Merge pull request #1869 from Infisical/misc/made-aws-sm-mapping-plaintext-one-to-one

misc: made aws sm mapping one to one plaintext
2025-09-06 06:00:42 +00:00 · 2024-05-24 02:15:04 +08:00 · 2024-05-24 00:35:55 +08:00 · 2024-05-23 23:48:47 +08:00 · 2024-05-23 22:18:24 +08:00 · 2024-05-23 15:54:14 +02:00
10 changed files with 232 additions and 140 deletions
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -662,6 +662,7 @@ export const INTEGRATION = {
      secretPrefix: "The prefix for the saved secret. Used by GCP.",
      secretSuffix: "The suffix for the saved secret. Used by GCP.",
      initialSyncBehavoir: "Type of syncing behavoir with the integration.",
+      mappingBehavior: "The mapping behavior of the integration.",
      shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
      secretGCPLabel: "The label for GCP secrets.",
      secretAWSTag: "The tags for AWS secrets.",
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@@ -8,6 +8,7 @@ import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { IntegrationMappingBehavior } from "@app/services/integration-auth/integration-list";
 import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";

 export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
@@ -49,6 +50,10 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
+            mappingBehavior: z
+              .nativeEnum(IntegrationMappingBehavior)
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.mappingBehavior),
            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
            secretGCPLabel: z
              .object({
@@ -160,6 +165,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
+            mappingBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.mappingBehavior),
            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
            secretGCPLabel: z
              .object({
--- a/backend/src/services/integration-auth/integration-list.ts
+++ b/backend/src/services/integration-auth/integration-list.ts
@@ -43,6 +43,11 @@ export enum IntegrationInitialSyncBehavior {
  PREFER_SOURCE = "prefer-source"
 }

+export enum IntegrationMappingBehavior {
+  ONE_TO_ONE = "one-to-one",
+  MANY_TO_ONE = "many-to-one"
+}
+
 export enum IntegrationUrls {
  // integration oauth endpoints
  GCP_TOKEN_URL = "https://oauth2.googleapis.com/token",
--- a/backend/src/services/integration-auth/integration-sync-secret.ts
+++ b/backend/src/services/integration-auth/integration-sync-secret.ts
@@ -30,7 +30,12 @@ import { BadRequestError } from "@app/lib/errors";
 import { TCreateManySecretsRawFn, TUpdateManySecretsRawFn } from "@app/services/secret/secret-types";

 import { TIntegrationDALFactory } from "../integration/integration-dal";
-import { IntegrationInitialSyncBehavior, Integrations, IntegrationUrls } from "./integration-list";
+import {
+  IntegrationInitialSyncBehavior,
+  IntegrationMappingBehavior,
+  Integrations,
+  IntegrationUrls
+} from "./integration-list";

 const getSecretKeyValuePair = (secrets: Record<string, { value: string | null; comment?: string } | null>) =>
  Object.keys(secrets).reduce<Record<string, string | null | undefined>>((prev, key) => {
@@ -570,13 +575,11 @@ const syncSecretsAWSSecretManager = async ({
  accessId: string | null;
  accessToken: string;
 }) => {
-  let secretsManager;
-  const secKeyVal = getSecretKeyValuePair(secrets);
  const metadata = z.record(z.any()).parse(integration.metadata || {});
-  try {
+
  if (!accessId) return;

-    secretsManager = new SecretsManagerClient({
+  const secretsManager = new SecretsManagerClient({
    region: integration.region as string,
    credentials: {
      accessKeyId: accessId,
@@ -584,23 +587,31 @@ const syncSecretsAWSSecretManager = async ({
    }
  });

+  const processAwsSecret = async (
+    secretId: string,
+    secretValue: Record<string, string | null | undefined> | string
+  ) => {
+    try {
      const awsSecretManagerSecret = await secretsManager.send(
        new GetSecretValueCommand({
-        SecretId: integration.app as string
+          SecretId: secretId
        })
      );

-    let awsSecretManagerSecretObj: { [key: string]: AWS.SecretsManager } = {};
-
+      let secretToCompare;
      if (awsSecretManagerSecret?.SecretString) {
-      awsSecretManagerSecretObj = JSON.parse(awsSecretManagerSecret.SecretString);
+        if (typeof secretValue === "string") {
+          secretToCompare = awsSecretManagerSecret.SecretString;
+        } else {
+          secretToCompare = JSON.parse(awsSecretManagerSecret.SecretString);
+        }
      }

-    if (!isEqual(awsSecretManagerSecretObj, secKeyVal)) {
+      if (!isEqual(secretToCompare, secretValue)) {
        await secretsManager.send(
          new UpdateSecretCommand({
-          SecretId: integration.app as string,
-          SecretString: JSON.stringify(secKeyVal)
+            SecretId: secretId,
+            SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue)
          })
        );
      }
@@ -611,7 +622,7 @@ const syncSecretsAWSSecretManager = async ({
        const describedSecret = await secretsManager.send(
          // requires secretsmanager:DescribeSecret policy
          new DescribeSecretCommand({
-          SecretId: integration.app as string
+            SecretId: secretId
          })
        );

