Update external-migration-router.ts

feat: Process Envkey import in queue

.env.migration.example

@@ -1 +1,2 @@
 DB_CONNECTION_URI=
+AUDIT_LOGS_DB_CONNECTION_URI=

.github/pull_request_template.md

@@ -6,6 +6,7 @@
 
 - [ ] Bug fix
 - [ ] New feature
+- [ ] Improvement
 - [ ] Breaking change
 - [ ] Documentation
 

.github/workflows/build-binaries.yml

@@ -7,7 +7,6 @@ on:
                 description: "Version number"
                 required: true
                 type: string
-
 defaults:
     run:
         working-directory: ./backend
@@ -49,9 +48,9 @@ jobs:
             - name: Package into node binary
               run: |
                   if [ "${{ matrix.os }}" != "linux" ]; then
-                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
+                    pkg --no-bytecode --public-packages "*" --public --compress GZip --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
                   else
-                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
+                    pkg --no-bytecode --public-packages "*" --public --compress GZip --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
                   fi
 
             # Set up .deb package structure (Debian/Ubuntu only)
@@ -83,6 +82,86 @@ jobs:
                   dpkg-deb --build infisical-core
                   mv infisical-core.deb ./binary/infisical-core-${{matrix.arch}}.deb
 
+            ### RPM
+
+            # Set up .rpm package structure
+            - name: Set up .rpm package structure
+              if: matrix.os == 'linux'
+              run: |
+                  mkdir -p infisical-core-rpm/usr/local/bin
+                  cp ./binary/infisical-core infisical-core-rpm/usr/local/bin/
+                  chmod +x infisical-core-rpm/usr/local/bin/infisical-core
+
+            # Install RPM build tools
+            - name: Install RPM build tools
+              if: matrix.os == 'linux'
+              run: sudo apt-get update && sudo apt-get install -y rpm
+
+            # Create .spec file for RPM
+            - name: Create .spec file for RPM
+              if: matrix.os == 'linux'
+              run: |
+                  cat <<EOF > infisical-core.spec
+
+                  %global _enable_debug_package 0
+                  %global debug_package %{nil}
+                  %global __os_install_post /usr/lib/rpm/brp-compress %{nil}
+
+                  Name:           infisical-core
+                  Version:        ${{ github.event.inputs.version }}
+                  Release:        1%{?dist}
+                  Summary:        Infisical Core standalone executable
+                  License:        Proprietary
+                  URL:            https://app.infisical.com
+
+                  %description
+                  Infisical Core standalone executable (app.infisical.com)
+
+                  %install
+                  mkdir -p %{buildroot}/usr/local/bin
+                  cp %{_sourcedir}/infisical-core %{buildroot}/usr/local/bin/
+
+                  %files
+                  /usr/local/bin/infisical-core
+
+                  %pre
+
+                  %post
+
+                  %preun
+
+                  %postun
+                  EOF
+
+            # Build .rpm file
+            - name: Build .rpm package
+              if: matrix.os == 'linux'
+              run: |
+                  # Create necessary directories
+                  mkdir -p rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+
+                  # Copy the binary directly to SOURCES
+                  cp ./binary/infisical-core rpmbuild/SOURCES/
+
+                  # Run rpmbuild with verbose output
+                  rpmbuild -vv -bb \
+                    --define "_topdir $(pwd)/rpmbuild" \
+                    --define "_sourcedir $(pwd)/rpmbuild/SOURCES" \
+                    --define "_rpmdir $(pwd)/rpmbuild/RPMS" \
+                    --target ${{ matrix.arch == 'x64' && 'x86_64' || 'aarch64' }} \
+                    infisical-core.spec
+
+                  # Try to find the RPM file
+                  find rpmbuild -name "*.rpm"
+
+                  # Move the RPM file if found
+                  if [ -n "$(find rpmbuild -name '*.rpm')" ]; then
+                    mv $(find rpmbuild -name '*.rpm') ./binary/infisical-core-${{matrix.arch}}.rpm
+                  else
+                    echo "RPM file not found!"
+                    exit 1
+                  fi
+
             - uses: actions/setup-python@v4
               with:
                   python-version: "3.x" # Specify the Python version you need
@@ -97,6 +176,12 @@ jobs:
               working-directory: ./backend
               run: cloudsmith push deb --republish --no-wait-for-sync --api-key=${{ secrets.CLOUDSMITH_API_KEY }} infisical/infisical-core/any-distro/any-version ./binary/infisical-core-${{ matrix.arch }}.deb
 
+            # Publish .rpm file to Cloudsmith (Red Hat-based systems only)
+            - name: Publish .rpm to Cloudsmith
+              if: matrix.os == 'linux'
+              working-directory: ./backend
+              run: cloudsmith push rpm --republish --no-wait-for-sync --api-key=${{ secrets.CLOUDSMITH_API_KEY }} infisical/infisical-core/any-distro/any-version ./binary/infisical-core-${{ matrix.arch }}.rpm
+
             # Publish .exe file to Cloudsmith (Windows only)
             - name: Publish to Cloudsmith (Windows)
               if: matrix.os == 'win'

.github/workflows/build-staging-and-deploy-aws.yml

@@ -127,6 +127,7 @@ jobs:
       - name: Change directory to backend and install dependencies
         env:
           DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+          AUDIT_LOGS_DB_CONNECTION_URI: ${{ secrets.AUDIT_LOGS_DB_CONNECTION_URI }}
         run: |
           cd backend
           npm install

README.md

@@ -73,6 +73,11 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.
 
+### Key Management (KMS):
+
+- **[Cryptograhic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
+- **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.
+
 ### General Platform:
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
@@ -130,9 +135,7 @@ Lean about Infisical's code scanning feature [here](https://infisical.com/docs/c
 
 This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license.
 
-If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our website](https://infisical.com/) or [book a meeting with us](https://infisical.cal.com/vlad/infisical-demo):
-
-<a href="[https://infisical.cal.com/vlad/infisical-demo](https://infisical.cal.com/vlad/infisical-demo)"><img alt="Schedule a meeting" src="https://cal.com/book-with-cal-dark.svg" /></a>
+If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our website](https://infisical.com/) or [book a meeting with us](https://infisical.cal.com/vlad/infisical-demo).
 
 ## Security
 
@@ -158,4 +161,3 @@ Not sure where to get started? You can:
 - [Twitter](https://twitter.com/infisical) for fast news
 - [YouTube](https://www.youtube.com/@infisical_os) for videos on secret management
 - [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates
-- [Roadmap](https://www.notion.so/infisical/be2d2585a6694e40889b03aef96ea36b?v=5b19a8127d1a4060b54769567a8785fa) for planned features

backend/e2e-test/routes/v1/project-env.spec.ts

@@ -123,7 +123,7 @@ describe("Project Environment Router", async () => {
         id: deletedProjectEnvironment.id,
         name: mockProjectEnv.name,
         slug: mockProjectEnv.slug,
-        position: 4,
+        position: 5,
         createdAt: expect.any(String),
         updatedAt: expect.any(String)
       })

backend/package-lock.json

@@ -21,6 +21,7 @@
         "@fastify/etag": "^5.1.0",
         "@fastify/formbody": "^7.4.0",
         "@fastify/helmet": "^11.1.1",
+        "@fastify/multipart": "8.3.0",
         "@fastify/passport": "^2.4.0",
         "@fastify/rate-limit": "^9.0.0",
         "@fastify/session": "^10.7.0",
@@ -61,12 +62,11 @@
         "jwks-rsa": "^3.1.0",
         "knex": "^3.0.1",
         "ldapjs": "^3.0.7",
-        "ldif": "^0.5.1",
+        "ldif": "0.5.1",
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
         "mongodb": "^6.8.1",
         "ms": "^2.1.3",
-        "mustache": "^4.2.0",
         "mysql2": "^3.9.8",
         "nanoid": "^3.3.4",
         "nodemailer": "^6.9.9",
@@ -111,7 +111,6 @@
         "@types/jsrp": "^0.2.6",
         "@types/libsodium-wrappers": "^0.7.13",
         "@types/lodash.isequal": "^4.5.8",
-        "@types/mustache": "^4.2.5",
         "@types/node": "^20.9.5",
         "@types/nodemailer": "^6.4.14",
         "@types/passport-github": "^1.1.12",
@@ -4313,6 +4312,15 @@
         "fast-uri": "^2.0.0"
       }
     },
+    "node_modules/@fastify/busboy": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
+      "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=14"
+      }
+    },
     "node_modules/@fastify/cookie": {
       "version": "9.3.1",
       "resolved": "https://registry.npmjs.org/@fastify/cookie/-/cookie-9.3.1.tgz",
@@ -4383,6 +4391,20 @@
         "helmet": "^7.0.0"
       }
     },
+    "node_modules/@fastify/multipart": {
+      "version": "8.3.0",
+      "resolved": "https://registry.npmjs.org/@fastify/multipart/-/multipart-8.3.0.tgz",
+      "integrity": "sha512-A8h80TTyqUzaMVH0Cr9Qcm6RxSkVqmhK/MVBYHYeRRSUbUYv08WecjWKSlG2aSnD4aGI841pVxAjC+G1GafUeQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@fastify/busboy": "^2.1.0",
+        "@fastify/deepmerge": "^1.0.0",
+        "@fastify/error": "^3.0.0",
+        "fastify-plugin": "^4.0.0",
+        "secure-json-parse": "^2.4.0",
+        "stream-wormhole": "^1.1.0"
+      }
+    },
     "node_modules/@fastify/passport": {
       "version": "2.4.0",
       "resolved": "https://registry.npmjs.org/@fastify/passport/-/passport-2.4.0.tgz",
@@ -7079,13 +7101,6 @@
       "resolved": "https://registry.npmjs.org/@types/ms/-/ms-0.7.34.tgz",
       "integrity": "sha512-nG96G3Wp6acyAgJqGasjODb+acrI7KltPiRxzHPXnP3NgI28bpQDRv53olbqGXbfcgF5aiiHmO3xpwEpS5Ld9g=="
     },
-    "node_modules/@types/mustache": {
-      "version": "4.2.5",
-      "resolved": "https://registry.npmjs.org/@types/mustache/-/mustache-4.2.5.tgz",
-      "integrity": "sha512-PLwiVvTBg59tGFL/8VpcGvqOu3L4OuveNvPi0EYbWchRdEVP++yRUXJPFl+CApKEq13017/4Nf7aQ5lTtHUNsA==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@types/node": {
       "version": "20.9.5",
       "resolved": "https://registry.npmjs.org/@types/node/-/node-20.9.5.tgz",
@@ -13729,15 +13744,6 @@
         "node": ">= 6"
       }
     },
-    "node_modules/mustache": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/mustache/-/mustache-4.2.0.tgz",
-      "integrity": "sha512-71ippSywq5Yb7/tVYyGbkBggbU8H3u5Rz56fH60jGFgr8uHwxs+aSKeqmluIVzM0m0kB7xQjKS6qPfd0b2ZoqQ==",
-      "license": "MIT",
-      "bin": {
-        "mustache": "bin/mustache"
-      }
-    },
     "node_modules/mylas": {
       "version": "2.1.13",
       "resolved": "https://registry.npmjs.org/mylas/-/mylas-2.1.13.tgz",
@@ -16622,6 +16628,15 @@
       "resolved": "https://registry.npmjs.org/stream-shift/-/stream-shift-1.0.3.tgz",
       "integrity": "sha512-76ORR0DO1o1hlKwTbi/DM3EXWGf3ZJYO8cXX5RJwnul2DEg2oyoZyjLNoQM8WsvZiFKCRfC1O0J7iCvie3RZmQ=="
     },
+    "node_modules/stream-wormhole": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/stream-wormhole/-/stream-wormhole-1.1.0.tgz",
+      "integrity": "sha512-gHFfL3px0Kctd6Po0M8TzEvt3De/xu6cnRrjlfYNhwbhLPLwigI2t1nc6jrzNuaYg5C4YF78PPFuQPzRiqn9ew==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=4.0.0"
+      }
+    },
     "node_modules/string_decoder": {
       "version": "1.3.0",
       "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",

backend/package.json

@@ -45,13 +45,19 @@
     "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
     "generate:component": "tsx ./scripts/create-backend-file.ts",
     "generate:schema": "tsx ./scripts/generate-schema-types.ts",
+    "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
+    "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
+    "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
+    "auditlog-migration:list": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:list",
+    "auditlog-migration:status": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:status",
+    "auditlog-migration:rollback": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:rollback",
     "migration:new": "tsx ./scripts/create-migration.ts",
-    "migration:up": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
-    "migration:down": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
-    "migration:list": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
-    "migration:latest": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
-    "migration:status": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
-    "migration:rollback": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
+    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
+    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
+    "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
+    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
+    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
     "seed:new": "tsx ./scripts/create-seed-file.ts",
     "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
     "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
@@ -71,7 +77,6 @@
     "@types/jsrp": "^0.2.6",
     "@types/libsodium-wrappers": "^0.7.13",
     "@types/lodash.isequal": "^4.5.8",
-    "@types/mustache": "^4.2.5",
     "@types/node": "^20.9.5",
     "@types/nodemailer": "^6.4.14",
     "@types/passport-github": "^1.1.12",
@@ -120,6 +125,7 @@
     "@fastify/etag": "^5.1.0",
     "@fastify/formbody": "^7.4.0",
     "@fastify/helmet": "^11.1.1",
+    "@fastify/multipart": "8.3.0",
     "@fastify/passport": "^2.4.0",
     "@fastify/rate-limit": "^9.0.0",
     "@fastify/session": "^10.7.0",
@@ -160,12 +166,11 @@
     "jwks-rsa": "^3.1.0",
     "knex": "^3.0.1",
     "ldapjs": "^3.0.7",
-    "ldif": "^0.5.1",
+    "ldif": "0.5.1",
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
     "mongodb": "^6.8.1",
     "ms": "^2.1.3",
-    "mustache": "^4.2.0",
     "mysql2": "^3.9.8",
     "nanoid": "^3.3.4",
     "nodemailer": "^6.9.9",

backend/scripts/generate-schema-types.ts

@@ -90,7 +90,12 @@ const main = async () => {
       .whereRaw("table_schema =  current_schema()")
       .select<{ tableName: string }[]>("table_name as tableName")
       .orderBy("table_name")
-  ).filter((el) => !el.tableName.includes("_migrations"));
+  ).filter(
+    (el) =>
+      !el.tableName.includes("_migrations") &&
+      !el.tableName.includes("audit_logs_") &&
+      el.tableName !== "intermediate_audit_logs"
+  );
 
   for (let i = 0; i < tables.length; i += 1) {
     const { tableName } = tables[i];

