgId?: string;
   projectId?: string;
 } & BaseAuthData;
@@ -252,7 +261,26 @@ export enum EventType {
   SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
   SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets",
   OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER = "oidc-group-membership-mapping-assign-user",
-  OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER = "oidc-group-membership-mapping-remove-user"
+  OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER = "oidc-group-membership-mapping-remove-user",
+  CREATE_KMIP_CLIENT = "create-kmip-client",
+  UPDATE_KMIP_CLIENT = "update-kmip-client",
+  DELETE_KMIP_CLIENT = "delete-kmip-client",
+  GET_KMIP_CLIENT = "get-kmip-client",
+  GET_KMIP_CLIENTS = "get-kmip-clients",
+  CREATE_KMIP_CLIENT_CERTIFICATE = "create-kmip-client-certificate",
+
+  SETUP_KMIP = "setup-kmip",
+  GET_KMIP = "get-kmip",
+  REGISTER_KMIP_SERVER = "register-kmip-server",
+
+  KMIP_OPERATION_CREATE = "kmip-operation-create",
+  KMIP_OPERATION_GET = "kmip-operation-get",
+  KMIP_OPERATION_DESTROY = "kmip-operation-destroy",
+  KMIP_OPERATION_GET_ATTRIBUTES = "kmip-operation-get-attributes",
+  KMIP_OPERATION_ACTIVATE = "kmip-operation-activate",
+  KMIP_OPERATION_REVOKE = "kmip-operation-revoke",
+  KMIP_OPERATION_LOCATE = "kmip-operation-locate",
+  KMIP_OPERATION_REGISTER = "kmip-operation-register"
 }
 
 interface UserActorMetadata {
@@ -275,6 +303,11 @@ interface ScimClientActorMetadata {}
 
 interface PlatformActorMetadata {}
 
+interface KmipClientActorMetadata {
+  clientId: string;
+  name: string;
+}
+
 interface UnknownUserActorMetadata {}
 
 export interface UserActor {
@@ -292,6 +325,11 @@ export interface PlatformActor {
   metadata: PlatformActorMetadata;
 }
 
+export interface KmipClientActor {
+  type: ActorType.KMIP_CLIENT;
+  metadata: KmipClientActorMetadata;
+}
+
 export interface UnknownUserActor {
   type: ActorType.UNKNOWN_USER;
   metadata: UnknownUserActorMetadata;
@@ -307,7 +345,7 @@ export interface ScimClientActor {
   metadata: ScimClientActorMetadata;
 }
 
-export type Actor = UserActor | ServiceActor | IdentityActor | ScimClientActor | PlatformActor;
+export type Actor = UserActor | ServiceActor | IdentityActor | ScimClientActor | PlatformActor | KmipClientActor;
 
 interface GetSecretsEvent {
   type: EventType.GET_SECRETS;
@@ -2091,6 +2129,139 @@ interface OidcGroupMembershipMappingRemoveUserEvent {
   };
 }
 
+interface CreateKmipClientEvent {
+  type: EventType.CREATE_KMIP_CLIENT;
+  metadata: {
+    name: string;
+    id: string;
+    permissions: KmipPermission[];
+  };
+}
+
+interface UpdateKmipClientEvent {
+  type: EventType.UPDATE_KMIP_CLIENT;
+  metadata: {
+    name: string;
+    id: string;
+    permissions: KmipPermission[];
+  };
+}
+
+interface DeleteKmipClientEvent {
+  type: EventType.DELETE_KMIP_CLIENT;
+  metadata: {
+    id: string;
+  };
+}
+
+interface GetKmipClientEvent {
+  type: EventType.GET_KMIP_CLIENT;
+  metadata: {
+    id: string;
+  };
+}
+
+interface GetKmipClientsEvent {
+  type: EventType.GET_KMIP_CLIENTS;
+  metadata: {
+    ids: string[];
+  };
+}
+
+interface CreateKmipClientCertificateEvent {
+  type: EventType.CREATE_KMIP_CLIENT_CERTIFICATE;
+  metadata: {
+    clientId: string;
+    ttl: string;
+    keyAlgorithm: string;
+    serialNumber: string;
+  };
+}
+
+interface KmipOperationGetEvent {
+  type: EventType.KMIP_OPERATION_GET;
+  metadata: {
+    id: string;
+  };
+}
+
+interface KmipOperationDestroyEvent {
+  type: EventType.KMIP_OPERATION_DESTROY;
+  metadata: {
+    id: string;
+  };
+}
+
+interface KmipOperationCreateEvent {
+  type: EventType.KMIP_OPERATION_CREATE;
+  metadata: {
+    id: string;
+    algorithm: string;
+  };
+}
+
+interface KmipOperationGetAttributesEvent {
+  type: EventType.KMIP_OPERATION_GET_ATTRIBUTES;
+  metadata: {
+    id: string;
+  };
+}
+
+interface KmipOperationActivateEvent {
+  type: EventType.KMIP_OPERATION_ACTIVATE;
+  metadata: {
+    id: string;
+  };
+}
+
+interface KmipOperationRevokeEvent {
+  type: EventType.KMIP_OPERATION_REVOKE;
+  metadata: {
+    id: string;
+  };
+}
+
+interface KmipOperationLocateEvent {
+  type: EventType.KMIP_OPERATION_LOCATE;
+  metadata: {
+    ids: string[];
+  };
+}
+
+interface KmipOperationRegisterEvent {
+  type: EventType.KMIP_OPERATION_REGISTER;
+  metadata: {
+    id: string;
+    algorithm: string;
+    name: string;
+  };
+}
+
+interface SetupKmipEvent {
+  type: EventType.SETUP_KMIP;
+  metadata: {
+    keyAlgorithm: CertKeyAlgorithm;
+  };
+}
+
+interface GetKmipEvent {
+  type: EventType.GET_KMIP;
+  metadata: {
+    id: string;
+  };
+}
+
+interface RegisterKmipServerEvent {
+  type: EventType.REGISTER_KMIP_SERVER;
+  metadata: {
+    serverCertificateSerialNumber: string;
+    hostnamesOrIps: string;
+    commonName: string;
+    keyAlgorithm: CertKeyAlgorithm;
+    ttl: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2282,4 +2453,21 @@ export type Event =
   | SecretSyncImportSecretsEvent
   | SecretSyncRemoveSecretsEvent
   | OidcGroupMembershipMappingAssignUserEvent
-  | OidcGroupMembershipMappingRemoveUserEvent;
+  | OidcGroupMembershipMappingRemoveUserEvent
+  | CreateKmipClientEvent
+  | UpdateKmipClientEvent
+  | DeleteKmipClientEvent
+  | GetKmipClientEvent
+  | GetKmipClientsEvent
+  | CreateKmipClientCertificateEvent
+  | SetupKmipEvent
+  | GetKmipEvent
+  | RegisterKmipServerEvent
+  | KmipOperationGetEvent
+  | KmipOperationDestroyEvent
+  | KmipOperationCreateEvent
+  | KmipOperationGetAttributesEvent
+  | KmipOperationActivateEvent
+  | KmipOperationRevokeEvent
+  | KmipOperationLocateEvent
+  | KmipOperationRegisterEvent;

backend/src/ee/services/kmip/kmip-client-certificate-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TKmipClientCertificateDALFactory = ReturnType<typeof kmipClientCertificateDALFactory>;
+
+export const kmipClientCertificateDALFactory = (db: TDbClient) => {
+  const kmipClientCertOrm = ormify(db, TableName.KmipClientCertificates);
+
+  return kmipClientCertOrm;
+};

backend/src/ee/services/kmip/kmip-client-dal.ts

@@ -0,0 +1,86 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName, TKmipClients } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+
+import { KmipClientOrderBy } from "./kmip-types";
+
+export type TKmipClientDALFactory = ReturnType<typeof kmipClientDALFactory>;
+
+export const kmipClientDALFactory = (db: TDbClient) => {
+  const kmipClientOrm = ormify(db, TableName.KmipClient);
+
+  const findByProjectAndClientId = async (projectId: string, clientId: string) => {
+    try {
+      const client = await db
+        .replicaNode()(TableName.KmipClient)
+        .join(TableName.Project, `${TableName.Project}.id`, `${TableName.KmipClient}.projectId`)
+        .join(TableName.Organization, `${TableName.Organization}.id`, `${TableName.Project}.orgId`)
+        .where({
+          [`${TableName.KmipClient}.projectId` as "projectId"]: projectId,
+          [`${TableName.KmipClient}.id` as "id"]: clientId
+        })
+        .select(selectAllTableCols(TableName.KmipClient))
+        .select(db.ref("id").withSchema(TableName.Organization).as("orgId"))
+        .first();
+
+      return client;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find by project and client ID" });
+    }
+  };
+
+  const findByProjectId = async (
+    {
+      projectId,
+      offset = 0,
+      limit,
+      orderBy = KmipClientOrderBy.Name,
+      orderDirection = OrderByDirection.ASC,
+      search
+    }: {
+      projectId: string;
+      offset?: number;
+      limit?: number;
+      orderBy?: KmipClientOrderBy;
+      orderDirection?: OrderByDirection;
+      search?: string;
+    },
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db.replicaNode())(TableName.KmipClient)
+        .where("projectId", projectId)
+        .where((qb) => {
+          if (search) {
+            void qb.whereILike("name", `%${search}%`);
+          }
+        })
+        .select<
+          (TKmipClients & {
+            total_count: number;
+          })[]
+        >(selectAllTableCols(TableName.KmipClient), db.raw(`count(*) OVER() as total_count`))
+        .orderBy(orderBy, orderDirection);
+
+      if (limit) {
+        void query.limit(limit).offset(offset);
+      }
+
+      const data = await query;
+
+      return { kmipClients: data, totalCount: Number(data?.[0]?.total_count ?? 0) };
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find KMIP clients by project id" });
+    }
+  };
+
+  return {
+    ...kmipClientOrm,
+    findByProjectId,
+    findByProjectAndClientId
+  };
+};

backend/src/ee/services/kmip/kmip-enum.ts

@@ -0,0 +1,11 @@
+export enum KmipPermission {
+  Create = "create",
+  Locate = "locate",
+  Check = "check",
+  Get = "get",
+  GetAttributes = "get-attributes",
+  Activate = "activate",
+  Revoke = "revoke",
+  Destroy = "destroy",
+  Register = "register"
+}

backend/src/ee/services/kmip/kmip-operation-service.ts

@@ -0,0 +1,422 @@
+import { ForbiddenError } from "@casl/ability";
+
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+
+import { OrgPermissionKmipActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TKmipClientDALFactory } from "./kmip-client-dal";
+import { KmipPermission } from "./kmip-enum";
+import {
+  TKmipCreateDTO,
+  TKmipDestroyDTO,
+  TKmipGetAttributesDTO,
+  TKmipGetDTO,
+  TKmipLocateDTO,
+  TKmipRegisterDTO,
+  TKmipRevokeDTO
+} from "./kmip-types";
+
+type TKmipOperationServiceFactoryDep = {
+  kmsService: TKmsServiceFactory;
+  kmsDAL: TKmsKeyDALFactory;
+  kmipClientDAL: TKmipClientDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "getProjectFromSplitId" | "findById">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+};
+
+export type TKmipOperationServiceFactory = ReturnType<typeof kmipOperationServiceFactory>;
+
+export const kmipOperationServiceFactory = ({
+  kmsService,
+  kmsDAL,
+  projectDAL,
+  kmipClientDAL,
+  permissionService
+}: TKmipOperationServiceFactoryDep) => {
+  const create = async ({
+    projectId,
+    clientId,
+    algorithm,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TKmipCreateDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Create)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP create"
+      });
+    }
+
+    const kmsKey = await kmsService.generateKmsKey({
+      encryptionAlgorithm: algorithm,
+      orgId: actorOrgId,
+      projectId,
+      isReserved: false
+    });
+
+    return kmsKey;
+  };
+
+  const destroy = async ({ projectId, id, clientId, actor, actorId, actorOrgId, actorAuthMethod }: TKmipDestroyDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Destroy)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP destroy"
+      });
+    }
+
+    const key = await kmsDAL.findOne({
+      id,
+      projectId
+    });
+
+    if (!key) {
+      throw new NotFoundError({ message: `Key with ID ${id} not found` });
+    }
+
+    if (key.isReserved) {
+      throw new BadRequestError({ message: "Cannot destroy reserved keys" });
+    }
+
+    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
+    if (!completeKeyDetails.internalKms) {
+      throw new BadRequestError({
+        message: "Cannot destroy external keys"
+      });
+    }
+
+    if (!completeKeyDetails.isDisabled) {
+      throw new BadRequestError({
+        message: "Cannot destroy active keys"
+      });
+    }
+
+    const kms = kmsDAL.deleteById(id);
+
+    return kms;
+  };
+
+  const get = async ({ projectId, id, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipGetDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Get)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP get"
+      });
+    }
+
+    const key = await kmsDAL.findOne({
+      id,
+      projectId
+    });
+
+    if (!key) {
+      throw new NotFoundError({ message: `Key with ID ${id} not found` });
+    }
+
+    if (key.isReserved) {
+      throw new BadRequestError({ message: "Cannot get reserved keys" });
+    }
+
+    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
+
+    if (!completeKeyDetails.internalKms) {
+      throw new BadRequestError({
+        message: "Cannot get external keys"
+      });
+    }
+
+    const kmsKey = await kmsService.getKeyMaterial({
+      kmsId: key.id
+    });
+
+    return {
+      id: key.id,
+      value: kmsKey.toString("base64"),
+      algorithm: completeKeyDetails.internalKms.encryptionAlgorithm,
+      isActive: !key.isDisabled,
+      createdAt: key.createdAt,
+      updatedAt: key.updatedAt
+    };
+  };
+
+  const activate = async ({ projectId, id, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipGetDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Activate)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP activate"
+      });
+    }
+
+    const key = await kmsDAL.findOne({
+      id,
+      projectId
+    });
+
+    if (!key) {
+      throw new NotFoundError({ message: `Key with ID ${id} not found` });
+    }
+
+    return {
+      id: key.id,
+      isActive: !key.isDisabled
+    };
+  };
+
+  const revoke = async ({ projectId, id, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipRevokeDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Revoke)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP revoke"
+      });
+    }
+
+    const key = await kmsDAL.findOne({
+      id,
+      projectId
+    });
+
+    if (!key) {
+      throw new NotFoundError({ message: `Key with ID ${id} not found` });
+    }
+
+    if (key.isReserved) {
+      throw new BadRequestError({ message: "Cannot revoke reserved keys" });
+    }
+
+    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
+
+    if (!completeKeyDetails.internalKms) {
+      throw new BadRequestError({
+        message: "Cannot revoke external keys"
+      });
+    }
+
+    const revokedKey = await kmsDAL.updateById(key.id, {
+      isDisabled: true
+    });
+
+    return {
+      id: key.id,
+      updatedAt: revokedKey.updatedAt
+    };
+  };
+
+  const getAttributes = async ({
+    projectId,
+    id,
+    clientId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TKmipGetAttributesDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.GetAttributes)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP get attributes"
+      });
+    }
+
+    const key = await kmsDAL.findOne({
+      id,
+      projectId
+    });
+
+    if (!key) {
+      throw new NotFoundError({ message: `Key with ID ${id} not found` });
+    }
+
+    if (key.isReserved) {
+      throw new BadRequestError({ message: "Cannot get reserved keys" });
+    }
+
+    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
+
+    if (!completeKeyDetails.internalKms) {
+      throw new BadRequestError({
+        message: "Cannot get external keys"
+      });
+    }
+
+    return {
+      id: key.id,
+      algorithm: completeKeyDetails.internalKms.encryptionAlgorithm,
+      isActive: !key.isDisabled,
+      createdAt: key.createdAt,
+      updatedAt: key.updatedAt
+    };
+  };
+
+  const locate = async ({ projectId, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipLocateDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Locate)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP locate"
+      });
+    }
+
+    const keys = await kmsDAL.findProjectCmeks(projectId);
+
+    return keys;
+  };
+
+  const register = async ({
+    projectId,
+    clientId,
+    key,
+    algorithm,
+    name,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TKmipRegisterDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Register)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP register"
+      });
+    }
+
+    const project = await projectDAL.findById(projectId);
+
+    const kmsKey = await kmsService.importKeyMaterial({
+      name,
+      key: Buffer.from(key, "base64"),
+      algorithm,
+      isReserved: false,
+      projectId,
+      orgId: project.orgId
+    });
+
+    return kmsKey;
+  };
+
+  return {
+    create,
+    get,
+    activate,
+    getAttributes,
+    destroy,
+    revoke,
+    locate,
+    register
+  };
+};

backend/src/ee/services/kmip/kmip-org-config-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TKmipOrgConfigDALFactory = ReturnType<typeof kmipOrgConfigDALFactory>;
+
+export const kmipOrgConfigDALFactory = (db: TDbClient) => {
+  const kmipOrgConfigOrm = ormify(db, TableName.KmipOrgConfig);
+
+  return kmipOrgConfigOrm;
+};

backend/src/ee/services/kmip/kmip-org-server-certificate-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TKmipOrgServerCertificateDALFactory = ReturnType<typeof kmipOrgServerCertificateDALFactory>;
+
+export const kmipOrgServerCertificateDALFactory = (db: TDbClient) => {
+  const kmipOrgServerCertificateOrm = ormify(db, TableName.KmipOrgServerCertificates);
+
+  return kmipOrgServerCertificateOrm;
+};