@@ -669,7 +680,7 @@ const syncSecretsAWSSecretManager = async ({
        if (tagsToUpdate.length) {
          await secretsManager.send(
            new TagResourceCommand({
-            SecretId: integration.app as string,
+              SecretId: secretId,
              Tags: tagsToUpdate
            })
          );
@@ -678,7 +689,7 @@ const syncSecretsAWSSecretManager = async ({
        if (tagsToDelete.length) {
          await secretsManager.send(
            new UntagResourceCommand({
-            SecretId: integration.app as string,
+              SecretId: secretId,
              TagKeys: tagsToDelete.map((tag) => tag.Key)
            })
          );
@@ -689,8 +700,8 @@ const syncSecretsAWSSecretManager = async ({
      if (err instanceof ResourceNotFoundException && secretsManager) {
        await secretsManager.send(
          new CreateSecretCommand({
-          Name: integration.app as string,
-          SecretString: JSON.stringify(secKeyVal),
+            Name: secretId,
+            SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue),
            ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
            Tags: metadata.secretAWSTag
              ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
@@ -701,6 +712,15 @@ const syncSecretsAWSSecretManager = async ({
    }
  };

+  if (metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE) {
+    for await (const [key, value] of Object.entries(secrets)) {
+      await processAwsSecret(key, value.value);
+    }
+  } else {
+    await processAwsSecret(integration.app as string, getSecretKeyValuePair(secrets));
+  }
+};
+
 /**
 * Sync/push [secrets] to Heroku app named [integration.app]
 */
--- a/docs/images/integrations/aws/integrations-aws-secret-manager-create.png
+++ b/docs/images/integrations/aws/integrations-aws-secret-manager-create.png
--- a/docs/integrations/cloud/aws-secret-manager.mdx
+++ b/docs/integrations/cloud/aws-secret-manager.mdx
@@ -72,6 +72,9 @@ Prerequisites:
    <ParamField path="AWS Region" type="string" required>
      The region that you want to integrate with in AWS Secrets Manager.
    </ParamField>
+    <ParamField path="Mapping Behavior" type="string" required>
+      How you want the integration to map the secrets. The selected value could be either one to one or one to many.
+    </ParamField>
    <ParamField path="AWS SM Secret Name" type="string" required>
      The secret name/path in AWS into which you want to sync the secrets from Infisical.
    </ParamField>
--- a/frontend/src/hooks/api/integrations/queries.tsx
+++ b/frontend/src/hooks/api/integrations/queries.tsx
@@ -64,6 +64,7 @@ export const useCreateIntegration = () => {
        secretSuffix?: string;
        initialSyncBehavior?: string;
        shouldAutoRedeploy?: boolean;
+        mappingBehavior?: string;
        secretAWSTag?: {
          key: string;
          value: string;
--- a/frontend/src/hooks/api/integrations/types.ts
+++ b/frontend/src/hooks/api/integrations/types.ts
@@ -36,6 +36,7 @@ export type TIntegration = {
  metadata?: {
    secretSuffix?: string;
    syncBehavior?: IntegrationSyncBehavior;
+    mappingBehavior?: IntegrationMappingBehavior;
    scope: string;
    org: string;
    project: string;
@@ -48,3 +49,8 @@ export enum IntegrationSyncBehavior {
  PREFER_TARGET = "prefer-target",
  PREFER_SOURCE = "prefer-source"
 }
+
+export enum IntegrationMappingBehavior {
+  ONE_TO_ONE = "one-to-one",
+  MANY_TO_ONE = "many-to-one"
+}
--- a/frontend/src/pages/integrations/aws-secret-manager/create.tsx
+++ b/frontend/src/pages/integrations/aws-secret-manager/create.tsx
@@ -15,6 +15,7 @@ import queryString from "query-string";

 import { useCreateIntegration } from "@app/hooks/api";
 import { useGetIntegrationAuthAwsKmsKeys } from "@app/hooks/api/integrationAuth/queries";
+import { IntegrationMappingBehavior } from "@app/hooks/api/integrations/types";

 import {
  Button,
@@ -70,6 +71,17 @@ const awsRegions = [
  { name: "AWS GovCloud (US-West)", slug: "us-gov-west-1" }
 ];

+const mappingBehaviors = [
+  {
+    label: "Many to One (All Infisical secrets will be mapped to a single AWS secret)",
+    value: IntegrationMappingBehavior.MANY_TO_ONE
+  },
+  {
+    label: "One to One - (Each Infisical secret will be mapped to its own AWS secret)",
+    value: IntegrationMappingBehavior.ONE_TO_ONE
+  }
+];
+
 export default function AWSSecretManagerCreateIntegrationPage() {
  const router = useRouter();
  const { mutateAsync } = useCreateIntegration();
@@ -84,6 +96,9 @@ export default function AWSSecretManagerCreateIntegrationPage() {
  const [selectedSourceEnvironment, setSelectedSourceEnvironment] = useState("");
  const [secretPath, setSecretPath] = useState("/");
  const [selectedAWSRegion, setSelectedAWSRegion] = useState("");
+  const [selectedMappingBehavior, setSelectedMappingBehavior] = useState(
+    IntegrationMappingBehavior.MANY_TO_ONE
+  );
  const [targetSecretName, setTargetSecretName] = useState("");
  const [targetSecretNameErrorText, setTargetSecretNameErrorText] = useState("");
  const [tagKey, setTagKey] = useState("");
@@ -116,7 +131,14 @@ export default function AWSSecretManagerCreateIntegrationPage() {