backend/src/@types/fastify.d.ts

@@ -38,6 +38,7 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
+import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
@@ -182,6 +183,7 @@ declare module "fastify" {
       orgAdmin: TOrgAdminServiceFactory;
       slack: TSlackServiceFactory;
       workflowIntegration: TWorkflowIntegrationServiceFactory;
+      cmek: TCmekServiceFactory;
       migration: TExternalMigrationServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data

backend/src/db/auditlog-knexfile.ts

@@ -0,0 +1,75 @@
+// eslint-disable-next-line
+import "ts-node/register";
+
+import dotenv from "dotenv";
+import type { Knex } from "knex";
+import path from "path";
+
+// Update with your config settings. .
+dotenv.config({
+  path: path.join(__dirname, "../../../.env.migration")
+});
+dotenv.config({
+  path: path.join(__dirname, "../../../.env")
+});
+
+if (!process.env.AUDIT_LOGS_DB_CONNECTION_URI && !process.env.AUDIT_LOGS_DB_HOST) {
+  console.info("Dedicated audit log database not found. No further migrations necessary");
+  process.exit(0);
+}
+
+console.info("Executing migration on audit log database...");
+
+export default {
+  development: {
+    client: "postgres",
+    connection: {
+      connectionString: process.env.AUDIT_LOGS_DB_CONNECTION_URI,
+      host: process.env.AUDIT_LOGS_DB_HOST,
+      port: process.env.AUDIT_LOGS_DB_PORT,
+      user: process.env.AUDIT_LOGS_DB_USER,
+      database: process.env.AUDIT_LOGS_DB_NAME,
+      password: process.env.AUDIT_LOGS_DB_PASSWORD,
+      ssl: process.env.AUDIT_LOGS_DB_ROOT_CERT
+        ? {
+            rejectUnauthorized: true,
+            ca: Buffer.from(process.env.AUDIT_LOGS_DB_ROOT_CERT, "base64").toString("ascii")
+          }
+        : false
+    },
+    pool: {
+      min: 2,
+      max: 10
+    },
+    seeds: {
+      directory: "./seeds"
+    },
+    migrations: {
+      tableName: "infisical_migrations"
+    }
+  },
+  production: {
+    client: "postgres",
+    connection: {
+      connectionString: process.env.AUDIT_LOGS_DB_CONNECTION_URI,
+      host: process.env.AUDIT_LOGS_DB_HOST,
+      port: process.env.AUDIT_LOGS_DB_PORT,
+      user: process.env.AUDIT_LOGS_DB_USER,
+      database: process.env.AUDIT_LOGS_DB_NAME,
+      password: process.env.AUDIT_LOGS_DB_PASSWORD,
+      ssl: process.env.AUDIT_LOGS_DB_ROOT_CERT
+        ? {
+            rejectUnauthorized: true,
+            ca: Buffer.from(process.env.AUDIT_LOGS_DB_ROOT_CERT, "base64").toString("ascii")
+          }
+        : false
+    },
+    pool: {
+      min: 2,
+      max: 10
+    },
+    migrations: {
+      tableName: "infisical_migrations"
+    }
+  }
+} as Knex.Config;

backend/src/db/index.ts

@@ -1,2 +1,2 @@
 export type { TDbClient } from "./instance";
-export { initDbConnection } from "./instance";
+export { initAuditLogDbConnection, initDbConnection } from "./instance";

backend/src/db/instance.ts

@@ -70,3 +70,45 @@ export const initDbConnection = ({
 
   return db;
 };
+
+export const initAuditLogDbConnection = ({
+  dbConnectionUri,
+  dbRootCert
+}: {
+  dbConnectionUri: string;
+  dbRootCert?: string;
+}) => {
+  // akhilmhdh: the default Knex is knex.Knex<any, any[]>. but when assigned with knex({<config>}) the value is knex.Knex<any, unknown[]>
+  // this was causing issue with files like `snapshot-dal` `findRecursivelySnapshots` this i am explicitly putting the any and unknown[]
+  // eslint-disable-next-line
+  const db: Knex<any, unknown[]> = knex({
+    client: "pg",
+    connection: {
+      connectionString: dbConnectionUri,
+      host: process.env.AUDIT_LOGS_DB_HOST,
+      // @ts-expect-error I have no clue why only for the port there is a type error
+      // eslint-disable-next-line
+      port: process.env.AUDIT_LOGS_DB_PORT,
+      user: process.env.AUDIT_LOGS_DB_USER,
+      database: process.env.AUDIT_LOGS_DB_NAME,
+      password: process.env.AUDIT_LOGS_DB_PASSWORD,
+      ssl: dbRootCert
+        ? {
+            rejectUnauthorized: true,
+            ca: Buffer.from(dbRootCert, "base64").toString("ascii")
+          }
+        : false
+    }
+  });
+
+  // we add these overrides so that auditLogDb and the primary DB are interchangeable
+  db.primaryNode = () => {
+    return db;
+  };
+
+  db.replicaNode = () => {
+    return db;
+  };
+
+  return db;
+};

backend/src/db/manual-migrations/partition-audit-logs.ts

@@ -0,0 +1,161 @@
+import kx, { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const INTERMEDIATE_AUDIT_LOG_TABLE = "intermediate_audit_logs";
+
+const formatPartitionDate = (date: Date) => {
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, "0");
+  const day = String(date.getDate()).padStart(2, "0");
+
+  return `${year}-${month}-${day}`;
+};
+
+const createAuditLogPartition = async (knex: Knex, startDate: Date, endDate: Date) => {
+  const startDateStr = formatPartitionDate(startDate);
+  const endDateStr = formatPartitionDate(endDate);
+
+  const partitionName = `${TableName.AuditLog}_${startDateStr.replace(/-/g, "")}_${endDateStr.replace(/-/g, "")}`;
+
+  await knex.schema.raw(
+    `CREATE TABLE ${partitionName} PARTITION OF ${TableName.AuditLog} FOR VALUES FROM ('${startDateStr}') TO ('${endDateStr}')`
+  );
+};
+
+const up = async (knex: Knex): Promise<void> => {
+  console.info("Dropping primary key of audit log table...");
+  await knex.schema.alterTable(TableName.AuditLog, (t) => {
+    // remove existing keys
+    t.dropPrimary();
+  });
+
+  // Get all indices of the audit log table and drop them
+  const indexNames: { rows: { indexname: string }[] } = await knex.raw(
+    `
+    SELECT indexname
+    FROM pg_indexes
+    WHERE tablename = '${TableName.AuditLog}'
+  `
+  );
+
+  console.log(
+    "Deleting existing audit log indices:",
+    indexNames.rows.map((e) => e.indexname)
+  );
+
+  for await (const row of indexNames.rows) {
+    await knex.raw(`DROP INDEX IF EXISTS ${row.indexname}`);
+  }
+
+  // renaming audit log to intermediate table
+  console.log("Renaming audit log table to the intermediate name");
+  await knex.schema.renameTable(TableName.AuditLog, INTERMEDIATE_AUDIT_LOG_TABLE);
+
+  if (!(await knex.schema.hasTable(TableName.AuditLog))) {
+    const createTableSql = knex.schema
+      .createTable(TableName.AuditLog, (t) => {
+        t.uuid("id").defaultTo(knex.fn.uuid());
+        t.string("actor").notNullable();
+        t.jsonb("actorMetadata").notNullable();
+        t.string("ipAddress");
+        t.string("eventType").notNullable();
+        t.jsonb("eventMetadata");
+        t.string("userAgent");
+        t.string("userAgentType");
+        t.datetime("expiresAt");
+        t.timestamps(true, true, true);
+        t.uuid("orgId");
+        t.string("projectId");
+        t.string("projectName");
+        t.primary(["id", "createdAt"]);
+      })
+      .toString();
+
+    console.info("Creating partition table...");
+    await knex.schema.raw(`
+        ${createTableSql} PARTITION BY RANGE ("createdAt");
+    `);
+
+    console.log("Adding indices...");
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      t.index(["projectId", "createdAt"]);
+      t.index(["orgId", "createdAt"]);
+      t.index("expiresAt");
+      t.index("orgId");
+      t.index("projectId");
+    });
+
+    console.log("Adding GIN indices...");
+
+    await knex.raw(
+      `CREATE INDEX IF NOT EXISTS "audit_logs_actorMetadata_idx" ON ${TableName.AuditLog} USING gin("actorMetadata" jsonb_path_ops)`
+    );
+    console.log("GIN index for actorMetadata done");
+
+    await knex.raw(
+      `CREATE INDEX IF NOT EXISTS "audit_logs_eventMetadata_idx" ON ${TableName.AuditLog} USING gin("eventMetadata" jsonb_path_ops)`
+    );
+    console.log("GIN index for eventMetadata done");
+
+    // create default partition
+    console.log("Creating default partition...");
+    await knex.schema.raw(`CREATE TABLE ${TableName.AuditLog}_default PARTITION OF ${TableName.AuditLog} DEFAULT`);
+
+    const nextDate = new Date();
+    nextDate.setDate(nextDate.getDate() + 1);
+    const nextDateStr = formatPartitionDate(nextDate);
+
+    console.log("Attaching existing audit log table as a partition...");
+    await knex.schema.raw(`
+    ALTER TABLE ${INTERMEDIATE_AUDIT_LOG_TABLE} ADD CONSTRAINT audit_log_old
+    CHECK ( "createdAt" < DATE '${nextDateStr}' );
+
+    ALTER TABLE ${TableName.AuditLog} ATTACH PARTITION ${INTERMEDIATE_AUDIT_LOG_TABLE}
+    FOR VALUES FROM (MINVALUE) TO ('${nextDateStr}' );
+    `);
+
+    // create partition from now until end of month
+    console.log("Creating audit log partitions ahead of time... next date:", nextDateStr);
+    await createAuditLogPartition(knex, nextDate, new Date(nextDate.getFullYear(), nextDate.getMonth() + 1));
+
+    // create partitions 4 years ahead
+    const partitionMonths = 4 * 12;
+    const partitionPromises: Promise<void>[] = [];
+    for (let x = 1; x <= partitionMonths; x += 1) {
+      partitionPromises.push(
+        createAuditLogPartition(
+          knex,
+          new Date(nextDate.getFullYear(), nextDate.getMonth() + x, 1),
+          new Date(nextDate.getFullYear(), nextDate.getMonth() + (x + 1), 1)
+        )
+      );
+    }
+
+    await Promise.all(partitionPromises);
+    console.log("Partition migration complete");
+  }
+};
+
+export const executeMigration = async (url: string) => {
+  console.log("Executing migration...");
+  const knex = kx({
+    client: "pg",
+    connection: url
+  });
+
+  await knex.transaction(async (tx) => {
+    await up(tx);
+  });
+};
+
+const dbUrl = process.env.AUDIT_LOGS_DB_CONNECTION_URI;
+if (!dbUrl) {
+  console.error("Please provide a DB connection URL to the AUDIT_LOGS_DB_CONNECTION_URI env");
+  process.exit(1);
+}
+
+void executeMigration(dbUrl).then(() => {
+  console.log("Migration: partition-audit-logs DONE");
+  process.exit(0);
+});

backend/src/db/migrations/20241003220151_kms-key-cmek-alterations.ts

@@ -0,0 +1,46 @@
+import { Knex } from "knex";
+
+import { dropConstraintIfExists } from "@app/db/migrations/utils/dropConstraintIfExists";
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    // drop constraint if exists (won't exist if rolled back, see below)
+    await dropConstraintIfExists(TableName.KmsKey, "kms_keys_orgid_slug_unique", knex);
+
+    // projectId for CMEK functionality
+    await knex.schema.alterTable(TableName.KmsKey, (table) => {
+      table.string("projectId").nullable().references("id").inTable(TableName.Project).onDelete("CASCADE");
+
+      if (hasOrgId) {
+        table.unique(["orgId", "projectId", "slug"]);
+      }
+
+      if (hasSlug) {
+        table.renameColumn("slug", "name");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+    const hasName = await knex.schema.hasColumn(TableName.KmsKey, "name");
+
+    // remove projectId for CMEK functionality
+    await knex.schema.alterTable(TableName.KmsKey, (table) => {
+      if (hasName) {
+        table.renameColumn("name", "slug");
+      }
+
+      if (hasOrgId) {
+        table.dropUnique(["orgId", "projectId", "slug"]);
+      }
+      table.dropColumn("projectId");
+    });
+  }
+}

backend/src/db/migrations/20241005170802_kms-keys-temp-slug-col.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    if (!hasSlug) {
+      // add slug back temporarily and set value equal to name
+      await knex.schema
+        .alterTable(TableName.KmsKey, (table) => {
+          table.string("slug", 32);
+        })
+        .then(() => knex(TableName.KmsKey).update("slug", knex.ref("name")));
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    if (hasSlug) {
+      await knex.schema.alterTable(TableName.KmsKey, (table) => {
+        table.dropColumn("slug");
+      });
+    }
+  }
+}

backend/src/db/migrations/20241007052025_make-audit-log-independent.ts

@@ -0,0 +1,48 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+    const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+    const doesProjectNameExist = await knex.schema.hasColumn(TableName.AuditLog, "projectName");
+
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesOrgIdExist) {
+        t.dropForeign("orgId");
+      }
+
+      if (doesProjectIdExist) {
+        t.dropForeign("projectId");
+      }
+
+      // add normalized field
+      if (!doesProjectNameExist) {
+        t.string("projectName");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectNameExist = await knex.schema.hasColumn(TableName.AuditLog, "projectName");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesOrgIdExist) {
+        t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      }
+      if (doesProjectIdExist) {
+        t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      }
+
+      // remove normalized field
+      if (doesProjectNameExist) {
+        t.dropColumn("projectName");
+      }
+    });
+  }
+}

backend/src/db/migrations/20241007202149_default-org-membership-roles.ts

@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  // org default role
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasDefaultRoleCol = await knex.schema.hasColumn(TableName.Organization, "defaultMembershipRole");
+
+    if (!hasDefaultRoleCol) {
+      await knex.schema.alterTable(TableName.Organization, (tb) => {
+        tb.string("defaultMembershipRole").notNullable().defaultTo("member");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // org default role
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasDefaultRoleCol = await knex.schema.hasColumn(TableName.Organization, "defaultMembershipRole");
+
+    if (hasDefaultRoleCol) {
+      await knex.schema.alterTable(TableName.Organization, (tb) => {
+        tb.dropColumn("defaultMembershipRole");
+      });
+    }
+  }
+}

backend/src/db/migrations/utils/dropConstraintIfExists.ts

@@ -0,0 +1,6 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export const dropConstraintIfExists = (tableName: TableName, constraintName: string, knex: Knex) =>
+  knex.raw(`ALTER TABLE ${tableName} DROP CONSTRAINT IF EXISTS ${constraintName};`);

backend/src/db/migrations/utils/kms.ts

@@ -54,7 +54,7 @@ export const getSecretManagerDataKey = async (knex: Knex, projectId: string) =>
   } else {
     const [kmsDoc] = await knex(TableName.KmsKey)
       .insert({
-        slug: slugify(alphaNumericNanoId(8).toLowerCase()),
+        name: slugify(alphaNumericNanoId(8).toLowerCase()),
         orgId: project.orgId,
         isReserved: false
       })

backend/src/db/schemas/audit-logs.ts

@@ -20,7 +20,8 @@ export const AuditLogsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   orgId: z.string().uuid().nullable().optional(),
-  projectId: z.string().nullable().optional()
+  projectId: z.string().nullable().optional(),
+  projectName: z.string().nullable().optional()
 });
 
 export type TAuditLogs = z.infer<typeof AuditLogsSchema>;

backend/src/db/schemas/kms-keys.ts

@@ -13,9 +13,11 @@ export const KmsKeysSchema = z.object({
   isDisabled: z.boolean().default(false).nullable().optional(),
   isReserved: z.boolean().default(true).nullable().optional(),
   orgId: z.string().uuid(),
-  slug: z.string(),
+  name: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  projectId: z.string().nullable().optional(),
+  slug: z.string().nullable().optional()
 });
 