backend/src/ee/services/kmip/kmip-service.ts

@@ -0,0 +1,817 @@
+import { ForbiddenError } from "@casl/ability";
+import * as x509 from "@peculiar/x509";
+import crypto, { KeyObject } from "crypto";
+import ms from "ms";
+
+import { ActionProjectType } from "@app/db/schemas";
+import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
+import { isValidHostname, isValidIp } from "@app/lib/ip";
+import { constructPemChainFromCerts } from "@app/services/certificate/certificate-fns";
+import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
+import {
+  createSerialNumber,
+  keyAlgorithmToAlgCfg
+} from "@app/services/certificate-authority/certificate-authority-fns";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { TLicenseServiceFactory } from "../license/license-service";
+import { OrgPermissionKmipActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionKmipActions, ProjectPermissionSub } from "../permission/project-permission";
+import { TKmipClientCertificateDALFactory } from "./kmip-client-certificate-dal";
+import { TKmipClientDALFactory } from "./kmip-client-dal";
+import { TKmipOrgConfigDALFactory } from "./kmip-org-config-dal";
+import { TKmipOrgServerCertificateDALFactory } from "./kmip-org-server-certificate-dal";
+import {
+  TCreateKmipClientCertificateDTO,
+  TCreateKmipClientDTO,
+  TDeleteKmipClientDTO,
+  TGenerateOrgKmipServerCertificateDTO,
+  TGetKmipClientDTO,
+  TGetOrgKmipDTO,
+  TListKmipClientsByProjectIdDTO,
+  TRegisterServerDTO,
+  TSetupOrgKmipDTO,
+  TUpdateKmipClientDTO
+} from "./kmip-types";
+
+type TKmipServiceFactoryDep = {
+  kmipClientDAL: TKmipClientDALFactory;
+  kmipClientCertificateDAL: TKmipClientCertificateDALFactory;
+  kmipOrgServerCertificateDAL: TKmipOrgServerCertificateDALFactory;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  kmipOrgConfigDAL: TKmipOrgConfigDALFactory;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TKmipServiceFactory = ReturnType<typeof kmipServiceFactory>;
+
+export const kmipServiceFactory = ({
+  kmipClientDAL,
+  permissionService,
+  kmipClientCertificateDAL,
+  kmipOrgConfigDAL,
+  kmsService,
+  kmipOrgServerCertificateDAL,
+  licenseService
+}: TKmipServiceFactoryDep) => {
+  const createKmipClient = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    name,
+    description,
+    permissions
+  }: TCreateKmipClientDTO) => {
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionKmipActions.CreateClients,
+      ProjectPermissionSub.Kmip
+    );
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to create KMIP client. Upgrade your plan to enterprise."
+      });
+
+    const kmipClient = await kmipClientDAL.create({
+      projectId,
+      name,
+      description,
+      permissions
+    });
+
+    return kmipClient;
+  };
+
+  const updateKmipClient = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    name,
+    description,
+    permissions,
+    id
+  }: TUpdateKmipClientDTO) => {
+    const kmipClient = await kmipClientDAL.findById(id);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: `KMIP client with ID ${id} does not exist`
+      });
+    }
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to update KMIP client. Upgrade your plan to enterprise."
+      });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: kmipClient.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionKmipActions.UpdateClients,
+      ProjectPermissionSub.Kmip
+    );
+
+    const updatedKmipClient = await kmipClientDAL.updateById(id, {
+      name,
+      description,
+      permissions
+    });
+
+    return updatedKmipClient;
+  };
+
+  const deleteKmipClient = async ({ actor, actorId, actorOrgId, actorAuthMethod, id }: TDeleteKmipClientDTO) => {
+    const kmipClient = await kmipClientDAL.findById(id);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: `KMIP client with ID ${id} does not exist`
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: kmipClient.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionKmipActions.DeleteClients,
+      ProjectPermissionSub.Kmip
+    );
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to delete KMIP client. Upgrade your plan to enterprise."
+      });
+
+    const deletedKmipClient = await kmipClientDAL.deleteById(id);
+
+    return deletedKmipClient;
+  };
+
+  const getKmipClient = async ({ actor, actorId, actorOrgId, actorAuthMethod, id }: TGetKmipClientDTO) => {
+    const kmipClient = await kmipClientDAL.findById(id);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: `KMIP client with ID ${id} does not exist`
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: kmipClient.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
+
+    return kmipClient;
+  };
+
+  const listKmipClientsByProjectId = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    ...rest
+  }: TListKmipClientsByProjectIdDTO) => {
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
+
+    return kmipClientDAL.findByProjectId({ projectId, ...rest });
+  };
+
+  const createKmipClientCertificate = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    ttl,
+    keyAlgorithm,
+    clientId
+  }: TCreateKmipClientCertificateDTO) => {
+    const kmipClient = await kmipClientDAL.findById(clientId);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: `KMIP client with ID ${clientId} does not exist`
+      });
+    }
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to create KMIP client. Upgrade your plan to enterprise."
+      });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: kmipClient.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionKmipActions.GenerateClientCertificates,
+      ProjectPermissionSub.Kmip
+    );
+
+    const kmipConfig = await kmipOrgConfigDAL.findOne({
+      orgId: actorOrgId
+    });
+
+    if (!kmipConfig) {
+      throw new InternalServerError({
+        message: "KMIP has not been configured for the organization"
+      });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: actorOrgId
+    });
+
+    const caCertObj = new x509.X509Certificate(
+      decryptor({ cipherTextBlob: kmipConfig.encryptedClientIntermediateCaCertificate })
+    );
+
+    const notBeforeDate = new Date();
+    const notAfterDate = new Date(new Date().getTime() + ms(ttl));
+
+    const caCertNotBeforeDate = new Date(caCertObj.notBefore);
+    const caCertNotAfterDate = new Date(caCertObj.notAfter);
+
+    // check not before constraint
+    if (notBeforeDate < caCertNotBeforeDate) {
+      throw new BadRequestError({ message: "notBefore date is before CA certificate's notBefore date" });
+    }
+
+    if (notBeforeDate > notAfterDate) throw new BadRequestError({ message: "notBefore date is after notAfter date" });
+
+    // check not after constraint
+    if (notAfterDate > caCertNotAfterDate) {
+      throw new BadRequestError({ message: "notAfter date is after CA certificate's notAfter date" });
+    }
+
+    const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
+    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+
+    const extensions: x509.Extension[] = [
+      new x509.BasicConstraintsExtension(false),
+      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
+      await x509.SubjectKeyIdentifierExtension.create(leafKeys.publicKey),
+      new x509.CertificatePolicyExtension(["2.5.29.32.0"]), // anyPolicy
+      new x509.KeyUsagesExtension(
+        // eslint-disable-next-line no-bitwise
+        x509.KeyUsageFlags[CertKeyUsage.DIGITAL_SIGNATURE] |
+          x509.KeyUsageFlags[CertKeyUsage.KEY_ENCIPHERMENT] |
+          x509.KeyUsageFlags[CertKeyUsage.KEY_AGREEMENT],
+        true
+      ),
+      new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage[CertExtendedKeyUsage.CLIENT_AUTH]], true)
+    ];
+
+    const caAlg = keyAlgorithmToAlgCfg(kmipConfig.caKeyAlgorithm as CertKeyAlgorithm);
+
+    const caSkObj = crypto.createPrivateKey({
+      key: decryptor({ cipherTextBlob: kmipConfig.encryptedClientIntermediateCaPrivateKey }),
+      format: "der",
+      type: "pkcs8"
+    });
+
+    const caPrivateKey = await crypto.subtle.importKey(
+      "pkcs8",
+      caSkObj.export({ format: "der", type: "pkcs8" }),
+      caAlg,
+      true,
+      ["sign"]
+    );
+
+    const serialNumber = createSerialNumber();
+    const leafCert = await x509.X509CertificateGenerator.create({
+      serialNumber,
+      subject: `OU=${kmipClient.projectId},CN=${clientId}`,
+      issuer: caCertObj.subject,
+      notBefore: notBeforeDate,
+      notAfter: notAfterDate,
+      signingKey: caPrivateKey,
+      publicKey: leafKeys.publicKey,
+      signingAlgorithm: alg,
+      extensions
+    });
+
+    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+
+    const rootCaCert = new x509.X509Certificate(decryptor({ cipherTextBlob: kmipConfig.encryptedRootCaCertificate }));
+    const serverIntermediateCaCert = new x509.X509Certificate(
+      decryptor({ cipherTextBlob: kmipConfig.encryptedServerIntermediateCaCertificate })
+    );
+
+    await kmipClientCertificateDAL.create({
+      kmipClientId: clientId,
+      keyAlgorithm,
+      issuedAt: notBeforeDate,
+      expiration: notAfterDate,
+      serialNumber
+    });
+
+    return {
+      serialNumber,
+      privateKey: skLeafObj.export({ format: "pem", type: "pkcs8" }) as string,
+      certificate: leafCert.toString("pem"),
+      certificateChain: constructPemChainFromCerts([serverIntermediateCaCert, rootCaCert]),
+      projectId: kmipClient.projectId
+    };
+  };
+
+  const getServerCertificateBySerialNumber = async (orgId: string, serialNumber: string) => {
+    const serverCert = await kmipOrgServerCertificateDAL.findOne({
+      serialNumber,
+      orgId
+    });
+
+    if (!serverCert) {
+      throw new NotFoundError({
+        message: "Server certificate not found"
+      });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId
+    });
+
+    const parsedCertificate = new x509.X509Certificate(decryptor({ cipherTextBlob: serverCert.encryptedCertificate }));
+
+    return {
+      publicKey: parsedCertificate.publicKey.toString("pem"),
+      keyAlgorithm: serverCert.keyAlgorithm as CertKeyAlgorithm
+    };
+  };
+
+  const setupOrgKmip = async ({ caKeyAlgorithm, actorOrgId, actor, actorId, actorAuthMethod }: TSetupOrgKmipDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Setup, OrgPermissionSubjects.Kmip);
+
+    const kmipConfig = await kmipOrgConfigDAL.findOne({
+      orgId: actorOrgId
+    });
+
+    if (kmipConfig) {
+      throw new BadRequestError({
+        message: "KMIP has already been configured for the organization"
+      });
+    }
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to setup KMIP. Upgrade your plan to enterprise."
+      });
+
+    const alg = keyAlgorithmToAlgCfg(caKeyAlgorithm);
+
+    // generate root CA
+    const rootCaSerialNumber = createSerialNumber();
+    const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const rootCaSkObj = KeyObject.from(rootCaKeys.privateKey);
+    const rootCaIssuedAt = new Date();
+    const rootCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 20));
+
+    const rootCaCert = await x509.X509CertificateGenerator.createSelfSigned({
+      name: `CN=KMIP Root CA,OU=${actorOrgId}`,
+      serialNumber: rootCaSerialNumber,
+      notBefore: rootCaIssuedAt,
+      notAfter: rootCaExpiration,
+      signingAlgorithm: alg,
+      keys: rootCaKeys,
+      extensions: [
+        // eslint-disable-next-line no-bitwise
+        new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true),
+        await x509.SubjectKeyIdentifierExtension.create(rootCaKeys.publicKey)
+      ]
+    });
+
+    // generate intermediate server CA
+    const serverIntermediateCaSerialNumber = createSerialNumber();
+    const serverIntermediateCaIssuedAt = new Date();
+    const serverIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
+    const serverIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const serverIntermediateCaSkObj = KeyObject.from(serverIntermediateCaKeys.privateKey);
+
+    const serverIntermediateCaCert = await x509.X509CertificateGenerator.create({
+      serialNumber: serverIntermediateCaSerialNumber,
+      subject: `CN=KMIP Server Intermediate CA,OU=${actorOrgId}`,
+      issuer: rootCaCert.subject,
+      notBefore: serverIntermediateCaIssuedAt,
+      notAfter: serverIntermediateCaExpiration,
+      signingKey: rootCaKeys.privateKey,
+      publicKey: serverIntermediateCaKeys.publicKey,
+      signingAlgorithm: alg,
+      extensions: [
+        new x509.KeyUsagesExtension(
+          // eslint-disable-next-line no-bitwise
+          x509.KeyUsageFlags.keyCertSign |
+            x509.KeyUsageFlags.cRLSign |
+            x509.KeyUsageFlags.digitalSignature |
+            x509.KeyUsageFlags.keyEncipherment,
+          true
+        ),
+        new x509.BasicConstraintsExtension(true, 0, true),
+        await x509.AuthorityKeyIdentifierExtension.create(rootCaCert, false),
+        await x509.SubjectKeyIdentifierExtension.create(serverIntermediateCaKeys.publicKey)
+      ]
+    });
+
+    // generate intermediate client CA
+    const clientIntermediateCaSerialNumber = createSerialNumber();
+    const clientIntermediateCaIssuedAt = new Date();
+    const clientIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
+    const clientIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const clientIntermediateCaSkObj = KeyObject.from(clientIntermediateCaKeys.privateKey);
+
+    const clientIntermediateCaCert = await x509.X509CertificateGenerator.create({
+      serialNumber: clientIntermediateCaSerialNumber,
+      subject: `CN=KMIP Client Intermediate CA,OU=${actorOrgId}`,
+      issuer: rootCaCert.subject,
+      notBefore: clientIntermediateCaIssuedAt,
+      notAfter: clientIntermediateCaExpiration,
+      signingKey: rootCaKeys.privateKey,
+      publicKey: clientIntermediateCaKeys.publicKey,
+      signingAlgorithm: alg,
+      extensions: [
+        new x509.KeyUsagesExtension(
+          // eslint-disable-next-line no-bitwise
+          x509.KeyUsageFlags.keyCertSign |
+            x509.KeyUsageFlags.cRLSign |
+            x509.KeyUsageFlags.digitalSignature |
+            x509.KeyUsageFlags.keyEncipherment,
+          true
+        ),
+        new x509.BasicConstraintsExtension(true, 0, true),
+        await x509.AuthorityKeyIdentifierExtension.create(rootCaCert, false),
+        await x509.SubjectKeyIdentifierExtension.create(clientIntermediateCaKeys.publicKey)
+      ]
+    });
+
+    const { encryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: actorOrgId
+    });
+
+    await kmipOrgConfigDAL.create({
+      orgId: actorOrgId,
+      caKeyAlgorithm,
+      rootCaIssuedAt,
+      rootCaExpiration,
+      rootCaSerialNumber,
+      encryptedRootCaCertificate: encryptor({ plainText: Buffer.from(rootCaCert.rawData) }).cipherTextBlob,
+      encryptedRootCaPrivateKey: encryptor({
+        plainText: rootCaSkObj.export({
+          type: "pkcs8",
+          format: "der"
+        })
+      }).cipherTextBlob,
+      serverIntermediateCaIssuedAt,
+      serverIntermediateCaExpiration,
+      serverIntermediateCaSerialNumber,
+      encryptedServerIntermediateCaCertificate: encryptor({
+        plainText: Buffer.from(new Uint8Array(serverIntermediateCaCert.rawData))
+      }).cipherTextBlob,
+      encryptedServerIntermediateCaChain: encryptor({ plainText: Buffer.from(rootCaCert.toString("pem")) })
+        .cipherTextBlob,
+      encryptedServerIntermediateCaPrivateKey: encryptor({
+        plainText: serverIntermediateCaSkObj.export({
+          type: "pkcs8",
+          format: "der"
+        })
+      }).cipherTextBlob,
+      clientIntermediateCaIssuedAt,
+      clientIntermediateCaExpiration,
+      clientIntermediateCaSerialNumber,
+      encryptedClientIntermediateCaCertificate: encryptor({
+        plainText: Buffer.from(new Uint8Array(clientIntermediateCaCert.rawData))
+      }).cipherTextBlob,
+      encryptedClientIntermediateCaChain: encryptor({ plainText: Buffer.from(rootCaCert.toString("pem")) })
+        .cipherTextBlob,
+      encryptedClientIntermediateCaPrivateKey: encryptor({
+        plainText: clientIntermediateCaSkObj.export({
+          type: "pkcs8",
+          format: "der"
+        })
+      }).cipherTextBlob
+    });
+
+    return {
+      serverCertificateChain: constructPemChainFromCerts([serverIntermediateCaCert, rootCaCert]),
+      clientCertificateChain: constructPemChainFromCerts([clientIntermediateCaCert, rootCaCert])
+    };
+  };
+
+  const getOrgKmip = async ({ actorOrgId, actor, actorId, actorAuthMethod }: TGetOrgKmipDTO) => {
+    await permissionService.getOrgPermission(actor, actorId, actorOrgId, actorAuthMethod, actorOrgId);
+
+    const kmipConfig = await kmipOrgConfigDAL.findOne({
+      orgId: actorOrgId
+    });
+
+    if (!kmipConfig) {
+      throw new BadRequestError({
+        message: "KMIP has not been configured for the organization"
+      });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: actorOrgId
+    });
+
+    const rootCaCert = new x509.X509Certificate(decryptor({ cipherTextBlob: kmipConfig.encryptedRootCaCertificate }));
+    const serverIntermediateCaCert = new x509.X509Certificate(
+      decryptor({ cipherTextBlob: kmipConfig.encryptedServerIntermediateCaCertificate })
+    );
+
+    const clientIntermediateCaCert = new x509.X509Certificate(
+      decryptor({ cipherTextBlob: kmipConfig.encryptedClientIntermediateCaCertificate })
+    );
+
+    return {
+      id: kmipConfig.id,
+      serverCertificateChain: constructPemChainFromCerts([serverIntermediateCaCert, rootCaCert]),
+      clientCertificateChain: constructPemChainFromCerts([clientIntermediateCaCert, rootCaCert])
+    };
+  };
+
+  const generateOrgKmipServerCertificate = async ({
+    orgId,
+    ttl,
+    commonName,
+    altNames,
+    keyAlgorithm
+  }: TGenerateOrgKmipServerCertificateDTO) => {
+    const kmipOrgConfig = await kmipOrgConfigDAL.findOne({
+      orgId
+    });
+
+    if (!kmipOrgConfig) {
+      throw new BadRequestError({
+        message: "KMIP has not been configured for the organization"
+      });
+    }
+
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to generate KMIP server certificate. Upgrade your plan to enterprise."
+      });
+
+    const { decryptor, encryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId
+    });
+
+    const caCertObj = new x509.X509Certificate(
+      decryptor({ cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaCertificate })
+    );
+
+    const notBeforeDate = new Date();
+    const notAfterDate = new Date(new Date().getTime() + ms(ttl));
+
+    const caCertNotBeforeDate = new Date(caCertObj.notBefore);
+    const caCertNotAfterDate = new Date(caCertObj.notAfter);
+
+    // check not before constraint
+    if (notBeforeDate < caCertNotBeforeDate) {
+      throw new BadRequestError({ message: "notBefore date is before CA certificate's notBefore date" });
+    }
+
+    if (notBeforeDate > notAfterDate) throw new BadRequestError({ message: "notBefore date is after notAfter date" });
+
+    // check not after constraint
+    if (notAfterDate > caCertNotAfterDate) {
+      throw new BadRequestError({ message: "notAfter date is after CA certificate's notAfter date" });
+    }
+
+    const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
+    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+
+    const extensions: x509.Extension[] = [
+      new x509.BasicConstraintsExtension(false),
+      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
+      await x509.SubjectKeyIdentifierExtension.create(leafKeys.publicKey),
+      new x509.CertificatePolicyExtension(["2.5.29.32.0"]), // anyPolicy
+      new x509.KeyUsagesExtension(
+        // eslint-disable-next-line no-bitwise
+        x509.KeyUsageFlags[CertKeyUsage.DIGITAL_SIGNATURE] | x509.KeyUsageFlags[CertKeyUsage.KEY_ENCIPHERMENT],
+        true
+      ),
+      new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage[CertExtendedKeyUsage.SERVER_AUTH]], true)
+    ];
+
+    const altNamesArray: {
+      type: "email" | "dns" | "ip";
+      value: string;
+    }[] = altNames
+      .split(",")
+      .map((name) => name.trim())
+      .map((altName) => {
+        if (isValidHostname(altName)) {
+          return {
+            type: "dns",
+            value: altName
+          };
+        }
+
+        if (isValidIp(altName)) {
+          return {
+            type: "ip",
+            value: altName
+          };
+        }
+
+        throw new Error(`Invalid altName: ${altName}`);
+      });
+
+    const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
+    extensions.push(altNamesExtension);
+
+    const caAlg = keyAlgorithmToAlgCfg(kmipOrgConfig.caKeyAlgorithm as CertKeyAlgorithm);
+
+    const decryptedCaCertChain = decryptor({
+      cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaChain
+    }).toString("utf-8");
+
+    const caSkObj = crypto.createPrivateKey({
+      key: decryptor({ cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaPrivateKey }),
+      format: "der",
+      type: "pkcs8"
+    });
+
+    const caPrivateKey = await crypto.subtle.importKey(
+      "pkcs8",
+      caSkObj.export({ format: "der", type: "pkcs8" }),
+      caAlg,
+      true,
+      ["sign"]
+    );
+
+    const serialNumber = createSerialNumber();
+    const leafCert = await x509.X509CertificateGenerator.create({
+      serialNumber,
+      subject: `CN=${commonName}`,
+      issuer: caCertObj.subject,
+      notBefore: notBeforeDate,
+      notAfter: notAfterDate,
+      signingKey: caPrivateKey,
+      publicKey: leafKeys.publicKey,
+      signingAlgorithm: alg,
+      extensions
+    });
+
+    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+    const certificateChain = `${caCertObj.toString("pem")}\n${decryptedCaCertChain}`.trim();
+
+    await kmipOrgServerCertificateDAL.create({
+      orgId,
+      keyAlgorithm,
+      issuedAt: notBeforeDate,
+      expiration: notAfterDate,
+      serialNumber,
+      commonName,
+      altNames,
+      encryptedCertificate: encryptor({ plainText: Buffer.from(new Uint8Array(leafCert.rawData)) }).cipherTextBlob,
+      encryptedChain: encryptor({ plainText: Buffer.from(certificateChain) }).cipherTextBlob
+    });
+
+    return {
+      serialNumber,
+      privateKey: skLeafObj.export({ format: "pem", type: "pkcs8" }) as string,
+      certificate: leafCert.toString("pem"),
+      certificateChain
+    };
+  };
+
+  const registerServer = async ({
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    ttl,
+    commonName,
+    keyAlgorithm,
+    hostnamesOrIps
+  }: TRegisterServerDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipConfig = await kmipOrgConfigDAL.findOne({
+      orgId: actorOrgId
+    });
+
+    if (!kmipConfig) {
+      throw new BadRequestError({
+        message: "KMIP has not been configured for the organization"
+      });
+    }
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to register KMIP server. Upgrade your plan to enterprise."
+      });
+
+    const { privateKey, certificate, certificateChain, serialNumber } = await generateOrgKmipServerCertificate({
+      orgId: actorOrgId,
+      commonName: commonName ?? "kmip-server",
+      altNames: hostnamesOrIps,
+      keyAlgorithm: keyAlgorithm ?? (kmipConfig.caKeyAlgorithm as CertKeyAlgorithm),
+      ttl
+    });
+
+    const { clientCertificateChain } = await getOrgKmip({
+      actor,
+      actorAuthMethod,
+      actorId,
+      actorOrgId
+    });
+
+    return {
+      serverCertificateSerialNumber: serialNumber,
+      clientCertificateChain,
+      privateKey,
+      certificate,
+      certificateChain
+    };
+  };
+
+  return {
+    createKmipClient,
+    updateKmipClient,
+    deleteKmipClient,
+    getKmipClient,
+    listKmipClientsByProjectId,
+    createKmipClientCertificate,
+    setupOrgKmip,
+    generateOrgKmipServerCertificate,
+    getOrgKmip,
+    getServerCertificateBySerialNumber,
+    registerServer
+  };
+};

backend/src/ee/services/kmip/kmip-types.ts

@@ -0,0 +1,102 @@
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { OrderByDirection, TOrgPermission, TProjectPermission } from "@app/lib/types";
+import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+
+import { KmipPermission } from "./kmip-enum";
+
+export type TCreateKmipClientCertificateDTO = {
+  clientId: string;
+  keyAlgorithm: CertKeyAlgorithm;
+  ttl: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TCreateKmipClientDTO = {
+  name: string;
+  description?: string;
+  permissions: KmipPermission[];
+} & TProjectPermission;
+
+export type TUpdateKmipClientDTO = {
+  id: string;
+  name?: string;
+  description?: string;
+  permissions?: KmipPermission[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TDeleteKmipClientDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetKmipClientDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export enum KmipClientOrderBy {
+  Name = "name"
+}
+
+export type TListKmipClientsByProjectIdDTO = {
+  offset?: number;
+  limit?: number;
+  orderBy?: KmipClientOrderBy;
+  orderDirection?: OrderByDirection;
+  search?: string;
+} & TProjectPermission;
+
+type KmipOperationBaseDTO = {
+  clientId: string;
+  projectId: string;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TKmipCreateDTO = {
+  algorithm: SymmetricEncryption;
+} & KmipOperationBaseDTO;
+
+export type TKmipGetDTO = {
+  id: string;
+} & KmipOperationBaseDTO;
+
+export type TKmipGetAttributesDTO = {
+  id: string;
+} & KmipOperationBaseDTO;
+
+export type TKmipDestroyDTO = {
+  id: string;
+} & KmipOperationBaseDTO;
+
+export type TKmipActivateDTO = {
+  id: string;
+} & KmipOperationBaseDTO;
+
+export type TKmipRevokeDTO = {
+  id: string;
+} & KmipOperationBaseDTO;
+
+export type TKmipLocateDTO = KmipOperationBaseDTO;
+
+export type TKmipRegisterDTO = {
+  name: string;
+  key: string;
+  algorithm: SymmetricEncryption;
+} & KmipOperationBaseDTO;
+
+export type TSetupOrgKmipDTO = {
+  caKeyAlgorithm: CertKeyAlgorithm;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TGetOrgKmipDTO = Omit<TOrgPermission, "orgId">;
+
+export type TGenerateOrgKmipServerCertificateDTO = {
+  commonName: string;
+  altNames: string;
+  keyAlgorithm: CertKeyAlgorithm;
+  ttl: string;
+  orgId: string;
+};
+
+export type TRegisterServerDTO = {
+  hostnamesOrIps: string;
+  commonName?: string;
+  keyAlgorithm?: CertKeyAlgorithm;
+  ttl: string;
+} & Omit<TOrgPermission, "orgId">;

backend/src/ee/services/license/license-fns.ts

@@ -50,7 +50,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   },
   pkiEst: false,
   enforceMfa: false,
-  projectTemplates: false
+  projectTemplates: false,
+  kmip: false
 });
 
 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/ee/services/license/license-types.ts

@@ -68,6 +68,7 @@ export type TFeatureSet = {
   pkiEst: boolean;
   enforceMfa: boolean;
   projectTemplates: false;
+  kmip: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/permission/org-permission.ts

@@ -23,6 +23,11 @@ export enum OrgPermissionAppConnectionActions {
   Connect = "connect"
 }
 
+export enum OrgPermissionKmipActions {
+  Proxy = "proxy",
+  Setup = "setup"
+}
+
 export enum OrgPermissionAdminConsoleAction {
   AccessAllProjects = "access-all-projects"
 }
@@ -44,7 +49,8 @@ export enum OrgPermissionSubjects {
   AdminConsole = "organization-admin-console",
   AuditLogs = "audit-logs",
   ProjectTemplates = "project-templates",
-  AppConnections = "app-connections"
+  AppConnections = "app-connections",
+  Kmip = "kmip"
 }
 
 export type AppConnectionSubjectFields = {
@@ -74,7 +80,8 @@ export type OrgPermissionSet =
         | (ForcedSubject<OrgPermissionSubjects.AppConnections> & AppConnectionSubjectFields)
       )
     ]
-  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
+  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
+  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip];
 
 const AppConnectionConditionSchema = z
   .object({
@@ -167,6 +174,12 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAdminConsoleAction).describe(
       "Describe what action an entity can take."
     )
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Kmip).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionKmipActions).describe(
+      "Describe what action an entity can take."
+    )
   })
 ]);
 
@@ -253,6 +266,11 @@ const buildAdminPermission = () => {
 
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
+  can(OrgPermissionKmipActions.Setup, OrgPermissionSubjects.Kmip);
+
+  // the proxy assignment is temporary in order to prevent "more privilege" error during role assignment to MI
+  can(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
   return rules;
 };
 

backend/src/ee/services/permission/project-permission.ts

@@ -44,6 +44,14 @@ export enum ProjectPermissionSecretSyncActions {
   RemoveSecrets = "remove-secrets"
 }
 
+export enum ProjectPermissionKmipActions {
+  CreateClients = "create-clients",
+  UpdateClients = "update-clients",
+  DeleteClients = "delete-clients",
+  ReadClients = "read-clients",
+  GenerateClientCertificates = "generate-client-certificates"
+}
+
 export enum ProjectPermissionSub {
   Role = "role",
   Member = "member",
@@ -75,7 +83,8 @@ export enum ProjectPermissionSub {
   PkiCollections = "pki-collections",
   Kms = "kms",
   Cmek = "cmek",
-  SecretSyncs = "secret-syncs"
+  SecretSyncs = "secret-syncs",
+  Kmip = "kmip"
 }
 
 export type SecretSubjectFields = {
@@ -156,6 +165,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
   | [ProjectPermissionSecretSyncActions, ProjectPermissionSub.SecretSyncs]
+  | [ProjectPermissionKmipActions, ProjectPermissionSub.Kmip]
   | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
@@ -410,6 +420,12 @@ const GeneralPermissionSchema = [
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretSyncActions).describe(
       "Describe what action an entity can take."
     )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.Kmip).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionKmipActions).describe(
+      "Describe what action an entity can take."
+    )
   })
 ];
 
