fix: address json drag behavior

Merge pull request #1865 from Infisical/feat/add-one-to-one-support-for-aws-sm
feat: added one to one support for aws secret manager integration
2025-08-02 08:27:38 +00:00 · 2024-05-24 17:42:38 +08:00 · 2024-05-23 23:48:47 +08:00 · 2024-05-23 22:18:24 +08:00 · 2024-05-23 15:54:14 +02:00 · 2024-05-23 15:48:54 +02:00
36 changed files with 769 additions and 205 deletions
--- a/backend/src/db/migrations/20240520064127_add-integration-sync-status.ts
+++ b/backend/src/db/migrations/20240520064127_add-integration-sync-status.ts
@@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
+  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
+  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
+
+  await knex.schema.alterTable(TableName.Integration, (t) => {
+    if (!hasIsSyncedColumn) {
+      t.boolean("isSynced").nullable();
+    }
+
+    if (!hasSyncMessageColumn) {
+      t.text("syncMessage").nullable();
+    }
+
+    if (!hasLastSyncJobId) {
+      t.string("lastSyncJobId").nullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
+  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
+  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
+
+  await knex.schema.alterTable(TableName.Integration, (t) => {
+    if (hasIsSyncedColumn) {
+      t.dropColumn("isSynced");
+    }
+
+    if (hasSyncMessageColumn) {
+      t.dropColumn("syncMessage");
+    }
+
+    if (hasLastSyncJobId) {
+      t.dropColumn("lastSyncJobId");
+    }
+  });
+}
--- a/backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts
+++ b/backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts
@@ -0,0 +1,26 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist) t.index("projectId");
+      if (doesOrgIdExist) t.index("orgId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist) t.dropIndex("projectId");
+      if (doesOrgIdExist) t.dropIndex("orgId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts
+++ b/backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts
@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesEnvIdExist) t.index("envId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
+
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesEnvIdExist) t.dropIndex("envId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240522204414_index-secret-version-envId.ts
+++ b/backend/src/db/migrations/20240522204414_index-secret-version-envId.ts
@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
+  if (await knex.schema.hasTable(TableName.SecretVersion)) {
+    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
+      if (doesEnvIdExist) t.index("envId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
+
+  if (await knex.schema.hasTable(TableName.SecretVersion)) {
+    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
+      if (doesEnvIdExist) t.dropIndex("envId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts
+++ b/backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts
@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesSnapshotIdExist) t.index("snapshotId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts
+++ b/backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts
@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
+    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
+      if (doesSnapshotIdExist) t.index("snapshotId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
+    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
+      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts
+++ b/backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts
@@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
+  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
+  if (await knex.schema.hasTable(TableName.Secret)) {
+    await knex.schema.alterTable(TableName.Secret, (t) => {
+      if (doesFolderIdExist && doesUserIdExist) t.index(["folderId", "userId"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
+  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
+
+  if (await knex.schema.hasTable(TableName.Secret)) {
+    await knex.schema.alterTable(TableName.Secret, (t) => {
+      if (doesUserIdExist && doesFolderIdExist) t.dropIndex(["folderId", "userId"]);
+    });
+  }
+}
--- a/backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts
+++ b/backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts
@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesExpireAtExist) t.index("expiresAt");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesExpireAtExist) t.dropIndex("expiresAt");
+    });
+  }
+}
--- a/backend/src/db/schemas/integrations.ts
+++ b/backend/src/db/schemas/integrations.ts
@@ -28,7 +28,10 @@ export const IntegrationsSchema = z.object({
  secretPath: z.string().default("/"),
  createdAt: z.date(),
  updatedAt: z.date(),
-  lastUsed: z.date().nullable().optional()
+  lastUsed: z.date().nullable().optional(),
+  isSynced: z.boolean().nullable().optional(),
+  syncMessage: z.string().nullable().optional(),
+  lastSyncJobId: z.string().nullable().optional()
 });

 export type TIntegrations = z.infer<typeof IntegrationsSchema>;
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -51,6 +51,7 @@ export enum EventType {
  UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
  CREATE_INTEGRATION = "create-integration",
  DELETE_INTEGRATION = "delete-integration",
+  MANUAL_SYNC_INTEGRATION = "manual-sync-integration",
  ADD_TRUSTED_IP = "add-trusted-ip",
  UPDATE_TRUSTED_IP = "update-trusted-ip",
  DELETE_TRUSTED_IP = "delete-trusted-ip",
@@ -281,6 +282,25 @@ interface DeleteIntegrationEvent {
  };
 }

+interface ManualSyncIntegrationEvent {
+  type: EventType.MANUAL_SYNC_INTEGRATION;
+  metadata: {
+    integrationId: string;
+    integration: string;
+    environment: string;
+    secretPath: string;
+    url?: string;
+    app?: string;
+    appId?: string;
+    targetEnvironment?: string;
+    targetEnvironmentId?: string;
+    targetService?: string;
+    targetServiceId?: string;
+    path?: string;
+    region?: string;
+  };
+}
+
 interface AddTrustedIPEvent {
  type: EventType.ADD_TRUSTED_IP;
  metadata: {
@@ -791,6 +811,7 @@ export type Event =
  | UnauthorizeIntegrationEvent
  | CreateIntegrationEvent
  | DeleteIntegrationEvent
+  | ManualSyncIntegrationEvent
  | AddTrustedIPEvent
  | UpdateTrustedIPEvent
  | DeleteTrustedIPEvent
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -662,6 +662,7 @@ export const INTEGRATION = {
      secretPrefix: "The prefix for the saved secret. Used by GCP.",
      secretSuffix: "The suffix for the saved secret. Used by GCP.",
      initialSyncBehavoir: "Type of syncing behavoir with the integration.",
+      mappingBehavior: "The mapping behavior of the integration.",
      shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
      secretGCPLabel: "The label for GCP secrets.",
      secretAWSTag: "The tags for AWS secrets.",
@@ -683,6 +684,9 @@ export const INTEGRATION = {
  },
  DELETE: {
    integrationId: "The ID of the integration object."
+  },
+  SYNC: {
+    integrationId: "The ID of the integration object to manually sync"
  }
 };

--- a/backend/src/lib/logger/logger.ts
+++ b/backend/src/lib/logger/logger.ts
@@ -30,6 +30,37 @@ const loggerConfig = z.object({
  NODE_ENV: z.enum(["development", "test", "production"]).default("production")
 });