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;

backend/src/db/schemas/organizations.ts

@@ -19,7 +19,8 @@ export const OrganizationsSchema = z.object({
   authEnforced: z.boolean().default(false).nullable().optional(),
   scimEnabled: z.boolean().default(false).nullable().optional(),
   kmsDefaultKeyId: z.string().uuid().nullable().optional(),
-  kmsEncryptedDataKey: zodBuffer.nullable().optional()
+  kmsEncryptedDataKey: zodBuffer.nullable().optional(),
+  defaultMembershipRole: z.string().default("member")
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/ee/routes/v1/external-kms-router.ts

@@ -26,7 +26,7 @@ const sanitizedExternalSchemaForGetAll = KmsKeysSchema.pick({
   isDisabled: true,
   createdAt: true,
   updatedAt: true,
-  slug: true
+  name: true
 })
   .extend({
     externalKms: ExternalKmsSchema.pick({
@@ -57,7 +57,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       body: z.object({
-        slug: z.string().min(1).trim().toLowerCase(),
+        name: z.string().min(1).trim().toLowerCase(),
         description: z.string().trim().optional(),
         provider: ExternalKmsInputSchema
       }),
@@ -74,7 +74,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        slug: req.body.slug,
+        name: req.body.name,
         provider: req.body.provider,
         description: req.body.description
       });
@@ -87,7 +87,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
           metadata: {
             kmsId: externalKms.id,
             provider: req.body.provider.type,
-            slug: req.body.slug,
+            name: req.body.name,
             description: req.body.description
           }
         }
@@ -108,7 +108,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
         id: z.string().trim().min(1)
       }),
       body: z.object({
-        slug: z.string().min(1).trim().toLowerCase().optional(),
+        name: z.string().min(1).trim().toLowerCase().optional(),
         description: z.string().trim().optional(),
         provider: ExternalKmsInputUpdateSchema
       }),
@@ -125,7 +125,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        slug: req.body.slug,
+        name: req.body.name,
         provider: req.body.provider,
         description: req.body.description,
         id: req.params.id
@@ -139,7 +139,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
           metadata: {
             kmsId: externalKms.id,
             provider: req.body.provider.type,
-            slug: req.body.slug,
+            name: req.body.name,
             description: req.body.description
           }
         }
@@ -182,7 +182,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
           type: EventType.DELETE_KMS,
           metadata: {
             kmsId: externalKms.id,
-            slug: externalKms.slug
+            name: externalKms.name
           }
         }
       });
@@ -224,7 +224,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
           type: EventType.GET_KMS,
           metadata: {
             kmsId: externalKms.id,
-            slug: externalKms.slug
+            name: externalKms.name
           }
         }
       });
@@ -260,13 +260,13 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
 
   server.route({
     method: "GET",
-    url: "/slug/:slug",
+    url: "/name/:name",
     config: {
       rateLimit: readLimit
     },
     schema: {
       params: z.object({
-        slug: z.string().trim().min(1)
+        name: z.string().trim().min(1)
       }),
       response: {
         200: z.object({
@@ -276,12 +276,12 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const externalKms = await server.services.externalKms.findBySlug({
+      const externalKms = await server.services.externalKms.findByName({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        slug: req.params.slug
+        name: req.params.name
       });
       return { externalKms };
     }

backend/src/ee/routes/v1/project-router.ts

@@ -203,7 +203,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         200: z.object({
           secretManagerKmsKey: z.object({
             id: z.string(),
-            slug: z.string(),
+            name: z.string(),
             isExternal: z.boolean()
           })
         })
@@ -243,7 +243,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         200: z.object({
           secretManagerKmsKey: z.object({
             id: z.string(),
-            slug: z.string(),
+            name: z.string(),
             isExternal: z.boolean()
           })
         })
@@ -268,7 +268,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           metadata: {
             secretManagerKmsKey: {
               id: secretManagerKmsKey.id,
-              slug: secretManagerKmsKey.slug
+              name: secretManagerKmsKey.name
             }
           }
         }
@@ -336,7 +336,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         200: z.object({
           secretManagerKmsKey: z.object({
             id: z.string(),
-            slug: z.string(),
+            name: z.string(),
             isExternal: z.boolean()
           })
         })

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -1,8 +1,9 @@
-import { Knex } from "knex";
+// weird commonjs-related error in the CI requires us to do the import like this
+import knex from "knex";
 
 import { TDbClient } from "@app/db";
-import { AuditLogsSchema, TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
+import { TableName } from "@app/db/schemas";
+import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";
@@ -46,7 +47,7 @@ export const auditLogDALFactory = (db: TDbClient) => {
       eventType?: EventType[];
       eventMetadata?: Record<string, string>;
     },
-    tx?: Knex
+    tx?: knex.Knex
   ) => {
     if (!orgId && !projectId) {
       throw new Error("Either orgId or projectId must be provided");
@@ -55,11 +56,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
     try {
       // Find statements
       const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
-        .leftJoin(TableName.Project, `${TableName.AuditLog}.projectId`, `${TableName.Project}.id`)
         // eslint-disable-next-line func-names
         .where(function () {
           if (orgId) {
-            void this.where(`${TableName.Project}.orgId`, orgId).orWhere(`${TableName.AuditLog}.orgId`, orgId);
+            void this.where(`${TableName.AuditLog}.orgId`, orgId);
           } else if (projectId) {
             void this.where(`${TableName.AuditLog}.projectId`, projectId);
           }
@@ -72,23 +72,19 @@ export const auditLogDALFactory = (db: TDbClient) => {
       // Select statements
       void sqlQuery
         .select(selectAllTableCols(TableName.AuditLog))
-        .select(
-          db.ref("name").withSchema(TableName.Project).as("projectName"),
-          db.ref("slug").withSchema(TableName.Project).as("projectSlug")
-        )
         .limit(limit)
         .offset(offset)
         .orderBy(`${TableName.AuditLog}.createdAt`, "desc");
 
       // Special case: Filter by actor ID
       if (actorId) {
-        void sqlQuery.whereRaw(`"actorMetadata"->>'userId' = ?`, [actorId]);
+        void sqlQuery.whereRaw(`"actorMetadata" @> jsonb_build_object('userId', ?::text)`, [actorId]);
       }
 
       // Special case: Filter by key/value pairs in eventMetadata field
       if (eventMetadata && Object.keys(eventMetadata).length) {
         Object.entries(eventMetadata).forEach(([key, value]) => {
-          void sqlQuery.whereRaw(`"eventMetadata"->>'${key}' = ?`, [value]);
+          void sqlQuery.whereRaw(`"eventMetadata" @> jsonb_build_object(?::text, ?::text)`, [key, value]);
         });
       }
 
@@ -109,30 +105,25 @@ export const auditLogDALFactory = (db: TDbClient) => {
       if (endDate) {
         void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
       }
-      const docs = await sqlQuery;
 
-      return docs.map((doc) => {
-        // Our type system refuses to acknowledge that the project name and slug are present in the doc, due to the disjointed query structure above.
-        // This is a quick and dirty way to get around the types.
-        const projectDoc = doc as unknown as { projectName: string; projectSlug: string };
+      // we timeout long running queries to prevent DB resource issues (2 minutes)
+      const docs = await sqlQuery.timeout(1000 * 120);
 
-        return {
-          ...AuditLogsSchema.parse(doc),
-          ...(projectDoc?.projectSlug && {
-            project: {
-              name: projectDoc.projectName,
-              slug: projectDoc.projectSlug
-            }
-          })
-        };
-      });
+      return docs;
     } catch (error) {
+      if (error instanceof knex.KnexTimeoutError) {
+        throw new GatewayTimeoutError({
+          error,
+          message: "Failed to fetch audit logs due to timeout. Add more search filters."
+        });
+      }
+
       throw new DatabaseError({ error });
     }
   };
 
   // delete all audit log that have expired
-  const pruneAuditLog = async (tx?: Knex) => {
+  const pruneAuditLog = async (tx?: knex.Knex) => {
     const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
     const MAX_RETRY_ON_FAILURE = 3;
 
@@ -148,6 +139,7 @@ export const auditLogDALFactory = (db: TDbClient) => {
           .where("expiresAt", "<", today)
           .select("id")
           .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);
+
         // eslint-disable-next-line no-await-in-loop
         deletedAuditLogIds = await (tx || db)(TableName.AuditLog)
           .whereIn("id", findExpiredLogSubQuery)

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -74,6 +74,7 @@ export const auditLogQueueServiceFactory = ({
       actorMetadata: actor.metadata,
       userAgent,
       projectId,
+      projectName: project?.name,
       ipAddress,
       orgId,
       eventType: event.type,

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -1,3 +1,4 @@
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
@@ -122,6 +123,7 @@ export enum EventType {
   UPDATE_WEBHOOK_STATUS = "update-webhook-status",
   DELETE_WEBHOOK = "delete-webhook",
   GET_SECRET_IMPORTS = "get-secret-imports",
+  GET_SECRET_IMPORT = "get-secret-import",
   CREATE_SECRET_IMPORT = "create-secret-import",
   UPDATE_SECRET_IMPORT = "update-secret-import",
   DELETE_SECRET_IMPORT = "delete-secret-import",
@@ -182,7 +184,13 @@ export enum EventType {
   DELETE_SLACK_INTEGRATION = "delete-slack-integration",
   GET_PROJECT_SLACK_CONFIG = "get-project-slack-config",
   UPDATE_PROJECT_SLACK_CONFIG = "update-project-slack-config",
-  INTEGRATION_SYNCED = "integration-synced"
+  INTEGRATION_SYNCED = "integration-synced",
+  CREATE_CMEK = "create-cmek",
+  UPDATE_CMEK = "update-cmek",
+  DELETE_CMEK = "delete-cmek",
+  GET_CMEKS = "get-cmeks",
+  CMEK_ENCRYPT = "cmek-encrypt",
+  CMEK_DECRYPT = "cmek-decrypt"
 }
 
 interface UserActorMetadata {
@@ -1004,6 +1012,14 @@ interface GetSecretImportsEvent {
   };
 }
 
+interface GetSecretImportEvent {
+  type: EventType.GET_SECRET_IMPORT;
+  metadata: {
+    secretImportId: string;
+    folderId: string;
+  };
+}
+
 interface CreateSecretImportEvent {
   type: EventType.CREATE_SECRET_IMPORT;
   metadata: {
@@ -1350,7 +1366,7 @@ interface CreateKmsEvent {
   metadata: {
     kmsId: string;
     provider: string;
-    slug: string;
+    name: string;
     description?: string;
   };
 }
@@ -1359,7 +1375,7 @@ interface DeleteKmsEvent {
   type: EventType.DELETE_KMS;
   metadata: {
     kmsId: string;
-    slug: string;
+    name: string;
   };
 }
 
@@ -1368,7 +1384,7 @@ interface UpdateKmsEvent {
   metadata: {
     kmsId: string;
     provider: string;
-    slug?: string;
+    name?: string;
     description?: string;
   };
 }
@@ -1377,7 +1393,7 @@ interface GetKmsEvent {
   type: EventType.GET_KMS;
   metadata: {
     kmsId: string;
-    slug: string;
+    name: string;
   };
 }
 
@@ -1386,7 +1402,7 @@ interface UpdateProjectKmsEvent {
   metadata: {
     secretManagerKmsKey: {
       id: string;
-      slug: string;
+      name: string;
     };
   };
 }
@@ -1541,6 +1557,53 @@ interface IntegrationSyncedEvent {
   };
 }
 
+interface CreateCmekEvent {
+  type: EventType.CREATE_CMEK;
+  metadata: {
+    keyId: string;
+    name: string;
+    description?: string;
+    encryptionAlgorithm: SymmetricEncryption;
+  };
+}
+
+interface DeleteCmekEvent {
+  type: EventType.DELETE_CMEK;
+  metadata: {
+    keyId: string;
+  };
+}
+
+interface UpdateCmekEvent {
+  type: EventType.UPDATE_CMEK;
+  metadata: {
+    keyId: string;
+    name?: string;
+    description?: string;
+  };
+}
+
+interface GetCmeksEvent {
+  type: EventType.GET_CMEKS;
+  metadata: {
+    keyIds: string[];
+  };
+}
+
+interface CmekEncryptEvent {
+  type: EventType.CMEK_ENCRYPT;
+  metadata: {
+    keyId: string;
+  };
+}
+
+interface CmekDecryptEvent {
+  type: EventType.CMEK_DECRYPT;
+  metadata: {
+    keyId: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -1620,6 +1683,7 @@ export type Event =
   | UpdateWebhookStatusEvent
   | DeleteWebhookEvent
   | GetSecretImportsEvent
+  | GetSecretImportEvent
   | CreateSecretImportEvent
   | UpdateSecretImportEvent
   | DeleteSecretImportEvent
@@ -1680,4 +1744,10 @@ export type Event =
   | GetSlackIntegration
   | UpdateProjectSlackConfig
   | GetProjectSlackConfig
-  | IntegrationSyncedEvent;
+  | IntegrationSyncedEvent
+  | CreateCmekEvent
+  | UpdateCmekEvent
+  | DeleteCmekEvent
+  | GetCmeksEvent
+  | CmekEncryptEvent
+  | CmekDecryptEvent;

backend/src/ee/services/dynamic-secret/providers/ldap.ts

@@ -1,6 +1,6 @@
+import handlebars from "handlebars";
 import ldapjs from "ldapjs";
 import ldif from "ldif";
-import mustache from "mustache";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
@@ -40,7 +40,8 @@ const generateLDIF = ({
     EncodedPassword: encodePassword(password)
   };
 