@@ -575,6 +591,18 @@ const buildAdminPermissionRules = () => {
     ],
     ProjectPermissionSub.SecretSyncs
   );
+
+  can(
+    [
+      ProjectPermissionKmipActions.CreateClients,
+      ProjectPermissionKmipActions.UpdateClients,
+      ProjectPermissionKmipActions.DeleteClients,
+      ProjectPermissionKmipActions.ReadClients,
+      ProjectPermissionKmipActions.GenerateClientCertificates
+    ],
+    ProjectPermissionSub.Kmip
+  );
+
   return rules;
 };
 

backend/src/lib/api-docs/constants.ts

@@ -1722,13 +1722,6 @@ export const SecretSyncs = {
       initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`
     };
   },
-  ADDITIONAL_SYNC_OPTIONS: {
-    AWS_PARAMETER_STORE: {
-      keyId: "The AWS KMS key ID or alias to use when encrypting parameters synced by Infisical.",
-      tags: "Optional resource tags to add to parameters synced by Infisical.",
-      syncSecretMetadataAsTags: `Whether Infisical secret metadata should be added as resource tags to parameters synced by Infisical.`
-    }
-  },
   DESTINATION_CONFIG: {
     AWS_PARAMETER_STORE: {
       region: "The AWS region to sync secrets to.",

backend/src/lib/ip/index.ts

@@ -103,6 +103,16 @@ export const isValidIpOrCidr = (ip: string): boolean => {
   return false;
 };
 
+export const isValidIp = (ip: string) => {
+  return net.isIPv4(ip) || net.isIPv6(ip);
+};
+
+export const isValidHostname = (name: string) => {
+  const hostnameRegex = /^(?!:\/\/)(\*\.)?([a-zA-Z0-9-_]{1,63}\.?)+(?!:\/\/)([a-zA-Z]{2,63})$/;
+
+  return hostnameRegex.test(name);
+};
+
 export type TIp = {
   ipAddress: string;
   type: IPType;

backend/src/server/routes/index.ts

@@ -35,6 +35,12 @@ import { HsmModule } from "@app/ee/services/hsm/hsm-types";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { identityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
+import { kmipClientCertificateDALFactory } from "@app/ee/services/kmip/kmip-client-certificate-dal";
+import { kmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
+import { kmipOperationServiceFactory } from "@app/ee/services/kmip/kmip-operation-service";
+import { kmipOrgConfigDALFactory } from "@app/ee/services/kmip/kmip-org-config-dal";
+import { kmipOrgServerCertificateDALFactory } from "@app/ee/services/kmip/kmip-org-server-certificate-dal";
+import { kmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
 import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
 import { ldapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { ldapGroupMapDALFactory } from "@app/ee/services/ldap-config/ldap-group-map-dal";
@@ -382,6 +388,10 @@ export const registerRoutes = async (
 
   const projectTemplateDAL = projectTemplateDALFactory(db);
   const resourceMetadataDAL = resourceMetadataDALFactory(db);
+  const kmipClientDAL = kmipClientDALFactory(db);
+  const kmipClientCertificateDAL = kmipClientCertificateDALFactory(db);
+  const kmipOrgConfigDAL = kmipOrgConfigDALFactory(db);
+  const kmipOrgServerCertificateDAL = kmipOrgServerCertificateDALFactory(db);
 
   const permissionService = permissionServiceFactory({
     permissionDAL,
@@ -1429,6 +1439,24 @@ export const registerRoutes = async (
     keyStore
   });
 
+  const kmipService = kmipServiceFactory({
+    kmipClientDAL,
+    permissionService,
+    kmipClientCertificateDAL,
+    kmipOrgConfigDAL,
+    kmsService,
+    kmipOrgServerCertificateDAL,
+    licenseService
+  });
+
+  const kmipOperationService = kmipOperationServiceFactory({
+    kmsService,
+    kmsDAL,
+    projectDAL,
+    kmipClientDAL,
+    permissionService
+  });
+
   await superAdminService.initServerCfg();
 
   // setup the communication with license key server
@@ -1527,7 +1555,9 @@ export const registerRoutes = async (
     projectTemplate: projectTemplateService,
     totp: totpService,
     appConnection: appConnectionService,
-    secretSync: secretSyncService
+    secretSync: secretSyncService,
+    kmip: kmipService,
+    kmipOperation: kmipOperationService
   });
 
   const cronJobs: CronJob[] = [];
@@ -1539,7 +1569,8 @@ export const registerRoutes = async (
   }
 
   server.decorate<FastifyZodProvider["store"]>("store", {
-    user: userDAL
+    user: userDAL,
+    kmipClient: kmipClientDAL
   });
 
   await server.register(injectIdentity, { userDAL, serviceTokenDAL });

backend/src/server/routes/v1/app-connection-routers/aws-connection-router.ts

@@ -1,19 +1,13 @@
-import { z } from "zod";
-
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
   CreateAwsConnectionSchema,
   SanitizedAwsConnectionSchema,
   UpdateAwsConnectionSchema
 } from "@app/services/app-connection/aws";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 
-export const registerAwsConnectionRouter = async (server: FastifyZodProvider) => {
+export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
   registerAppConnectionEndpoints({
     app: AppConnection.AWS,
     server,
@@ -21,42 +15,3 @@ export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
     createSchema: CreateAwsConnectionSchema,
     updateSchema: UpdateAwsConnectionSchema
   });
-
-  // The below endpoints are not exposed and for Infisical App use
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/kms-keys`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      querystring: z.object({
-        region: z.nativeEnum(AWSRegion),
-        destination: z.enum([SecretSync.AWSParameterStore, SecretSync.AWSSecretsManager])
-      }),
-      response: {
-        200: z.object({
-          kmsKeys: z.object({ alias: z.string(), id: z.string() }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const kmsKeys = await server.services.appConnection.aws.listKmsKeys(
-        {
-          connectionId,
-          ...req.query
-        },
-        req.permission
-      );
-
-      return { kmsKeys };
-    }
-  });
-};

backend/src/server/routes/v1/auth-router.ts

@@ -2,10 +2,9 @@ import jwt from "jsonwebtoken";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
-import { NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { authRateLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode, AuthModeRefreshJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
+import { AuthMode, AuthTokenType } from "@app/services/auth/auth-type";
 
 export const registerAuthRoutes = async (server: FastifyZodProvider) => {
   server.route({
@@ -21,18 +20,19 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
     handler: async (req, res) => {
+      const { decodedToken } = await server.services.authToken.validateRefreshToken(req.cookies.jid);
       const appCfg = getConfig();
-      if (req.auth.authMode === AuthMode.JWT) {
-        await server.services.login.logout(req.permission.id, req.auth.tokenVersionId);
-      }
+
+      await server.services.login.logout(decodedToken.userId, decodedToken.tokenVersionId);
+
       void res.cookie("jid", "", {
         httpOnly: true,
         path: "/",
         sameSite: "strict",
         secure: appCfg.HTTPS_ENABLED
       });
+
       return { message: "Successfully logged out" };
     }
   });
@@ -69,37 +69,8 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const refreshToken = req.cookies.jid;
+      const { decodedToken, tokenVersion } = await server.services.authToken.validateRefreshToken(req.cookies.jid);
       const appCfg = getConfig();
-      if (!refreshToken)
-        throw new NotFoundError({
-          name: "AuthTokenNotFound",
-          message: "Failed to find refresh token"
-        });
-
-      const decodedToken = jwt.verify(refreshToken, appCfg.AUTH_SECRET) as AuthModeRefreshJwtTokenPayload;
-      if (decodedToken.authTokenType !== AuthTokenType.REFRESH_TOKEN)
-        throw new UnauthorizedError({
-          message: "The token provided is not a refresh token",
-          name: "InvalidToken"
-        });
-
-      const tokenVersion = await server.services.authToken.getUserTokenSessionById(
-        decodedToken.tokenVersionId,
-        decodedToken.userId
-      );
-      if (!tokenVersion)
-        throw new UnauthorizedError({
-          message: "Valid token version not found",
-          name: "InvalidToken"
-        });
-
-      if (decodedToken.refreshVersion !== tokenVersion.refreshVersion) {
-        throw new UnauthorizedError({
-          message: "Token version mismatch",
-          name: "InvalidToken"
-        });
-      }
 
       const token = jwt.sign(
         {

backend/src/services/app-connection/app-connection-service.ts

@@ -22,19 +22,18 @@ import {
   TUpdateAppConnectionDTO,
   TValidateAppConnectionCredentials
 } from "@app/services/app-connection/app-connection-types";
+import { ValidateAwsConnectionCredentialsSchema } from "@app/services/app-connection/aws";
+import { ValidateDatabricksConnectionCredentialsSchema } from "@app/services/app-connection/databricks";
+import { databricksConnectionService } from "@app/services/app-connection/databricks/databricks-connection-service";
+import { ValidateGitHubConnectionCredentialsSchema } from "@app/services/app-connection/github";
+import { githubConnectionService } from "@app/services/app-connection/github/github-connection-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 
 import { TAppConnectionDALFactory } from "./app-connection-dal";
-import { ValidateAwsConnectionCredentialsSchema } from "./aws";
-import { awsConnectionService } from "./aws/aws-connection-service";
 import { ValidateAzureAppConfigurationConnectionCredentialsSchema } from "./azure-app-configuration";
 import { ValidateAzureKeyVaultConnectionCredentialsSchema } from "./azure-key-vault";
-import { ValidateDatabricksConnectionCredentialsSchema } from "./databricks";
-import { databricksConnectionService } from "./databricks/databricks-connection-service";
 import { ValidateGcpConnectionCredentialsSchema } from "./gcp";
 import { gcpConnectionService } from "./gcp/gcp-connection-service";
-import { ValidateGitHubConnectionCredentialsSchema } from "./github";
-import { githubConnectionService } from "./github/github-connection-service";
 
 export type TAppConnectionServiceFactoryDep = {
   appConnectionDAL: TAppConnectionDALFactory;
@@ -370,7 +369,6 @@ export const appConnectionServiceFactory = ({
     listAvailableAppConnectionsForUser,
     github: githubConnectionService(connectAppConnectionById),
     gcp: gcpConnectionService(connectAppConnectionById),
-    databricks: databricksConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
-    aws: awsConnectionService(connectAppConnectionById)
+    databricks: databricksConnectionService(connectAppConnectionById, appConnectionDAL, kmsService)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -1,4 +1,3 @@
-import { AWSRegion } from "@app/services/app-connection/app-connection-enums";
 import {
   TAwsConnection,
   TAwsConnectionConfig,
@@ -17,7 +16,6 @@ import {
   TGitHubConnectionInput,
   TValidateGitHubConnectionCredentials
 } from "@app/services/app-connection/github";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
 import {
   TAzureAppConfigurationConnection,
@@ -75,9 +73,3 @@ export type TValidateAppConnectionCredentials =
   | TValidateAzureKeyVaultConnectionCredentials
   | TValidateAzureAppConfigurationConnectionCredentials
   | TValidateDatabricksConnectionCredentials;
-
-export type TListAwsConnectionKmsKeys = {
-  connectionId: string;
-  region: AWSRegion;
-  destination: SecretSync.AWSParameterStore | SecretSync.AWSSecretsManager;
-};

backend/src/services/app-connection/aws/aws-connection-service.ts

@@ -1,88 +0,0 @@
-import AWS from "aws-sdk";
-
-import { OrgServiceActor } from "@app/lib/types";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import { TListAwsConnectionKmsKeys } from "@app/services/app-connection/app-connection-types";
-import { getAwsConnectionConfig } from "@app/services/app-connection/aws/aws-connection-fns";
-import { TAwsConnection } from "@app/services/app-connection/aws/aws-connection-types";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-type TGetAppConnectionFunc = (
-  app: AppConnection,
-  connectionId: string,
-  actor: OrgServiceActor
-) => Promise<TAwsConnection>;
-
-const listAwsKmsKeys = async (
-  appConnection: TAwsConnection,
-  { region, destination }: Pick<TListAwsConnectionKmsKeys, "region" | "destination">
-) => {
-  const { credentials } = await getAwsConnectionConfig(appConnection, region);
-
-  const awsKms = new AWS.KMS({
-    credentials,
-    region
-  });
-
-  const aliasEntries: AWS.KMS.AliasList = [];
-  let aliasMarker: string | undefined;
-  do {
-    // eslint-disable-next-line no-await-in-loop
-    const response = await awsKms.listAliases({ Limit: 100, Marker: aliasMarker }).promise();
-    aliasEntries.push(...(response.Aliases || []));
-    aliasMarker = response.NextMarker;
-  } while (aliasMarker);
-
-  const keyMetadataRecord: Record<string, AWS.KMS.KeyMetadata | undefined> = {};
-  for await (const aliasEntry of aliasEntries) {
-    if (aliasEntry.TargetKeyId) {
-      const keyDescription = await awsKms.describeKey({ KeyId: aliasEntry.TargetKeyId }).promise();
-
-      keyMetadataRecord[aliasEntry.TargetKeyId] = keyDescription.KeyMetadata;
-    }
-  }
-
-  const validAliasEntries = aliasEntries.filter((aliasEntry) => {
-    if (!aliasEntry.TargetKeyId) return false;
-
-    if (destination === SecretSync.AWSParameterStore && aliasEntry.AliasName === "alias/aws/ssm") return true;
-
-    if (destination === SecretSync.AWSSecretsManager && aliasEntry.AliasName === "alias/aws/secretsmanager")
-      return true;
-
-    if (aliasEntry.AliasName?.includes("alias/aws/")) return false;
-
-    const keyMetadata = keyMetadataRecord[aliasEntry.TargetKeyId];
-
-    if (!keyMetadata || keyMetadata.KeyUsage !== "ENCRYPT_DECRYPT" || keyMetadata.KeySpec !== "SYMMETRIC_DEFAULT")
-      return false;
-
-    return true;
-  });
-
-  const kmsKeys = validAliasEntries.map((aliasEntry) => {
-    return {
-      id: aliasEntry.TargetKeyId!,
-      alias: aliasEntry.AliasName!
-    };
-  });
-
-  return kmsKeys;
-};
-
-export const awsConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
-  const listKmsKeys = async (
-    { connectionId, region, destination }: TListAwsConnectionKmsKeys,
-    actor: OrgServiceActor
-  ) => {
-    const appConnection = await getAppConnection(AppConnection.AWS, connectionId, actor);
-
-    const kmsKeys = await listAwsKmsKeys(appConnection, { region, destination });
-
-    return kmsKeys;
-  };
-
-  return {
-    listKmsKeys
-  };
-};

backend/src/services/auth-token/auth-token-service.ts

@@ -1,6 +1,7 @@
 import crypto from "node:crypto";
 
 import bcrypt from "bcrypt";
+import jwt from "jsonwebtoken";
 import { Knex } from "knex";
 
 import { TAuthTokens, TAuthTokenSessions } from "@app/db/schemas";
@@ -8,7 +9,7 @@ import { getConfig } from "@app/lib/config/env";
 import { ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 
-import { AuthModeJwtTokenPayload } from "../auth/auth-type";
+import { AuthModeJwtTokenPayload, AuthModeRefreshJwtTokenPayload, AuthTokenType } from "../auth/auth-type";
 import { TUserDALFactory } from "../user/user-dal";
 import { TTokenDALFactory } from "./auth-token-dal";
 import { TCreateTokenForUserDTO, TIssueAuthTokenDTO, TokenType, TValidateTokenForUserDTO } from "./auth-token-types";
@@ -150,6 +151,40 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
 
   const revokeAllMySessions = async (userId: string) => tokenDAL.deleteTokenSession({ userId });
 
+  const validateRefreshToken = async (refreshToken?: string) => {
+    const appCfg = getConfig();
+    if (!refreshToken)
+      throw new NotFoundError({
+        name: "AuthTokenNotFound",
+        message: "Failed to find refresh token"
+      });
+
+    const decodedToken = jwt.verify(refreshToken, appCfg.AUTH_SECRET) as AuthModeRefreshJwtTokenPayload;
+
+    if (decodedToken.authTokenType !== AuthTokenType.REFRESH_TOKEN)
+      throw new UnauthorizedError({
+        message: "The token provided is not a refresh token",
+        name: "InvalidToken"
+      });
+
+    const tokenVersion = await getUserTokenSessionById(decodedToken.tokenVersionId, decodedToken.userId);
+
+    if (!tokenVersion)
+      throw new UnauthorizedError({
+        message: "Valid token version not found",
+        name: "InvalidToken"
+      });
+
+    if (decodedToken.refreshVersion !== tokenVersion.refreshVersion) {
+      throw new UnauthorizedError({
+        message: "Token version mismatch",
+        name: "InvalidToken"
+      });
+    }
+
+    return { decodedToken, tokenVersion };
+  };
+
   // to parse jwt identity in inject identity plugin
   const fnValidateJwtIdentity = async (token: AuthModeJwtTokenPayload) => {
     const session = await tokenDAL.findOneTokenSession({
@@ -188,6 +223,7 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
     clearTokenSessionById,
     getTokenSessionByUser,
     revokeAllMySessions,
+    validateRefreshToken,
     fnValidateJwtIdentity,
     getUserTokenSessionById
   };

backend/src/services/auth/auth-type.ts

@@ -35,6 +35,7 @@ export enum AuthMode {
 
 export enum ActorType { // would extend to AWS, Azure, ...
   PLATFORM = "platform", // Useful for when we want to perform logging on automated actions such as integration syncs.
+  KMIP_CLIENT = "kmipClient",
   USER = "user", // userIdentity
   SERVICE = "service",
   IDENTITY = "identity",

backend/src/services/certificate-authority/certificate-authority-validators.ts

@@ -1,5 +1,7 @@
 import { z } from "zod";
 
+import { isValidIp } from "@app/lib/ip";
+
 const isValidDate = (dateString: string) => {
   const date = new Date(dateString);
   return !Number.isNaN(date.getTime());
@@ -25,7 +27,7 @@ export const validateAltNamesField = z
       if (data === "") return true;
       // Split and validate each alt name
       return data.split(", ").every((name) => {
-        return hostnameRegex.test(name) || z.string().email().safeParse(name).success;
+        return hostnameRegex.test(name) || z.string().email().safeParse(name).success || isValidIp(name);
       });
     },
     {

backend/src/services/certificate/certificate-fns.ts

@@ -40,3 +40,9 @@ export const isCertChainValid = async (certificates: x509.X509Certificate[]) =>
   // chain.build() implicitly verifies the chain
   return chainItems.length === certificates.length;
 };
+
+export const constructPemChainFromCerts = (certificates: x509.X509Certificate[]) =>
+  certificates
+    .map((cert) => cert.toString("pem"))
+    .join("\n")
+    .trim();

backend/src/services/kms/kms-key-dal.ts

@@ -93,6 +93,32 @@ export const kmskeyDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findProjectCmeks = async (projectId: string, tx?: Knex) => {
+    try {
+      const result = await (tx || db.replicaNode())(TableName.KmsKey)
+        .where({
+          [`${TableName.KmsKey}.projectId` as "projectId"]: projectId,
+          [`${TableName.KmsKey}.isReserved` as "isReserved"]: false
+        })
+        .join(TableName.Organization, `${TableName.KmsKey}.orgId`, `${TableName.Organization}.id`)
+        .join(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
+        .select(selectAllTableCols(TableName.KmsKey))
+        .select(
+          db.ref("encryptionAlgorithm").withSchema(TableName.InternalKms).as("internalKmsEncryptionAlgorithm"),
+          db.ref("version").withSchema(TableName.InternalKms).as("internalKmsVersion")
+        );
+
+      return result.map((entry) => ({
+        ...KmsKeysSchema.parse(entry),
+        isActive: !entry.isDisabled,
+        algorithm: entry.internalKmsEncryptionAlgorithm,
+        version: entry.internalKmsVersion
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find project cmeks" });
+    }
+  };
+
   const listCmeksByProjectId = async (
     {
       projectId,
@@ -167,5 +193,5 @@ export const kmskeyDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...kmsOrm, findByIdWithAssociatedKms, listCmeksByProjectId, findCmekById, findCmekByName };
+  return { ...kmsOrm, findByIdWithAssociatedKms, listCmeksByProjectId, findCmekById, findCmekByName, findProjectCmeks };
 };

backend/src/services/kms/kms-service.ts

@@ -37,6 +37,8 @@ import {
   TEncryptWithKmsDataKeyDTO,
   TEncryptWithKmsDTO,
   TGenerateKMSDTO,
+  TGetKeyMaterialDTO,
+  TImportKeyMaterialDTO,
   TUpdateProjectSecretManagerKmsKeyDTO
 } from "./kms-types";
 
@@ -325,6 +327,72 @@ export const kmsServiceFactory = ({
     };
   };
 
+  const getKeyMaterial = async ({ kmsId }: TGetKeyMaterialDTO) => {
+    const kmsDoc = await kmsDAL.findByIdWithAssociatedKms(kmsId);
+    if (!kmsDoc) {
+      throw new NotFoundError({ message: `KMS with ID '${kmsId}' not found` });
+    }
+
+    if (kmsDoc.isReserved) {
+      throw new BadRequestError({
+        message: "Cannot get key material for reserved key"
+      });
+    }
+
+    if (kmsDoc.externalKms) {
+      throw new BadRequestError({
+        message: "Cannot get key material for external key"
+      });
+    }
+
+    const keyCipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    const kmsKey = keyCipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
+
+    return kmsKey;
+  };
+
+  const importKeyMaterial = async (
+    { key, algorithm, name, isReserved, projectId, orgId }: TImportKeyMaterialDTO,
+    tx?: Knex
+  ) => {
+    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+
+    const expectedByteLength = getByteLengthForAlgorithm(algorithm);
+    if (key.byteLength !== expectedByteLength) {
+      throw new BadRequestError({
+        message: `Invalid key length for ${algorithm}. Expected ${expectedByteLength} bytes but got ${key.byteLength} bytes`
+      });
+    }
+
+    const encryptedKeyMaterial = cipher.encrypt(key, ROOT_ENCRYPTION_KEY);
+    const sanitizedName = name ? slugify(name) : slugify(alphaNumericNanoId(8).toLowerCase());
+    const dbQuery = async (db: Knex) => {
+      const kmsDoc = await kmsDAL.create(
+        {
+          name: sanitizedName,
+          orgId,
+          isReserved,
+          projectId
+        },
+        db
+      );
+
+      await internalKmsDAL.create(
+        {
+          version: 1,
+          encryptedKey: encryptedKeyMaterial,
+          encryptionAlgorithm: algorithm,
+          kmsKeyId: kmsDoc.id
+        },
+        db
+      );
+      return kmsDoc;
+    };
+    if (tx) return dbQuery(tx);
+    const doc = await kmsDAL.transaction(async (tx2) => dbQuery(tx2));
+    return doc;
+  };
+
   const encryptWithKmsKey = async ({ kmsId }: Omit<TEncryptWithKmsDTO, "plainText">, tx?: Knex) => {
     const kmsDoc = await kmsDAL.findByIdWithAssociatedKms(kmsId, tx);
     if (!kmsDoc) {
@@ -944,6 +1012,8 @@ export const kmsServiceFactory = ({
     getProjectKeyBackup,
     loadProjectKeyBackup,
     getKmsById,
-    createCipherPairWithDataKey
+    createCipherPairWithDataKey,
+    getKeyMaterial,
+    importKeyMaterial
   };
 };

backend/src/services/kms/kms-types.ts

@@ -61,3 +61,15 @@ export enum RootKeyEncryptionStrategy {
   Software = "SOFTWARE",
   HSM = "HSM"
 }
+export type TGetKeyMaterialDTO = {
+  kmsId: string;
+};
+
+export type TImportKeyMaterialDTO = {
+  key: Buffer;
+  algorithm: SymmetricEncryption;
+  name?: string;
+  isReserved: boolean;
+  projectId: string;
+  orgId: string;
+};

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts

@@ -7,8 +7,6 @@ import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 import { TAwsParameterStoreSyncWithCredentials } from "./aws-parameter-store-sync-types";
 
 type TAWSParameterStoreRecord = Record<string, AWS.SSM.Parameter>;
-type TAWSParameterStoreMetadataRecord = Record<string, AWS.SSM.ParameterMetadata>;
-type TAWSParameterStoreTagsRecord = Record<string, Record<string, string>>;
 
 const MAX_RETRIES = 5;
 const BATCH_SIZE = 10;
@@ -82,129 +80,6 @@ const getParametersByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSPara
   return awsParameterStoreSecretsRecord;
 };
 