+const redactedKeys = [
+  "accessToken",
+  "authToken",
+  "serviceToken",
+  "identityAccessToken",
+  "token",
+  "privateKey",
+  "serverPrivateKey",
+  "plainPrivateKey",
+  "plainProjectKey",
+  "encryptedPrivateKey",
+  "userPrivateKey",
+  "protectedKey",
+  "decryptKey",
+  "encryptedProjectKey",
+  "encryptedSymmetricKey",
+  "encryptedPrivateKey",
+  "backupPrivateKey",
+  "secretKey",
+  "SecretKey",
+  "botPrivateKey",
+  "encryptedKey",
+  "plaintextProjectKey",
+  "accessKey",
+  "botKey",
+  "decryptedSecret",
+  "secrets",
+  "key",
+  "password"
+];
+
 export const initLogger = async () => {
  const cfg = loggerConfig.parse(process.env);
  const targets: pino.TransportMultiOptions["targets"][number][] = [
@@ -74,7 +105,9 @@ export const initLogger = async () => {
          hostname: bindings.hostname
          // node_version: process.version
        })
-      }
+      },
+      // redact until depth of three
+      redact: [...redactedKeys, ...redactedKeys.map((key) => `*.${key}`), ...redactedKeys.map((key) => `*.*.${key}`)]
    },
    // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
    transport
--- a/backend/src/server/app.ts
+++ b/backend/src/server/app.ts
@@ -8,6 +8,8 @@ import cors from "@fastify/cors";
 import fastifyEtag from "@fastify/etag";
 import fastifyFormBody from "@fastify/formbody";
 import helmet from "@fastify/helmet";
+import type { FastifyRateLimitOptions } from "@fastify/rate-limit";
+import ratelimiter from "@fastify/rate-limit";
 import fasitfy from "fastify";
 import { Knex } from "knex";
 import { Logger } from "pino";
@@ -17,6 +19,7 @@ import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
 import { TSmtpService } from "@app/services/smtp/smtp-service";

+import { globalRateLimiterCfg } from "./config/rateLimiter";
 import { fastifyErrHandler } from "./plugins/error-handler";
 import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
@@ -64,6 +67,10 @@ export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {
    await server.register(fastifyFormBody);
    await server.register(fastifyErrHandler);

+    // Rate limiters and security headers
+    if (appCfg.isProductionMode) {
+      await server.register<FastifyRateLimitOptions>(ratelimiter, globalRateLimiterCfg());
+    }
    await server.register(helmet, { contentSecurityPolicy: false });

    await server.register(maintenanceMode);
--- a/backend/src/server/config/rateLimiter.ts
+++ b/backend/src/server/config/rateLimiter.ts
@@ -1,34 +1,20 @@
 import type { RateLimitOptions, RateLimitPluginOptions } from "@fastify/rate-limit";
-import { FastifyRequest } from "fastify";
 import { Redis } from "ioredis";

 import { getConfig } from "@app/lib/config/env";
-import { ActorType } from "@app/services/auth/auth-type";
-
-const getDistinctRequestActorId = (req: FastifyRequest) => {
-  if (req?.auth?.actor === ActorType.USER) {
-    return req.auth.user.username;
-  }
-  if (req?.auth?.actor === ActorType.IDENTITY) {
-    return `${req.auth.identityId}-machine-identity-`;
-  }
-  if (req?.auth?.actor === ActorType.SERVICE) {
-    return `${req.auth.serviceToken.id}-service-token`; // when user gets removed from system
-  }
-  return req.realIp;
-};

 export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
  const appCfg = getConfig();
  const redis = appCfg.isRedisConfigured
    ? new Redis(appCfg.REDIS_URL, { connectTimeout: 500, maxRetriesPerRequest: 1 })
    : null;
+
  return {
    timeWindow: 60 * 1000,
    max: 600,
    redis,
    allowList: (req) => req.url === "/healthcheck" || req.url === "/api/status",
-    keyGenerator: (req) => getDistinctRequestActorId(req)
+    keyGenerator: (req) => req.realIp
  };
 };

@@ -36,39 +22,39 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
 export const readLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
  max: 600,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  keyGenerator: (req) => req.realIp
 };

 // POST, PATCH, PUT, DELETE endpoints
 export const writeLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
  max: 50,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  keyGenerator: (req) => req.realIp
 };

 // special endpoints
 export const secretsLimit: RateLimitOptions = {
  // secrets, folders, secret imports
  timeWindow: 60 * 1000,
-  max: 1000,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  max: 60,
+  keyGenerator: (req) => req.realIp
 };

 export const authRateLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
  max: 60,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  keyGenerator: (req) => req.realIp
 };

 export const inviteUserRateLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
  max: 30,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  keyGenerator: (req) => req.realIp
 };

 export const creationLimit: RateLimitOptions = {
  // identity, project, org
  timeWindow: 60 * 1000,
  max: 30,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  keyGenerator: (req) => req.realIp
 };
--- a/backend/src/server/plugins/auth/inject-permission.ts
+++ b/backend/src/server/plugins/auth/inject-permission.ts
@@ -1,5 +1,6 @@
 import fp from "fastify-plugin";

+import { logger } from "@app/lib/logger";
 import { ActorType } from "@app/services/auth/auth-type";

 // inject permission type needed based on auth extracted
@@ -15,6 +16,10 @@ export const injectPermission = fp(async (server) => {
        orgId: req.auth.orgId, // if the req.auth.authMode is AuthMode.API_KEY, the orgId will be "API_KEY"
        authMethod: req.auth.authMethod // if the req.auth.authMode is AuthMode.API_KEY, the authMethod will be null
      };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.userId}] [type=${ActorType.USER}]`
+      );
    } else if (req.auth.actor === ActorType.IDENTITY) {
      req.permission = {
        type: ActorType.IDENTITY,
@@ -22,6 +27,10 @@ export const injectPermission = fp(async (server) => {
        orgId: req.auth.orgId,
        authMethod: null
      };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.identityId}] [type=${ActorType.IDENTITY}]`
+      );
    } else if (req.auth.actor === ActorType.SERVICE) {
      req.permission = {
        type: ActorType.SERVICE,
@@ -29,6 +38,10 @@ export const injectPermission = fp(async (server) => {
        orgId: req.auth.orgId,
        authMethod: null
      };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.serviceTokenId}] [type=${ActorType.SERVICE}]`
+      );
    } else if (req.auth.actor === ActorType.SCIM_CLIENT) {
      req.permission = {
        type: ActorType.SCIM_CLIENT,
@@ -36,6 +49,10 @@ export const injectPermission = fp(async (server) => {
        orgId: req.auth.orgId,
        authMethod: null
      };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.scimTokenId}] [type=${ActorType.SCIM_CLIENT}]`
+      );
    }
  });
 });
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -1,4 +1,3 @@
-import ratelimiter, { FastifyRateLimitOptions } from "@fastify/rate-limit";
 import { Knex } from "knex";
 import { z } from "zod";

@@ -62,7 +61,7 @@ import { trustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
-import { globalRateLimiterCfg, readLimit } from "@app/server/config/rateLimiter";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { apiKeyDALFactory } from "@app/services/api-key/api-key-dal";
 import { apiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { authDALFactory } from "@app/services/auth/auth-dal";
@@ -840,11 +839,6 @@ export const registerRoutes = async (
    user: userDAL
  });