-  const renderedLdif = mustache.render(ldifTemplate, data);
+  const renderTemplate = handlebars.compile(ldifTemplate);
+  const renderedLdif = renderTemplate(data);
 
   return renderedLdif;
 };

backend/src/ee/services/external-kms/external-kms-dal.ts

@@ -30,7 +30,7 @@ export const externalKmsDALFactory = (db: TDbClient) => {
         isDisabled: el.isDisabled,
         isReserved: el.isReserved,
         orgId: el.orgId,
-        slug: el.slug,
+        name: el.name,
         createdAt: el.createdAt,
         updatedAt: el.updatedAt,
         externalKms: {

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -43,7 +43,7 @@ export const externalKmsServiceFactory = ({
     provider,
     description,
     actor,
-    slug,
+    name,
     actorId,
     actorOrgId,
     actorAuthMethod
@@ -64,7 +64,7 @@ export const externalKmsServiceFactory = ({
       });
     }
 
-    const kmsSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());
+    const kmsName = name ? slugify(name) : slugify(alphaNumericNanoId(8).toLowerCase());
 
     let sanitizedProviderInput = "";
     switch (provider.type) {
@@ -96,7 +96,7 @@ export const externalKmsServiceFactory = ({
         {
           isReserved: false,
           description,
-          slug: kmsSlug,
+          name: kmsName,
           orgId: actorOrgId
         },
         tx
@@ -120,7 +120,7 @@ export const externalKmsServiceFactory = ({
     description,
     actor,
     id: kmsId,
-    slug,
+    name,
     actorId,
     actorOrgId,
     actorAuthMethod
@@ -142,7 +142,7 @@ export const externalKmsServiceFactory = ({
       });
     }
 
-    const kmsSlug = slug ? slugify(slug) : undefined;
+    const kmsName = name ? slugify(name) : undefined;
 
     const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
     if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });
@@ -188,7 +188,7 @@ export const externalKmsServiceFactory = ({
         kmsDoc.id,
         {
           description,
-          slug: kmsSlug
+          name: kmsName
         },
         tx
       );
@@ -280,14 +280,14 @@ export const externalKmsServiceFactory = ({
     }
   };
 
-  const findBySlug = async ({
+  const findByName = async ({
     actor,
     actorId,
     actorOrgId,
     actorAuthMethod,
-    slug: kmsSlug
+    name: kmsName
   }: TGetExternalKmsBySlugDTO) => {
-    const kmsDoc = await kmsDAL.findOne({ slug: kmsSlug, orgId: actorOrgId });
+    const kmsDoc = await kmsDAL.findOne({ name: kmsName, orgId: actorOrgId });
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -327,6 +327,6 @@ export const externalKmsServiceFactory = ({
     deleteById,
     list,
     findById,
-    findBySlug
+    findByName
   };
 };

backend/src/ee/services/external-kms/external-kms-types.ts

@@ -3,14 +3,14 @@ import { TOrgPermission } from "@app/lib/types";
 import { TExternalKmsInputSchema, TExternalKmsInputUpdateSchema } from "./providers/model";
 
 export type TCreateExternalKmsDTO = {
-  slug?: string;
+  name?: string;
   description?: string;
   provider: TExternalKmsInputSchema;
 } & Omit<TOrgPermission, "orgId">;
 
 export type TUpdateExternalKmsDTO = {
   id: string;
-  slug?: string;
+  name?: string;
   description?: string;
   provider?: TExternalKmsInputUpdateSchema;
 } & Omit<TOrgPermission, "orgId">;
@@ -26,5 +26,5 @@ export type TGetExternalKmsByIdDTO = {
 } & Omit<TOrgPermission, "orgId">;
 
 export type TGetExternalKmsBySlugDTO = {
-  slug: string;
+  name: string;
 } & Omit<TOrgPermission, "orgId">;

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -1,14 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 
-import {
-  OrgMembershipRole,
-  OrgMembershipStatus,
-  SecretKeyEncoding,
-  TableName,
-  TLdapConfigsUpdate,
-  TUsers
-} from "@app/db/schemas";
+import { OrgMembershipStatus, SecretKeyEncoding, TableName, TLdapConfigsUpdate, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@@ -28,6 +21,7 @@ import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
@@ -444,11 +438,14 @@ export const ldapConfigServiceFactory = ({
           { tx }
         );
         if (!orgMembership) {
+          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
+
           await orgDAL.createMembership(
             {
               userId: userAlias.userId,
               orgId,
-              role: OrgMembershipRole.Member,
+              role,
+              roleId,
               status: OrgMembershipStatus.Accepted,
               isActive: true
             },
@@ -529,12 +526,15 @@ export const ldapConfigServiceFactory = ({
         );
 
         if (!orgMembership) {
+          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
+
           await orgMembershipDAL.create(
             {
               userId: newUser.id,
               inviteEmail: email,
               orgId,
-              role: OrgMembershipRole.Member,
+              role,
+              roleId,
               status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
               isActive: true
             },

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -3,7 +3,7 @@ import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 import { Issuer, Issuer as OpenIdIssuer, Strategy as OpenIdStrategy, TokenSet } from "openid-client";
 
-import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
+import { OrgMembershipStatus, SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { TOidcConfigsUpdate } from "@app/db/schemas/oidc-configs";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
@@ -23,6 +23,7 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
@@ -187,12 +188,15 @@ export const oidcConfigServiceFactory = ({
           { tx }
         );
         if (!orgMembership) {
+          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
+
           await orgMembershipDAL.create(
             {
               userId: userAlias.userId,
               inviteEmail: email,
               orgId,
-              role: OrgMembershipRole.Member,
+              role,
+              roleId,
               status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
               isActive: true
             },
@@ -261,12 +265,15 @@ export const oidcConfigServiceFactory = ({
         );
 
         if (!orgMembership) {
+          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
+
           await orgMembershipDAL.create(
             {
               userId: newUser.id,
               inviteEmail: email,
               orgId,
-              role: OrgMembershipRole.Member,
+              role,
+              roleId,
               status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
               isActive: true
             },

backend/src/ee/services/permission/project-permission.ts

@@ -14,6 +14,15 @@ export enum ProjectPermissionActions {
   Delete = "delete"
 }
 
+export enum ProjectPermissionCmekActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  Encrypt = "encrypt",
+  Decrypt = "decrypt"
+}
+
 export enum ProjectPermissionSub {
   Role = "role",
   Member = "member",
@@ -38,7 +47,8 @@ export enum ProjectPermissionSub {
   CertificateTemplates = "certificate-templates",
   PkiAlerts = "pki-alerts",
   PkiCollections = "pki-collections",
-  Kms = "kms"
+  Kms = "kms",
+  Cmek = "cmek"
 }
 
 export type SecretSubjectFields = {
@@ -95,6 +105,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.CertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
+  | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
@@ -282,6 +293,12 @@ export const ProjectPermissionSchema = z.discriminatedUnion("subject", [
     action: CASL_ACTION_SCHEMA_ENUM([ProjectPermissionActions.Read]).describe(
       "Describe what action an entity can take."
     )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
+      "Describe what action an entity can take."
+    )
   })
 ]);
 
@@ -325,6 +342,17 @@ const buildAdminPermissionRules = () => {
   can([ProjectPermissionActions.Edit, ProjectPermissionActions.Delete], ProjectPermissionSub.Project);
   can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
   can([ProjectPermissionActions.Edit], ProjectPermissionSub.Kms);
+  can(
+    [
+      ProjectPermissionCmekActions.Create,
+      ProjectPermissionCmekActions.Edit,
+      ProjectPermissionCmekActions.Delete,
+      ProjectPermissionCmekActions.Read,
+      ProjectPermissionCmekActions.Encrypt,
+      ProjectPermissionCmekActions.Decrypt
+    ],
+    ProjectPermissionSub.Cmek
+  );
   return rules;
 };
 
@@ -444,6 +472,18 @@ const buildMemberPermissionRules = () => {
   can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
   can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
 
+  can(
+    [
+      ProjectPermissionCmekActions.Create,
+      ProjectPermissionCmekActions.Edit,
+      ProjectPermissionCmekActions.Delete,
+      ProjectPermissionCmekActions.Read,
+      ProjectPermissionCmekActions.Encrypt,
+      ProjectPermissionCmekActions.Decrypt
+    ],
+    ProjectPermissionSub.Cmek
+  );
+
   return rules;
 };
 
@@ -470,6 +510,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
+  can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
 
   return rules;
 };

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -2,7 +2,6 @@ import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 
 import {
-  OrgMembershipRole,
   OrgMembershipStatus,
   SecretKeyEncoding,
   TableName,
@@ -26,6 +25,7 @@ import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TIdentityMetadataDALFactory } from "@app/services/identity/identity-metadata-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
@@ -369,12 +369,15 @@ export const samlConfigServiceFactory = ({
           { tx }
         );
         if (!orgMembership) {
+          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
+
           await orgMembershipDAL.create(
             {
               userId: userAlias.userId,
               inviteEmail: email,
               orgId,
-              role: OrgMembershipRole.Member,
+              role,
+              roleId,
               status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
               isActive: true
             },
@@ -472,12 +475,15 @@ export const samlConfigServiceFactory = ({
         );
 
         if (!orgMembership) {
+          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
+
           await orgMembershipDAL.create(
             {
               userId: newUser.id,
               inviteEmail: email,
               orgId,
-              role: OrgMembershipRole.Member,
+              role,
+              roleId,
               status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
               isActive: true
             },

backend/src/ee/services/scim/scim-service.ts

@@ -16,6 +16,7 @@ import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { deleteOrgMembershipFn } from "@app/services/org/org-fns";
+import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
@@ -318,12 +319,15 @@ export const scimServiceFactory = ({
         );
 
         if (!orgMembership) {
+          const { role, roleId } = await getDefaultOrgMembershipRole(org.defaultMembershipRole);
+
           orgMembership = await orgMembershipDAL.create(
             {
               userId: userAlias.userId,
               inviteEmail: email,
               orgId,
-              role: OrgMembershipRole.NoAccess,
+              role,
+              roleId,
               status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
               isActive: true
             },
@@ -391,12 +395,15 @@ export const scimServiceFactory = ({
         orgMembership = foundOrgMembership;
 
         if (!orgMembership) {
+          const { role, roleId } = await getDefaultOrgMembershipRole(org.defaultMembershipRole);
+
           orgMembership = await orgMembershipDAL.create(
             {
               userId: user.id,
               inviteEmail: email,
               orgId,
-              role: OrgMembershipRole.Member,
+              role,
+              roleId,
               status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
               isActive: true
             },

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -240,7 +240,8 @@ export const secretSnapshotServiceFactory = ({
             },
             tx
           );
-          const snapshotSecrets = await snapshotSecretV2BridgeDAL.insertMany(
+
+          const snapshotSecrets = await snapshotSecretV2BridgeDAL.batchInsert(
             secretVersions.map(({ id }) => ({
               secretVersionId: id,
               envId: folder.environment.envId,
@@ -248,7 +249,8 @@ export const secretSnapshotServiceFactory = ({
             })),
             tx
           );
-          const snapshotFolders = await snapshotFolderDAL.insertMany(
+
+          const snapshotFolders = await snapshotFolderDAL.batchInsert(
             folderVersions.map(({ id }) => ({
               folderVersionId: id,
               envId: folder.environment.envId,

backend/src/lib/api-docs/constants.ts

@@ -533,7 +533,8 @@ export const ENVIRONMENTS = {
   CREATE: {
     workspaceId: "The ID of the project to create the environment in.",
     name: "The name of the environment to create.",
-    slug: "The slug of the environment to create."
+    slug: "The slug of the environment to create.",
+    position: "The position of the environment. The lowest number will be displayed as the first environment."
   },
   UPDATE: {
     workspaceId: "The ID of the project to update the environment in.",
@@ -675,6 +676,9 @@ export const SECRET_IMPORTS = {
     environment: "The slug of the environment to list secret imports from.",
     path: "The path to list secret imports from."
   },
+  GET: {
+    secretImportId: "The ID of the secret import to fetch."
+  },
   CREATE: {
     environment: "The slug of the environment to import into.",
     path: "The path to import into.",
@@ -1347,3 +1351,37 @@ export const PROJECT_ROLE = {
     projectSlug: "The slug of the project to list the roles of."
   }
 };
+
+export const KMS = {
+  CREATE_KEY: {
+    projectId: "The ID of the project to create the key in.",
+    name: "The name of the key to be created. Must be slug-friendly.",
+    description: "An optional description of the key.",
+    encryptionAlgorithm: "The algorithm to use when performing cryptographic operations with the key."
+  },
+  UPDATE_KEY: {
+    keyId: "The ID of the key to be updated.",
+    name: "The updated name of this key. Must be slug-friendly.",
+    description: "The updated description of this key.",
+    isDisabled: "The flag to enable or disable this key."
+  },
+  DELETE_KEY: {
+    keyId: "The ID of the key to be deleted."
+  },
+  LIST_KEYS: {
+    projectId: "The ID of the project to list keys from.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th key.",
+    limit: "The number of keys to return.",
+    orderBy: "The column to order keys by.",
+    orderDirection: "The direction to order keys in.",
+    search: "The text string to filter key names by."
+  },
+  ENCRYPT: {
+    keyId: "The ID of the key to encrypt the data with.",
+    plaintext: "The plaintext to be encrypted (base64 encoded)."
+  },
+  DECRYPT: {
+    keyId: "The ID of the key to decrypt the data with.",
+    ciphertext: "The ciphertext to be decrypted (base64 encoded)."
+  }
+};

backend/src/lib/base64/index.ts

@@ -0,0 +1,28 @@
+// Credit: https://github.com/miguelmota/is-base64
+export const isBase64 = (
+  v: string,
+  opts = { allowEmpty: false, mimeRequired: false, allowMime: true, paddingRequired: false }
+) => {
+  if (opts.allowEmpty === false && v === "") {
+    return false;
+  }
+
+  let regex = "(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+/]{3}=)?";
+  const mimeRegex = "(data:\\w+\\/[a-zA-Z\\+\\-\\.]+;base64,)";
+
+  if (opts.mimeRequired === true) {
+    regex = mimeRegex + regex;
+  } else if (opts.allowMime === true) {
+    regex = `${mimeRegex}?${regex}`;
+  }
+
+  if (opts.paddingRequired === false) {
+    regex = "(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}(==)?|[A-Za-z0-9+\\/]{3}=?)?";
+  }
+
+  return new RegExp(`^${regex}$`, "gi").test(v);
+};
+
+export const getBase64SizeInBytes = (base64String: string) => {
+  return Buffer.from(base64String, "base64").length;
+};

backend/src/lib/config/env.ts

@@ -34,6 +34,12 @@ const envSchema = z
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
       `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
     ),
+    AUDIT_LOGS_DB_CONNECTION_URI: zpStr(
+      z.string().describe("Postgres database connection string for Audit logs").optional()
+    ),
+    AUDIT_LOGS_DB_ROOT_CERT: zpStr(
+      z.string().describe("Postgres database base64-encoded CA cert for Audit logs").optional()
+    ),
     MAX_LEASE_LIMIT: z.coerce.number().default(10000),
     DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
     DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),

backend/src/lib/errors/index.ts

@@ -23,6 +23,18 @@ export class InternalServerError extends Error {
   }
 }
 
+export class GatewayTimeoutError extends Error {
+  name: string;
+
+  error: unknown;
+
+  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown }) {
+    super(message || "Timeout error");
+    this.name = name || "GatewayTimeoutError";
+    this.error = error;
+  }
+}
+
 export class UnauthorizedError extends Error {
   name: string;
 

backend/src/lib/fn/array.ts

@@ -70,3 +70,14 @@ export const objectify = <T, Key extends string | number | symbol, Value = T>(
     {} as Record<Key, Value>
   );
 };
+
+/**
+ * Chunks an array into smaller arrays of the given size.
+ */
+export const chunkArray = <T>(array: T[], chunkSize: number): T[][] => {
+  const chunks: T[][] = [];
+  for (let i = 0; i < array.length; i += chunkSize) {
+    chunks.push(array.slice(i, i + chunkSize));
+  }
+  return chunks;
+};

backend/src/lib/knex/scim.ts

@@ -8,12 +8,14 @@ const appendParentToGroupingOperator = (parentPath: string, filter: Filter) => {
   return filter;
 };
 