-const getParameterMetadataByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSParameterStoreMetadataRecord> => {
-  const awsParameterStoreMetadataRecord: TAWSParameterStoreMetadataRecord = {};
-  let hasNext = true;
-  let nextToken: string | undefined;
-  let attempt = 0;
-
-  while (hasNext) {
-    try {
-      // eslint-disable-next-line no-await-in-loop
-      const parameters = await ssm
-        .describeParameters({
-          MaxResults: 10,
-          NextToken: nextToken,
-          ParameterFilters: [
-            {
-              Key: "Path",
-              Option: "OneLevel",
-              Values: [path]
-            }
-          ]
-        })
-        .promise();
-
-      attempt = 0;
-
-      if (parameters.Parameters) {
-        parameters.Parameters.forEach((parameter) => {
-          if (parameter.Name) {
-            // no leading slash if path is '/'
-            const secKey = path.length > 1 ? parameter.Name.substring(path.length) : parameter.Name;
-            awsParameterStoreMetadataRecord[secKey] = parameter;
-          }
-        });
-      }
-
-      hasNext = Boolean(parameters.NextToken);
-      nextToken = parameters.NextToken;
-    } catch (e) {
-      if ((e as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
-        attempt += 1;
-        // eslint-disable-next-line no-await-in-loop
-        await sleep();
-        // eslint-disable-next-line no-continue
-        continue;
-      }
-
-      throw e;
-    }
-  }
-
-  return awsParameterStoreMetadataRecord;
-};
-
-const getParameterStoreTagsRecord = async (
-  ssm: AWS.SSM,
-  awsParameterStoreSecretsRecord: TAWSParameterStoreRecord,
-  needsTagsPermissions: boolean
-): Promise<{ shouldManageTags: boolean; awsParameterStoreTagsRecord: TAWSParameterStoreTagsRecord }> => {
-  const awsParameterStoreTagsRecord: TAWSParameterStoreTagsRecord = {};
-
-  for await (const entry of Object.entries(awsParameterStoreSecretsRecord)) {
-    const [key, parameter] = entry;
-
-    if (!parameter.Name) {
-      // eslint-disable-next-line no-continue
-      continue;
-    }
-
-    try {
-      const tags = await ssm
-        .listTagsForResource({
-          ResourceType: "Parameter",
-          ResourceId: parameter.Name
-        })
-        .promise();
-
-      awsParameterStoreTagsRecord[key] = Object.fromEntries(tags.TagList?.map((tag) => [tag.Key, tag.Value]) ?? []);
-    } catch (e) {
-      // users aren't required to provide tag permissions to use sync so we handle gracefully if unauthorized
-      // and they aren't trying to configure tags
-      if ((e as AWSError).code === "AccessDeniedException") {
-        if (!needsTagsPermissions) {
-          return { shouldManageTags: false, awsParameterStoreTagsRecord: {} };
-        }
-
-        throw new SecretSyncError({
-          message:
-            "IAM role has inadequate permissions to manage resource tags. Ensure the following polices are present: ssm:ListTagsForResource, ssm:AddTagsToResource, and ssm:RemoveTagsFromResource",
-          shouldRetry: false
-        });
-      }
-
-      throw e;
-    }
-  }
-
-  return { shouldManageTags: true, awsParameterStoreTagsRecord };
-};
-
-const processParameterTags = ({
-  syncTagsRecord,
-  awsTagsRecord
-}: {
-  syncTagsRecord: Record<string, string>;
-  awsTagsRecord: Record<string, string>;
-}) => {
-  const tagsToAdd: AWS.SSM.TagList = [];
-  const tagKeysToRemove: string[] = [];
-
-  for (const syncEntry of Object.entries(syncTagsRecord)) {
-    const [syncKey, syncValue] = syncEntry;
-
-    if (!(syncKey in awsTagsRecord) || syncValue !== awsTagsRecord[syncKey])
-      tagsToAdd.push({ Key: syncKey, Value: syncValue });
-  }
-
-  for (const awsKey of Object.keys(awsTagsRecord)) {
-    if (!(awsKey in syncTagsRecord)) tagKeysToRemove.push(awsKey);
-  }
-
-  return { tagsToAdd, tagKeysToRemove };
-};
-
 const putParameter = async (
   ssm: AWS.SSM,
   params: AWS.SSM.PutParameterRequest,
@@ -223,42 +98,6 @@ const putParameter = async (
   }
 };
 
-const addTagsToParameter = async (
-  ssm: AWS.SSM,
-  params: Omit<AWS.SSM.AddTagsToResourceRequest, "ResourceType">,
-  attempt = 0
-): Promise<AWS.SSM.AddTagsToResourceResult> => {
-  try {
-    return await ssm.addTagsToResource({ ...params, ResourceType: "Parameter" }).promise();
-  } catch (error) {
-    if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
-      await sleep();
-
-      // retry
-      return addTagsToParameter(ssm, params, attempt + 1);
-    }
-    throw error;
-  }
-};
-
-const removeTagsFromParameter = async (
-  ssm: AWS.SSM,
-  params: Omit<AWS.SSM.RemoveTagsFromResourceRequest, "ResourceType">,
-  attempt = 0
-): Promise<AWS.SSM.RemoveTagsFromResourceResult> => {
-  try {
-    return await ssm.removeTagsFromResource({ ...params, ResourceType: "Parameter" }).promise();
-  } catch (error) {
-    if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
-      await sleep();
-
-      // retry
-      return removeTagsFromParameter(ssm, params, attempt + 1);
-    }
-    throw error;
-  }
-};
-
 const deleteParametersBatch = async (
   ssm: AWS.SSM,
   parameters: AWS.SSM.Parameter[],
@@ -293,90 +132,35 @@ const deleteParametersBatch = async (
 
 export const AwsParameterStoreSyncFns = {
   syncSecrets: async (secretSync: TAwsParameterStoreSyncWithCredentials, secretMap: TSecretMap) => {
-    const { destinationConfig, syncOptions } = secretSync;
+    const { destinationConfig } = secretSync;
 
     const ssm = await getSSM(secretSync);
 
+    // TODO(scott): KMS Key ID, Tags
+
     const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
 
-    const awsParameterStoreMetadataRecord = await getParameterMetadataByPath(ssm, destinationConfig.path);
-
-    const { shouldManageTags, awsParameterStoreTagsRecord } = await getParameterStoreTagsRecord(
-      ssm,
-      awsParameterStoreSecretsRecord,
-      Boolean(syncOptions.tags?.length || syncOptions.syncSecretMetadataAsTags)
-    );
-    const syncTagsRecord = Object.fromEntries(syncOptions.tags?.map((tag) => [tag.key, tag.value]) ?? []);
-
     for await (const entry of Object.entries(secretMap)) {
-      const [key, { value, secretMetadata }] = entry;
+      const [key, { value }] = entry;
 
-      // skip empty values (not allowed by AWS)
-      if (!value) {
+      // skip empty values (not allowed by AWS) or secrets that haven't changed
+      if (!value || (key in awsParameterStoreSecretsRecord && awsParameterStoreSecretsRecord[key].Value === value)) {
         // eslint-disable-next-line no-continue
         continue;
       }
 
-      // create parameter or update if changed
-      if (
-        !(key in awsParameterStoreSecretsRecord) ||
-        value !== awsParameterStoreSecretsRecord[key].Value ||
-        (syncOptions.keyId ?? "alias/aws/ssm") !== awsParameterStoreMetadataRecord[key]?.KeyId
-      ) {
-        try {
-          await putParameter(ssm, {
-            Name: `${destinationConfig.path}${key}`,
-            Type: "SecureString",
-            Value: value,
-            Overwrite: true,
-            KeyId: syncOptions.keyId
-          });
-        } catch (error) {
-          throw new SecretSyncError({
-            error,
-            secretKey: key
-          });
-        }
-      }
-
-      if (shouldManageTags) {
-        const { tagsToAdd, tagKeysToRemove } = processParameterTags({
-          syncTagsRecord: {
-            // configured sync tags take preference over secret metadata
-            ...(syncOptions.syncSecretMetadataAsTags &&
-              Object.fromEntries(secretMetadata?.map((tag) => [tag.key, tag.value]) ?? [])),
-            ...syncTagsRecord
-          },
-          awsTagsRecord: awsParameterStoreTagsRecord[key] ?? {}
+      try {
+        await putParameter(ssm, {
+          Name: `${destinationConfig.path}${key}`,
+          Type: "SecureString",
+          Value: value,
+          Overwrite: true
+        });
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
         });
-
-        if (tagsToAdd.length) {
-          try {
-            await addTagsToParameter(ssm, {
-              ResourceId: `${destinationConfig.path}${key}`,
-              Tags: tagsToAdd
-            });
-          } catch (error) {
-            throw new SecretSyncError({
-              error,
-              secretKey: key
-            });
-          }
-        }
-
-        if (tagKeysToRemove.length) {
-          try {
-            await removeTagsFromParameter(ssm, {
-              ResourceId: `${destinationConfig.path}${key}`,
-              TagKeys: tagKeysToRemove
-            });
-          } catch (error) {
-            throw new SecretSyncError({
-              error,
-              secretKey: key
-            });
-          }
-        }
       }
     }
 

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-schemas.ts

@@ -8,7 +8,6 @@ import {
   GenericCreateSecretSyncFieldsSchema,
   GenericUpdateSecretSyncFieldsSchema
 } from "@app/services/secret-sync/secret-sync-schemas";
-import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
 const AwsParameterStoreSyncDestinationConfigSchema = z.object({
   region: z.nativeEnum(AWSRegion).describe(SecretSyncs.DESTINATION_CONFIG.AWS_PARAMETER_STORE.region),
@@ -21,68 +20,19 @@ const AwsParameterStoreSyncDestinationConfigSchema = z.object({
     .describe(SecretSyncs.DESTINATION_CONFIG.AWS_PARAMETER_STORE.path)
 });
 
-const AwsParameterStoreSyncOptionsSchema = z.object({
-  keyId: z
-    .string()
-    .regex(/^([a-zA-Z0-9:/_-]+)$/, "Invalid KMS Key ID")
-    .min(1, "Invalid KMS Key ID")
-    .max(256, "Invalid KMS Key ID")
-    .optional()
-    .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_PARAMETER_STORE.keyId),
-  tags: z
-    .object({
-      key: z
-        .string()
-        .regex(
-          /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
-          "Invalid resource tag key: keys can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
-        )
-        .min(1, "Resource tag key required")
-        .max(128, "Resource tag name cannot exceed 128 characters"),
-      value: z
-        .string()
-        .regex(
-          /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
-          "Invalid resource tag value: tag values can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
-        )
-        .max(256, "Resource tag value cannot exceed 256 characters")
-    })
-    .array()
-    .max(50)
-    .refine((items) => new Set(items.map((item) => item.key)).size === items.length, {
-      message: "AWS tag keys must be unique"
-    })
-    .optional()
-    .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_PARAMETER_STORE.tags),
-  syncSecretMetadataAsTags: z
-    .boolean()
-    .optional()
-    .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_PARAMETER_STORE.syncSecretMetadataAsTags)
-});
-
-const AwsParameterStoreSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
-
-export const AwsParameterStoreSyncSchema = BaseSecretSyncSchema(
-  SecretSync.AWSParameterStore,
-  AwsParameterStoreSyncOptionsConfig,
-  AwsParameterStoreSyncOptionsSchema
-).extend({
+export const AwsParameterStoreSyncSchema = BaseSecretSyncSchema(SecretSync.AWSParameterStore).extend({
   destination: z.literal(SecretSync.AWSParameterStore),
   destinationConfig: AwsParameterStoreSyncDestinationConfigSchema
 });
 
 export const CreateAwsParameterStoreSyncSchema = GenericCreateSecretSyncFieldsSchema(
-  SecretSync.AWSParameterStore,
-  AwsParameterStoreSyncOptionsConfig,
-  AwsParameterStoreSyncOptionsSchema
+  SecretSync.AWSParameterStore
 ).extend({
   destinationConfig: AwsParameterStoreSyncDestinationConfigSchema
 });
 
 export const UpdateAwsParameterStoreSyncSchema = GenericUpdateSecretSyncFieldsSchema(
-  SecretSync.AWSParameterStore,
-  AwsParameterStoreSyncOptionsConfig,
-  AwsParameterStoreSyncOptionsSchema
+  SecretSync.AWSParameterStore
 ).extend({
   destinationConfig: AwsParameterStoreSyncDestinationConfigSchema.optional()
 });

backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-fns.ts

@@ -272,22 +272,6 @@ export const AwsSecretsManagerSyncFns = {
           SecretString: secretValue
         });
       }
-
-      for await (const secretKey of Object.keys(awsSecretsRecord)) {
-        if (secretKey === destinationConfig.secretName) {
-          // eslint-disable-next-line no-continue
-          continue;
-        }
-
-        try {
-          await deleteSecret(client, secretKey);
-        } catch (error) {
-          throw new SecretSyncError({
-            error,
-            secretKey
-          });
-        }
-      }
     }
   },
   getSecrets: async (secretSync: TAwsSecretsManagerSyncWithCredentials): Promise<TSecretMap> => {

backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-schemas.ts

@@ -9,7 +9,6 @@ import {
   GenericCreateSecretSyncFieldsSchema,
   GenericUpdateSecretSyncFieldsSchema
 } from "@app/services/secret-sync/secret-sync-schemas";
-import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
 const AwsSecretsManagerSyncDestinationConfigSchema = z
   .discriminatedUnion("mappingBehavior", [
@@ -39,26 +38,19 @@ const AwsSecretsManagerSyncDestinationConfigSchema = z
     })
   );
 
-const AwsSecretsManagerSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
-
-export const AwsSecretsManagerSyncSchema = BaseSecretSyncSchema(
-  SecretSync.AWSSecretsManager,
-  AwsSecretsManagerSyncOptionsConfig
-).extend({
+export const AwsSecretsManagerSyncSchema = BaseSecretSyncSchema(SecretSync.AWSSecretsManager).extend({
   destination: z.literal(SecretSync.AWSSecretsManager),
   destinationConfig: AwsSecretsManagerSyncDestinationConfigSchema
 });
 
 export const CreateAwsSecretsManagerSyncSchema = GenericCreateSecretSyncFieldsSchema(
-  SecretSync.AWSSecretsManager,
-  AwsSecretsManagerSyncOptionsConfig
+  SecretSync.AWSSecretsManager
 ).extend({
   destinationConfig: AwsSecretsManagerSyncDestinationConfigSchema
 });
 
 export const UpdateAwsSecretsManagerSyncSchema = GenericUpdateSecretSyncFieldsSchema(
-  SecretSync.AWSSecretsManager,
-  AwsSecretsManagerSyncOptionsConfig
+  SecretSync.AWSSecretsManager
 ).extend({
   destinationConfig: AwsSecretsManagerSyncDestinationConfigSchema.optional()
 });

backend/src/services/secret-sync/secret-sync-queue.ts

@@ -233,7 +233,6 @@ export const secretSyncQueueFactory = ({
         }
 
         secretMap[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
-        secretMap[secretKey].secretMetadata = secret.secretMetadata;
       })
     );
 
@@ -259,8 +258,7 @@ export const secretSyncQueueFactory = ({
             secretMap[importedSecret.key] = {
               skipMultilineEncoding: importedSecret.skipMultilineEncoding,
               comment: importedSecret.secretComment,
-              value: importedSecret.secretValue || "",
-              secretMetadata: importedSecret.secretMetadata
+              value: importedSecret.secretValue || ""
             };
           }
         }

backend/src/services/secret-sync/secret-sync-schemas.ts

@@ -1,4 +1,4 @@
-import { AnyZodObject, z } from "zod";
+import { z } from "zod";
 
 import { SecretSyncsSchema } from "@app/db/schemas/secret-syncs";
 import { SecretSyncs } from "@app/lib/api-docs";
@@ -8,45 +8,34 @@ import { SecretSync, SecretSyncInitialSyncBehavior } from "@app/services/secret-
 import { SECRET_SYNC_CONNECTION_MAP } from "@app/services/secret-sync/secret-sync-maps";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
-const BaseSyncOptionsSchema = <T extends AnyZodObject | undefined = undefined>({
-  destination,
-  syncOptionsConfig: { canImportSecrets },
-  merge,
-  isUpdateSchema
-}: {
-  destination: SecretSync;
-  syncOptionsConfig: TSyncOptionsConfig;
-  merge?: T;
-  isUpdateSchema?: boolean;
-}) => {
-  const baseSchema = z.object({
-    initialSyncBehavior: (canImportSecrets
+const SyncOptionsSchema = (secretSync: SecretSync, options: TSyncOptionsConfig = { canImportSecrets: true }) =>
+  z.object({
+    initialSyncBehavior: (options.canImportSecrets
       ? z.nativeEnum(SecretSyncInitialSyncBehavior)
       : z.literal(SecretSyncInitialSyncBehavior.OverwriteDestination)
-    ).describe(SecretSyncs.SYNC_OPTIONS(destination).initialSyncBehavior)
+    ).describe(SecretSyncs.SYNC_OPTIONS(secretSync).initialSyncBehavior)
+    // prependPrefix: z
+    //   .string()
+    //   .trim()
+    //   .transform((str) => str.toUpperCase())
+    //   .optional()
+    //   .describe(SecretSyncs.SYNC_OPTIONS(secretSync).PREPEND_PREFIX),
+    // appendSuffix: z
+    //   .string()
+    //   .trim()
+    //   .transform((str) => str.toUpperCase())
+    //   .optional()
+    //   .describe(SecretSyncs.SYNC_OPTIONS(secretSync).APPEND_SUFFIX)
   });
 
-  const schema = merge ? baseSchema.merge(merge) : baseSchema;
-
-  return (
-    isUpdateSchema
-      ? schema.describe(SecretSyncs.UPDATE(destination).syncOptions).optional()
-      : schema.describe(SecretSyncs.CREATE(destination).syncOptions)
-  ) as T extends AnyZodObject ? z.ZodObject<z.objectUtil.MergeShapes<typeof schema.shape, T["shape"]>> : typeof schema;
-};
-
-export const BaseSecretSyncSchema = <T extends AnyZodObject | undefined = undefined>(
-  destination: SecretSync,
-  syncOptionsConfig: TSyncOptionsConfig,
-  merge?: T
-) =>
+export const BaseSecretSyncSchema = (destination: SecretSync, syncOptionsConfig?: TSyncOptionsConfig) =>
   SecretSyncsSchema.omit({
     destination: true,
     destinationConfig: true,
     syncOptions: true
   }).extend({
     // destination needs to be on the extended object for type differentiation
-    syncOptions: BaseSyncOptionsSchema({ destination, syncOptionsConfig, merge }),
+    syncOptions: SyncOptionsSchema(destination, syncOptionsConfig),
     // join properties
     projectId: z.string(),
     connection: z.object({
@@ -58,11 +47,7 @@ export const BaseSecretSyncSchema = <T extends AnyZodObject | undefined = undefi
     folder: z.object({ id: z.string(), path: z.string() }).nullable()
   });
 
-export const GenericCreateSecretSyncFieldsSchema = <T extends AnyZodObject | undefined = undefined>(
-  destination: SecretSync,
-  syncOptionsConfig: TSyncOptionsConfig,
-  merge?: T
-) =>
+export const GenericCreateSecretSyncFieldsSchema = (destination: SecretSync, syncOptionsConfig?: TSyncOptionsConfig) =>
   z.object({
     name: slugSchema({ field: "name" }).describe(SecretSyncs.CREATE(destination).name),
     projectId: z.string().trim().min(1, "Project ID required").describe(SecretSyncs.CREATE(destination).projectId),
@@ -81,14 +66,10 @@ export const GenericCreateSecretSyncFieldsSchema = <T extends AnyZodObject | und
       .transform(removeTrailingSlash)
       .describe(SecretSyncs.CREATE(destination).secretPath),
     isAutoSyncEnabled: z.boolean().default(true).describe(SecretSyncs.CREATE(destination).isAutoSyncEnabled),
-    syncOptions: BaseSyncOptionsSchema({ destination, syncOptionsConfig, merge })
+    syncOptions: SyncOptionsSchema(destination, syncOptionsConfig).describe(SecretSyncs.CREATE(destination).syncOptions)
   });
 
-export const GenericUpdateSecretSyncFieldsSchema = <T extends AnyZodObject | undefined = undefined>(
-  destination: SecretSync,
-  syncOptionsConfig: TSyncOptionsConfig,
-  merge?: T
-) =>
+export const GenericUpdateSecretSyncFieldsSchema = (destination: SecretSync, syncOptionsConfig?: TSyncOptionsConfig) =>
   z.object({
     name: slugSchema({ field: "name" }).describe(SecretSyncs.UPDATE(destination).name).optional(),
     connectionId: z.string().uuid().describe(SecretSyncs.UPDATE(destination).connectionId).optional(),
@@ -109,5 +90,7 @@ export const GenericUpdateSecretSyncFieldsSchema = <T extends AnyZodObject | und
       .optional()
       .describe(SecretSyncs.UPDATE(destination).secretPath),
     isAutoSyncEnabled: z.boolean().optional().describe(SecretSyncs.UPDATE(destination).isAutoSyncEnabled),
-    syncOptions: BaseSyncOptionsSchema({ destination, syncOptionsConfig, merge, isUpdateSchema: true })
+    syncOptions: SyncOptionsSchema(destination, syncOptionsConfig)
+      .optional()
+      .describe(SecretSyncs.UPDATE(destination).syncOptions)
   });

backend/src/services/secret-sync/secret-sync-types.ts

@@ -2,7 +2,6 @@ import { Job } from "bullmq";
 