  const handleButtonClick = async () => {
    try {
-      if (targetSecretName.trim() === "") {
+      if (!selectedMappingBehavior) {
+        return;
+      }
+
+      if (
+        selectedMappingBehavior === IntegrationMappingBehavior.MANY_TO_ONE &&
+        targetSecretName.trim() === ""
+      ) {
        setTargetSecretName("Secret name cannot be blank");
        return;
      }
@@ -143,7 +165,8 @@ export default function AWSSecretManagerCreateIntegrationPage() {
                ]
              }
            : {}),
-          ...(kmsKeyId && { kmsKeyId })
+          ...(kmsKeyId && { kmsKeyId }),
+          mappingBehavior: selectedMappingBehavior
        }
      });

@@ -248,6 +271,26 @@ export default function AWSSecretManagerCreateIntegrationPage() {
                  ))}
                </Select>
              </FormControl>
+              <FormControl label="Mapping Behavior">
+                <Select
+                  value={selectedMappingBehavior}
+                  onValueChange={(val) => {
+                    setSelectedMappingBehavior(val as IntegrationMappingBehavior);
+                  }}
+                  className="w-full border border-mineshaft-500 text-left"
+                >
+                  {mappingBehaviors.map((option) => (
+                    <SelectItem
+                      value={option.value}
+                      className="text-left"
+                      key={`aws-environment-${option.value}`}
+                    >
+                      {option.label}
+                    </SelectItem>
+                  ))}
+                </Select>
+              </FormControl>
+              {selectedMappingBehavior === IntegrationMappingBehavior.MANY_TO_ONE && (
                <FormControl
                  label="AWS SM Secret Name"
                  errorText={targetSecretNameErrorText}
@@ -261,6 +304,7 @@ export default function AWSSecretManagerCreateIntegrationPage() {
                    onChange={(e) => setTargetSecretName(e.target.value)}
                  />
                </FormControl>
+              )}
            </motion.div>
          </TabPanel>
          <TabPanel value={TabSections.Options}>
--- a/frontend/src/views/IntegrationsPage/components/IntegrationsSection/IntegrationsSection.tsx
+++ b/frontend/src/views/IntegrationsPage/components/IntegrationsSection/IntegrationsSection.tsx
@@ -21,6 +21,7 @@ import {
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
 import { usePopUp } from "@app/hooks";
 import { useSyncIntegration } from "@app/hooks/api/integrations/queries";
+import { IntegrationMappingBehavior } from "@app/hooks/api/integrations/types";
 import { TIntegration } from "@app/hooks/api/types";

 type Props = {
@@ -131,6 +132,10 @@ export const IntegrationsSection = ({
                    </div>
                  </div>
                )}
+                {!(
+                  integration.integration === "aws-secret-manager" &&
+                  integration.metadata?.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE
+                ) && (
                  <div className="ml-2 flex flex-col">
                    <FormLabel
                      label={
@@ -155,6 +160,7 @@ export const IntegrationsSection = ({
                        integration.app}
                    </div>
                  </div>
+                )}
                {(integration.integration === "vercel" ||
                  integration.integration === "netlify" ||
                  integration.integration === "railway" ||
Author	SHA1	Message	Date
Sheen Capadngan	049df6abec	Merge pull request #1869 from Infisical/misc/made-aws-sm-mapping-plaintext-one-to-one misc: made aws sm mapping one to one plaintext	2024-05-24 02:15:04 +08:00
Sheen Capadngan	e7c5645aa9	misc: made aws sm mapping one to one plaintext	2024-05-24 00:35:55 +08:00
Sheen Capadngan	0bc778b9bf	Merge pull request #1865 from Infisical/feat/add-one-to-one-support-for-aws-sm feat: added one to one support for aws secret manager integration	2024-05-23 23:48:47 +08:00
Sheen Capadngan	b0bc41da14	misc: finalized schema type	2024-05-23 22:18:24 +08:00
Daniel Hougaard	a234b686c2	Merge pull request #1867 from Infisical/daniel/better-no-project-found-error Fix: Better error message on project not found during bot lookup	2024-05-23 15:54:14 +02:00
Daniel Hougaard	5c10427eaf	Merge pull request #1866 from Infisical/daniel/fix-no-orgs-selectable Fix: No orgs selectable if a user has been removed from an organization	2024-05-23 15:19:13 +02:00
Sheen Capadngan	b75d601754	misc: documentation changes and minor UI adjustments	2024-05-23 21:03:48 +08:00
Sheen Capadngan	de2a5b4255	feat: added one to one support for aws SM integration	2024-05-23 20:30:55 +08:00