-export const generateKnexQueryFromScim = (
+const processDynamicQuery = (
   rootQuery: Knex.QueryBuilder,
-  rootScimFilter: string,
-  getAttributeField: (attr: string) => string | null
+  scimRootFilterAst: Filter,
+  getAttributeField: (attr: string) => string | null,
+  depth = 0
 ) => {
-  const scimRootFilterAst = parse(rootScimFilter);
+  if (depth > 20) return;
+
   const stack = [
     {
       scimFilterAst: scimRootFilterAst,
@@ -75,42 +77,35 @@ export const generateKnexQueryFromScim = (
         break;
       }
       case "and": {
-        void query.andWhere((subQueryBuilder) => {
-          scimFilterAst.filters.forEach((el) => {
-            stack.push({
-              query: subQueryBuilder,
-              scimFilterAst: el
-            });
+        scimFilterAst.filters.forEach((el) => {
+          void query.andWhere((subQueryBuilder) => {
+            processDynamicQuery(subQueryBuilder, el, getAttributeField, depth + 1);
           });
         });
         break;
       }
       case "or": {
-        void query.orWhere((subQueryBuilder) => {
-          scimFilterAst.filters.forEach((el) => {
-            stack.push({
-              query: subQueryBuilder,
-              scimFilterAst: el
-            });
+        scimFilterAst.filters.forEach((el) => {
+          void query.orWhere((subQueryBuilder) => {
+            processDynamicQuery(subQueryBuilder, el, getAttributeField, depth + 1);
           });
         });
         break;
       }
       case "not": {
         void query.whereNot((subQueryBuilder) => {
-          stack.push({
-            query: subQueryBuilder,
-            scimFilterAst: scimFilterAst.filter
-          });
+          processDynamicQuery(subQueryBuilder, scimFilterAst.filter, getAttributeField, depth + 1);
         });
         break;
       }
       case "[]": {
-        void query.whereNot((subQueryBuilder) => {
-          stack.push({
-            query: subQueryBuilder,
-            scimFilterAst: appendParentToGroupingOperator(scimFilterAst.attrPath, scimFilterAst.valFilter)
-          });
+        void query.where((subQueryBuilder) => {
+          processDynamicQuery(
+            subQueryBuilder,
+            appendParentToGroupingOperator(scimFilterAst.attrPath, scimFilterAst.valFilter),
+            getAttributeField,
+            depth + 1
+          );
         });
         break;
       }
@@ -119,3 +114,12 @@ export const generateKnexQueryFromScim = (
     }
   }
 };
+
+export const generateKnexQueryFromScim = (
+  rootQuery: Knex.QueryBuilder,
+  rootScimFilter: string,
+  getAttributeField: (attr: string) => string | null
+) => {
+  const scimRootFilterAst = parse(rootScimFilter);
+  return processDynamicQuery(rootQuery, scimRootFilterAst, getAttributeField);
+};

backend/src/main.ts

@@ -1,7 +1,7 @@
 import dotenv from "dotenv";
 import path from "path";
 
-import { initDbConnection } from "./db";
+import { initAuditLogDbConnection, initDbConnection } from "./db";
 import { keyStoreFactory } from "./keystore/keystore";
 import { formatSmtpConfig, initEnvConfig, IS_PACKAGED } from "./lib/config/env";
 import { isMigrationMode } from "./lib/fn";
@@ -25,6 +25,13 @@ const run = async () => {
     }))
   });
 
+  const auditLogDb = appCfg.AUDIT_LOGS_DB_CONNECTION_URI
+    ? initAuditLogDbConnection({
+        dbConnectionUri: appCfg.AUDIT_LOGS_DB_CONNECTION_URI,
+        dbRootCert: appCfg.AUDIT_LOGS_DB_ROOT_CERT
+      })
+    : undefined;
+
   // Case: App is running in packaged mode (binary), and migration mode is enabled.
   // Run the migrations and exit the process after completion.
   if (IS_PACKAGED && isMigrationMode()) {
@@ -46,7 +53,7 @@ const run = async () => {
   const queue = queueServiceFactory(appCfg.REDIS_URL);
   const keyStore = keyStoreFactory(appCfg.REDIS_URL);
 
-  const server = await main({ db, smtp, logger, queue, keyStore });
+  const server = await main({ db, auditLogDb, smtp, logger, queue, keyStore });
   const bootstrap = await bootstrapCheck({ db });
 
   // eslint-disable-next-line

backend/src/queue/queue-service.ts

@@ -1,7 +1,7 @@
 import { Job, JobsOptions, Queue, QueueOptions, RepeatOptions, Worker, WorkerListener } from "bullmq";
 import Redis from "ioredis";
 
-import { SecretKeyEncoding } from "@app/db/schemas";
+import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import {
   TScanFullRepoEventPayload,
@@ -32,7 +32,8 @@ export enum QueueName {
   SecretReplication = "secret-replication",
   SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
   ProjectV3Migration = "project-v3-migration",
-  AccessTokenStatusUpdate = "access-token-status-update"
+  AccessTokenStatusUpdate = "access-token-status-update",
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
 }
 
 export enum QueueJobs {
@@ -56,7 +57,8 @@ export enum QueueJobs {
   SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
   ProjectV3Migration = "project-v3-migration",
   IdentityAccessTokenStatusUpdate = "identity-access-token-status-update",
-  ServiceTokenStatusUpdate = "service-token-status-update"
+  ServiceTokenStatusUpdate = "service-token-status-update",
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
 }
 
 export type TQueueJobTypes = {
@@ -166,6 +168,19 @@ export type TQueueJobTypes = {
     name: QueueJobs.ProjectV3Migration;
     payload: { projectId: string };
   };
+  [QueueName.ImportSecretsFromExternalSource]: {
+    name: QueueJobs.ImportSecretsFromExternalSource;
+    payload: {
+      actorEmail: string;
+      data: {
+        iv: string;
+        tag: string;
+        ciphertext: string;
+        algorithm: SecretEncryptionAlgo;
+        encoding: SecretKeyEncoding;
+      };
+    };
+  };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;

backend/src/server/app.ts

@@ -30,6 +30,7 @@ import { fastifySwagger } from "./plugins/swagger";
 import { registerRoutes } from "./routes";
 
 type TMain = {
+  auditLogDb?: Knex;
   db: Knex;
   smtp: TSmtpService;
   logger?: Logger;
@@ -38,7 +39,7 @@ type TMain = {
 };
 
 // Run the server!
-export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {
+export const main = async ({ db, auditLogDb, smtp, logger, queue, keyStore }: TMain) => {
   const appCfg = getConfig();
   const server = fastify({
     logger: appCfg.NODE_ENV === "test" ? false : logger,
@@ -94,7 +95,7 @@ export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {
 
     await server.register(maintenanceMode);
 
-    await server.register(registerRoutes, { smtp, queue, db, keyStore });
+    await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore });
 
     if (appCfg.isProductionMode) {
       await server.register(registerExternalNextjs, {

backend/src/server/plugins/add-errors-to-response-schemas.ts

@@ -3,9 +3,12 @@ import fp from "fastify-plugin";
 
 import { DefaultResponseErrorsSchema } from "../routes/sanitizedSchemas";
 
+const isScimRoutes = (pathname: string) =>
+  pathname.startsWith("/api/v1/scim/Users") || pathname.startsWith("/api/v1/scim/Groups");
+
 export const addErrorsToResponseSchemas = fp(async (server) => {
   server.addHook("onRoute", (routeOptions) => {
-    if (routeOptions.schema && routeOptions.schema.response) {
+    if (routeOptions.schema && routeOptions.schema.response && !isScimRoutes(routeOptions.path)) {
       routeOptions.schema.response = {
         ...DefaultResponseErrorsSchema,
         ...routeOptions.schema.response

backend/src/server/plugins/error-handler.ts

@@ -7,6 +7,7 @@ import {
   BadRequestError,
   DatabaseError,
   ForbiddenRequestError,
+  GatewayTimeoutError,
   InternalServerError,
   NotFoundError,
   ScimRequestError,
@@ -25,7 +26,8 @@ enum HttpStatusCodes {
   Unauthorized = 401,
   Forbidden = 403,
   // eslint-disable-next-line @typescript-eslint/no-shadow
-  InternalServerError = 500
+  InternalServerError = 500,
+  GatewayTimeout = 504
 }
 
 export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider) => {
@@ -47,6 +49,10 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
       void res
         .status(HttpStatusCodes.InternalServerError)
         .send({ statusCode: HttpStatusCodes.InternalServerError, message: "Something went wrong", error: error.name });
+    } else if (error instanceof GatewayTimeoutError) {
+      void res
+        .status(HttpStatusCodes.GatewayTimeout)
+        .send({ statusCode: HttpStatusCodes.GatewayTimeout, message: error.message, error: error.name });
     } else if (error instanceof ZodError) {
       void res
         .status(HttpStatusCodes.Unauthorized)
@@ -91,7 +97,11 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
         message
       });
     } else {
-      void res.send(error);
+      void res.status(HttpStatusCodes.InternalServerError).send({
+        statusCode: HttpStatusCodes.InternalServerError,
+        error: "InternalServerError",
+        message: "Something went wrong"
+      });
     }
   });
 });

backend/src/server/routes/index.ts

@@ -96,6 +96,8 @@ import { certificateAuthorityServiceFactory } from "@app/services/certificate-au
 import { certificateTemplateDALFactory } from "@app/services/certificate-template/certificate-template-dal";
 import { certificateTemplateEstConfigDALFactory } from "@app/services/certificate-template/certificate-template-est-config-dal";
 import { certificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
+import { cmekServiceFactory } from "@app/services/cmek/cmek-service";
+import { externalMigrationQueueFactory } from "@app/services/external-migration/external-migration-queue";
 import { externalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { groupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { groupProjectMembershipRoleDALFactory } from "@app/services/group-project/group-project-membership-role-dal";
@@ -213,11 +215,12 @@ import { registerV3Routes } from "./v3";
 export const registerRoutes = async (
   server: FastifyZodProvider,
   {
+    auditLogDb,
     db,
     smtp: smtpService,
     queue: queueService,
     keyStore
-  }: { db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
+  }: { auditLogDb?: Knex; db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
 ) => {
   const appCfg = getConfig();
   if (!appCfg.DISABLE_SECRET_SCANNING) {
@@ -282,7 +285,7 @@ export const registerRoutes = async (
   const identityOidcAuthDAL = identityOidcAuthDALFactory(db);
   const identityAzureAuthDAL = identityAzureAuthDALFactory(db);
 
-  const auditLogDAL = auditLogDALFactory(db);
+  const auditLogDAL = auditLogDALFactory(auditLogDb ?? db);
   const auditLogStreamDAL = auditLogStreamDALFactory(db);
   const trustedIpDAL = trustedIpDALFactory(db);
   const telemetryDAL = telemetryDALFactory(db);
@@ -530,7 +533,7 @@ export const registerRoutes = async (
     orgService,
     licenseService
   });
-  const orgRoleService = orgRoleServiceFactory({ permissionService, orgRoleDAL });
+  const orgRoleService = orgRoleServiceFactory({ permissionService, orgRoleDAL, orgDAL });
   const superAdminService = superAdminServiceFactory({
     userDAL,
     authService: loginService,
@@ -1194,12 +1197,32 @@ export const registerRoutes = async (
     workflowIntegrationDAL
   });
 