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import { QueueJobs } from "@app/queue";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import {
   TAwsSecretsManagerSync,
   TAwsSecretsManagerSyncInput,
@@ -198,10 +197,5 @@ export type TSendSecretSyncFailedNotificationsJobDTO = Job<
 
 export type TSecretMap = Record<
   string,
-  {
-    value: string;
-    comment?: string;
-    skipMultilineEncoding?: boolean | null | undefined;
-    secretMetadata?: ResourceMetadataDTO;
-  }
+  { value: string; comment?: string; skipMultilineEncoding?: boolean | null | undefined }
 >;

cli/go.mod

@@ -10,7 +10,8 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
 	github.com/h2non/filetype v1.1.3
-	github.com/infisical/go-sdk v0.4.7
+	github.com/infisical/go-sdk v0.4.8
+	github.com/infisical/infisical-kmip v0.3.5
 	github.com/mattn/go-isatty v0.0.20
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
 	github.com/muesli/mango-cobra v1.2.0
@@ -65,6 +66,9 @@ require (
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.5 // indirect
+	github.com/gosimple/slug v1.15.0 // indirect
+	github.com/gosimple/unidecode v1.0.1 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
@@ -77,6 +81,7 @@ require (
 	github.com/muesli/termenv v0.15.2 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/pelletier/go-toml v1.9.3 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/spf13/afero v1.6.0 // indirect
@@ -91,12 +96,12 @@ require (
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/net v0.27.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
 	google.golang.org/api v0.188.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b // indirect
@@ -108,7 +113,7 @@ require (
 
 require (
 	github.com/fatih/color v1.17.0
-	github.com/go-resty/resty/v2 v2.13.1
+	github.com/go-resty/resty/v2 v2.16.5
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jedib0t/go-pretty v4.3.0+incompatible
 	github.com/manifoldco/promptui v0.9.0

cli/go.sum

@@ -152,8 +152,8 @@ github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02E
 github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
-github.com/go-resty/resty/v2 v2.13.1 h1:x+LHXBI2nMB1vqndymf26quycC4aggYJ7DECYbiz03g=
-github.com/go-resty/resty/v2 v2.13.1/go.mod h1:GznXlLxkq6Nh4sU59rPmUw3VtgpO3aS96ORAI6Q7d+0=
+github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM=
+github.com/go-resty/resty/v2 v2.16.5/go.mod h1:hkJtXbA2iKHzJheXYvQ8snQES5ZLGKMwQ07xAwp/fiA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -237,6 +237,10 @@ github.com/googleapis/gax-go/v2 v2.12.5 h1:8gw9KZK8TiVKB6q3zHY3SBzLnrGp6HQjyfYBY
 github.com/googleapis/gax-go/v2 v2.12.5/go.mod h1:BUDKcWo+RaKq5SC9vVYL0wLADa3VcfswbOMMRmB9H3E=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gosimple/slug v1.15.0 h1:wRZHsRrRcs6b0XnxMUBM6WK1U1Vg5B0R7VkIf1Xzobo=
+github.com/gosimple/slug v1.15.0/go.mod h1:UiRaFH+GEilHstLUmcBgWcI42viBN7mAb818JrYOeFQ=
+github.com/gosimple/unidecode v1.0.1 h1:hZzFTMMqSswvf0LBJZCZgThIZrpDHFXux9KeGmn6T/o=
+github.com/gosimple/unidecode v1.0.1/go.mod h1:CP0Cr1Y1kogOtx0bJblKzsVWrqYaqfNOnHzpgWw4Awc=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/h2non/filetype v1.1.3 h1:FKkx9QbD7HR/zjK1Ia5XiBsq9zdLi5Kf3zGyFTAFkGg=
 github.com/h2non/filetype v1.1.3/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
@@ -255,6 +259,8 @@ github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
@@ -265,8 +271,10 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.4.7 h1:+cxIdDfciMh0Syxbxbqjhvz9/ShnN1equ2zqlVQYGtw=
-github.com/infisical/go-sdk v0.4.7/go.mod h1:6fWzAwTPIoKU49mQ2Oxu+aFnJu9n7k2JcNrZjzhHM2M=
+github.com/infisical/go-sdk v0.4.8 h1:aphRnaauC5//PkP1ZbY9RSK2RiT1LjPS5o4CbX0x5OQ=
+github.com/infisical/go-sdk v0.4.8/go.mod h1:bMO9xSaBeXkDBhTIM4FkkREAfw2V8mv5Bm7lvo4+uDk=
+github.com/infisical/infisical-kmip v0.3.5 h1:QM3s0e18B+mYv3a9HQNjNAlbwZJBzXq5BAJM2scIeiE=
+github.com/infisical/infisical-kmip v0.3.5/go.mod h1:bO1M4YtKyutNg1bREPmlyZspC5duSR7hyQ3lPmLzrIs=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -340,6 +348,7 @@ github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 h1:lL+y4Xv20pVlCGyLzNHRC0I0rIHhIL1lTvHizoS/dU8=
 github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9/go.mod h1:EHPiTAKtiFmrMldLUNswFwfZ2eJIYBHktdaUTZxYWRw=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -413,7 +422,6 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
@@ -448,11 +456,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -490,8 +495,6 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -530,13 +533,8 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -562,8 +560,6 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -612,22 +608,11 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -639,17 +624,13 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -702,8 +683,6 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

cli/packages/cmd/kmip.go

@@ -0,0 +1,103 @@
+/*
+Copyright (c) 2023 Infisical Inc.
+*/
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/Infisical/infisical-merge/packages/config"
+	"github.com/Infisical/infisical-merge/packages/util"
+	kmip "github.com/infisical/infisical-kmip"
+	"github.com/spf13/cobra"
+)
+
+var kmipCmd = &cobra.Command{
+	Example:               `infisical kmip`,
+	Short:                 "Used to manage KMIP servers",
+	Use:                   "kmip",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+}
+
+var kmipStartCmd = &cobra.Command{
+	Example:               `infisical kmip start`,
+	Short:                 "Used to start a KMIP server",
+	Use:                   "start",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+	Run:                   startKmipServer,
+}
+
+func startKmipServer(cmd *cobra.Command, args []string) {
+	listenAddr, err := cmd.Flags().GetString("listen-address")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	identityAuthMethod, err := cmd.Flags().GetString("identity-auth-method")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	authMethodValid, strategy := util.IsAuthMethodValid(identityAuthMethod, false)
+	if !authMethodValid {
+		util.PrintErrorMessageAndExit(fmt.Sprintf("Invalid login method: %s", identityAuthMethod))
+	}
+
+	var identityClientId string
+	var identityClientSecret string
+
+	if strategy == util.AuthStrategy.UNIVERSAL_AUTH {
+		identityClientId, err = util.GetCmdFlagOrEnv(cmd, "identity-client-id", util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME)
+
+		if err != nil {
+			util.HandleError(err, "Unable to parse identity client ID")
+		}
+
+		identityClientSecret, err = util.GetCmdFlagOrEnv(cmd, "identity-client-secret", util.INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET_NAME)
+		if err != nil {
+			util.HandleError(err, "Unable to parse identity client secret")
+		}
+	} else {
+		util.PrintErrorMessageAndExit(fmt.Sprintf("Unsupported login method: %s", identityAuthMethod))
+	}
+
+	serverName, err := cmd.Flags().GetString("server-name")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	certificateTTL, err := cmd.Flags().GetString("certificate-ttl")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	hostnamesOrIps, err := cmd.Flags().GetString("hostnames-or-ips")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	kmip.StartServer(kmip.ServerConfig{
+		Addr:                 listenAddr,
+		InfisicalBaseAPIURL:  config.INFISICAL_URL,
+		IdentityClientId:     identityClientId,
+		IdentityClientSecret: identityClientSecret,
+		ServerName:           serverName,
+		CertificateTTL:       certificateTTL,
+		HostnamesOrIps:       hostnamesOrIps,
+	})
+}
+
+func init() {
+	kmipStartCmd.Flags().String("listen-address", "localhost:5696", "The address for the KMIP server to listen on. Defaults to localhost:5696")
+	kmipStartCmd.Flags().String("identity-auth-method", string(util.AuthStrategy.UNIVERSAL_AUTH), "The auth method to use for authenticating the machine identity. Defaults to universal-auth.")
+	kmipStartCmd.Flags().String("identity-client-id", "", "Universal auth client ID of machine identity")
+	kmipStartCmd.Flags().String("identity-client-secret", "", "Universal auth client secret of machine identity")
+	kmipStartCmd.Flags().String("server-name", "kmip-server", "The name of the KMIP server")
+	kmipStartCmd.Flags().String("certificate-ttl", "1y", "The TTL duration for the server certificate")
+	kmipStartCmd.Flags().String("hostnames-or-ips", "", "Comma-separated list of hostnames or IPs")
+
+	kmipCmd.AddCommand(kmipStartCmd)
+	rootCmd.AddCommand(kmipCmd)
+}

docs/documentation/platform/identities/oidc-auth/terraform-cloud.mdx

@@ -0,0 +1,87 @@
+---
+title: "Terraform Cloud"
+description: "How to authenticate with Infisical from Terraform Cloud using OIDC."
+---
+
+This guide will walk you through setting up Terraform Cloud to inject a [workload identity token](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/workload-identity-tokens) and use it for OIDC-based authentication with the Infisical Terraform provider. You'll start by creating a machine identity in Infisical, then configure Terraform Cloud to pass the injected token into your Terraform runs.
+
+<Steps>
+  <Step title="Create a Machine Identity in Infisical">
+    Follow the instructions [in this documentation](/documentation/platform/identities/oidc-auth/general) to create a machine identity with OIDC auth. Infisical OIDC configuration values for Terraform Cloud:
+    1. Set the OIDC Discovery URL to https://app.terraform.io.
+    2. Set the Issuer to https://app.terraform.io.
+    3. Configure the Audience to match the value you will use for **TFC_WORKLOAD_IDENTITY_AUDIENCE** in Terraform Cloud for the next step.
+
+    
+    To view all possible claims available from Terraform cloud, visit [HashiCorp’s documentation](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/workload-identity-tokens#token-structure).
+
+  </Step>
+  <Step title="Enable Workload Identity Token Injection in Terraform Cloud">
+
+    <Tabs>
+      <Tab title="Generate single token">
+        1. **Navigate to your workspace** in Terraform Cloud.  
+        2. **Add a workspace variable** named `TFC_WORKLOAD_IDENTITY_AUDIENCE`:
+          - **Key**: `TFC_WORKLOAD_IDENTITY_AUDIENCE`
+          - **Value**: For example, `my-infisical-audience`
+          - **Category**: Environment
+
+        > **Important**:  
+        > - The presence of `TFC_WORKLOAD_IDENTITY_AUDIENCE` is required for Terraform Cloud to inject a token.  
+        > - If you are self-hosting HCP Terraform agents, ensure they are **v1.7.0 or above**.
+
+        Once set, Terraform Cloud will inject a workload identity token into the run environment as `TFC_WORKLOAD_IDENTITY_TOKEN`.
+      </Tab>
+      <Tab title="(Optional) Generate Multiple Tokens">
+        If you need multiple tokens (each with a different audience), create additional variables:
+
+        ```
+        TFC_WORKLOAD_IDENTITY_AUDIENCE_[YOUR_TAG_HERE]
+        ```
+
+        For example:
+        - `TFC_WORKLOAD_IDENTITY_AUDIENCE_INFISICAL`
+        - `TFC_WORKLOAD_IDENTITY_AUDIENCE_OTHER_SERVICE`
+
+        Terraform Cloud will then inject:
+        - `TFC_WORKLOAD_IDENTITY_TOKEN_INFISICAL`
+        - `TFC_WORKLOAD_IDENTITY_TOKEN_OTHER_SERVICE`
+
+        > **Note**:  
+        > - The `[YOUR_TAG_HERE]` can only contain letters, numbers, and underscores.  
+        > - You **cannot** use the reserved keyword `TYPE`.  
+        > - Generating multiple tokens requires **v1.12.0 or later** if you are self-hosting agents.
+      </Tab>
+    </Tabs>
+
+    <Warning>
+      If you are running on self-hosted HCP Terraform agents, you must use v1.7.0 or later to enable token injection. If you need to generate multiple tokens, you must use v1.12.0 or later.
+    </Warning>
+  </Step>
+  <Step title="Configure the Infisical Provider">
+    In your Terraform configuration, reference the injected token by name. For example:
+
+    ```hcl
+    provider "infisical" {
+      host = "https://app.infisical.com"
+
+      auth = {
+        oidc = {
+          identity_id = "<identity-id>"
+          # This must match the environment variable Terraform injects:
+          token_environment_variable_name = "TFC_WORKLOAD_IDENTITY_TOKEN"
+        }
+      }
+    }
+    ```
+
+    - **`host`**: Defaults to `https://app.infisical.com`. Override if using a self-hosted Infisical instance.
+    - **`identity_id`**: The OIDC identity ID from Infisical.
+    - **`token_environment_variable_name`**: Must match the injected variable name from Terraform Cloud. If using single token, use `TFC_WORKLOAD_IDENTITY_TOKEN`. If using multiple tokens, choose the one you want to use (e.g., `TFC_WORKLOAD_IDENTITY_TOKEN_INFISICAL`).
+  </Step>
+  <Step title="Validate Your Setup">
+    1. Run a plan and apply in Terraform Cloud.  
+    2. Verify the Infisical provider authenticates successfully without issues. If you run into authentication errors, double-check the Infisical identity has the correct roles/permissions in Infisical.
+
+  </Step>
+</Steps>

docs/documentation/platform/kms/kmip.mdx

@@ -0,0 +1,142 @@
+---
+title: "KMIP Integration"
+description: "Learn more about integrating with Infisical KMS using KMIP (Key Management Interoperability Protocol)."
+---
+
+<Note>
+  KMIP integration is an Enterprise-only feature. Please reach out to
+  sales@infisical.com if you have any questions.
+</Note>
+
+## Overview
+
+Infisical KMS provides **Key Management Interoperability Protocol (KMIP)** support, enabling seamless integration with KMIP-compatible clients. This allows for enhanced key management across various applications that support the **KMIP 1.4 protocol**.
+
+## Supported Operations
+
+The Infisical KMIP server supports the following operations for **symmetric keys**:
+
+- **Create** - Generate symmetric keys.
+- **Register** - Register externally created keys.
+- **Locate** - Find keys using attributes.
+- **Get** - Retrieve keys securely.
+- **Activate** - Enable keys for usage.
+- **Revoke** - Revoke existing keys.
+- **Destroy** - Permanently remove keys.
+- **Get Attributes** - Retrieve metadata associated with keys.
+- **Query** - Query server capabilities and supported operations.
+
+## Benefits of KMIP Integration
+
+Integrating Infisical KMS with KMIP-compatible clients provides the following benefits:
+
+- **Standardized Key Management**: Allows interoperability with security and cryptographic applications that support KMIP.
+- **Enterprise-Grade Security**: Utilizes Infisical’s encryption mechanisms to securely store and manage keys.
+- **Centralized Key Management**: Enables a unified approach for managing cryptographic keys across multiple environments.
+
+## Compatibility
+
+Infisical KMIP supports **KMIP versions 1.0 to 1.4**, ensuring compatibility with a wide range of clients and security tools.
+
+## Secure Communication & Authorization
+
+KMIP client-server communication is secured using **mutual TLS (mTLS)**, ensuring strong identity verification and encrypted data exchange via **PKI certificates**. Each KMIP entity must possess valid certificates signed by a trusted Root CA to establish trust.
+For strong isolation, each Infisical organization has its own KMIP PKI (Public Key Infrastructure), ensuring that cryptographic operations and certificate authorities remain separate across organizations.
+
+Infisical KMS enforces a **two-layer authorization model** for KMIP operations:
+
+1. **KMIP Server Authorization** – The KMIP server, acting as a proxy, must have the `proxy KMIP` permission to forward client requests to Infisical KMS. This is done using a **machine identity** attached to the KMIP server.
+2. **KMIP Client Authorization** – Clients must have the necessary KMIP-level permissions to perform specific key management operations.
+
+By combining **mTLS for secure communication** and **machine identity-based proxying**, Infisical KMS ensures **strong authentication, controlled access, and centralized key management** for KMIP operations.
+
+## Setup Instructions
+
+### Setup KMIP for your organization
+
+<Steps>
+  <Step title="Navigate to the organization settings > KMIP">
+    From there, press Setup KMIP.
+    ![KMIP org navigate](/images/platform/kms/kmip/kmip-org-setup-navigation.png)
+  </Step>
+  <Step title="Configure KMIP PKI for the organization">
+    In the modal, select the desired key algorithm to use for the KMIP PKI of your organization. Press continue.
+    ![KMIP org PKI setup](/images/platform/kms/kmip/kmip-org-setup-modal.png)
+
+    This generates the KMIP PKI for your organization. After this, you can proceed to setting up your KMIP server.
+
+  </Step>
+</Steps>
+
+### Deploying and Configuring the KMIP Server
+
+Follow these steps to configure and deploy a KMIP server.
+
+<Steps>
+  <Step title="Setup Machine Identity">
+    Configure a [machine identity](https://infisical.com/docs/documentation/platform/identities/machine-identities#machine-identities) for the KMIP server to use.
+    ![KMIP create machine identity](/images/platform/kms/kmip/kmip-create-mi.png)
+
+    Create a custom organization role and give it the **Proxy KMIP** permission.
+    ![KMIP create custom role](/images/platform/kms/kmip/kmip-create-custom-role.png)
+    ![KMIP assign proxy to role](/images/platform/kms/kmip/kmip-assign-custom-role-proxy.png)
+
+    Assign the machine identity to the custom organization role. This allows the machine identity to serve KMIP client requests and forward them from your KMIP server to Infisical.
+    ![KMIP assign role to machine identity](/images/platform/kms/kmip/kmip-assign-mi-to-role.png)
+
+  </Step>
+
+  <Step title="Start up the KMIP server">
+    To deploy the KMIP server, use the Infisical CLI’s `kmip start` command.  
+    Before proceeding, make sure you have the [Infisical CLI installed](https://infisical.com/docs/cli/overview).
+
+    Once installed, launch the KMIP server with the following command:
+
+    ```bash
+    infisical kmip start \
+      --identity-client-id=<machine-identity-client-id> \ # This can be set by defining the INFISICAL_UNIVERSAL_AUTH_CLIENT_ID ENV variable
+      --identity-client-secret=<machine-identity-client-secret> \ # This can be set by defining the INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET ENV variable
+      --domain=https://app.infisical.com \
+      --hostnames-or-ips="my-kmip-server.com"
+    ```
+
+    The following flags are available for the `infisical kmip start` command::
+    - **listen-address** (default: localhost:5696): The address the KMIP server listens on.
+    - **identity-auth-method** (default: universal-auth): The authentication method for the machine identity.
+    - **identity-client-id**:  The client ID of the machine identity. This can be set by defining the `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` ENV variable.
+    - **identity-client-secret**: The client secret of the machine identity. This can be set by defining the `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` ENV variable.
+    - **server-name** (default: "kmip-server"): The name of the KMIP server.
+    - **certificate-ttl** (default: "1y"): The duration for which the server certificate is valid.
+    - **hostnames-or-ips:** A comma-separated list of hostnames or IPs the KMIP server will use (required).
+
+  </Step>
+</Steps>
+
+### Add and Configure KMIP Clients
+
+<Steps>
+  <Step title="Navigate to the desired KMS project and select KMIP">
+    From there, press Add KMIP Client
+    ![KMIP client overview](/images/platform/kms/kmip/kmip-client-overview.png)
+  </Step>
+  <Step title="Configure KMIP client">
+    In the modal, provide the details of your client. The selected permissions determine what KMIP operations can be performed in your KMS project.
+    ![KMIP client modal](/images/platform/kms/kmip/kmip-client-modal.png)
+  </Step>
+    <Step title="Generate client certificate">
+    Once the KMIP client is created, you will have to generate a client certificate.
+    Press Generate Certificate.
+    ![KMIP generate client cert](/images/platform/kms/kmip/kmip-client-generate-cert.png)
+
+    Provide the desired TTL and key algorithm to use and press Generate Client Certificate.
+    ![KMIP client cert config](/images/platform/kms/kmip/kmip-client-cert-config-modal.png)
+
+    Configure your KMIP clients to use the generated client certificate, certificate chain and private key.
+    ![KMIP client cert modal](/images/platform/kms/kmip/kmip-client-certificate-modal.png)
+
+  </Step>
+</Steps>
+
+## Additional Resources
+
+- [KMIP 1.4 Specification](http://docs.oasis-open.org/kmip/spec/v1.4/os/kmip-spec-v1.4-os.html)

docs/documentation/setup/networking.mdx

@@ -0,0 +1,36 @@
+---
+title: "Networking"
+sidebarTitle: "Networking"
+description: "Network configuration details for Infisical Cloud"
+---
+
+## Overview
+
+When integrating your infrastructure with Infisical Cloud, you may need to configure network access controls. This page provides the IP addresses that Infisical uses to communicate with your services.
+
+## Egress IP Addresses
+
+Infisical Cloud operates from two regions: US and EU. If your infrastructure has strict network policies, you may need to allow traffic from Infisical by adding the following IP addresses to your ingress rules. These are the egress IPs Infisical uses when making outbound requests to your services.
+
+### US Region
+
+To allow connections from Infisical US, add these IP addresses to your ingress rules:
+
+- `3.213.63.16`
+- `54.164.68.7`
+
+### EU Region
+
+To allow connections from Infisical EU, add these IP addresses to your ingress rules:
+
+- `3.77.89.19`
+- `3.125.209.189`
+
+## Common Use Cases
+
+You may need to allow Infisical’s egress IPs if your services require inbound connections for:
+
+- Secret rotation - When Infisical needs to send requests to your systems to automatically rotate credentials
+- Dynamic secrets - When Infisical generates and manages temporary credentials for your cloud services
+- Secret integrations - When syncing secrets with third-party services like Azure Key Vault
+- Native authentication with machine identities - When using methods like Kubernetes authentication

docs/integrations/app-connections/aws.mdx

@@ -118,9 +118,7 @@ Infisical supports two methods for connecting to AWS.
                                             "ssm:GetParametersByPath",
                                             "ssm:DescribeParameters",
                                             "ssm:DeleteParameters",
-                                            "ssm:ListTagsForResource", // if you need to add tags to secrets
                                             "ssm:AddTagsToResource", // if you need to add tags to secrets
-                                            "ssm:RemoveTagsFromResource", // if you need to add tags to secrets
                                             "kms:ListKeys", // if you need to specify the KMS key
                                             "kms:ListAliases", // if you need to specify the KMS key
                                             "kms:Encrypt", // if you need to specify the KMS key
@@ -261,9 +259,7 @@ Infisical supports two methods for connecting to AWS.
                                     "ssm:GetParametersByPath",
                                     "ssm:DescribeParameters",
                                     "ssm:DeleteParameters",
-                                    "ssm:ListTagsForResource", // if you need to add tags to secrets
                                     "ssm:AddTagsToResource", // if you need to add tags to secrets
-                                    "ssm:RemoveTagsFromResource", // if you need to add tags to secrets
                                     "kms:ListKeys", // if you need to specify the KMS key
                                     "kms:ListAliases", // if you need to specify the KMS key
                                     "kms:Encrypt", // if you need to specify the KMS key

docs/integrations/secret-syncs/aws-parameter-store.mdx

@@ -40,10 +40,6 @@ description: "Learn how to configure an AWS Parameter Store Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Parameter Store when keys conflict.
                 - **Import Secrets (Prioritize AWS Parameter Store)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Parameter Store over Infisical when keys conflict.
-            - **Key ID**: The AWS KMS key ID or alias to encrypt parameters with.
-            - **Tags**: Optional resource tags to add to parameters synced by Infisical.
-            - **Sync Secret Metadata as Resource Tags**: If enabled, metadata attached to secrets will be added as resource tags to parameters synced by Infisical.
-        <Note>Manually configured tags from the **Tags** field will take precedence over secret metadata when tag keys conflict.</Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
 
         6. Configure the **Details** of your Parameter Store Sync, then click **Next**.

docs/integrations/secret-syncs/overview.mdx

@@ -77,13 +77,6 @@ via the UI or API for the third-party service you intend to sync secrets to.
     - <strong>Destination:</strong> The App Connection to utilize and the destination endpoint to deploy secrets to. These can vary between services.
     - <strong>Options:</strong> Customize how secrets should be synced. Examples include adding a suffix or prefix to your secrets, or importing secrets from the destination on the initial sync.
 
-<Note>
-    Secret Syncs are the source of truth for connected third-party services. Any secret,
-    including associated data, not present or imported in Infisical before syncing will be
-    overwritten, and changes directly in the connected service outside of infisical may also
-    be overwritten by future syncs.
-</Note>
-
 <Info>
     Some third-party services do not support importing secrets.
 </Info>

docs/mint.json

@@ -85,6 +85,10 @@
             "documentation/guides/microsoft-power-apps",
             "documentation/guides/organization-structure"
           ]
+        },
+        {
+          "group": "Setup",
+          "pages": ["documentation/setup/networking"]
         }
       ]
     },
@@ -120,7 +124,8 @@
           "pages": [
             "documentation/platform/kms/overview",
             "documentation/platform/kms/hsm-integration",
-            "documentation/platform/kms/kubernetes-encryption"
+            "documentation/platform/kms/kubernetes-encryption",
+            "documentation/platform/kms/kmip"
           ]
         },
         {
@@ -232,7 +237,8 @@
             "documentation/platform/identities/oidc-auth/general",
             "documentation/platform/identities/oidc-auth/github",
             "documentation/platform/identities/oidc-auth/circleci",
-            "documentation/platform/identities/oidc-auth/gitlab"
+            "documentation/platform/identities/oidc-auth/gitlab",
+            "documentation/platform/identities/oidc-auth/terraform-cloud"
           ]
         },
         "documentation/platform/mfa",
@@ -633,7 +639,8 @@
             "api-reference/endpoints/oidc-auth/attach",
             "api-reference/endpoints/oidc-auth/retrieve",
             "api-reference/endpoints/oidc-auth/update",
-            "api-reference/endpoints/oidc-auth/revoke"
+            "api-reference/endpoints/oidc-auth/revoke",
+            "integrations/frameworks/terraform-cloud"
           ]
         },
         {

docs/sdks/languages/go.mdx

@@ -4,8 +4,6 @@ sidebarTitle: "Go"
 icon: "golang"
 ---
 
-
-
 If you're working with Go Lang, the official [Infisical Go SDK](https://github.com/infisical/go-sdk) package is the easiest way to fetch and work with secrets for your application.
 