-  // Rate limiters and security headers
-  if (appCfg.isProductionMode) {
-    await server.register<FastifyRateLimitOptions>(ratelimiter, globalRateLimiterCfg());
-  }
-
  await server.register(injectIdentity, { userDAL, serviceTokenDAL });
  await server.register(injectPermission);
  await server.register(injectAuditLogInfo);
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@@ -8,6 +8,7 @@ import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { IntegrationMappingBehavior } from "@app/services/integration-auth/integration-list";
 import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";

 export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
@@ -49,6 +50,10 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
+            mappingBehavior: z
+              .nativeEnum(IntegrationMappingBehavior)
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.mappingBehavior),
            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
            secretGCPLabel: z
              .object({
@@ -160,6 +165,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
+            mappingBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.mappingBehavior),
            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
            secretGCPLabel: z
              .object({
@@ -262,5 +268,64 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
    }
  });

-  // TODO(akhilmhdh-pg): manual sync
+  server.route({
+    method: "POST",
+    url: "/:integrationId/sync",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Manually trigger sync of an integration by integration id",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        integrationId: z.string().trim().describe(INTEGRATION.SYNC.integrationId)
+      }),
+      response: {
+        200: z.object({
+          integration: IntegrationsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const integration = await server.services.integration.syncIntegration({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.integrationId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: integration.projectId,
+        event: {
+          type: EventType.MANUAL_SYNC_INTEGRATION,
+          // eslint-disable-next-line
+          metadata: shake({
+            integrationId: integration.id,
+            integration: integration.integration,
+            environment: integration.environment.slug,
+            secretPath: integration.secretPath,
+            url: integration.url,
+            app: integration.app,
+            appId: integration.appId,
+            targetEnvironment: integration.targetEnvironment,
+            targetEnvironmentId: integration.targetEnvironmentId,
+            targetService: integration.targetService,
+            targetServiceId: integration.targetServiceId,
+            path: integration.path,
+            region: integration.region
+            // eslint-disable-next-line
+          }) as any
+        }
+      });
+
+      return { integration };
+    }
+  });
 };
--- a/backend/src/services/integration-auth/integration-list.ts
+++ b/backend/src/services/integration-auth/integration-list.ts
@@ -43,6 +43,11 @@ export enum IntegrationInitialSyncBehavior {
  PREFER_SOURCE = "prefer-source"
 }

+export enum IntegrationMappingBehavior {
+  ONE_TO_ONE = "one-to-one",
+  MANY_TO_ONE = "many-to-one"
+}
+
 export enum IntegrationUrls {
  // integration oauth endpoints
  GCP_TOKEN_URL = "https://oauth2.googleapis.com/token",
--- a/backend/src/services/integration-auth/integration-sync-secret.ts
+++ b/backend/src/services/integration-auth/integration-sync-secret.ts
@@ -30,7 +30,12 @@ import { BadRequestError } from "@app/lib/errors";
 import { TCreateManySecretsRawFn, TUpdateManySecretsRawFn } from "@app/services/secret/secret-types";

 import { TIntegrationDALFactory } from "../integration/integration-dal";
-import { IntegrationInitialSyncBehavior, Integrations, IntegrationUrls } from "./integration-list";
+import {
+  IntegrationInitialSyncBehavior,
+  IntegrationMappingBehavior,
+  Integrations,
+  IntegrationUrls
+} from "./integration-list";

 const getSecretKeyValuePair = (secrets: Record<string, { value: string | null; comment?: string } | null>) =>
  Object.keys(secrets).reduce<Record<string, string | null | undefined>>((prev, key) => {
@@ -570,134 +575,145 @@ const syncSecretsAWSSecretManager = async ({
  accessId: string | null;
  accessToken: string;
 }) => {
-  let secretsManager;
-  const secKeyVal = getSecretKeyValuePair(secrets);
  const metadata = z.record(z.any()).parse(integration.metadata || {});
-  try {
-    if (!accessId) return;

-    secretsManager = new SecretsManagerClient({
-      region: integration.region as string,
-      credentials: {
-        accessKeyId: accessId,
-        secretAccessKey: accessToken
+  if (!accessId) return;
+
+  const secretsManager = new SecretsManagerClient({
+    region: integration.region as string,
+    credentials: {
+      accessKeyId: accessId,
+      secretAccessKey: accessToken
+    }
+  });
+
+  const processAwsSecret = async (secretId: string, keyValuePairs: Record<string, string | null | undefined>) => {
+    try {
+      const awsSecretManagerSecret = await secretsManager.send(
+        new GetSecretValueCommand({
+          SecretId: secretId
+        })
+      );
+
+      let awsSecretManagerSecretObj: { [key: string]: AWS.SecretsManager } = {};
+
+      if (awsSecretManagerSecret?.SecretString) {
+        awsSecretManagerSecretObj = JSON.parse(awsSecretManagerSecret.SecretString);
      }
-    });

-    const awsSecretManagerSecret = await secretsManager.send(
-      new GetSecretValueCommand({
-        SecretId: integration.app as string
-      })
-    );
+      if (!isEqual(awsSecretManagerSecretObj, keyValuePairs)) {
+        await secretsManager.send(
+          new UpdateSecretCommand({
+            SecretId: secretId,
+            SecretString: JSON.stringify(keyValuePairs)
+          })
+        );
+      }

-    let awsSecretManagerSecretObj: { [key: string]: AWS.SecretsManager } = {};
+      const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;

-    if (awsSecretManagerSecret?.SecretString) {
-      awsSecretManagerSecretObj = JSON.parse(awsSecretManagerSecret.SecretString);
-    }
+      if (secretAWSTag && secretAWSTag.length) {
+        const describedSecret = await secretsManager.send(
+          // requires secretsmanager:DescribeSecret policy
+          new DescribeSecretCommand({
+            SecretId: secretId
+          })
+        );

-    if (!isEqual(awsSecretManagerSecretObj, secKeyVal)) {
-      await secretsManager.send(
-        new UpdateSecretCommand({
-          SecretId: integration.app as string,
-          SecretString: JSON.stringify(secKeyVal)
-        })
-      );
-    }
+        if (!describedSecret.Tags) return;

-    const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
+        const integrationTagObj = secretAWSTag.reduce(
+          (acc, item) => {
+            acc[item.key] = item.value;
+            return acc;
+          },
+          {} as Record<string, string>
+        );

-    if (secretAWSTag && secretAWSTag.length) {
-      const describedSecret = await secretsManager.send(
-        // requires secretsmanager:DescribeSecret policy
-        new DescribeSecretCommand({
-          SecretId: integration.app as string
-        })
-      );
+        const awsTagObj = (describedSecret.Tags || []).reduce(
+          (acc, item) => {
+            if (item.Key && item.Value) {
+              acc[item.Key] = item.Value;
+            }
+            return acc;
+          },
+          {} as Record<string, string>
+        );