-  const migrationService = externalMigrationServiceFactory({
-    projectService,
-    orgService,
+  const cmekService = cmekServiceFactory({
+    kmsDAL,
+    kmsService,
+    permissionService
+  });
+
+  const externalMigrationQueue = externalMigrationQueueFactory({
     projectEnvService,
-    permissionService,
-    secretService
+    projectDAL,
+    projectService,
+    smtpService,
+    kmsService,
+    projectEnvDAL,
+    secretVersionDAL: secretVersionV2BridgeDAL,
+    secretTagDAL,
+    secretVersionTagDAL: secretVersionTagV2BridgeDAL,
+    folderDAL,
+    secretDAL: secretV2BridgeDAL,
+    queueService,
+    secretV2BridgeService
+  });
+
+  const migrationService = externalMigrationServiceFactory({
+    externalMigrationQueue,
+    userDAL,
+    permissionService
   });
 
   await superAdminService.initServerCfg();
@@ -1283,6 +1306,7 @@ export const registerRoutes = async (
     secretSharing: secretSharingService,
     userEngagement: userEngagementService,
     externalKms: externalKmsService,
+    cmek: cmekService,
     orgAdmin: orgAdminService,
     slack: slackService,
     workflowIntegration: workflowIntegrationService,

backend/src/server/routes/v1/cmek-router.ts

@@ -0,0 +1,331 @@
+import slugify from "@sindresorhus/slugify";
+import { z } from "zod";
+
+import { InternalKmsSchema, KmsKeysSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KMS } from "@app/lib/api-docs";
+import { getBase64SizeInBytes, isBase64 } from "@app/lib/base64";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { OrderByDirection } from "@app/lib/types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { CmekOrderBy } from "@app/services/cmek/cmek-types";
+
+const keyNameSchema = z
+  .string()
+  .trim()
+  .min(1)
+  .max(32)
+  .toLowerCase()
+  .refine((v) => slugify(v) === v, {
+    message: "Name must be slug friendly"
+  });
+const keyDescriptionSchema = z.string().trim().max(500).optional();
+
+const base64Schema = z.string().superRefine((val, ctx) => {
+  if (!isBase64(val)) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "plaintext must be base64 encoded"
+    });
+  }
+
+  if (getBase64SizeInBytes(val) > 4096) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "data cannot exceed 4096 bytes"
+    });
+  }
+});
+
+export const registerCmekRouter = async (server: FastifyZodProvider) => {
+  // create encryption key
+  server.route({
+    method: "POST",
+    url: "/keys",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Create KMS key",
+      body: z.object({
+        projectId: z.string().describe(KMS.CREATE_KEY.projectId),
+        name: keyNameSchema.describe(KMS.CREATE_KEY.name),
+        description: keyDescriptionSchema.describe(KMS.CREATE_KEY.description),
+        encryptionAlgorithm: z
+          .nativeEnum(SymmetricEncryption)
+          .optional()
+          .default(SymmetricEncryption.AES_GCM_256)
+          .describe(KMS.CREATE_KEY.encryptionAlgorithm) // eventually will support others
+      }),
+      response: {
+        200: z.object({
+          key: KmsKeysSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        body: { projectId, name, description, encryptionAlgorithm },
+        permission
+      } = req;
+
+      const cmek = await server.services.cmek.createCmek(
+        { orgId: permission.orgId, projectId, name, description, encryptionAlgorithm },
+        permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.CREATE_CMEK,
+          metadata: {
+            keyId: cmek.id,
+            name,
+            description,
+            encryptionAlgorithm
+          }
+        }
+      });
+
+      return { key: cmek };
+    }
+  });
+
+  // update KMS key
+  server.route({
+    method: "PATCH",
+    url: "/keys/:keyId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Update KMS key",
+      params: z.object({
+        keyId: z.string().uuid().describe(KMS.UPDATE_KEY.keyId)
+      }),
+      body: z.object({
+        name: keyNameSchema.optional().describe(KMS.UPDATE_KEY.name),
+        isDisabled: z.boolean().optional().describe(KMS.UPDATE_KEY.isDisabled),
+        description: keyDescriptionSchema.describe(KMS.UPDATE_KEY.description)
+      }),
+      response: {
+        200: z.object({
+          key: KmsKeysSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { keyId },
+        body,
+        permission
+      } = req;
+
+      const cmek = await server.services.cmek.updateCmekById({ keyId, ...body }, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: permission.orgId,
+        event: {
+          type: EventType.UPDATE_CMEK,
+          metadata: {
+            keyId,
+            ...body
+          }
+        }
+      });
+
+      return { key: cmek };
+    }
+  });
+
+  // delete KMS key
+  server.route({
+    method: "DELETE",
+    url: "/keys/:keyId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Delete KMS key",
+      params: z.object({
+        keyId: z.string().uuid().describe(KMS.DELETE_KEY.keyId)
+      }),
+      response: {
+        200: z.object({
+          key: KmsKeysSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { keyId },
+        permission
+      } = req;
+
+      const cmek = await server.services.cmek.deleteCmekById(keyId, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: permission.orgId,
+        event: {
+          type: EventType.DELETE_CMEK,
+          metadata: {
+            keyId
+          }
+        }
+      });
+
+      return { key: cmek };
+    }
+  });
+
+  // list KMS keys
+  server.route({
+    method: "GET",
+    url: "/keys",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List KMS keys",
+      querystring: z.object({
+        projectId: z.string().describe(KMS.LIST_KEYS.projectId),
+        offset: z.coerce.number().min(0).optional().default(0).describe(KMS.LIST_KEYS.offset),
+        limit: z.coerce.number().min(1).max(100).optional().default(100).describe(KMS.LIST_KEYS.limit),
+        orderBy: z.nativeEnum(CmekOrderBy).optional().default(CmekOrderBy.Name).describe(KMS.LIST_KEYS.orderBy),
+        orderDirection: z
+          .nativeEnum(OrderByDirection)
+          .optional()
+          .default(OrderByDirection.ASC)
+          .describe(KMS.LIST_KEYS.orderDirection),
+        search: z.string().trim().optional().describe(KMS.LIST_KEYS.search)
+      }),
+      response: {
+        200: z.object({
+          keys: KmsKeysSchema.merge(InternalKmsSchema.pick({ version: true, encryptionAlgorithm: true })).array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId, ...dto },
+        permission
+      } = req;
+
+      const { cmeks, totalCount } = await server.services.cmek.listCmeksByProjectId({ projectId, ...dto }, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.GET_CMEKS,
+          metadata: {
+            keyIds: cmeks.map((key) => key.id)
+          }
+        }
+      });
+
+      return { keys: cmeks, totalCount };
+    }
+  });
+
+  // encrypt data
+  server.route({
+    method: "POST",
+    url: "/keys/:keyId/encrypt",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Encrypt data with KMS key",
+      params: z.object({
+        keyId: z.string().uuid().describe(KMS.ENCRYPT.keyId)
+      }),
+      body: z.object({
+        plaintext: base64Schema.describe(KMS.ENCRYPT.plaintext)
+      }),
+      response: {
+        200: z.object({
+          ciphertext: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { keyId },
+        body: { plaintext },
+        permission
+      } = req;
+
+      const ciphertext = await server.services.cmek.cmekEncrypt({ keyId, plaintext }, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: permission.orgId,
+        event: {
+          type: EventType.CMEK_ENCRYPT,
+          metadata: {
+            keyId
+          }
+        }
+      });
+
+      return { ciphertext };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/keys/:keyId/decrypt",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Decrypt data with KMS key",
+      params: z.object({
+        keyId: z.string().uuid().describe(KMS.ENCRYPT.keyId)
+      }),
+      body: z.object({
+        ciphertext: base64Schema.describe(KMS.ENCRYPT.plaintext)
+      }),
+      response: {
+        200: z.object({
+          plaintext: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { keyId },
+        body: { ciphertext },
+        permission
+      } = req;
+
+      const plaintext = await server.services.cmek.cmekDecrypt({ keyId, ciphertext }, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: permission.orgId,
+        event: {
+          type: EventType.CMEK_DECRYPT,
+          metadata: {
+            keyId
+          }
+        }
+      });
+
+      return { plaintext };
+    }
+  });
+};

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -22,7 +22,7 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
     schema: {
       description: "Login with AWS Auth",
       body: z.object({
-        identityId: z.string().describe(AWS_AUTH.LOGIN.identityId),
+        identityId: z.string().trim().describe(AWS_AUTH.LOGIN.identityId),
         iamHttpRequestMethod: z.string().default("POST").describe(AWS_AUTH.LOGIN.iamHttpRequestMethod),
         iamRequestBody: z.string().describe(AWS_AUTH.LOGIN.iamRequestBody),
         iamRequestHeaders: z.string().describe(AWS_AUTH.LOGIN.iamRequestHeaders)

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -21,7 +21,7 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
     schema: {
       description: "Login with Azure Auth",
       body: z.object({
-        identityId: z.string().describe(AZURE_AUTH.LOGIN.identityId),
+        identityId: z.string().trim().describe(AZURE_AUTH.LOGIN.identityId),
         jwt: z.string()
       }),
       response: {

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -19,7 +19,7 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
     schema: {
       description: "Login with GCP Auth",
       body: z.object({
-        identityId: z.string().describe(GCP_AUTH.LOGIN.identityId),
+        identityId: z.string().trim().describe(GCP_AUTH.LOGIN.identityId).trim(),
         jwt: z.string()
       }),
       response: {

backend/src/server/routes/v1/index.ts

@@ -1,3 +1,4 @@
+import { registerCmekRouter } from "@app/server/routes/v1/cmek-router";
 import { registerDashboardRouter } from "@app/server/routes/v1/dashboard-router";
 
 import { registerAdminRouter } from "./admin-router";
@@ -103,6 +104,6 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerIdentityRouter, { prefix: "/identities" });
   await server.register(registerSecretSharingRouter, { prefix: "/secret-sharing" });
   await server.register(registerUserEngagementRouter, { prefix: "/user-engagement" });
-
   await server.register(registerDashboardRouter, { prefix: "/dashboard" });
+  await server.register(registerCmekRouter, { prefix: "/kms" });
 };

backend/src/server/routes/v1/integration-router.ts

@@ -52,7 +52,13 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          integration: IntegrationsSchema
+          integration: IntegrationsSchema.extend({
+            environment: z.object({
+              slug: z.string().trim(),
+              name: z.string().trim(),
+              id: z.string().trim()
+            })
+          })
         })
       }
     },
@@ -138,7 +144,13 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          integration: IntegrationsSchema
+          integration: IntegrationsSchema.extend({
+            environment: z.object({
+              slug: z.string().trim(),
+              name: z.string().trim(),
+              id: z.string().trim()
+            })
+          })
         })
       }
     },

backend/src/server/routes/v1/organization-router.ts

@@ -1,3 +1,4 @@
+import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
 import {
@@ -11,8 +12,6 @@ import {
 } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
 import { getLastMidnightDateISO } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -125,12 +124,6 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
           })
             .merge(
               z.object({
-                project: z
-                  .object({
-                    name: z.string(),
-                    slug: z.string()
-                  })
-                  .optional(),
                 event: z.object({
                   type: z.string(),
                   metadata: z.any()
@@ -147,11 +140,6 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const appCfg = getConfig();
-      if (appCfg.isCloud) {
-        throw new BadRequestError({ message: "Infisical cloud audit log is in maintenance mode." });
-      }
-
       const auditLogs = await server.services.auditLog.listAuditLogs({
         filter: {
           ...req.query,
@@ -168,6 +156,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         actorAuthMethod: req.permission.authMethod,
         actor: req.permission.type
       });
+
       return { auditLogs };
     }
   });
@@ -229,7 +218,15 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
           .regex(/^[a-zA-Z0-9-]+$/, "Slug must only contain alphanumeric characters or hyphens")
           .optional(),
         authEnforced: z.boolean().optional(),
-        scimEnabled: z.boolean().optional()
+        scimEnabled: z.boolean().optional(),
+        defaultMembershipRoleSlug: z
+          .string()
+          .min(1)
+          .trim()
+          .refine((v) => slugify(v) === v, {
+            message: "Membership role must be a valid slug"
+          })
+          .optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/project-env-router.ts

@@ -4,7 +4,7 @@ import { z } from "zod";
 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ENVIRONMENTS } from "@app/lib/api-docs";
-import { writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -23,6 +23,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
+        // NOTE(daniel): workspaceId isn't used, but we need to keep it for backwards compatibility. The endpoint defined below, uses no project ID, and is takes a pure environment ID.
         workspaceId: z.string().trim().describe(ENVIRONMENTS.GET.workspaceId),
         envId: z.string().trim().describe(ENVIRONMENTS.GET.id)
       }),
@@ -39,7 +40,53 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
-        projectId: req.params.workspaceId,
+        id: req.params.envId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: environment.projectId,
+        event: {
+          type: EventType.GET_ENVIRONMENT,
+          metadata: {
+            id: environment.id
+          }
+        }
+      });
+
+      return { environment };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/environments/:envId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get Environment by ID",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        envId: z.string().trim().describe(ENVIRONMENTS.GET.id)
+      }),
+      response: {
+        200: z.object({
+          environment: ProjectEnvironmentsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const environment = await server.services.projectEnv.getEnvironmentById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
         id: req.params.envId
       });
 
@@ -76,6 +123,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
       }),
       body: z.object({
         name: z.string().trim().describe(ENVIRONMENTS.CREATE.name),
+        position: z.number().min(1).optional().describe(ENVIRONMENTS.CREATE.position),
         slug: z
           .string()
           .trim()

backend/src/server/routes/v1/secret-folder-router.ts

@@ -365,7 +365,15 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       }),
       response: {
         200: z.object({
-          folder: SecretFoldersSchema
+          folder: SecretFoldersSchema.extend({
+            environment: z.object({
+              envId: z.string(),
+              envName: z.string(),
+              envSlug: z.string()
+            }),
+            path: z.string(),
+            projectId: z.string()
+          })
         })
       }
     },

backend/src/server/routes/v1/secret-import-router.ts

@@ -312,6 +312,64 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
     }
   });
 
+  server.route({
+    url: "/:secretImportId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get single secret import",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        secretImportId: z.string().trim().describe(SECRET_IMPORTS.GET.secretImportId)
+      }),
+      response: {
+        200: z.object({
+          secretImport: SecretImportsSchema.omit({ importEnv: true }).extend({
+            environment: z.object({
+              id: z.string(),
+              name: z.string(),
+              slug: z.string()
+            }),
+            projectId: z.string(),
+            importEnv: z.object({ name: z.string(), slug: z.string(), id: z.string() }),
+            secretPath: z.string()
+          })
+        })
+      }
+    },
+
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const secretImport = await server.services.secretImport.getImportById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.secretImportId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: secretImport.projectId,
+        event: {
+          type: EventType.GET_SECRET_IMPORT,
+          metadata: {
+            secretImportId: secretImport.id,
+            folderId: secretImport.folderId
+          }
+        }
+      });
+
+      return { secretImport };
+    }
+  });
+
   server.route({
     url: "/secrets",
     method: "GET",

backend/src/server/routes/v3/external-migration-router.ts

@@ -1,30 +1,50 @@
-import { z } from "zod";
+import fastifyMultipart from "@fastify/multipart";
 