 - [Package](https://pkg.go.dev/github.com/infisical/go-sdk)
@@ -57,7 +55,9 @@ func main() {
 This example demonstrates how to use the Infisical Go SDK in a simple Go application. The application retrieves a secret named `API_KEY` from the `dev` environment of the `YOUR_PROJECT_ID` project.
 
 <Warning>
-    We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
+  We do not recommend hardcoding your [Machine Identity
+  Tokens](/platform/identities/overview). Setting it as an environment variable
+  would be best.
 </Warning>
 
 # Installation
@@ -95,6 +95,10 @@ client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
         <ParamField query="SilentMode" type="boolean" default={false} optional>
             Whether or not to suppress logs such as warnings from the token refreshing process. Defaults to false if not specified.
         </ParamField>
+
+        <ParamField query="CacheExpiryInSeconds" type="number" default={0} optional>
+            Defines how long certain responses should be cached in memory, in seconds. When set to a positive value, responses from specific methods (like secret fetching) will be cached for this duration. Set to 0 to disable caching.
+        </ParamField>
     </Expandable>
 
 </ParamField>
@@ -140,6 +144,7 @@ Call `.Auth().UniversalAuthLogin()` with empty arguments to use the following en
 - `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
 
 **Using the SDK directly**
+
 ```go
 _, err := client.Auth().UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")
 
@@ -150,9 +155,12 @@ if err != nil {
 ```
 
 #### GCP ID Token Auth
+
 <Info>
-  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
-  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+  Please note that this authentication method will only work if you're running
+  your application on Google Cloud Platform. Please [read
+  more](/documentation/platform/identities/gcp-auth) about this authentication
+  method.
 </Info>
 
 **Using environment variables**
@@ -162,6 +170,7 @@ Call `.Auth().GcpIdTokenAuthLogin()` with empty arguments to use the following e
 - `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
 
 **Using the SDK directly**
+
 ```go
 _, err := client.Auth().GcpIdTokenAuthLogin("YOUR_MACHINE_IDENTITY_ID")
 
@@ -181,6 +190,7 @@ Call `.Auth().GcpIamAuthLogin()` with empty arguments to use the following envir
 - `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
 
 **Using the SDK directly**
+
 ```go
 _, err = client.Auth().GcpIamAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_KEY_FILE_PATH")
 
@@ -191,9 +201,12 @@ if err != nil {
 ```
 
 #### AWS IAM Auth
+
 <Info>
-  Please note that this authentication method will only work if you're running your application on AWS.
-  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+  Please note that this authentication method will only work if you're running
+  your application on AWS. Please [read
+  more](/documentation/platform/identities/aws-auth) about this authentication
+  method.
 </Info>
 
 **Using environment variables**
@@ -203,6 +216,7 @@ Call `.Auth().AwsIamAuthLogin()` with empty arguments to use the following envir
 - `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
 
 **Using the SDK directly**
+
 ```go
 _, err = client.Auth().AwsIamAuthLogin("MACHINE_IDENTITY_ID")
 
@@ -212,11 +226,13 @@ if err != nil {
 }
 ```
 
-
 #### Azure Auth
+
 <Info>
-  Please note that this authentication method will only work if you're running your application on Azure.
-  Please [read more](/documentation/platform/identities/azure-auth) about this authentication method.
+  Please note that this authentication method will only work if you're running
+  your application on Azure. Please [read
+  more](/documentation/platform/identities/azure-auth) about this authentication
+  method.
 </Info>
 
 **Using environment variables**
@@ -226,6 +242,7 @@ Call `.Auth().AzureAuthLogin()` with empty arguments to use the following enviro
 - `INFISICAL_AZURE_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
 
 **Using the SDK directly**
+
 ```go
 _, err = client.Auth().AzureAuthLogin("MACHINE_IDENTITY_ID")
 
@@ -236,9 +253,12 @@ if err != nil {
 ```
 
 #### Kubernetes Auth
+
 <Info>
-  Please note that this authentication method will only work if you're running your application on Kubernetes.
-  Please [read more](/documentation/platform/identities/kubernetes-auth) about this authentication method.
+  Please note that this authentication method will only work if you're running
+  your application on Kubernetes. Please [read
+  more](/documentation/platform/identities/kubernetes-auth) about this
+  authentication method.
 </Info>
 
 **Using environment variables**
@@ -249,6 +269,7 @@ Call `.Auth().KubernetesAuthLogin()` with empty arguments to use the following e
 - `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME` - The environment variable name that contains the path to the service account token. This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
 
 **Using the SDK directly**
+
 ```go
 // Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
 _, err = client.Auth().KubernetesAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_TOKEN_PATH")
@@ -262,6 +283,7 @@ if err != nil {
 ## Working With Secrets
 
 ### List Secrets
+
 `client.Secrets().List(options)`
 
 Retrieve all secrets within the Infisical project and environment that client is connected to.
@@ -275,7 +297,7 @@ secrets, err := client.Secrets().List(infisical.ListSecretsOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object">
     <Expandable title="properties">
@@ -311,7 +333,9 @@ secrets, err := client.Secrets().List(infisical.ListSecretsOptions{
 </ParamField>
 
 ###
+
 ### Retrieve Secret
+
 `client.Secrets().Retrieve(options)`
 
 Retrieve a secret from Infisical. By default `Secrets().Retrieve()` fetches and returns a shared secret.
@@ -324,30 +348,34 @@ secret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="SecretKey" type="string" required>
-            The key of the secret to retrieve.
-        </ParamField>
-        <ParamField query="ProjectID" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="SecretPath" type="string" optional>
-            The path from where secret should be fetched from.
-        </ParamField>
-        <ParamField query="Type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="SecretKey" type="string" required>
+      The key of the secret to retrieve.
+    </ParamField>
+    <ParamField query="ProjectID" type="string" required>
+      The project ID where the secret lives in.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where secrets
+      should be fetched from.
+    </ParamField>
+    <ParamField query="SecretPath" type="string" optional>
+      The path from where secret should be fetched from.
+    </ParamField>
+    <ParamField query="Type" type="string" optional>
+      The type of the secret. Valid options are "shared" or "personal". If not
+      specified, the default value is "shared".
+    </ParamField>
+  </Expandable>
 </ParamField>
 