-      if (!describedSecret.Tags) return;
+        const tagsToUpdate: { Key: string; Value: string }[] = [];
+        const tagsToDelete: { Key: string; Value: string }[] = [];

-      const integrationTagObj = secretAWSTag.reduce(
-        (acc, item) => {
-          acc[item.key] = item.value;
-          return acc;
-        },
-        {} as Record<string, string>
-      );
-
-      const awsTagObj = (describedSecret.Tags || []).reduce(
-        (acc, item) => {
-          if (item.Key && item.Value) {
-            acc[item.Key] = item.Value;
+        describedSecret.Tags?.forEach((tag) => {
+          if (tag.Key && tag.Value) {
+            if (!(tag.Key in integrationTagObj)) {
+              // delete tag from AWS secret manager
+              tagsToDelete.push({
+                Key: tag.Key,
+                Value: tag.Value
+              });
+            } else if (tag.Value !== integrationTagObj[tag.Key]) {
+              // update tag in AWS secret manager
+              tagsToUpdate.push({
+                Key: tag.Key,
+                Value: integrationTagObj[tag.Key]
+              });
+            }
          }
-          return acc;
-        },
-        {} as Record<string, string>
-      );
+        });

-      const tagsToUpdate: { Key: string; Value: string }[] = [];
-      const tagsToDelete: { Key: string; Value: string }[] = [];
-
-      describedSecret.Tags?.forEach((tag) => {
-        if (tag.Key && tag.Value) {
-          if (!(tag.Key in integrationTagObj)) {
-            // delete tag from AWS secret manager
-            tagsToDelete.push({
-              Key: tag.Key,
-              Value: tag.Value
-            });
-          } else if (tag.Value !== integrationTagObj[tag.Key]) {
-            // update tag in AWS secret manager
+        secretAWSTag?.forEach((tag) => {
+          if (!(tag.key in awsTagObj)) {
+            // create tag in AWS secret manager
            tagsToUpdate.push({
-              Key: tag.Key,
-              Value: integrationTagObj[tag.Key]
+              Key: tag.key,
+              Value: tag.value
            });
          }
-        }
-      });
+        });

-      secretAWSTag?.forEach((tag) => {
-        if (!(tag.key in awsTagObj)) {
-          // create tag in AWS secret manager
-          tagsToUpdate.push({
-            Key: tag.key,
-            Value: tag.value
-          });
+        if (tagsToUpdate.length) {
+          await secretsManager.send(
+            new TagResourceCommand({
+              SecretId: secretId,
+              Tags: tagsToUpdate
+            })
+          );
        }
-      });

-      if (tagsToUpdate.length) {
-        await secretsManager.send(
-          new TagResourceCommand({
-            SecretId: integration.app as string,
-            Tags: tagsToUpdate
-          })
-        );
+        if (tagsToDelete.length) {
+          await secretsManager.send(
+            new UntagResourceCommand({
+              SecretId: secretId,
+              TagKeys: tagsToDelete.map((tag) => tag.Key)
+            })
+          );
+        }
      }
-
-      if (tagsToDelete.length) {
+    } catch (err) {
+      // case when AWS manager can't find the specified secret
+      if (err instanceof ResourceNotFoundException && secretsManager) {
        await secretsManager.send(
-          new UntagResourceCommand({
-            SecretId: integration.app as string,
-            TagKeys: tagsToDelete.map((tag) => tag.Key)
+          new CreateSecretCommand({
+            Name: secretId,
+            SecretString: JSON.stringify(keyValuePairs),
+            ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
+            Tags: metadata.secretAWSTag
+              ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
+              : []
          })
        );
      }
    }
-  } catch (err) {
-    // case when AWS manager can't find the specified secret
-    if (err instanceof ResourceNotFoundException && secretsManager) {
-      await secretsManager.send(
-        new CreateSecretCommand({
-          Name: integration.app as string,
-          SecretString: JSON.stringify(secKeyVal),
-          ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
-          Tags: metadata.secretAWSTag
-            ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
-            : []
-        })
-      );
+  };
+
+  if (metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE) {
+    for await (const [key, value] of Object.entries(secrets)) {
+      await processAwsSecret(key, {
+        [key]: value.value
+      });
    }
+  } else {
+    await processAwsSecret(integration.app as string, getSecretKeyValuePair(secrets));
  }
 };

@@ -2965,7 +2981,7 @@ const syncSecretsDigitalOceanAppPlatform = async ({
      spec: {
        name: integration.app,
        ...appSettings,
-        envs: Object.entries(secrets).map(([key, data]) => ({ key, value: data.value }))
+        envs: Object.entries(secrets).map(([key, data]) => ({ key, value: data.value, type: "SECRET" }))
      }
    },
    {
--- a/backend/src/services/integration/integration-service.ts
+++ b/backend/src/services/integration/integration-service.ts
@@ -9,7 +9,12 @@ import { TIntegrationAuthDALFactory } from "../integration-auth/integration-auth
 import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TIntegrationDALFactory } from "./integration-dal";
-import { TCreateIntegrationDTO, TDeleteIntegrationDTO, TUpdateIntegrationDTO } from "./integration-types";
+import {
+  TCreateIntegrationDTO,
+  TDeleteIntegrationDTO,
+  TSyncIntegrationDTO,
+  TUpdateIntegrationDTO
+} from "./integration-types";

 type TIntegrationServiceFactoryDep = {
  integrationDAL: TIntegrationDALFactory;
@@ -201,10 +206,35 @@ export const integrationServiceFactory = ({
    return integrations;
  };

+  const syncIntegration = async ({ id, actorId, actor, actorOrgId, actorAuthMethod }: TSyncIntegrationDTO) => {
+    const integration = await integrationDAL.findById(id);
+    if (!integration) {
+      throw new BadRequestError({ message: "Integration not found" });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      integration.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+
+    await secretQueueService.syncIntegrations({
+      environment: integration.environment.slug,
+      secretPath: integration.secretPath,
+      projectId: integration.projectId
+    });
+
+    return { ...integration, envId: integration.environment.id };
+  };
+
  return {
    createIntegration,
    updateIntegration,
    deleteIntegration,
-    listIntegrationByProject
+    listIntegrationByProject,
+    syncIntegration
  };
 };
--- a/backend/src/services/integration/integration-types.ts
+++ b/backend/src/services/integration/integration-types.ts
@@ -59,3 +59,7 @@ export type TUpdateIntegrationDTO = {
 export type TDeleteIntegrationDTO = {
  id: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TSyncIntegrationDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/project-bot/project-bot-fns.ts
+++ b/backend/src/services/project-bot/project-bot-fns.ts
@@ -3,6 +3,7 @@ import { decryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/en
 import { BadRequestError } from "@app/lib/errors";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";