+import { BadRequestError } from "@app/lib/errors";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
+const MB25_IN_BYTES = 26214400;
+
 export const registerExternalMigrationRouter = async (server: FastifyZodProvider) => {
+  await server.register(fastifyMultipart);
+
   server.route({
     method: "POST",
+    bodyLimit: MB25_IN_BYTES,
     url: "/env-key",
     config: {
       rateLimit: readLimit
     },
-    schema: {
-      body: z.object({
-        decryptionKey: z.string().trim().min(1),
-        encryptedJson: z.object({
-          nonce: z.string().trim().min(1),
-          data: z.string().trim().min(1)
-        })
-      })
-    },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const data = await req.file({
+        limits: {
+          fileSize: MB25_IN_BYTES
+        }
+      });
+
+      if (!data) {
+        throw new BadRequestError({ message: "No file provided" });
+      }
+
+      const fullFile = Buffer.from(await data.toBuffer()).toString("utf8");
+      const parsedJsonFile = JSON.parse(fullFile) as { nonce: string; data: string };
+
+      const decryptionKey = (data.fields.decryptionKey as { value: string }).value;
+
+      if (!parsedJsonFile.nonce || !parsedJsonFile.data) {
+        throw new BadRequestError({ message: "Invalid file format. Nonce or data missing." });
+      }
+
+      if (!decryptionKey) {
+        throw new BadRequestError({ message: "Decryption key is required" });
+      }
+
       await server.services.migration.importEnvKeyData({
-        decryptionKey: req.body.decryptionKey,
-        encryptedJson: req.body.encryptedJson,
+        decryptionKey,
+        encryptedJson: parsedJsonFile,
         actorId: req.permission.id,
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,

backend/src/services/cmek/cmek-service.ts

@@ -0,0 +1,169 @@
+import { ForbiddenError } from "@casl/ability";
+import { FastifyRequest } from "fastify";
+
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import {
+  TCmekDecryptDTO,
+  TCmekEncryptDTO,
+  TCreateCmekDTO,
+  TListCmeksByProjectIdDTO,
+  TUpdabteCmekByIdDTO
+} from "@app/services/cmek/cmek-types";
+import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+type TCmekServiceFactoryDep = {
+  kmsService: TKmsServiceFactory;
+  kmsDAL: TKmsKeyDALFactory;
+  permissionService: TPermissionServiceFactory;
+};
+
+export type TCmekServiceFactory = ReturnType<typeof cmekServiceFactory>;
+
+export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TCmekServiceFactoryDep) => {
+  const createCmek = async ({ projectId, ...dto }: TCreateCmekDTO, actor: FastifyRequest["permission"]) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Create, ProjectPermissionSub.Cmek);
+
+    const cmek = await kmsService.generateKmsKey({
+      ...dto,
+      projectId,
+      isReserved: false
+    });
+
+    return cmek;
+  };
+
+  const updateCmekById = async ({ keyId, ...data }: TUpdabteCmekByIdDTO, actor: FastifyRequest["permission"]) => {
+    const key = await kmsDAL.findById(keyId);
+
+    if (!key) throw new NotFoundError({ message: "Key not found" });
+
+    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Edit, ProjectPermissionSub.Cmek);
+
+    const cmek = await kmsDAL.updateById(keyId, data);
+
+    return cmek;
+  };
+
+  const deleteCmekById = async (keyId: string, actor: FastifyRequest["permission"]) => {
+    const key = await kmsDAL.findById(keyId);
+
+    if (!key) throw new NotFoundError({ message: "Key not found" });
+
+    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Delete, ProjectPermissionSub.Cmek);
+
+    const cmek = kmsDAL.deleteById(keyId);
+
+    return cmek;
+  };
+
+  const listCmeksByProjectId = async (
+    { projectId, ...filters }: TListCmeksByProjectIdDTO,
+    actor: FastifyRequest["permission"]
+  ) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
+
+    const { keys: cmeks, totalCount } = await kmsDAL.findKmsKeysByProjectId({ projectId, ...filters });
+
+    return { cmeks, totalCount };
+  };
+
+  const cmekEncrypt = async ({ keyId, plaintext }: TCmekEncryptDTO, actor: FastifyRequest["permission"]) => {
+    const key = await kmsDAL.findById(keyId);
+
+    if (!key) throw new NotFoundError({ message: "Key not found" });
+
+    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
+
+    if (key.isDisabled) throw new BadRequestError({ message: "Key is disabled" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Encrypt, ProjectPermissionSub.Cmek);
+
+    const encrypt = await kmsService.encryptWithKmsKey({ kmsId: keyId });
+
+    const { cipherTextBlob } = await encrypt({ plainText: Buffer.from(plaintext, "base64") });
+
+    return cipherTextBlob.toString("base64");
+  };
+
+  const cmekDecrypt = async ({ keyId, ciphertext }: TCmekDecryptDTO, actor: FastifyRequest["permission"]) => {
+    const key = await kmsDAL.findById(keyId);
+
+    if (!key) throw new NotFoundError({ message: "Key not found" });
+
+    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
+
+    if (key.isDisabled) throw new BadRequestError({ message: "Key is disabled" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Decrypt, ProjectPermissionSub.Cmek);
+
+    const decrypt = await kmsService.decryptWithKmsKey({ kmsId: keyId });
+
+    const plaintextBlob = await decrypt({ cipherTextBlob: Buffer.from(ciphertext, "base64") });
+
+    return plaintextBlob.toString("base64");
+  };
+
+  return {
+    createCmek,
+    updateCmekById,
+    deleteCmekById,
+    listCmeksByProjectId,
+    cmekEncrypt,
+    cmekDecrypt
+  };
+};

backend/src/services/cmek/cmek-types.ts

@@ -0,0 +1,40 @@
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { OrderByDirection } from "@app/lib/types";
+
+export type TCreateCmekDTO = {
+  orgId: string;
+  projectId: string;
+  name: string;
+  description?: string;
+  encryptionAlgorithm: SymmetricEncryption;
+};
+
+export type TUpdabteCmekByIdDTO = {
+  keyId: string;
+  name?: string;
+  isDisabled?: boolean;
+  description?: string;
+};
+
+export type TListCmeksByProjectIdDTO = {
+  projectId: string;
+  offset?: number;
+  limit?: number;
+  orderBy?: CmekOrderBy;
+  orderDirection?: OrderByDirection;
+  search?: string;
+};
+
+export type TCmekEncryptDTO = {
+  keyId: string;
+  plaintext: string;
+};
+
+export type TCmekDecryptDTO = {
+  keyId: string;
+  ciphertext: string;
+};
+
+export enum CmekOrderBy {
+  Name = "name"
+}

backend/src/services/external-migration/external-migration-fns.ts

@@ -4,22 +4,41 @@ import sjcl from "sjcl";
 import tweetnacl from "tweetnacl";
 import tweetnaclUtil from "tweetnacl-util";
 
-import { OrgMembershipRole, ProjectMembershipRole, SecretType } from "@app/db/schemas";
-import { BadRequestError } from "@app/lib/errors";
+import { SecretType } from "@app/db/schemas";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { chunkArray } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
-import { TOrgServiceFactory } from "../org/org-service";
+import { TKmsServiceFactory } from "../kms/kms-service";
+import { KmsDataKey } from "../kms/kms-types";
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectServiceFactory } from "../project/project-service";
+import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
-import { TSecretServiceFactory } from "../secret/secret-service";
+import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
+import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
+import { fnSecretBulkInsert, getAllNestedSecretReferences } from "../secret-v2-bridge/secret-v2-bridge-fns";
+import type { TSecretV2BridgeServiceFactory } from "../secret-v2-bridge/secret-v2-bridge-service";
+import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
+import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
 import { InfisicalImportData, TEnvKeyExportJSON, TImportInfisicalDataCreate } from "./external-migration-types";
 
 export type TImportDataIntoInfisicalDTO = {
-  projectService: TProjectServiceFactory;
-  orgService: TOrgServiceFactory;
-  projectEnvService: TProjectEnvServiceFactory;
-  secretService: TSecretServiceFactory;
+  projectDAL: Pick<TProjectDALFactory, "transaction">;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findLastEnvPosition" | "create" | "findOne">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+
+  secretDAL: Pick<TSecretV2BridgeDALFactory, "insertMany" | "upsertSecretReferences" | "findBySecretKeys">;
+  secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "create">;
+  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "create">;
+  secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany" | "create">;
+
+  folderDAL: Pick<TSecretFolderDALFactory, "create" | "findBySecretPath">;
+  projectService: Pick<TProjectServiceFactory, "createProject">;
+  projectEnvService: Pick<TProjectEnvServiceFactory, "createEnvironment">;
+  secretV2BridgeService: Pick<TSecretV2BridgeServiceFactory, "createManySecret">;
 
   input: TImportInfisicalDataCreate;
 };
@@ -46,13 +65,13 @@ export const parseEnvKeyDataFn = async (decryptedJson: string): Promise<Infisica
   const parsedJson: TEnvKeyExportJSON = JSON.parse(decryptedJson) as TEnvKeyExportJSON;
 
   const infisicalImportData: InfisicalImportData = {
-    projects: new Map<string, { name: string; id: string }>(),
-    environments: new Map<string, { name: string; id: string; projectId: string }>(),
-    secrets: new Map<string, { name: string; id: string; projectId: string; environmentId: string; value: string }>()
+    projects: [],
+    environments: [],
+    secrets: []
   };
 
   parsedJson.apps.forEach((app: { name: string; id: string }) => {
-    infisicalImportData.projects.set(app.id, { name: app.name, id: app.id });
+    infisicalImportData.projects.push({ name: app.name, id: app.id });
   });
 
   // string to string map for env templates
@@ -63,7 +82,7 @@ export const parseEnvKeyDataFn = async (decryptedJson: string): Promise<Infisica
 
   // environments
   for (const env of parsedJson.baseEnvironments) {
-    infisicalImportData.environments?.set(env.id, {
+    infisicalImportData.environments.push({
       id: env.id,
       name: envTemplates.get(env.environmentRoleId)!,
       projectId: env.envParentId
@@ -75,9 +94,8 @@ export const parseEnvKeyDataFn = async (decryptedJson: string): Promise<Infisica
     if (!env.includes("|")) {
       const envData = parsedJson.envs[env];
       for (const secret of Object.keys(envData.variables)) {
-        const id = randomUUID();
-        infisicalImportData.secrets?.set(id, {
-          id,
+        infisicalImportData.secrets.push({
+          id: randomUUID(),
           name: secret,
           environmentId: env,
           value: envData.variables[secret].val
@@ -91,9 +109,14 @@ export const parseEnvKeyDataFn = async (decryptedJson: string): Promise<Infisica
 
 export const importDataIntoInfisicalFn = async ({
   projectService,
-  orgService,
-  projectEnvService,
-  secretService,
+  projectEnvDAL,
+  projectDAL,
+  secretDAL,
+  kmsService,
+  secretVersionDAL,
+  secretTagDAL,
+  secretVersionTagDAL,
+  folderDAL,
   input: { data, actor, actorId, actorOrgId, actorAuthMethod }
 }: TImportDataIntoInfisicalDTO) => {
   // Import data to infisical
@@ -104,94 +127,132 @@ export const importDataIntoInfisicalFn = async ({
   const originalToNewProjectId = new Map<string, string>();
   const originalToNewEnvironmentId = new Map<string, string>();
 
-  for await (const [id, project] of data.projects) {
-    const newProject = await projectService
-      .createProject({
-        actor,
-        actorId,
-        actorOrgId,
-        actorAuthMethod,
-        workspaceName: project.name,
-        createDefaultEnvs: false
-      })
-      .catch(() => {
-        throw new BadRequestError({ message: `Failed to import to project [name:${project.name}] [id:${id}]` });
-      });
-
-    originalToNewProjectId.set(project.id, newProject.id);
-  }
-
-  // Invite user importing projects
-  const invites = await orgService.inviteUserToOrganization({
-    actorAuthMethod,
-    actorId,
-    actorOrgId,
-    actor,
-    inviteeEmails: [],
-    orgId: actorOrgId,
-    organizationRoleSlug: OrgMembershipRole.NoAccess,
-    projects: Array.from(originalToNewProjectId.values()).map((project) => ({
-      id: project,
-      projectRoleSlug: [ProjectMembershipRole.Member]
-    }))
-  });
-  if (!invites) {
-    throw new BadRequestError({ message: `Failed to invite user to projects: [userId:${actorId}]` });
-  }
-
-  // Import environments
-  if (data.environments) {
-    for await (const [id, environment] of data.environments) {
-      try {
-        const newEnvironment = await projectEnvService.createEnvironment({
+  await projectDAL.transaction(async (tx) => {
+    for await (const project of data.projects) {
+      const newProject = await projectService
+        .createProject({
           actor,
           actorId,
           actorOrgId,
           actorAuthMethod,
-          name: environment.name,
-          projectId: originalToNewProjectId.get(environment.projectId)!,
-          slug: slugify(`${environment.name}-${alphaNumericNanoId(4)}`)
+          workspaceName: project.name,
+          createDefaultEnvs: false,
+          tx
+        })
+        .catch((e) => {
+          logger.error(e, `Failed to import to project [name:${project.name}]`);
+          throw new BadRequestError({ message: `Failed to import to project [name:${project.name}]` });
         });
 
-        if (!newEnvironment) {
-          logger.error(`Failed to import environment: [name:${environment.name}] [id:${id}]`);
+      originalToNewProjectId.set(project.id, newProject.id);
+    }
+
+    // Import environments
+    if (data.environments) {
+      for await (const environment of data.environments) {
+        const projectId = originalToNewProjectId.get(environment.projectId)!;
+        const slug = slugify(`${environment.name}-${alphaNumericNanoId(4)}`);
+
+        const existingEnv = await projectEnvDAL.findOne({ projectId, slug }, tx);
+
+        if (existingEnv) {
           throw new BadRequestError({
-            message: `Failed to import environment: [name:${environment.name}] [id:${id}]`
+            message: `Environment with slug '${slug}' already exist`,
+            name: "CreateEnvironment"
           });
         }
-        originalToNewEnvironmentId.set(id, newEnvironment.slug);
-      } catch (error) {
-        throw new BadRequestError({
-          message: `Failed to import environment: ${environment.name}]`,
-          name: "EnvKeyMigrationImportEnvironment"
+
+        const lastPos = await projectEnvDAL.findLastEnvPosition(projectId, tx);
+        const doc = await projectEnvDAL.create({ slug, name: environment.name, projectId, position: lastPos + 1 }, tx);
+        await folderDAL.create({ name: "root", parentId: null, envId: doc.id, version: 1 }, tx);
+
+        originalToNewEnvironmentId.set(environment.id, doc.slug);
+      }
+    }
+
+    if (data.secrets && data.secrets.length > 0) {
+      const mappedToEnvironmentId = new Map<
+        string,
+        {
+          secretKey: string;
+          secretValue: string;
+        }[]
+      >();
+
+      for (const secret of data.secrets) {
+        if (!mappedToEnvironmentId.has(secret.environmentId)) {
+          mappedToEnvironmentId.set(secret.environmentId, []);
+        }
+        mappedToEnvironmentId.get(secret.environmentId)!.push({
+          secretKey: secret.name,
+          secretValue: secret.value || ""
         });
       }
-    }
-  }
 