 ###
+
 ### Create Secret
+
 `client.Secrets().Create(options)`
 
 Create a new secret in Infisical.
@@ -363,36 +391,38 @@ secret, err := client.Secrets().Create(infisical.CreateSecretOptions{
 })
 ```
 
-
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="SecretKey" type="string" required>
-            The key of the secret to create.
-        </ParamField>
-        <ParamField query="SecretValue" type="string" required>
-            The value of the secret.
-        </ParamField>
-        <ParamField query="SecretComment" type="string" optional>
-            A comment for the secret.
-        </ParamField>
-        <ParamField query="ProjectID" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="SecretPath" type="string" optional>
-            The path from where secret should be created.
-        </ParamField>
-        <ParamField query="Type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="SecretKey" type="string" required>
+      The key of the secret to create.
+    </ParamField>
+    <ParamField query="SecretValue" type="string" required>
+      The value of the secret.
+    </ParamField>
+    <ParamField query="SecretComment" type="string" optional>
+      A comment for the secret.
+    </ParamField>
+    <ParamField query="ProjectID" type="string" required>
+      The project ID where the secret lives in.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where secrets
+      should be fetched from.
+    </ParamField>
+    <ParamField query="SecretPath" type="string" optional>
+      The path from where secret should be created.
+    </ParamField>
+    <ParamField query="Type" type="string" optional>
+      The type of the secret. Valid options are "shared" or "personal". If not
+      specified, the default value is "shared".
+    </ParamField>
+  </Expandable>
 </ParamField>
 
 ###
+
 ### Update Secret
 
 `client.Secrets().Update(options)`
@@ -409,36 +439,45 @@ secret, err := client.Secrets().Update(infisical.UpdateSecretOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="SecretKey" type="string" required>
-            The key of the secret to update.
-        </ParamField>
-        <ParamField query="NewSecretValue" type="string" required>
-            The new value of the secret.
-        </ParamField>
-        <ParamField query="NewSkipMultilineEncoding" type="boolean" default="false" optional>
-            Whether or not to skip multiline encoding for the new secret value.
-        </ParamField>
-        <ParamField query="ProjectID" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="SecretPath" type="string" optional>
-            The path from where secret should be updated.
-        </ParamField>
-        <ParamField query="Type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="SecretKey" type="string" required>
+      The key of the secret to update.
+    </ParamField>
+    <ParamField query="NewSecretValue" type="string" required>
+      The new value of the secret.
+    </ParamField>
+    <ParamField
+      query="NewSkipMultilineEncoding"
+      type="boolean"
+      default="false"
+      optional
+    >
+      Whether or not to skip multiline encoding for the new secret value.
+    </ParamField>
+    <ParamField query="ProjectID" type="string" required>
+      The project ID where the secret lives in.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where secrets
+      should be fetched from.
+    </ParamField>
+    <ParamField query="SecretPath" type="string" optional>
+      The path from where secret should be updated.
+    </ParamField>
+    <ParamField query="Type" type="string" optional>
+      The type of the secret. Valid options are "shared" or "personal". If not
+      specified, the default value is "shared".
+    </ParamField>
+  </Expandable>
 </ParamField>
 
 ###
+
 ### Delete Secret
+
 `client.Secrets().Delete(options)`
 
 Delete a secret in Infisical.
@@ -451,33 +490,106 @@ secret, err := client.Secrets().Delete(infisical.DeleteSecretOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="SecretKey" type="string">
-            The key of the secret to update.
-        </ParamField>
-        <ParamField query="ProjectID" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="SecretPath" type="string" optional>
-            The path from where secret should be deleted.
-        </ParamField>
-        <ParamField query="Type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="SecretKey" type="string">
+      The key of the secret to update.
+    </ParamField>
+    <ParamField query="ProjectID" type="string" required>
+      The project ID where the secret lives in.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where secrets
+      should be fetched from.
+    </ParamField>
+    <ParamField query="SecretPath" type="string" optional>
+      The path from where secret should be deleted.
+    </ParamField>
+    <ParamField query="Type" type="string" optional>
+      The type of the secret. Valid options are "shared" or "personal". If not
+      specified, the default value is "shared".
+    </ParamField>
+  </Expandable>
 </ParamField>
 
-## Working With folders
 
+### Batch Create Secrets
+
+`client.Secrets().Batch().Create(options)`
+
+Create multiple secrets in Infisical.
+
+```go
+	createdSecrets, err := client.Secrets().Batch().Create(infisical.BatchCreateSecretsOptions{
+		Environment: "<environment-slug>",
+		SecretPath:  "<secret-path>",
+		ProjectID:   "<project-id>",
+		Secrets: []infisical.BatchCreateSecret{
+			{
+				SecretKey:   "SECRET-1",
+				SecretValue: "test-value-1",
+			},
+			{
+				SecretKey:   "SECRET-2",
+				SecretValue: "test-value-2",
+			},
+		},
+	})
+```
+
+#### Parameters
+<ParamField query="Parameters" type="object" optional>
+  <Expandable title="properties">
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+    </ParamField>
+    <ParamField query="ProjectID" type="string" required>
+      The project ID where the secret lives in.
+    </ParamField>
+    <ParamField query="SecretPath" type="string" optional>
+      The path from where secret should be created.
+    </ParamField>
+    <ParamField query="Secrets" type="array" required>
+    <Expandable>
+      <ParamField query="SecretKey" type="string" required>
+        The key of the secret to create.
+      </ParamField>
+      <ParamField query="SecretValue" type="string" required>
+        The value of the secret.
+      </ParamField>
+      <ParamField query="SecretComment" type="string" optional>
+      The comment to add to the secret.
+      </ParamField>
+      <ParamField query="SkipMultiLineEncoding" type="boolean" optional>
+        Whether or not to skip multiline encoding for the secret value.
+      </ParamField>
+      <ParamField query="TagIDs" type="string[]" optional>
+        The tag IDs to associate with the secret.
+      </ParamField>
+
+      <ParamField query="SecretMetadata" type="object" optional>
+        <Expandable>
+          <ParamField query="Key" type="string" required>
+            The key of the metadata.
+          </ParamField>
+          <ParamField query="Value" type="string" required>
+            The value of the metadata.
+          </ParamField>
+        </Expandable>
+      </ParamField>
+    </Expandable>
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+## Working With Folders
 
 ###
+
 ### List Folders
+
 `client.Folders().List(options)`
 
 Retrieve all within the Infisical project and environment that client is connected to.
@@ -490,7 +602,7 @@ folders, err := client.Folders().List(infisical.ListFoldersOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object">
     <Expandable title="properties">
@@ -510,7 +622,9 @@ folders, err := client.Folders().List(infisical.ListFoldersOptions{
 </ParamField>
 
 ###
+
 ### Create Folder
+
 `client.Folders().Create(options)`
 
 Create a new folder in Infisical.
@@ -524,28 +638,30 @@ folder, err := client.Folders().Create(infisical.CreateFolderOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="ProjectID" type="string" required>
-            The ID of the project where the folder will be created.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment where the folder will be created.
-        </ParamField>
-        <ParamField query="Path" type="string" optional>
-            The path to create the folder in. The root path is `/`.
-        </ParamField>
-        <ParamField query="Name" type="string" optional>
-            The name of the folder to create.
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="ProjectID" type="string" required>
+      The ID of the project where the folder will be created.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment where the folder will be
+      created.
+    </ParamField>
+    <ParamField query="Path" type="string" optional>
+      The path to create the folder in. The root path is `/`.
+    </ParamField>
+    <ParamField query="Name" type="string" optional>
+      The name of the folder to create.
+    </ParamField>
+  </Expandable>
 </ParamField>
 
-
 ###
+
 ### Update Folder
+
 `client.Folders().Update(options)`
 
 Update an existing folder in Infisical.
@@ -560,30 +676,33 @@ folder, err := client.Folders().Update(infisical.UpdateFolderOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="ProjectID" type="string" required>
-            The ID of the project where the folder will be updated.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where the folder lives in.
-        </ParamField>
-        <ParamField query="Path" type="string" optional>
-            The path from where the folder should be updated.
-        </ParamField>
-        <ParamField query="FolderID" type="string" required>
-            The ID of the folder to update.
-        </ParamField>
-        <ParamField query="NewName" type="string" required>
-            The new name of the folder.
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="ProjectID" type="string" required>
+      The ID of the project where the folder will be updated.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where the folder
+      lives in.
+    </ParamField>
+    <ParamField query="Path" type="string" optional>
+      The path from where the folder should be updated.
+    </ParamField>
+    <ParamField query="FolderID" type="string" required>
+      The ID of the folder to update.
+    </ParamField>
+    <ParamField query="NewName" type="string" required>
+      The new name of the folder.
+    </ParamField>
+  </Expandable>
 </ParamField>
 
 ###
+
 ### Delete Folder
+
 `client.Folders().Delete(options)`
 
 Delete a folder in Infisical.
@@ -599,7 +718,7 @@ deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
     <Expandable title="properties">
@@ -620,6 +739,5 @@ deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
             The path from where the folder should be deleted.
         </ParamField>
     </Expandable>
+
 </ParamField>
-
-

frontend/src/components/secret-syncs/forms/CreateSecretSyncForm.tsx

@@ -1,13 +1,11 @@
 import { useState } from "react";
 import { Controller, FormProvider, useForm } from "react-hook-form";
-import { faInfoCircle } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { Tab } from "@headlessui/react";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { twMerge } from "tailwind-merge";
 
 import { createNotification } from "@app/components/notifications";
-import { Button, FormControl, Modal, ModalContent, Switch } from "@app/components/v2";
+import { Button, Checkbox, FormControl, Switch } from "@app/components/v2";
 import { useWorkspace } from "@app/context";
 import { SECRET_SYNC_MAP } from "@app/helpers/secretSyncs";
 import {
@@ -18,10 +16,10 @@ import {
   useSecretSyncOption
 } from "@app/hooks/api/secretSyncs";
 
-import { SecretSyncOptionsFields } from "./SecretSyncOptionsFields/SecretSyncOptionsFields";
 import { SecretSyncFormSchema, TSecretSyncForm } from "./schemas";
 import { SecretSyncDestinationFields } from "./SecretSyncDestinationFields";
 import { SecretSyncDetailsFields } from "./SecretSyncDetailsFields";
+import { SecretSyncOptionsFields } from "./SecretSyncOptionsFields";
 import { SecretSyncReviewFields } from "./SecretSyncReviewFields";
 import { SecretSyncSourceFields } from "./SecretSyncSourceFields";
 
@@ -34,7 +32,7 @@ type Props = {
 const FORM_TABS: { name: string; key: string; fields: (keyof TSecretSyncForm)[] }[] = [
   { name: "Source", key: "source", fields: ["secretPath", "environment"] },
   { name: "Destination", key: "destination", fields: ["connection", "destinationConfig"] },
-  { name: "Sync Options", key: "options", fields: ["syncOptions"] },
+  { name: "Options", key: "options", fields: ["syncOptions"] },
   { name: "Details", key: "details", fields: ["name", "description"] },
   { name: "Review", key: "review", fields: [] }
 ];
@@ -44,9 +42,8 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
   const { currentWorkspace } = useWorkspace();
   const { name: destinationName } = SECRET_SYNC_MAP[destination];
 
-  const [showConfirmation, setShowConfirmation] = useState(false);
-
   const [selectedTabIndex, setSelectedTabIndex] = useState(0);
+  const [confirmOverwrite, setConfirmOverwrite] = useState(false);
 
   const { syncOption } = useSecretSyncOption(destination);
 
@@ -80,7 +77,6 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
       onComplete(secretSync);
     } catch (err: any) {
       console.error(err);
-      setShowConfirmation(false);
       createNotification({
         title: `Failed to add ${destinationName} Sync`,
         text: err.message,
@@ -98,7 +94,7 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
     setSelectedTabIndex((prev) => prev - 1);
   };
 
-  const { handleSubmit, trigger, control } = formMethods;
+  const { handleSubmit, trigger, watch, control } = formMethods;
 
   const isStepValid = async (index: number) => trigger(FORM_TABS[index].fields);
 
@@ -106,7 +102,7 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
 
   const handleNext = async () => {
     if (isFinalStep) {
-      setShowConfirmation(true);
+      handleSubmit(onSubmit)();
       return;
     }
 
@@ -127,146 +123,113 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
     return isEnabled;
   };
 
-  if (showConfirmation)
-    return (
-      <>
-        <div className="flex flex-col rounded-sm border border-l-[2px] border-mineshaft-600 border-l-primary bg-mineshaft-700/80 px-4 py-3">
-          <div className="mb-1 flex items-center text-sm">
-            <FontAwesomeIcon icon={faInfoCircle} size="sm" className="mr-1.5 text-primary" />
-            Secret Sync Behavior
-          </div>
-          <p className="mt-1 text-sm text-bunker-200">
-            Secret Syncs are the source of truth for connected third-party services. Any secret,
-            including associated data, not present or imported in Infisical before syncing will be
-            overwritten, and changes directly in the connected service outside of infisical may also
-            be overwritten by future syncs.
-          </p>
-        </div>
-        <div className="mt-4 flex gap-4">
-          <Button
-            isDisabled={createSecretSync.isPending}
-            isLoading={createSecretSync.isPending}
-            onClick={handleSubmit(onSubmit)}
-            colorSchema="secondary"
-          >
-            I Understand
-          </Button>
-
-          <Button
-            isDisabled={createSecretSync.isPending}
-            variant="plain"
-            onClick={() => setShowConfirmation(false)}
-            colorSchema="secondary"
-          >
-            Cancel
-          </Button>
-        </div>
-      </>
-    );
+  const initialSyncBehavior = watch("syncOptions.initialSyncBehavior");
 
   return (
-    <>
-      <form className={twMerge(isFinalStep && "max-h-[70vh] overflow-y-auto")}>
-        <FormProvider {...formMethods}>
-          <Tab.Group selectedIndex={selectedTabIndex} onChange={setSelectedTabIndex}>
-            <Tab.List className="-pb-1 mb-6 w-full border-b-2 border-mineshaft-600">
-              {FORM_TABS.map((tab, index) => (
-                <Tab
-                  onClick={async (e) => {
-                    e.preventDefault();
-                    const isEnabled = await isTabEnabled(index);
-                    setSelectedTabIndex((prev) => (isEnabled ? index : prev));
-                  }}
-                  className={({ selected }) =>
-                    `w-30 -mb-[0.14rem] ${index > selectedTabIndex ? "opacity-30" : ""} px-4 py-2 text-sm font-medium outline-none disabled:opacity-60 ${
-                      selected
-                        ? "border-b-2 border-mineshaft-300 text-mineshaft-200"
-                        : "text-bunker-300"
-                    }`
-                  }
-                  key={tab.key}
-                >
-                  {index + 1}. {tab.name}
-                </Tab>
-              ))}
-            </Tab.List>
-            <Tab.Panels>
-              <Tab.Panel>
-                <SecretSyncSourceFields />
-              </Tab.Panel>
-              <Tab.Panel>
-                <SecretSyncDestinationFields />
-              </Tab.Panel>
-              <Tab.Panel>
-                <SecretSyncOptionsFields />
-                <Controller
-                  control={control}
-                  name="isAutoSyncEnabled"
-                  render={({ field: { value, onChange }, fieldState: { error } }) => {
-                    return (
-                      <FormControl
-                        helperText={
-                          value
-                            ? "Secrets will automatically be synced when changes occur in the source location."
-                            : "Secrets will not automatically be synced when changes occur in the source location. You can still trigger syncs manually."
-                        }
-                        isError={Boolean(error)}
-                        errorText={error?.message}
+    <form className={twMerge(isFinalStep && "max-h-[70vh] overflow-y-auto")}>
+      <FormProvider {...formMethods}>
+        <Tab.Group selectedIndex={selectedTabIndex} onChange={setSelectedTabIndex}>
+          <Tab.List className="-pb-1 mb-6 w-full border-b-2 border-mineshaft-600">
+            {FORM_TABS.map((tab, index) => (
+              <Tab
+                onClick={async (e) => {
+                  e.preventDefault();
+                  const isEnabled = await isTabEnabled(index);
+                  setSelectedTabIndex((prev) => (isEnabled ? index : prev));
+                }}
+                className={({ selected }) =>
+                  `w-30 -mb-[0.14rem] ${index > selectedTabIndex ? "opacity-30" : ""} px-4 py-2 text-sm font-medium outline-none disabled:opacity-60 ${
+                    selected
+                      ? "border-b-2 border-mineshaft-300 text-mineshaft-200"
+                      : "text-bunker-300"
+                  }`
+                }
+                key={tab.key}
+              >
+                {index + 1}. {tab.name}
+              </Tab>
+            ))}
+          </Tab.List>
+          <Tab.Panels>
+            <Tab.Panel>
+              <SecretSyncSourceFields />
+            </Tab.Panel>
+            <Tab.Panel>
+              <SecretSyncDestinationFields />
+            </Tab.Panel>
+            <Tab.Panel>
+              <SecretSyncOptionsFields />
+              <Controller
+                control={control}
+                name="isAutoSyncEnabled"
+                render={({ field: { value, onChange }, fieldState: { error } }) => {
+                  return (
+                    <FormControl
+                      helperText={
+                        value
+                          ? "Secrets will automatically be synced when changes occur in the source location."
+                          : "Secrets will not automatically be synced when changes occur in the source location. You can still trigger syncs manually."
+                      }
+                      isError={Boolean(error)}
+                      errorText={error?.message}
+                    >
+                      <Switch
+                        className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/50"
+                        id="auto-sync-enabled"
+                        thumbClassName="bg-mineshaft-800"
+                        onCheckedChange={onChange}
+                        isChecked={value}
                       >
-                        <Switch
-                          className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/50"
-                          id="auto-sync-enabled"
-                          thumbClassName="bg-mineshaft-800"
-                          onCheckedChange={onChange}
-                          isChecked={value}
-                        >
-                          <p className="w-[8.4rem]">Auto-Sync {value ? "Enabled" : "Disabled"}</p>
-                        </Switch>
-                      </FormControl>
-                    );
-                  }}
-                />
-              </Tab.Panel>
-              <Tab.Panel>
-                <SecretSyncDetailsFields />
-              </Tab.Panel>
-              <Tab.Panel>
-                <SecretSyncReviewFields />
-              </Tab.Panel>
-            </Tab.Panels>
-          </Tab.Group>
-        </FormProvider>
-
-        <div className="flex w-full flex-row-reverse justify-between gap-4 pt-4">
-          <Button onClick={handleNext} colorSchema="secondary">
-            {isFinalStep ? "Create Sync" : "Next"}
-          </Button>
-          {selectedTabIndex > 0 && (
-            <Button onClick={handlePrev} colorSchema="secondary">
-              Back
-            </Button>
-          )}
-        </div>
-      </form>
-      <Modal isOpen={showConfirmation} onOpenChange={setShowConfirmation}>
-        <ModalContent
-          title="Import Secrets"
-          subTitle={`Import secrets into Infisical from this ${destinationName} Sync destination.`}
-        >
-          <div className="mt-6 flex flex-col rounded-sm border border-l-[2px] border-mineshaft-600 border-l-primary bg-mineshaft-700/80 px-4 py-3">
-            <div className="mb-1 flex items-center text-sm">
-              <FontAwesomeIcon icon={faInfoCircle} size="sm" className="mr-1.5 text-primary" />
-              Secret Sync Behavior
-            </div>
-            <p className="mb-2 mt-1 text-sm text-bunker-200">
-              Secret Syncs are the source of truth for connected third-party services. Any secret
-              not present or imported in Infisical before syncing will be overwritten, and changes
-              made directly in the connected service may also be overwritten by future syncs from
-              Infisical.
+                        <p className="w-[8.4rem]">Auto-Sync {value ? "Enabled" : "Disabled"}</p>
+                      </Switch>
+                    </FormControl>
+                  );
+                }}
+              />
+            </Tab.Panel>
+            <Tab.Panel>
+              <SecretSyncDetailsFields />
+            </Tab.Panel>
+            <Tab.Panel>
+              <SecretSyncReviewFields />
+            </Tab.Panel>
+          </Tab.Panels>
+        </Tab.Group>
+      </FormProvider>
+      {isFinalStep &&
+        initialSyncBehavior === SecretSyncInitialSyncBehavior.OverwriteDestination && (
+          <Checkbox
+            id="confirm-overwrite"
+            isChecked={confirmOverwrite}
+            containerClassName="-mt-5"
+            onCheckedChange={(isChecked) => setConfirmOverwrite(Boolean(isChecked))}
+          >
+            <p
+              className={`mt-5 text-wrap text-xs ${confirmOverwrite ? "text-mineshaft-200" : "text-red"}`}
+            >
+              I understand all secrets present in the configured {destinationName} destination will
+              be removed if they are not present within Infisical.
             </p>
-          </div>
-        </ModalContent>
-      </Modal>
-    </>
+          </Checkbox>
+        )}
+      <div className="flex w-full flex-row-reverse justify-between gap-4 pt-4">
+        <Button
+          isDisabled={
+            isFinalStep &&
+            initialSyncBehavior === SecretSyncInitialSyncBehavior.OverwriteDestination &&
+            !confirmOverwrite
+          }
+          onClick={handleNext}
+          colorSchema="secondary"
+        >
+          {isFinalStep ? "Create Sync" : "Next"}
+        </Button>
+        {selectedTabIndex > 0 && (
+          <Button onClick={handlePrev} colorSchema="secondary">
+            Back
+          </Button>
+        )}
+      </div>
+    </form>
   );
 };

frontend/src/components/secret-syncs/forms/EditSecretSyncForm.tsx

@@ -8,10 +8,10 @@ import { Button, ModalClose } from "@app/components/v2";
 import { SECRET_SYNC_MAP } from "@app/helpers/secretSyncs";
 import { TSecretSync, useUpdateSecretSync } from "@app/hooks/api/secretSyncs";
 
-import { SecretSyncOptionsFields } from "./SecretSyncOptionsFields/SecretSyncOptionsFields";
 import { TSecretSyncForm, UpdateSecretSyncFormSchema } from "./schemas";
 import { SecretSyncDestinationFields } from "./SecretSyncDestinationFields";
 import { SecretSyncDetailsFields } from "./SecretSyncDetailsFields";
+import { SecretSyncOptionsFields } from "./SecretSyncOptionsFields";
 import { SecretSyncSourceFields } from "./SecretSyncSourceFields";
 
 type Props = {

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/AwsParameterStoreSyncFields.tsx

@@ -8,17 +8,13 @@ import { TSecretSyncForm } from "../schemas";
 import { AwsRegionSelect } from "./shared";
 
 export const AwsParameterStoreSyncFields = () => {
-  const { control, setValue } = useFormContext<
+  const { control } = useFormContext<
     TSecretSyncForm & { destination: SecretSync.AWSParameterStore }
   >();
 
   return (
     <>
-      <SecretSyncConnectionField
-        onChange={() => {
-          setValue("syncOptions.keyId", undefined);
-        }}
-      />
+      <SecretSyncConnectionField />
       <Controller
         render={({ field: { value, onChange }, fieldState: { error } }) => (
           <FormControl isError={Boolean(error)} errorText={error?.message} label="Region">

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields.tsx

@@ -1,14 +1,12 @@
-import { ReactNode } from "react";
 import { Controller, useFormContext } from "react-hook-form";
 import { faTriangleExclamation } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { FormControl, Select, SelectItem } from "@app/components/v2";
 import { SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP, SECRET_SYNC_MAP } from "@app/helpers/secretSyncs";
-import { SecretSync, useSecretSyncOption } from "@app/hooks/api/secretSyncs";
+import { useSecretSyncOption } from "@app/hooks/api/secretSyncs";
 
-import { TSecretSyncForm } from "../schemas";
-import { AwsParameterStoreSyncOptionsFields } from "./AwsParameterStoreSyncOptionsFields";
+import { TSecretSyncForm } from "./schemas";
 
 type Props = {
   hideInitialSync?: boolean;
@@ -23,24 +21,6 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
 
   const { syncOption } = useSecretSyncOption(destination);
 
-  let AdditionalSyncOptionsFieldsComponent: ReactNode;
-
-  switch (destination) {
-    case SecretSync.AWSParameterStore:
-      AdditionalSyncOptionsFieldsComponent = <AwsParameterStoreSyncOptionsFields />;
-      break;
-    case SecretSync.AWSSecretsManager:
-    case SecretSync.GitHub:
-    case SecretSync.GCPSecretManager:
-    case SecretSync.AzureKeyVault:
-    case SecretSync.AzureAppConfiguration:
-    case SecretSync.Databricks:
-      AdditionalSyncOptionsFieldsComponent = null;
-      break;
-    default:
-      throw new Error(`Unhandled Additional Sync Options Fields: ${destination}`);
-  }
-
   return (
     <>
       <p className="mb-4 text-sm text-bunker-300">Configure how secrets should be synced.</p>
@@ -111,7 +91,6 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
           )}
         </>
       )}
-      {AdditionalSyncOptionsFieldsComponent}
       {/* <Controller
         render={({ field: { value, onChange }, fieldState: { error } }) => (
           <FormControl

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/AwsParameterStoreSyncOptionsFields.tsx

@@ -1,209 +0,0 @@
-import { Fragment } from "react";
-import { Controller, useFieldArray, useFormContext, useWatch } from "react-hook-form";
-import { SingleValue } from "react-select";
-import { faPlus, faQuestionCircle, faTrash } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-
-import {
-  Button,
-  FilterableSelect,
-  FormControl,
-  FormLabel,
-  IconButton,
-  Input,
-  Switch,
-  Tooltip
-} from "@app/components/v2";
-import {
-  TAwsConnectionKmsKey,
-  useListAwsConnectionKmsKeys
-} from "@app/hooks/api/appConnections/aws";
-import { SecretSync } from "@app/hooks/api/secretSyncs";
-
-import { TSecretSyncForm } from "../schemas";
-
-export const AwsParameterStoreSyncOptionsFields = () => {
-  const { control, watch } = useFormContext<
-    TSecretSyncForm & { destination: SecretSync.AWSParameterStore }
-  >();
-
-  const region = watch("destinationConfig.region");
-  const connectionId = useWatch({ name: "connection.id", control });
-
-  const { data: kmsKeys = [], isPending: isKmsKeysPending } = useListAwsConnectionKmsKeys(
-    {
-      connectionId,
-      region,
-      destination: SecretSync.AWSParameterStore
-    },
-    { enabled: Boolean(connectionId && region) }
-  );
-
-  const tagFields = useFieldArray({
-    control,
-    name: "syncOptions.tags"
-  });
-
-  return (
-    <>
-      <Controller
-        name="syncOptions.keyId"
-        control={control}
-        render={({ field: { value, onChange }, fieldState: { error } }) => (
-          <FormControl
-            tooltipText="The AWS KMS key to encrypt parameters with"
-            isError={Boolean(error)}
-            errorText={error?.message}
-            label="KMS Key"
-          >
-            <FilterableSelect
-              isLoading={isKmsKeysPending && Boolean(connectionId && region)}
-              isDisabled={!connectionId}
-              value={kmsKeys.find((org) => org.alias === value) ?? null}
-              onChange={(option) =>
-                onChange((option as SingleValue<TAwsConnectionKmsKey>)?.alias ?? null)
-              }
-              // eslint-disable-next-line react/no-unstable-nested-components
-              noOptionsMessage={({ inputValue }) =>
-                inputValue ? undefined : (
-                  <p>
-                    To configure a KMS key, ensure the following permissions are present on the
-                    selected IAM role:{" "}
-                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
-                      &#34;kms:ListKeys&#34;
-                    </span>
-                    ,{" "}
-                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
-                      &#34;kms:ListAliases&#34;
-                    </span>
-                    ,{" "}
-                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
-                      &#34;kms:Encrypt&#34;
-                    </span>
-                    ,{" "}
-                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
-                      &#34;kms:Decrypt&#34;
-                    </span>
-                    .
-                  </p>
-                )
-              }
-              options={kmsKeys}
-              placeholder="Leave blank to use default KMS key"
-              getOptionLabel={(option) =>
-                option.alias === "alias/aws/ssm" ? `${option.alias} (Default)` : option.alias
-              }
-              getOptionValue={(option) => option.alias}
-            />
-          </FormControl>
-        )}
-      />
-      <FormLabel
-        label="Resource Tags"
-        tooltipText="Add resource tags to parameters synced by Infisical"
-      />
-      <div className="mb-3 grid max-h-[20vh] grid-cols-12 flex-col items-end gap-2 overflow-y-auto">
-        {tagFields.fields.map(({ id: tagFieldId }, i) => (
-          <Fragment key={tagFieldId}>
-            <div className="col-span-5">
-              {i === 0 && <span className="text-xs text-mineshaft-400">Key</span>}
-              <Controller
-                control={control}
-                name={`syncOptions.tags.${i}.key`}
-                render={({ field, fieldState: { error } }) => (
-                  <FormControl
-                    isError={Boolean(error?.message)}
-                    errorText={error?.message}
-                    className="mb-0"
-                  >
-                    <Input className="text-xs" {...field} />
-                  </FormControl>
-                )}
-              />
-            </div>
-            <div className="col-span-6">
-              {i === 0 && (
-                <FormLabel label="Value" className="text-xs text-mineshaft-400" isOptional />
-              )}
-              <Controller
-                control={control}
-                name={`syncOptions.tags.${i}.value`}
-                render={({ field, fieldState: { error } }) => (
-                  <FormControl
-                    isError={Boolean(error?.message)}
-                    errorText={error?.message}
-                    className="mb-0"
-                  >