+import { TProjectDALFactory } from "../project/project-dal";
 import { TGetPrivateKeyDTO } from "./project-bot-types";

 export const getBotPrivateKey = ({ bot }: TGetPrivateKeyDTO) =>
@@ -13,11 +14,17 @@ export const getBotPrivateKey = ({ bot }: TGetPrivateKeyDTO) =>
    ciphertext: bot.encryptedPrivateKey
  });

-export const getBotKeyFnFactory = (projectBotDAL: TProjectBotDALFactory) => {
+export const getBotKeyFnFactory = (
+  projectBotDAL: TProjectBotDALFactory,
+  projectDAL: Pick<TProjectDALFactory, "findById">
+) => {
  const getBotKeyFn = async (projectId: string) => {
-    const bot = await projectBotDAL.findOne({ projectId });
+    const project = await projectDAL.findById(projectId);
+    if (!project) throw new BadRequestError({ message: "Project not found during bot lookup." });

-    if (!bot) throw new BadRequestError({ message: "failed to find bot key" });
+    const bot = await projectBotDAL.findOne({ projectId: project.id });
+
+    if (!bot) throw new BadRequestError({ message: "Failed to find bot key" });
    if (!bot.isActive) throw new BadRequestError({ message: "Bot is not active" });
    if (!bot.encryptedProjectKeyNonce || !bot.encryptedProjectKey)
      throw new BadRequestError({ message: "Encryption key missing" });
--- a/backend/src/services/project-bot/project-bot-service.ts
+++ b/backend/src/services/project-bot/project-bot-service.ts
@@ -25,7 +25,7 @@ export const projectBotServiceFactory = ({
  projectDAL,
  permissionService
 }: TProjectBotServiceFactoryDep) => {
-  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL);
+  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);

  const getBotKey = async (projectId: string) => {
    return getBotKeyFn(projectId);
--- a/backend/src/services/project-membership/project-membership-dal.ts
+++ b/backend/src/services/project-membership/project-membership-dal.ts
@@ -1,3 +1,5 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
 import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
@@ -104,9 +106,9 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
    }
  };

-  const findProjectGhostUser = async (projectId: string) => {
+  const findProjectGhostUser = async (projectId: string, tx?: Knex) => {
    try {
-      const ghostUser = await db(TableName.ProjectMembership)
+      const ghostUser = await (tx || db)(TableName.ProjectMembership)
        .where({ projectId })
        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
        .select(selectAllTableCols(TableName.Users))
--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@@ -340,7 +340,7 @@ export const projectServiceFactory = ({

    const deletedProject = await projectDAL.transaction(async (tx) => {
      const delProject = await projectDAL.deleteById(project.id, tx);
-      const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(project.id).catch(() => null);
+      const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(project.id, tx).catch(() => null);

      // Delete the org membership for the ghost user if it's found.
      if (projectGhostUser) {
--- a/backend/src/services/secret/secret-fns.ts
+++ b/backend/src/services/secret/secret-fns.ts
@@ -608,7 +608,7 @@ export const createManySecretsRawFnFactory = ({
  secretVersionTagDAL,
  folderDAL
 }: TCreateManySecretsRawFnFactory) => {
-  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL);
+  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
  const createManySecretsRawFn = async ({
    projectId,
    environment,
@@ -706,7 +706,7 @@ export const updateManySecretsRawFnFactory = ({
  secretVersionTagDAL,
  folderDAL
 }: TUpdateManySecretsRawFnFactory) => {
-  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL);
+  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
  const updateManySecretsRawFn = async ({
    projectId,
    environment,
--- a/backend/src/services/secret/secret-queue.ts
+++ b/backend/src/services/secret/secret-queue.ts
@@ -463,20 +463,37 @@ export const secretQueueFactory = ({
        });
      }

-      await syncIntegrationSecrets({
-        createManySecretsRawFn,
-        updateManySecretsRawFn,
-        integrationDAL,
-        integration,
-        integrationAuth,
-        secrets: Object.keys(suffixedSecrets).length !== 0 ? suffixedSecrets : secrets,
-        accessId: accessId as string,
-        accessToken,
-        appendices: {
-          prefix: metadata?.secretPrefix || "",
-          suffix: metadata?.secretSuffix || ""
-        }
-      });
+      try {
+        await syncIntegrationSecrets({
+          createManySecretsRawFn,
+          updateManySecretsRawFn,
+          integrationDAL,
+          integration,
+          integrationAuth,
+          secrets: Object.keys(suffixedSecrets).length !== 0 ? suffixedSecrets : secrets,
+          accessId: accessId as string,
+          accessToken,
+          appendices: {
+            prefix: metadata?.secretPrefix || "",
+            suffix: metadata?.secretSuffix || ""
+          }
+        });
+
+        await integrationDAL.updateById(integration.id, {
+          lastSyncJobId: job.id,
+          lastUsed: new Date(),
+          syncMessage: "",
+          isSynced: true
+        });
+      } catch (err: unknown) {
+        logger.info("Secret integration sync error:", err);
+        await integrationDAL.updateById(integration.id, {
+          lastSyncJobId: job.id,
+          lastUsed: new Date(),
+          syncMessage: (err as Error)?.message,
+          isSynced: false
+        });
+      }
    }

    logger.info("Secret integration sync ended: %s", job.id);
--- a/docs/images/integrations/aws/integrations-aws-secret-manager-create.png
+++ b/docs/images/integrations/aws/integrations-aws-secret-manager-create.png
--- a/docs/integrations/cloud/aws-secret-manager.mdx
+++ b/docs/integrations/cloud/aws-secret-manager.mdx
@@ -72,6 +72,9 @@ Prerequisites:
    <ParamField path="AWS Region" type="string" required>
      The region that you want to integrate with in AWS Secrets Manager.
    </ParamField>
+    <ParamField path="Mapping Behavior" type="string" required>
+      How you want the integration to map the secrets. The selected value could be either one to one or one to many.
+    </ParamField>
    <ParamField path="AWS SM Secret Name" type="string" required>
      The secret name/path in AWS into which you want to sync the secrets from Infisical.
    </ParamField>
--- a/frontend/src/hooks/api/integrations/queries.tsx
+++ b/frontend/src/hooks/api/integrations/queries.tsx
@@ -1,5 +1,6 @@
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";

+import { createNotification } from "@app/components/notifications";
 import { apiRequest } from "@app/config/request";

 import { workspaceKeys } from "../workspace/queries";
@@ -63,6 +64,7 @@ export const useCreateIntegration = () => {
        secretSuffix?: string;
        initialSyncBehavior?: string;
        shouldAutoRedeploy?: boolean;
+        mappingBehavior?: string;
        secretAWSTag?: {
          key: string;
          value: string;
@@ -110,3 +112,15 @@ export const useDeleteIntegration = () => {
    }
  });
 };
+
+export const useSyncIntegration = () => {
+  return useMutation<{}, {}, { id: string; workspaceId: string; lastUsed: string }>({
+    mutationFn: ({ id }) => apiRequest.post(`/api/v1/integration/${id}/sync`),
+    onSuccess: () => {
+      createNotification({
+        text: "Successfully triggered manual sync",
+        type: "success"
+      });
+    }
+  });
+};
--- a/frontend/src/hooks/api/integrations/types.ts
+++ b/frontend/src/hooks/api/integrations/types.ts
@@ -29,10 +29,14 @@ export type TIntegration = {
  secretPath: string;
  createdAt: string;
  updatedAt: string;
+  lastUsed?: string;
+  isSynced?: boolean;
+  syncMessage?: string;
  __v: number;
  metadata?: {
    secretSuffix?: string;
    syncBehavior?: IntegrationSyncBehavior;
+    mappingBehavior?: IntegrationMappingBehavior;
    scope: string;
    org: string;
    project: string;
@@ -45,3 +49,8 @@ export enum IntegrationSyncBehavior {
  PREFER_TARGET = "prefer-target",
  PREFER_SOURCE = "prefer-source"
 }
+
+export enum IntegrationMappingBehavior {
+  ONE_TO_ONE = "one-to-one",
+  MANY_TO_ONE = "many-to-one"
+}
--- a/frontend/src/hooks/api/workspace/queries.tsx
+++ b/frontend/src/hooks/api/workspace/queries.tsx
@@ -198,7 +198,8 @@ export const useGetWorkspaceIntegrations = (workspaceId: string) =>
  useQuery({
    queryKey: workspaceKeys.getWorkspaceIntegrations(workspaceId),
    queryFn: () => fetchWorkspaceIntegrations(workspaceId),
-    enabled: Boolean(workspaceId)
+    enabled: Boolean(workspaceId),
+    refetchInterval: 4000
  });

 export const createWorkspace = ({
--- a/frontend/src/pages/integrations/aws-secret-manager/create.tsx
+++ b/frontend/src/pages/integrations/aws-secret-manager/create.tsx
@@ -15,6 +15,7 @@ import queryString from "query-string";

 import { useCreateIntegration } from "@app/hooks/api";
 import { useGetIntegrationAuthAwsKmsKeys } from "@app/hooks/api/integrationAuth/queries";
+import { IntegrationMappingBehavior } from "@app/hooks/api/integrations/types";

 import {
  Button,
@@ -70,6 +71,17 @@ const awsRegions = [
  { name: "AWS GovCloud (US-West)", slug: "us-gov-west-1" }
 ];

+const mappingBehaviors = [
+  {
+    label: "Many to One (All Infisical secrets will be mapped to a single AWS secret)",
+    value: IntegrationMappingBehavior.MANY_TO_ONE
+  },
+  {
+    label: "One to One - (Each Infisical secret will be mapped to its own AWS secret)",
+    value: IntegrationMappingBehavior.ONE_TO_ONE
+  }
+];
+
 export default function AWSSecretManagerCreateIntegrationPage() {
  const router = useRouter();
  const { mutateAsync } = useCreateIntegration();
@@ -84,6 +96,9 @@ export default function AWSSecretManagerCreateIntegrationPage() {
  const [selectedSourceEnvironment, setSelectedSourceEnvironment] = useState("");
  const [secretPath, setSecretPath] = useState("/");
  const [selectedAWSRegion, setSelectedAWSRegion] = useState("");
+  const [selectedMappingBehavior, setSelectedMappingBehavior] = useState(
+    IntegrationMappingBehavior.MANY_TO_ONE
+  );
  const [targetSecretName, setTargetSecretName] = useState("");
  const [targetSecretNameErrorText, setTargetSecretNameErrorText] = useState("");
  const [tagKey, setTagKey] = useState("");
@@ -116,7 +131,14 @@ export default function AWSSecretManagerCreateIntegrationPage() {

  const handleButtonClick = async () => {
    try {
-      if (targetSecretName.trim() === "") {
+      if (!selectedMappingBehavior) {
+        return;
+      }
+
+      if (
+        selectedMappingBehavior === IntegrationMappingBehavior.MANY_TO_ONE &&
+        targetSecretName.trim() === ""
+      ) {
        setTargetSecretName("Secret name cannot be blank");
        return;
      }
@@ -143,7 +165,8 @@ export default function AWSSecretManagerCreateIntegrationPage() {
                ]
              }
            : {}),
-          ...(kmsKeyId && { kmsKeyId })
+          ...(kmsKeyId && { kmsKeyId }),
+          mappingBehavior: selectedMappingBehavior
        }
      });

@@ -248,19 +271,40 @@ export default function AWSSecretManagerCreateIntegrationPage() {
                  ))}
                </Select>
              </FormControl>
-              <FormControl
-                label="AWS SM Secret Name"
-                errorText={targetSecretNameErrorText}
-                isError={targetSecretNameErrorText !== "" ?? false}
-              >
-                <Input
-                  placeholder={`${workspace.name
-                    .toLowerCase()
-                    .replace(/ /g, "-")}/${selectedSourceEnvironment}`}
-                  value={targetSecretName}
-                  onChange={(e) => setTargetSecretName(e.target.value)}
-                />
+              <FormControl label="Mapping Behavior">
+                <Select
+                  value={selectedMappingBehavior}
+                  onValueChange={(val) => {
+                    setSelectedMappingBehavior(val as IntegrationMappingBehavior);
+                  }}
+                  className="w-full border border-mineshaft-500 text-left"
+                >
+                  {mappingBehaviors.map((option) => (
+                    <SelectItem
+                      value={option.value}
+                      className="text-left"
+                      key={`aws-environment-${option.value}`}
+                    >
+                      {option.label}
+                    </SelectItem>
+                  ))}
+                </Select>
              </FormControl>
+              {selectedMappingBehavior === IntegrationMappingBehavior.MANY_TO_ONE && (
+                <FormControl
+                  label="AWS SM Secret Name"
+                  errorText={targetSecretNameErrorText}
+                  isError={targetSecretNameErrorText !== "" ?? false}
+                >
+                  <Input
+                    placeholder={`${workspace.name
+                      .toLowerCase()
+                      .replace(/ /g, "-")}/${selectedSourceEnvironment}`}
+                    value={targetSecretName}
+                    onChange={(e) => setTargetSecretName(e.target.value)}
+                  />
+                </FormControl>
+              )}
            </motion.div>
          </TabPanel>
          <TabPanel value={TabSections.Options}>
--- a/frontend/src/pages/login/select-organization.tsx
+++ b/frontend/src/pages/login/select-organization.tsx
@@ -121,6 +121,14 @@ export default function LoginPage() {
    }
  }, [router]);