-                    <Input className="text-xs" {...field} />
-                  </FormControl>
-                )}
-              />
-            </div>
-            <Tooltip content="Remove tag" position="right">
-              <IconButton
-                variant="plain"
-                ariaLabel="Remove tag"
-                className="col-span-1 mb-1.5"
-                colorSchema="danger"
-                size="xs"
-                onClick={() => tagFields.remove(i)}
-              >
-                <FontAwesomeIcon icon={faTrash} />
-              </IconButton>
-            </Tooltip>
-          </Fragment>
-        ))}
-      </div>
-      <div className="mt-2 flex">
-        <Button
-          leftIcon={<FontAwesomeIcon icon={faPlus} />}
-          size="xs"
-          variant="outline_bg"
-          onClick={() => tagFields.append({ key: "", value: "" })}
-        >
-          Add Tag
-        </Button>
-      </div>
-      <Controller
-        name="syncOptions.syncSecretMetadataAsTags"
-        control={control}
-        render={({ field: { value, onChange }, fieldState: { error } }) => (
-          <FormControl
-            className="mt-6"
-            isError={Boolean(error?.message)}
-            errorText={error?.message}
-          >
-            <Switch
-              className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/80"
-              id="overwrite-existing-secrets"
-              thumbClassName="bg-mineshaft-800"
-              isChecked={value}
-              onCheckedChange={onChange}
-            >
-              <p className="w-[18rem]">
-                Sync Secret Metadata as Resource Tags{" "}
-                <Tooltip
-                  className="max-w-md"
-                  content={
-                    <>
-                      <p>
-                        If enabled, metadata attached to secrets will be added as resource tags to
-                        parameters synced by Infisical.
-                      </p>
-                      <p className="mt-4">
-                        Manually configured tags from the field above will take precedence over
-                        secret metadata when tag keys conflict.
-                      </p>
-                    </>
-                  }
-                >
-                  <FontAwesomeIcon icon={faQuestionCircle} size="sm" className="ml-1" />
-                </Tooltip>
-              </p>
-            </Switch>
-          </FormControl>
-        )}
-      />
-    </>
-  );
-};

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/index.ts

@@ -1 +0,0 @@
-export * from "./SecretSyncOptionsFields";

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/AwsParameterStoreSyncReviewFields.tsx

@@ -1,71 +1,17 @@
 import { useFormContext } from "react-hook-form";
-import { faEye } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { SecretSyncLabel } from "@app/components/secret-syncs";
 import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
-import { Badge, Table, TBody, Td, Th, THead, Tooltip, Tr } from "@app/components/v2";
+import { Badge } from "@app/components/v2";
 import { AWS_REGIONS } from "@app/helpers/appConnections";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-export const AwsParameterStoreSyncOptionsReviewFields = () => {
+export const AwsParameterStoreSyncReviewFields = () => {
   const { watch } = useFormContext<
     TSecretSyncForm & { destination: SecretSync.AWSParameterStore }
   >();
 
-  const [{ keyId, tags, syncSecretMetadataAsTags }] = watch(["syncOptions"]);
-
-  return (
-    <>
-      {keyId && <SecretSyncLabel label="KMS Key">{keyId}</SecretSyncLabel>}
-      {tags && tags.length > 0 && (
-        <SecretSyncLabel label="Resource Tags">
-          <Tooltip
-            side="right"
-            className="max-w-xl p-1"
-            content={
-              <Table>
-                <THead>
-                  <Th className="whitespace-nowrap p-2">Key</Th>
-                  <Th className="p-2">Value</Th>
-                </THead>
-                <TBody>
-                  {tags.map((tag) => (
-                    <Tr key={tag.key}>
-                      <Td className="p-2">{tag.key}</Td>
-                      <Td className="p-2">{tag.value}</Td>
-                    </Tr>
-                  ))}
-                </TBody>
-              </Table>
-            }
-          >
-            <div className="w-min">
-              <Badge className="flex h-5 w-min items-center gap-1.5 whitespace-nowrap bg-mineshaft-400/50 text-bunker-300">
-                <FontAwesomeIcon icon={faEye} />
-                <span>
-                  {tags.length} Tag{tags.length > 1 ? "s" : ""}
-                </span>
-              </Badge>
-            </div>
-          </Tooltip>
-        </SecretSyncLabel>
-      )}
-      {syncSecretMetadataAsTags && (
-        <SecretSyncLabel label="Sync Secret Metadata as Resource Tags">
-          <Badge variant="success">Enabled</Badge>
-        </SecretSyncLabel>
-      )}
-    </>
-  );
-};
-
-export const AwsParameterStoreDestinationReviewFields = () => {
-  const { watch } = useFormContext<
-    TSecretSyncForm & { destination: SecretSync.AWSParameterStore }
-  >();
-
-  const [{ region, path }] = watch(["destinationConfig"]);
+  const [region, path] = watch(["destinationConfig.region", "destinationConfig.path"]);
 
   const awsRegion = AWS_REGIONS.find((r) => r.slug === region);
 

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx

@@ -3,18 +3,15 @@ import { useFormContext } from "react-hook-form";
 
 import { SecretSyncLabel } from "@app/components/secret-syncs";
 import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
+import { AwsSecretsManagerSyncReviewFields } from "@app/components/secret-syncs/forms/SecretSyncReviewFields/AwsSecretsManagerSyncReviewFields";
+import { DatabricksSyncReviewFields } from "@app/components/secret-syncs/forms/SecretSyncReviewFields/DatabricksSyncReviewFields";
 import { Badge } from "@app/components/v2";
 import { SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP, SECRET_SYNC_MAP } from "@app/helpers/secretSyncs";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-import {
-  AwsParameterStoreDestinationReviewFields,
-  AwsParameterStoreSyncOptionsReviewFields
-} from "./AwsParameterStoreSyncReviewFields";
-import { AwsSecretsManagerSyncReviewFields } from "./AwsSecretsManagerSyncReviewFields";
+import { AwsParameterStoreSyncReviewFields } from "./AwsParameterStoreSyncReviewFields";
 import { AzureAppConfigurationSyncReviewFields } from "./AzureAppConfigurationSyncReviewFields";
 import { AzureKeyVaultSyncReviewFields } from "./AzureKeyVaultSyncReviewFields";
-import { DatabricksSyncReviewFields } from "./DatabricksSyncReviewFields";
 import { GcpSyncReviewFields } from "./GcpSyncReviewFields";
 import { GitHubSyncReviewFields } from "./GitHubSyncReviewFields";
 
@@ -22,7 +19,6 @@ export const SecretSyncReviewFields = () => {
   const { watch } = useFormContext<TSecretSyncForm>();
 
   let DestinationFieldsComponent: ReactNode;
-  let AdditionalSyncOptionsFieldsComponent: ReactNode;
 
   const {
     name,
@@ -42,8 +38,7 @@ export const SecretSyncReviewFields = () => {
 
   switch (destination) {
     case SecretSync.AWSParameterStore:
-      DestinationFieldsComponent = <AwsParameterStoreDestinationReviewFields />;
-      AdditionalSyncOptionsFieldsComponent = <AwsParameterStoreSyncOptionsReviewFields />;
+      DestinationFieldsComponent = <AwsParameterStoreSyncReviewFields />;
       break;
     case SecretSync.AWSSecretsManager:
       DestinationFieldsComponent = <AwsSecretsManagerSyncReviewFields />;
@@ -89,7 +84,7 @@ export const SecretSyncReviewFields = () => {
       </div>
       <div className="flex flex-col gap-3">
         <div className="w-full border-b border-mineshaft-600">
-          <span className="text-sm text-mineshaft-300">Sync Options</span>
+          <span className="text-sm text-mineshaft-300">Options</span>
         </div>
         <div className="flex flex-wrap gap-x-8 gap-y-2">
           <SecretSyncLabel label="Auto-Sync">
@@ -102,7 +97,6 @@ export const SecretSyncReviewFields = () => {
           </SecretSyncLabel>
           {/* <SecretSyncLabel label="Prepend Prefix">{prependPrefix}</SecretSyncLabel>
           <SecretSyncLabel label="Append Suffix">{appendSuffix}</SecretSyncLabel> */}
-          {AdditionalSyncOptionsFieldsComponent}
         </div>
       </div>
       <div className="flex flex-col gap-3">

frontend/src/components/secret-syncs/forms/schemas/aws-parameter-store-sync-destination-schema.ts

@@ -1,45 +1,16 @@
 import { z } from "zod";
 
-import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-export const AwsParameterStoreSyncDestinationSchema = BaseSecretSyncSchema(
-  z.object({
-    keyId: z.string().optional(),
-    tags: z
-      .object({
-        key: z
-          .string()
-          .regex(
-            /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
-            "Keys can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
-          )
-          .min(1, "Key required")
-          .max(128, "AWS tag name cannot exceed 128 characters"),
-        value: z
-          .string()
-          .regex(
-            /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
-            "Values can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
-          )
-          .max(256, "Tag value cannot exceed 256 characters")
-      })
-      .array()
-      .max(50)
-      .optional(),
-    syncSecretMetadataAsTags: z.boolean().optional()
+export const AwsParameterStoreSyncDestinationSchema = z.object({
+  destination: z.literal(SecretSync.AWSParameterStore),
+  destinationConfig: z.object({
+    path: z
+      .string()
+      .trim()
+      .min(1, "Parameter Store Path required")
+      .max(2048, "Cannot exceed 2048 characters")
+      .regex(/^\/([/]|(([\w-]+\/)+))?$/, 'Invalid path - must follow "/example/path/" format'),
+    region: z.string().min(1, "Region required")
   })
-).merge(
-  z.object({
-    destination: z.literal(SecretSync.AWSParameterStore),
-    destinationConfig: z.object({
-      path: z
-        .string()
-        .trim()
-        .min(1, "Parameter Store Path required")
-        .max(2048, "Cannot exceed 2048 characters")
-        .regex(/^\/([/]|(([\w-]+\/)+))?$/, 'Invalid path - must follow "/example/path/" format'),
-      region: z.string().min(1, "Region required")
-    })
-  })
-);
+});

frontend/src/components/secret-syncs/forms/schemas/aws-secrets-manager-sync-destination-schema.ts

@@ -1,33 +1,30 @@
 import { z } from "zod";
 
-import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 import { AwsSecretsManagerSyncMappingBehavior } from "@app/hooks/api/secretSyncs/types/aws-secrets-manager-sync";
 
-export const AwsSecretsManagerSyncDestinationSchema = BaseSecretSyncSchema().merge(
-  z.object({
-    destination: z.literal(SecretSync.AWSSecretsManager),
-    destinationConfig: z
-      .discriminatedUnion("mappingBehavior", [
-        z.object({
-          mappingBehavior: z.literal(AwsSecretsManagerSyncMappingBehavior.OneToOne)
-        }),
-        z.object({
-          mappingBehavior: z.literal(AwsSecretsManagerSyncMappingBehavior.ManyToOne),
-          secretName: z
-            .string()
-            .regex(
-              /^[a-zA-Z0-9/_+=.@-]+$/,
-              "Secret name must contain only alphanumeric characters and the characters /_+=.@-"
-            )
-            .min(1, "Secret name is required")
-            .max(256, "Secret name cannot exceed 256 characters")
-        })
-      ])
-      .and(
-        z.object({
-          region: z.string().min(1, "Region required")
-        })
-      )
-  })
-);
+export const AwsSecretsManagerSyncDestinationSchema = z.object({
+  destination: z.literal(SecretSync.AWSSecretsManager),
+  destinationConfig: z
+    .discriminatedUnion("mappingBehavior", [
+      z.object({
+        mappingBehavior: z.literal(AwsSecretsManagerSyncMappingBehavior.OneToOne)
+      }),
+      z.object({
+        mappingBehavior: z.literal(AwsSecretsManagerSyncMappingBehavior.ManyToOne),
+        secretName: z
+          .string()
+          .regex(
+            /^[a-zA-Z0-9/_+=.@-]+$/,
+            "Secret name must contain only alphanumeric characters and the characters /_+=.@-"
+          )
+          .min(1, "Secret name is required")
+          .max(256, "Secret name cannot exceed 256 characters")
+      })
+    ])
+    .and(
+      z.object({
+        region: z.string().min(1, "Region required")
+      })
+    )
+});

frontend/src/components/secret-syncs/forms/schemas/azure-app-configuration-sync-destination-schema.ts

@@ -1,22 +1,19 @@
 import { z } from "zod";
 
-import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-export const AzureAppConfigurationSyncDestinationSchema = BaseSecretSyncSchema().merge(
-  z.object({
-    destination: z.literal(SecretSync.AzureAppConfiguration),
-    destinationConfig: z.object({
-      configurationUrl: z
-        .string()
-        .trim()
-        .min(1, { message: "Azure App Configuration URL is required" })
-        .url()
-        .refine(
-          (val) => val.endsWith(".azconfig.io"),
-          "URL should have the following format: https://resource-name-here.azconfig.io"
-        ),
-      label: z.string().optional()
-    })
+export const AzureAppConfigurationSyncDestinationSchema = z.object({
+  destination: z.literal(SecretSync.AzureAppConfiguration),
+  destinationConfig: z.object({
+    configurationUrl: z
+      .string()
+      .trim()
+      .min(1, { message: "Azure App Configuration URL is required" })
+      .url()
+      .refine(
+        (val) => val.endsWith(".azconfig.io"),
+        "URL should have the following format: https://resource-name-here.azconfig.io"
+      ),
+    label: z.string().optional()
   })
-);
+});

frontend/src/components/secret-syncs/forms/schemas/azure-key-vault-sync-destination-schema.ts

@@ -1,16 +1,10 @@
 import { z } from "zod";
 
-import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-export const AzureKeyVaultSyncDestinationSchema = BaseSecretSyncSchema().merge(
-  z.object({
-    destination: z.literal(SecretSync.AzureKeyVault),
-    destinationConfig: z.object({
-      vaultBaseUrl: z
-        .string()
-        .url("Invalid vault base URL format")
-        .min(1, "Vault base URL required")
-    })
+export const AzureKeyVaultSyncDestinationSchema = z.object({
+  destination: z.literal(SecretSync.AzureKeyVault),
+  destinationConfig: z.object({
+    vaultBaseUrl: z.string().url("Invalid vault base URL format").min(1, "Vault base URL required")
   })
-);
+});

frontend/src/components/secret-syncs/forms/schemas/base-secret-sync-schema.ts

@@ -1,39 +0,0 @@
-import { AnyZodObject, z } from "zod";
-
-import { SecretSyncInitialSyncBehavior } from "@app/hooks/api/secretSyncs";
-import { slugSchema } from "@app/lib/schemas";
-
-export const BaseSecretSyncSchema = <T extends AnyZodObject | undefined = undefined>(
-  additionalSyncOptions?: T
-) => {
-  const baseSyncOptionsSchema = z.object({
-    initialSyncBehavior: z.nativeEnum(SecretSyncInitialSyncBehavior)
-    // scott: removed temporarily for evaluation of template formatting
-    // prependPrefix: z
-    //   .string()
-    //   .trim()
-    //   .transform((str) => str.toUpperCase())
-    //   .optional(),
-    // appendSuffix: z
-    //   .string()
-    //   .trim()
-    //   .transform((str) => str.toUpperCase())
-    //   .optional()
-  });
-
-  const syncOptionsSchema = additionalSyncOptions
-    ? baseSyncOptionsSchema.merge(additionalSyncOptions)
-    : (baseSyncOptionsSchema as T extends AnyZodObject
-        ? z.ZodObject<z.objectUtil.MergeShapes<typeof baseSyncOptionsSchema.shape, T["shape"]>>
-        : typeof baseSyncOptionsSchema);
-
-  return z.object({
-    name: slugSchema({ field: "Name" }),
-    description: z.string().trim().max(256, "Cannot exceed 256 characters").optional(),
-    connection: z.object({ name: z.string(), id: z.string().uuid() }),
-    environment: z.object({ slug: z.string(), id: z.string(), name: z.string() }),
-    secretPath: z.string().min(1, "Secret path required"),
-    syncOptions: syncOptionsSchema,
-    isAutoSyncEnabled: z.boolean()
-  });
-};

frontend/src/components/secret-syncs/forms/schemas/databricks-sync-destination-schema.ts

@@ -1,13 +1,10 @@
 import { z } from "zod";
 
-import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-export const DatabricksSyncDestinationSchema = BaseSecretSyncSchema().merge(
-  z.object({
-    destination: z.literal(SecretSync.Databricks),
-    destinationConfig: z.object({
-      scope: z.string().trim().min(1, "Databricks scope required")
-    })
+export const DatabricksSyncDestinationSchema = z.object({
+  destination: z.literal(SecretSync.Databricks),
+  destinationConfig: z.object({
+    scope: z.string().trim().min(1, "Databricks scope required")
   })
-);
+});

frontend/src/components/secret-syncs/forms/schemas/gcp-sync-destination-schema.ts

@@ -1,15 +1,12 @@
 import { z } from "zod";
 
-import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 import { GcpSyncScope } from "@app/hooks/api/secretSyncs/types/gcp-sync";
 
-export const GcpSyncDestinationSchema = BaseSecretSyncSchema().merge(
-  z.object({
-    destination: z.literal(SecretSync.GCPSecretManager),
-    destinationConfig: z.object({
-      scope: z.literal(GcpSyncScope.Global),
-      projectId: z.string().min(1, "Project ID required")
-    })
+export const GcpSyncDestinationSchema = z.object({
+  destination: z.literal(SecretSync.GCPSecretManager),
+  destinationConfig: z.object({
+    scope: z.literal(GcpSyncScope.Global),
+    projectId: z.string().min(1, "Project ID required")
   })
-);
+});

frontend/src/components/secret-syncs/forms/schemas/github-sync-destination-schema.ts

@@ -1,48 +1,45 @@
 import { z } from "zod";
 
-import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 import {
   GitHubSyncScope,
   GitHubSyncVisibility
 } from "@app/hooks/api/secretSyncs/types/github-sync";
 
-export const GitHubSyncDestinationSchema = BaseSecretSyncSchema().merge(
-  z.object({
-    destination: z.literal(SecretSync.GitHub),
-    destinationConfig: z
-      .discriminatedUnion("scope", [
-        z.object({
-          scope: z.literal(GitHubSyncScope.Organization),
-          org: z.string().min(1, "Organization name required"),
-          visibility: z.nativeEnum(GitHubSyncVisibility),
-          selectedRepositoryIds: z.number().array().optional()
-        }),
-        z.object({
-          scope: z.literal(GitHubSyncScope.Repository),
-          owner: z.string().min(1, "Repository owner name required"),
-          repo: z.string().min(1, "Repository name required")
-        }),
-        z.object({
-          scope: z.literal(GitHubSyncScope.RepositoryEnvironment),
-          owner: z.string().min(1, "Repository owner name required"),
-          repo: z.string().min(1, "Repository name required"),
-          env: z.string().min(1, "Environment name required")
-        })
-      ])
-      .superRefine((options, ctx) => {
-        if (options.scope === GitHubSyncScope.Organization) {
-          if (
-            options.visibility === GitHubSyncVisibility.Selected &&
-            !options.selectedRepositoryIds?.length
-          ) {
-            ctx.addIssue({
-              code: z.ZodIssueCode.custom,
-              message: "Select at least 1 repository",
-              path: ["selectedRepositoryIds"]
-            });
-          }
-        }
+export const GitHubSyncDestinationSchema = z.object({
+  destination: z.literal(SecretSync.GitHub),
+  destinationConfig: z
+    .discriminatedUnion("scope", [
+      z.object({
+        scope: z.literal(GitHubSyncScope.Organization),
+        org: z.string().min(1, "Organization name required"),
+        visibility: z.nativeEnum(GitHubSyncVisibility),
+        selectedRepositoryIds: z.number().array().optional()
+      }),
+      z.object({
+        scope: z.literal(GitHubSyncScope.Repository),
+        owner: z.string().min(1, "Repository owner name required"),
+        repo: z.string().min(1, "Repository name required")
+      }),
+      z.object({
+        scope: z.literal(GitHubSyncScope.RepositoryEnvironment),
+        owner: z.string().min(1, "Repository owner name required"),
+        repo: z.string().min(1, "Repository name required"),
+        env: z.string().min(1, "Environment name required")
       })
-  })
-);
+    ])
+    .superRefine((options, ctx) => {
+      if (options.scope === GitHubSyncScope.Organization) {
+        if (
+          options.visibility === GitHubSyncVisibility.Selected &&
+          !options.selectedRepositoryIds?.length
+        ) {
+          ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            message: "Select at least 1 repository",
+            path: ["selectedRepositoryIds"]
+          });
+        }
+      }
+    })
+});

frontend/src/components/secret-syncs/forms/schemas/secret-sync-schema.ts

@@ -3,12 +3,37 @@ import { z } from "zod";
 import { AwsSecretsManagerSyncDestinationSchema } from "@app/components/secret-syncs/forms/schemas/aws-secrets-manager-sync-destination-schema";
 import { DatabricksSyncDestinationSchema } from "@app/components/secret-syncs/forms/schemas/databricks-sync-destination-schema";
 import { GitHubSyncDestinationSchema } from "@app/components/secret-syncs/forms/schemas/github-sync-destination-schema";
+import { SecretSyncInitialSyncBehavior } from "@app/hooks/api/secretSyncs";
+import { slugSchema } from "@app/lib/schemas";
 
 import { AwsParameterStoreSyncDestinationSchema } from "./aws-parameter-store-sync-destination-schema";
 import { AzureAppConfigurationSyncDestinationSchema } from "./azure-app-configuration-sync-destination-schema";
 import { AzureKeyVaultSyncDestinationSchema } from "./azure-key-vault-sync-destination-schema";
 import { GcpSyncDestinationSchema } from "./gcp-sync-destination-schema";
 
+const BaseSecretSyncSchema = z.object({
+  name: slugSchema({ field: "Name" }),
+  description: z.string().trim().max(256, "Cannot exceed 256 characters").optional(),
+  connection: z.object({ name: z.string(), id: z.string().uuid() }),
+  environment: z.object({ slug: z.string(), id: z.string(), name: z.string() }),
+  secretPath: z.string().min(1, "Secret path required"),
+  syncOptions: z.object({
+    initialSyncBehavior: z.nativeEnum(SecretSyncInitialSyncBehavior)
+    // scott: removed temporarily for evaluation of template formatting
+    // prependPrefix: z
+    //   .string()
+    //   .trim()
+    //   .transform((str) => str.toUpperCase())
+    //   .optional(),
+    // appendSuffix: z
+    //   .string()
+    //   .trim()
+    //   .transform((str) => str.toUpperCase())
+    //   .optional()
+  }),
+  isAutoSyncEnabled: z.boolean()
+});
+
 const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncDestinationSchema,
   AwsSecretsManagerSyncDestinationSchema,
@@ -19,8 +44,8 @@ const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
   DatabricksSyncDestinationSchema
 ]);
 
-export const SecretSyncFormSchema = SecretSyncUnionSchema;
+export const SecretSyncFormSchema = SecretSyncUnionSchema.and(BaseSecretSyncSchema);
 
-export const UpdateSecretSyncFormSchema = SecretSyncUnionSchema;
+export const UpdateSecretSyncFormSchema = SecretSyncUnionSchema.and(BaseSecretSyncSchema.partial());
 
 export type TSecretSyncForm = z.infer<typeof SecretSyncFormSchema>;

frontend/src/components/v2/Menu/Menu.tsx

@@ -1,5 +1,5 @@
 import { ComponentPropsWithRef, ElementType, ReactNode, Ref, useRef } from "react";
-import { DotLottie, DotLottieReact } from "@lottiefiles/dotlottie-react";
+import { DotLottie, DotLottieReact, Mode } from "@lottiefiles/dotlottie-react";
 import { twMerge } from "tailwind-merge";
 
 export type MenuProps = {
@@ -16,6 +16,7 @@ export type MenuItemProps<T extends ElementType> = {
   as?: T;
   children: ReactNode;
   icon?: string;
+  iconMode?: Mode;
   description?: ReactNode;
   isDisabled?: boolean;
   isSelected?: boolean;
@@ -26,6 +27,7 @@ export type MenuItemProps<T extends ElementType> = {
 export const MenuItem = <T extends ElementType = "button">({
   children,
   icon,
+  iconMode,
   className,
   isDisabled,
   isSelected,
@@ -62,6 +64,7 @@ export const MenuItem = <T extends ElementType = "button">({
             dotLottieRefCallback={(el) => {
               iconRef.current = el;
             }}
+            mode={iconMode}
             src={`/lotties/${icon}.json`}
             loop
             className="h-full w-full"

frontend/src/context/OrgPermissionContext/types.ts

@@ -24,7 +24,8 @@ export enum OrgPermissionSubjects {
   AdminConsole = "organization-admin-console",
   AuditLogs = "audit-logs",
   ProjectTemplates = "project-templates",
-  AppConnections = "app-connections"
+  AppConnections = "app-connections",
+  Kmip = "kmip"
 }
 
 export enum OrgPermissionAdminConsoleAction {
@@ -39,6 +40,11 @@ export enum OrgPermissionAppConnectionActions {
   Connect = "connect"
 }
 
+export enum OrgPermissionKmipActions {
+  Proxy = "proxy",
+  Setup = "setup"
+}
+
 export type AppConnectionSubjectFields = {
   connectionId: string;
 };
@@ -61,7 +67,8 @@ export type OrgPermissionSet =
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
   | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
-  | [OrgPermissionAppConnectionActions, OrgPermissionSubjects.AppConnections];
+  | [OrgPermissionAppConnectionActions, OrgPermissionSubjects.AppConnections]
+  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip];
 // TODO(scott): add back once org UI refactored
 // | [
 //     OrgPermissionAppConnectionActions,

frontend/src/context/ProjectPermissionContext/index.tsx

@@ -4,5 +4,6 @@ export {
   ProjectPermissionActions,
   ProjectPermissionCmekActions,
   ProjectPermissionDynamicSecretActions,
+  ProjectPermissionKmipActions,
   ProjectPermissionSub
 } from "./types";

frontend/src/context/ProjectPermissionContext/types.ts

@@ -24,6 +24,14 @@ export enum ProjectPermissionCmekActions {
   Decrypt = "decrypt"
 }
 
+export enum ProjectPermissionKmipActions {
+  CreateClients = "create-clients",
+  UpdateClients = "update-clients",
+  DeleteClients = "delete-clients",
+  ReadClients = "read-clients",
+  GenerateClientCertificates = "generate-client-certificates"
+}
+
 export enum ProjectPermissionSecretSyncActions {
   Read = "read",
   Create = "create",
@@ -102,7 +110,8 @@ export enum ProjectPermissionSub {
   PkiCollections = "pki-collections",
   Kms = "kms",
   Cmek = "cmek",
-  SecretSyncs = "secret-syncs"
+  SecretSyncs = "secret-syncs",
+  Kmip = "kmip"
 }
 
 export type SecretSubjectFields = {
@@ -190,5 +199,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
-  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
+  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms]
+  | [ProjectPermissionKmipActions, ProjectPermissionSub.Kmip];
+
 export type TProjectPermission = MongoAbility<ProjectPermissionSet>;

frontend/src/context/index.tsx

@@ -10,6 +10,7 @@ export {
   ProjectPermissionActions,
   ProjectPermissionCmekActions,
   ProjectPermissionDynamicSecretActions,
+  ProjectPermissionKmipActions,
   ProjectPermissionSub,
   useProjectPermission
 } from "./ProjectPermissionContext";

frontend/src/helpers/download.ts

@@ -0,0 +1,6 @@
+import FileSaver from "file-saver";
+
+export const downloadTxtFile = (filename: string, content: string) => {
+  const blob = new Blob([content], { type: "text/plain;charset=utf-8" });
+  FileSaver.saveAs(blob, filename);
+};

frontend/src/hooks/api/appConnections/aws/index.ts

@@ -1,2 +0,0 @@
-export * from "./queries";
-export * from "./types";

frontend/src/hooks/api/appConnections/aws/queries.tsx

@@ -1,42 +0,0 @@
-import { useQuery, UseQueryOptions } from "@tanstack/react-query";
-
-import { apiRequest } from "@app/config/request";
-import { appConnectionKeys } from "@app/hooks/api/appConnections";
-
-import {
-  TAwsConnectionKmsKey,
-  TAwsConnectionListKmsKeysResponse,
-  TListAwsConnectionKmsKeys
-} from "./types";
-
-const awsConnectionKeys = {
-  all: [...appConnectionKeys.all, "aws"] as const,
-  listKmsKeys: (params: TListAwsConnectionKmsKeys) =>
-    [...awsConnectionKeys.all, "kms-keys", params] as const
-};
-
-export const useListAwsConnectionKmsKeys = (
-  { connectionId, ...params }: TListAwsConnectionKmsKeys,
-  options?: Omit<
-    UseQueryOptions<
-      TAwsConnectionKmsKey[],
-      unknown,
-      TAwsConnectionKmsKey[],
-      ReturnType<typeof awsConnectionKeys.listKmsKeys>
-    >,
-    "queryKey" | "queryFn"
-  >
-) => {
-  return useQuery({
-    queryKey: awsConnectionKeys.listKmsKeys({ connectionId, ...params }),
-    queryFn: async () => {
-      const { data } = await apiRequest.get<TAwsConnectionListKmsKeysResponse>(
-        `/api/v1/app-connections/aws/${connectionId}/kms-keys`,
-        { params }
-      );
-
-      return data.kmsKeys;
-    },
-    ...options
-  });
-};

frontend/src/hooks/api/appConnections/aws/types.ts

@@ -1,16 +0,0 @@
-import { SecretSync } from "@app/hooks/api/secretSyncs";
-
-export type TListAwsConnectionKmsKeys = {
-  connectionId: string;
-  region: string;
-  destination: SecretSync.AWSParameterStore | SecretSync.AWSSecretsManager;
-};
-
-export type TAwsConnectionKmsKey = {
-  alias: string;
-  id: string;
-};
-
-export type TAwsConnectionListKmsKeysResponse = {
-  kmsKeys: TAwsConnectionKmsKey[];
-};

frontend/src/hooks/api/auditLogs/constants.tsx

@@ -121,7 +121,24 @@ export const eventToNameMap: { [K in EventType]: string } = {
   [EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER]:
     "OIDC group membership mapping assigned user to groups",
   [EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER]:
-    "OIDC group membership mapping removed user from groups"
+    "OIDC group membership mapping removed user from groups",
+  [EventType.CREATE_KMIP_CLIENT]: "Create KMIP client",
+  [EventType.UPDATE_KMIP_CLIENT]: "Update KMIP client",
+  [EventType.DELETE_KMIP_CLIENT]: "Delete KMIP client",
+  [EventType.GET_KMIP_CLIENT]: "Get KMIP client",
+  [EventType.GET_KMIP_CLIENTS]: "Get KMIP clients",
+  [EventType.CREATE_KMIP_CLIENT_CERTIFICATE]: "Create KMIP client certificate",
+  [EventType.SETUP_KMIP]: "Setup KMIP configuration",
+  [EventType.GET_KMIP]: "Get KMIP configuration",
+  [EventType.REGISTER_KMIP_SERVER]: "Register KMIP server",
+  [EventType.KMIP_OPERATION_CREATE]: "KMIP operation create",
+  [EventType.KMIP_OPERATION_GET]: "KMIP operation get",
+  [EventType.KMIP_OPERATION_DESTROY]: "KMIP operation destroy",
+  [EventType.KMIP_OPERATION_GET_ATTRIBUTES]: "KMIP operation get attributes",
+  [EventType.KMIP_OPERATION_ACTIVATE]: "KMIP operation activate",
+  [EventType.KMIP_OPERATION_REVOKE]: "KMIP operation revoke",
+  [EventType.KMIP_OPERATION_LOCATE]: "KMIP operation locate",
+  [EventType.KMIP_OPERATION_REGISTER]: "KMIP operation register"
 };
 
 export const userAgentTTypeoNameMap: { [K in UserAgentType]: string } = {

frontend/src/hooks/api/auditLogs/enums.tsx

@@ -1,5 +1,6 @@
 export enum ActorType {
   PLATFORM = "platform",
+  KMIP_CLIENT = "kmipClient",
   USER = "user",
   SERVICE = "service",
   IDENTITY = "identity",
@@ -132,5 +133,22 @@ export enum EventType {
   SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
   SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets",
   OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER = "oidc-group-membership-mapping-assign-user",
-  OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER = "oidc-group-membership-mapping-remove-user"
+  OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER = "oidc-group-membership-mapping-remove-user",
+  CREATE_KMIP_CLIENT = "create-kmip-client",
+  UPDATE_KMIP_CLIENT = "update-kmip-client",
+  DELETE_KMIP_CLIENT = "delete-kmip-client",
+  GET_KMIP_CLIENT = "get-kmip-client",
+  GET_KMIP_CLIENTS = "get-kmip-clients",
+  CREATE_KMIP_CLIENT_CERTIFICATE = "create-kmip-client-certificate",
+  SETUP_KMIP = "setup-kmip",
+  GET_KMIP = "get-kmip",
+  REGISTER_KMIP_SERVER = "register-kmip-server",
+  KMIP_OPERATION_CREATE = "kmip-operation-create",
+  KMIP_OPERATION_GET = "kmip-operation-get",
+  KMIP_OPERATION_DESTROY = "kmip-operation-destroy",
+  KMIP_OPERATION_GET_ATTRIBUTES = "kmip-operation-get-attributes",
+  KMIP_OPERATION_ACTIVATE = "kmip-operation-activate",
+  KMIP_OPERATION_REVOKE = "kmip-operation-revoke",
+  KMIP_OPERATION_LOCATE = "kmip-operation-locate",
+  KMIP_OPERATION_REGISTER = "kmip-operation-register"
 }

frontend/src/hooks/api/auditLogs/types.tsx

@@ -30,6 +30,10 @@ interface IdentityActorMetadata {
   identityId: string;
   name: string;
 }
+interface KmipClientActorMetadata {
+  clientId: string;
+  name: string;
+}
 
 interface UserActor {
   type: ActorType.USER;
@@ -51,11 +55,22 @@ export interface PlatformActor {
   metadata: object;
 }
 
+export interface KmipClientActor {
+  type: ActorType.KMIP_CLIENT;
+  metadata: KmipClientActorMetadata;
+}
+
 export interface UnknownUserActor {
   type: ActorType.UNKNOWN_USER;
 }
 
-export type Actor = UserActor | ServiceActor | IdentityActor | PlatformActor | UnknownUserActor;
+export type Actor =
+  | UserActor
+  | ServiceActor
+  | IdentityActor
+  | PlatformActor
+  | UnknownUserActor
+  | KmipClientActor;
 
 interface GetSecretsEvent {
   type: EventType.GET_SECRETS;