+  // Case: User has no organizations.
+  // This can happen if the user was previously a member, but the organization was deleted or the user was removed.
+  useEffect(() => {
+    if (!organizations.isLoading && organizations.data?.length === 0) {
+      router.push("/org/none");
+    }
+  }, [organizations.isLoading, organizations.data]);
+
  if (userLoading || !user) {
    return <LoadingScreen />;
  }
--- a/frontend/src/views/IntegrationsPage/components/IntegrationsSection/IntegrationsSection.tsx
+++ b/frontend/src/views/IntegrationsPage/components/IntegrationsSection/IntegrationsSection.tsx
@@ -1,21 +1,27 @@
 import Link from "next/link";
-import { faArrowRight, faXmark } from "@fortawesome/free-solid-svg-icons";
+import { faCalendarCheck } from "@fortawesome/free-regular-svg-icons";
+import { faArrowRight, faRefresh, faWarning, faXmark } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { format } from "date-fns";
 import { integrationSlugNameMapping } from "public/data/frequentConstants";

 import { ProjectPermissionCan } from "@app/components/permissions";
 import {
  Alert,
  AlertDescription,
+  Button,
  DeleteActionModal,
  EmptyState,
  FormLabel,
  IconButton,
  Skeleton,
+  Tag,
  Tooltip
 } from "@app/components/v2";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
 import { usePopUp } from "@app/hooks";
+import { useSyncIntegration } from "@app/hooks/api/integrations/queries";
+import { IntegrationMappingBehavior } from "@app/hooks/api/integrations/types";
 import { TIntegration } from "@app/hooks/api/types";

 type Props = {
@@ -39,6 +45,8 @@ export const IntegrationsSection = ({
    "deleteConfirmation"
  ] as const);

+  const { mutate: syncIntegration } = useSyncIntegration();
+
  return (
    <div className="mb-8">
      <div className="mx-4 mb-4 mt-6 flex flex-col items-start justify-between px-2 text-xl">
@@ -74,7 +82,7 @@ export const IntegrationsSection = ({
        </div>
      )}
      {!isLoading && isBotActive && (
-        <div className="flex flex-col min-w-max space-y-4 p-6 pt-0">
+        <div className="flex min-w-max flex-col space-y-4 p-6 pt-0">
          {integrations?.map((integration) => (
            <div
              className="max-w-8xl flex justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-3"
@@ -124,29 +132,35 @@ export const IntegrationsSection = ({
                    </div>
                  </div>
                )}
-                <div className="ml-2 flex flex-col">
-                  <FormLabel
-                    label={
-                      (integration.integration === "qovery" && integration?.scope) ||
-                      (integration.integration === "aws-secret-manager" && "Secret") ||
-                      (integration.integration === "aws-parameter-store" && "Path") ||
-                      (integration?.integration === "terraform-cloud" && "Project") ||
-                      (integration?.scope === "github-org" && "Organization") ||
-                      (["github-repo", "github-env"].includes(integration?.scope as string) &&
-                        "Repository") ||
-                      "App"
-                    }
-                  />
-                  <div className="min-w-[8rem] max-w-[12rem] overflow-scroll no-scrollbar no-scrollbar::-webkit-scrollbar whitespace-nowrap rounded-md border border-mineshaft-700 bg-mineshaft-900 px-3 py-2 font-inter text-sm text-bunker-200">
-                    {(integration.integration === "hashicorp-vault" &&
-                      `${integration.app} - path: ${integration.path}`) ||
-                      (integration.scope === "github-org" && `${integration.owner}`) ||
-                      (integration.integration === "aws-parameter-store" && `${integration.path}`) ||
-                      (integration.scope?.startsWith("github-") &&
-                        `${integration.owner}/${integration.app}`) ||
-                      integration.app}
+                {!(
+                  integration.integration === "aws-secret-manager" &&
+                  integration.metadata?.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE
+                ) && (
+                  <div className="ml-2 flex flex-col">
+                    <FormLabel
+                      label={
+                        (integration.integration === "qovery" && integration?.scope) ||
+                        (integration.integration === "aws-secret-manager" && "Secret") ||
+                        (integration.integration === "aws-parameter-store" && "Path") ||
+                        (integration?.integration === "terraform-cloud" && "Project") ||
+                        (integration?.scope === "github-org" && "Organization") ||
+                        (["github-repo", "github-env"].includes(integration?.scope as string) &&
+                          "Repository") ||
+                        "App"
+                      }
+                    />
+                    <div className="no-scrollbar::-webkit-scrollbar min-w-[8rem] max-w-[12rem] overflow-scroll whitespace-nowrap rounded-md border border-mineshaft-700 bg-mineshaft-900 px-3 py-2 font-inter text-sm text-bunker-200 no-scrollbar">
+                      {(integration.integration === "hashicorp-vault" &&
+                        `${integration.app} - path: ${integration.path}`) ||
+                        (integration.scope === "github-org" && `${integration.owner}`) ||
+                        (integration.integration === "aws-parameter-store" &&
+                          `${integration.path}`) ||
+                        (integration.scope?.startsWith("github-") &&
+                          `${integration.owner}/${integration.app}`) ||
+                        integration.app}
+                    </div>
                  </div>
-                </div>
+                )}
                {(integration.integration === "vercel" ||
                  integration.integration === "netlify" ||
                  integration.integration === "railway" ||
@@ -187,13 +201,70 @@ export const IntegrationsSection = ({
                  </div>
                )}
              </div>
-              <div className="flex cursor-default items-center">
+              <div className="mt-[1.5rem] flex cursor-default">
+                {integration.isSynced != null && integration.lastUsed != null && (
+                  <Tag
+                    key={integration.id}
+                    className={integration.isSynced ? "bg-green-800" : "bg-red/80"}
+                  >
+                    <Tooltip
+                      center
+                      className="max-w-xs whitespace-normal break-words"
+                      content={
+                        <div className="flex max-h-[10rem] flex-col overflow-auto ">
+                          <div className="flex self-start">
+                            <FontAwesomeIcon
+                              icon={faCalendarCheck}
+                              className="pt-0.5 pr-2 text-sm"
+                            />
+                            <div className="text-sm">Last sync</div>
+                          </div>
+                          <div className="pl-5 text-left text-xs">
+                            {format(new Date(integration.lastUsed), "yyyy-MM-dd, hh:mm aaa")}
+                          </div>
+                          {!integration.isSynced && (
+                            <>
+                              <div className="mt-2 flex self-start">
+                                <FontAwesomeIcon icon={faXmark} className="pt-1 pr-2 text-sm" />
+                                <div className="text-sm">Fail reason</div>
+                              </div>
+                              <div className="pl-5 text-left text-xs">
+                                {integration.syncMessage}
+                              </div>
+                            </>
+                          )}
+                        </div>
+                      }
+                    >
+                      <div className="flex items-center space-x-2 text-white">
+                        <div>Sync Status</div>
+                        {!integration.isSynced && <FontAwesomeIcon icon={faWarning} />}
+                      </div>
+                    </Tooltip>
+                  </Tag>
+                )}
+                <div className="mr-1 flex items-end opacity-80 duration-200 hover:opacity-100">
+                  <Tooltip className="text-center" content="Manually sync integration secrets">
+                    <Button
+                      onClick={() =>
+                        syncIntegration({
+                          workspaceId,
+                          id: integration.id,
+                          lastUsed: integration.lastUsed as string
+                        })
+                      }
+                      className="max-w-[2.5rem] border-none bg-mineshaft-500"
+                    >
+                      <FontAwesomeIcon icon={faRefresh} className="px-1 text-bunker-200" />
+                    </Button>
+                  </Tooltip>
+                </div>
                <ProjectPermissionCan
                  I={ProjectPermissionActions.Delete}
                  a={ProjectPermissionSub.Integrations}
                >
                  {(isAllowed: boolean) => (
-                    <div className="ml-2 opacity-80 duration-200 hover:opacity-100">
+                    <div className="flex items-end opacity-80 duration-200 hover:opacity-100">
                      <Tooltip content="Remove Integration">
                        <IconButton
                          onClick={() => handlePopUpOpen("deleteConfirmation", integration)}
@@ -217,7 +288,9 @@ export const IntegrationsSection = ({
        isOpen={popUp.deleteConfirmation.isOpen}
        title={`Are you sure want to remove ${
          (popUp?.deleteConfirmation.data as TIntegration)?.integration || " "
-        } integration for ${(popUp?.deleteConfirmation.data as TIntegration)?.app || "this project"}?`}
+        } integration for ${
+          (popUp?.deleteConfirmation.data as TIntegration)?.app || "this project"
+        }?`}
        onChange={(isOpen) => handlePopUpToggle("deleteConfirmation", isOpen)}
        deleteKey={
          (popUp?.deleteConfirmation?.data as TIntegration)?.app ||
--- a/frontend/src/views/SecretMainPage/components/SecretDropzone/SecretDropzone.tsx
+++ b/frontend/src/views/SecretMainPage/components/SecretDropzone/SecretDropzone.tsx
@@ -152,7 +152,7 @@ export const SecretDropzone = ({

    e.dataTransfer.dropEffect = "copy";
    setDragActive.off();
-    parseFile(e.dataTransfer.files[0]);
+    parseFile(e.dataTransfer.files[0], e.dataTransfer.files[0].type === "application/json");
  };

  const handleFileUpload = (e: ChangeEvent<HTMLInputElement>) => {
Author	SHA1	Message	Date
Sheen Capadngan	c9b234dbea	fix: address json drag behavior	2024-05-24 17:42:38 +08:00
Sheen Capadngan	0bc778b9bf	Merge pull request #1865 from Infisical/feat/add-one-to-one-support-for-aws-sm feat: added one to one support for aws secret manager integration	2024-05-23 23:48:47 +08:00
Sheen Capadngan	b0bc41da14	misc: finalized schema type	2024-05-23 22:18:24 +08:00
Daniel Hougaard	a234b686c2	Merge pull request #1867 from Infisical/daniel/better-no-project-found-error Fix: Better error message on project not found during bot lookup	2024-05-23 15:54:14 +02:00
Daniel Hougaard	6230167794	Update project-bot-fns.ts	2024-05-23 15:48:54 +02:00
Daniel Hougaard	68d1849ba0	Fix: Better error message on project not found during bot lookup	2024-05-23 15:47:08 +02:00
Daniel Hougaard	5c10427eaf	Merge pull request #1866 from Infisical/daniel/fix-no-orgs-selectable Fix: No orgs selectable if a user has been removed from an organization	2024-05-23 15:19:13 +02:00
Daniel Hougaard	290d99e02c	Fix: No orgs selectable if a user has been removed from an organization	2024-05-23 15:11:20 +02:00
Sheen Capadngan	b75d601754	misc: documentation changes and minor UI adjustments	2024-05-23 21:03:48 +08:00
Sheen Capadngan	de2a5b4255	feat: added one to one support for aws SM integration	2024-05-23 20:30:55 +08:00
Maidul Islam	663f8abc51	bring back last updated at for service token	2024-05-22 20:44:07 -04:00
Maidul Islam	941a71efaf	add index for expire at needed for pruning	2024-05-22 20:38:04 -04:00
Maidul Islam	19bbc2ab26	add secrets index	2024-05-22 19:04:44 -04:00
Maidul Islam	f4de52e714	add index on secret snapshot folders	2024-05-22 18:15:04 -04:00
Maidul Islam	0b87121b67	add index to secret-snapshot-secret for field snapshotId	2024-05-22 17:46:16 -04:00
Maidul Islam	e649667da8	add indexs to secret versions and secret snapshot secrets	2024-05-22 16:52:18 -04:00
Maidul Islam	6af4b3f64c	add index for audit logs	2024-05-22 15:48:24 -04:00
Maidul Islam	efcc248486	add tx to find ghost user	2024-05-22 14:54:20 -04:00
Maidul Islam	82eeae6030	track identity	2024-05-22 13:34:44 -04:00
Maidul Islam	440c77965c	add logs to track permission inject	2024-05-21 22:35:13 -04:00
Maidul Islam	880289217e	revert identity based rate limit	2024-05-21 22:24:53 -04:00
Maidul Islam	d0947f1040	update service tokens	2024-05-21 22:02:01 -04:00
Sheen Capadngan	303edadb1e	Merge pull request #1848 from Infisical/feat/add-integration-sync-status feat: added integration sync status	2024-05-22 01:19:36 +08:00
Maidul Islam	50155a610d	Merge pull request #1858 from Infisical/misc/address-digital-ocean-env-encryption misc: made digital ocean envs encrypted by default	2024-05-21 13:15:09 -04:00
Sheen Capadngan	c2830a56b6	misc: made digital ocean envs encrypted by default	2024-05-22 01:12:28 +08:00
Sheen Capadngan	b9a9b6b4d9	misc: applied ui/ux changes	2024-05-22 00:06:06 +08:00
Maidul Islam	e7f7f271c8	Merge pull request #1857 from Infisical/misc/added-pino-logger-redaction misc: added logger redaction	2024-05-21 11:49:36 -04:00
Sheen Capadngan	b26e96c5a2	misc: added logger redaction	2024-05-21 23:04:11 +08:00
Sheen Capadngan	9b404c215b	adjustment: ui changes to sync button	2024-05-21 16:04:36 +08:00
Sheen Capadngan	d6dae04959	misc: removed unnecessary notification	2024-05-21 14:01:15 +08:00
Sheen Capadngan	629bd9b7c6	added support for manual syncing of integrations	2024-05-21 13:56:44 +08:00
Sheen Capadngan	9253c69325	misc: finalized ui design of integration sync status	2024-05-21 02:35:23 +08:00
Sheen Capadngan	7d3a62cc4c	feat: added integration sync status	2024-05-20 20:56:29 +08:00