-  // Import secrets
-  if (data.secrets) {
-    for await (const [id, secret] of data.secrets) {
-      const dataProjectId = data.environments?.get(secret.environmentId)?.projectId;
-      if (!dataProjectId) {
-        throw new BadRequestError({ message: `Failed to import secret "${secret.name}", project not found` });
-      }
-      const projectId = originalToNewProjectId.get(dataProjectId);
-      const newSecret = await secretService.createSecretRaw({
-        actorId,
-        actor,
-        actorOrgId,
-        environment: originalToNewEnvironmentId.get(secret.environmentId)!,
-        actorAuthMethod,
-        projectId: projectId!,
-        secretPath: "/",
-        secretName: secret.name,
-        type: SecretType.Shared,
-        secretValue: secret.value
-      });
-      if (!newSecret) {
-        throw new BadRequestError({ message: `Failed to import secret: [name:${secret.name}] [id:${id}]` });
+      // for each of the mappedEnvironmentId
+      for await (const [envId, secrets] of mappedToEnvironmentId) {
+        const environment = data.environments.find((env) => env.id === envId);
+        const projectId = originalToNewProjectId.get(environment?.projectId as string)!;
+
+        if (!projectId) {
+          throw new BadRequestError({ message: `Failed to import secret, project not found` });
+        }
+
+        const { encryptor: secretManagerEncrypt } = await kmsService.createCipherPairWithDataKey(
+          {
+            type: KmsDataKey.SecretManager,
+            projectId
+          },
+          tx
+        );
+
+        const envSlug = originalToNewEnvironmentId.get(envId)!;
+        const folder = await folderDAL.findBySecretPath(projectId, envSlug, "/", tx);
+        if (!folder)
+          throw new NotFoundError({
+            message: `Folder not found for the given environment slug (${envSlug}) & secret path (/)`,
+            name: "Create secret"
+          });
+
+        const secretsByKeys = await secretDAL.findBySecretKeys(
+          folder.id,
+          secrets.map((el) => ({
+            key: el.secretKey,
+            type: SecretType.Shared
+          })),
+          tx
+        );
+        if (secretsByKeys.length) {
+          throw new BadRequestError({
+            message: `Secret already exist: ${secretsByKeys.map((el) => el.key).join(",")}`
+          });
+        }
+
+        const secretBatches = chunkArray(secrets, 2500);
+        for await (const secretBatch of secretBatches) {
+          await fnSecretBulkInsert({
+            inputSecrets: secretBatch.map((el) => {
+              const references = getAllNestedSecretReferences(el.secretValue);
+
+              return {
+                version: 1,
+                encryptedValue: el.secretValue
+                  ? secretManagerEncrypt({ plainText: Buffer.from(el.secretValue) }).cipherTextBlob
+                  : undefined,
+                key: el.secretKey,
+                references,
+                type: SecretType.Shared
+              };
+            }),
+            folderId: folder.id,
+            secretDAL,
+            secretVersionDAL,
+            secretTagDAL,
+            secretVersionTagDAL,
+            tx
+          });
+        }
       }
     }
-  }
+  });
 };

backend/src/services/external-migration/external-migration-queue.ts

@@ -0,0 +1,141 @@
+import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { logger } from "@app/lib/logger";
+import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+
+import { TKmsServiceFactory } from "../kms/kms-service";
+import { TProjectDALFactory } from "../project/project-dal";
+import { TProjectServiceFactory } from "../project/project-service";
+import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
+import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
+import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
+import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
+import { TSecretV2BridgeServiceFactory } from "../secret-v2-bridge/secret-v2-bridge-service";
+import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
+import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
+import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
+import { importDataIntoInfisicalFn } from "./external-migration-fns";
+import { ExternalPlatforms, TImportInfisicalDataCreate } from "./external-migration-types";
+
+export type TExternalMigrationQueueFactoryDep = {
+  smtpService: TSmtpService;
+  queueService: TQueueServiceFactory;
+
+  projectDAL: Pick<TProjectDALFactory, "transaction">;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findLastEnvPosition" | "create" | "findOne">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+
+  secretDAL: Pick<TSecretV2BridgeDALFactory, "insertMany" | "upsertSecretReferences" | "findBySecretKeys">;
+  secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "create">;
+  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "create">;
+  secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany" | "create">;
+
+  folderDAL: Pick<TSecretFolderDALFactory, "create" | "findBySecretPath">;
+  projectService: Pick<TProjectServiceFactory, "createProject">;
+  projectEnvService: Pick<TProjectEnvServiceFactory, "createEnvironment">;
+  secretV2BridgeService: Pick<TSecretV2BridgeServiceFactory, "createManySecret">;
+};
+
+export type TExternalMigrationQueueFactory = ReturnType<typeof externalMigrationQueueFactory>;
+
+export const externalMigrationQueueFactory = ({
+  queueService,
+  projectService,
+  smtpService,
+  projectDAL,
+  projectEnvService,
+  secretV2BridgeService,
+  kmsService,
+  projectEnvDAL,
+  secretDAL,
+  secretVersionDAL,
+  secretTagDAL,
+  secretVersionTagDAL,
+  folderDAL
+}: TExternalMigrationQueueFactoryDep) => {
+  const startImport = async (dto: {
+    actorEmail: string;
+    data: {
+      iv: string;
+      tag: string;
+      ciphertext: string;
+      algorithm: SecretEncryptionAlgo;
+      encoding: SecretKeyEncoding;
+    };
+  }) => {
+    await queueService.queue(
+      QueueName.ImportSecretsFromExternalSource,
+      QueueJobs.ImportSecretsFromExternalSource,
+      dto,
+      {
+        removeOnComplete: true,
+        removeOnFail: true
+      }
+    );
+  };
+
+  queueService.start(QueueName.ImportSecretsFromExternalSource, async (job) => {
+    try {
+      const { data, actorEmail } = job.data;
+
+      await smtpService.sendMail({
+        recipients: [actorEmail],
+        subjectLine: "Infisical import started",
+        substitutions: {
+          provider: ExternalPlatforms.EnvKey
+        },
+        template: SmtpTemplates.ExternalImportStarted
+      });
+
+      const decrypted = infisicalSymmetricDecrypt({
+        ciphertext: data.ciphertext,
+        iv: data.iv,
+        keyEncoding: data.encoding,
+        tag: data.tag
+      });
+
+      const decryptedJson = JSON.parse(decrypted) as TImportInfisicalDataCreate;
+
+      await importDataIntoInfisicalFn({
+        input: decryptedJson,
+        projectDAL,
+        projectEnvDAL,
+        secretDAL,
+        secretVersionDAL,
+        secretTagDAL,
+        secretVersionTagDAL,
+        folderDAL,
+        kmsService,
+        projectService,
+        projectEnvService,
+        secretV2BridgeService
+      });
+
+      await smtpService.sendMail({
+        recipients: [actorEmail],
+        subjectLine: "Infisical import successful",
+        substitutions: {
+          provider: ExternalPlatforms.EnvKey
+        },
+        template: SmtpTemplates.ExternalImportSuccessful
+      });
+    } catch (err) {
+      await smtpService.sendMail({
+        recipients: [job.data.actorEmail],
+        subjectLine: "Infisical import failed",
+        substitutions: {
+          provider: ExternalPlatforms.EnvKey,
+          // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-assignment
+          error: (err as any)?.message || "Unknown error"
+        },
+        template: SmtpTemplates.ExternalImportFailed
+      });
+
+      logger.error(err, "Failed to import data from external source");
+    }
+  });
+  return {
+    startImport
+  };
+};

backend/src/services/external-migration/external-migration-service.ts

@@ -1,30 +1,25 @@
 import { OrgMembershipRole } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { ForbiddenRequestError } from "@app/lib/errors";
 
-import { TOrgServiceFactory } from "../org/org-service";
-import { TProjectServiceFactory } from "../project/project-service";
-import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
-import { TSecretServiceFactory } from "../secret/secret-service";
-import { decryptEnvKeyDataFn, importDataIntoInfisicalFn, parseEnvKeyDataFn } from "./external-migration-fns";
+import { TUserDALFactory } from "../user/user-dal";
+import { decryptEnvKeyDataFn, parseEnvKeyDataFn } from "./external-migration-fns";
+import { TExternalMigrationQueueFactory } from "./external-migration-queue";
 import { TImportEnvKeyDataCreate } from "./external-migration-types";
 
 type TExternalMigrationServiceFactoryDep = {
-  projectService: TProjectServiceFactory;
-  orgService: TOrgServiceFactory;
-  projectEnvService: TProjectEnvServiceFactory;
-  secretService: TSecretServiceFactory;
   permissionService: TPermissionServiceFactory;
+  externalMigrationQueue: TExternalMigrationQueueFactory;
+  userDAL: Pick<TUserDALFactory, "findById">;
 };
 
 export type TExternalMigrationServiceFactory = ReturnType<typeof externalMigrationServiceFactory>;
 
 export const externalMigrationServiceFactory = ({
-  projectService,
-  orgService,
-  projectEnvService,
   permissionService,
-  secretService
+  externalMigrationQueue,
+  userDAL
 }: TExternalMigrationServiceFactoryDep) => {
   const importEnvKeyData = async ({
     decryptionKey,
@@ -41,21 +36,28 @@ export const externalMigrationServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-
     if (membership.role !== OrgMembershipRole.Admin) {
       throw new ForbiddenRequestError({ message: "Only admins can import data" });
     }
 
+    const user = await userDAL.findById(actorId);
     const json = await decryptEnvKeyDataFn(decryptionKey, encryptedJson);
     const envKeyData = await parseEnvKeyDataFn(json);
-    const response = await importDataIntoInfisicalFn({
-      input: { data: envKeyData, actor, actorId, actorOrgId, actorAuthMethod },
-      projectService,
-      orgService,
-      projectEnvService,
-      secretService
+
+    const stringifiedJson = JSON.stringify({
+      data: envKeyData,
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod
+    });
+
+    const encrypted = infisicalSymmetricEncypt(stringifiedJson);
+
+    await externalMigrationQueue.startImport({
+      actorEmail: user.email!,
+      data: encrypted
     });
-    return response;
   };
 
   return {

backend/src/services/external-migration/external-migration-types.ts

@@ -1,26 +1,9 @@
 import { ActorAuthMethod, ActorType } from "../auth/auth-type";
 
 export type InfisicalImportData = {
-  projects: Map<string, { name: string; id: string }>;
-
-  environments?: Map<
-    string,
-    {
-      name: string;
-      id: string;
-      projectId: string;
-    }
-  >;
-
-  secrets?: Map<
-    string,
-    {
-      name: string;
-      id: string;
-      environmentId: string;
-      value: string;
-    }
-  >;
+  projects: Array<{ name: string; id: string }>;
+  environments: Array<{ name: string; id: string; projectId: string }>;
+  secrets: Array<{ name: string; id: string; environmentId: string; value: string }>;
 };
 
 export type TImportEnvKeyDataCreate = {
@@ -104,3 +87,7 @@ export type TEnvKeyExportJSON = {
     }
   >;
 };
+
+export enum ExternalPlatforms {
+  EnvKey = "EnvKey"
+}

backend/src/services/identity/identity-org-dal.ts

@@ -1,11 +1,11 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName, TIdentityOrgMemberships } from "@app/db/schemas";
+import { TableName, TIdentityOrgMemberships, TOrgRoles } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
-import { TListOrgIdentitiesByOrgIdDTO } from "@app/services/identity/identity-types";
+import { OrgIdentityOrderBy, TListOrgIdentitiesByOrgIdDTO } from "@app/services/identity/identity-types";
 
 export type TIdentityOrgDALFactory = ReturnType<typeof identityOrgDALFactory>;
 
@@ -33,7 +33,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
     {
       limit,
       offset = 0,
-      orderBy,
+      orderBy = OrgIdentityOrderBy.Name,
       orderDirection = OrderByDirection.ASC,
       search,
       ...filter
@@ -42,26 +42,50 @@ export const identityOrgDALFactory = (db: TDbClient) => {
     tx?: Knex
   ) => {
     try {
-      const paginatedFetchIdentity = (tx || db.replicaNode())(TableName.Identity)
-        .where((queryBuilder) => {
-          if (limit) {
-            void queryBuilder.offset(offset).limit(limit);
-          }
-        })
-        .as(TableName.Identity);
-
-      const query = (tx || db.replicaNode())(TableName.IdentityOrgMembership)
+      const paginatedIdentity = (tx || db.replicaNode())(TableName.Identity)
+        .join(
+          TableName.IdentityOrgMembership,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.Identity}.id`
+        )
+        .orderBy(`${TableName.Identity}.${orderBy}`, orderDirection)
+        .select(
+          selectAllTableCols(TableName.IdentityOrgMembership),
+          db.ref("name").withSchema(TableName.Identity).as("identityName"),
+          db.ref("authMethod").withSchema(TableName.Identity).as("identityAuthMethod")
+        )
         .where(filter)
-        .join<Awaited<typeof paginatedFetchIdentity>>(paginatedFetchIdentity, (queryBuilder) => {
-          queryBuilder.on(`${TableName.IdentityOrgMembership}.identityId`, `${TableName.Identity}.id`);
-        })
-        .leftJoin(TableName.OrgRoles, `${TableName.IdentityOrgMembership}.roleId`, `${TableName.OrgRoles}.id`)
+        .as("paginatedIdentity");
+
+      if (search?.length) {
+        void paginatedIdentity.whereILike(`${TableName.Identity}.name`, `%${search}%`);
+      }
+
+      if (limit) {
+        void paginatedIdentity.offset(offset).limit(limit);
+      }
+
+      // akhilmhdh: refer this for pagination with multiple left queries
+      type TSubquery = Awaited<typeof paginatedIdentity>;
+      const query = (tx || db.replicaNode())
+        .from<TSubquery[number], TSubquery>(paginatedIdentity)
+        .leftJoin<TOrgRoles>(TableName.OrgRoles, `paginatedIdentity.roleId`, `${TableName.OrgRoles}.id`)
         .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
           void queryBuilder
-            .on(`${TableName.IdentityOrgMembership}.identityId`, `${TableName.IdentityMetadata}.identityId`)
-            .andOn(`${TableName.IdentityOrgMembership}.orgId`, `${TableName.IdentityMetadata}.orgId`);
+            .on(`paginatedIdentity.identityId`, `${TableName.IdentityMetadata}.identityId`)
+            .andOn(`paginatedIdentity.orgId`, `${TableName.IdentityMetadata}.orgId`);
         })
-        .select(selectAllTableCols(TableName.IdentityOrgMembership))
+        .select(
+          db.ref("id").withSchema("paginatedIdentity"),
+          db.ref("role").withSchema("paginatedIdentity"),
+          db.ref("roleId").withSchema("paginatedIdentity"),
+          db.ref("orgId").withSchema("paginatedIdentity"),
+          db.ref("createdAt").withSchema("paginatedIdentity"),
+          db.ref("updatedAt").withSchema("paginatedIdentity"),
+          db.ref("identityId").withSchema("paginatedIdentity"),
+          db.ref("identityName").withSchema("paginatedIdentity"),
+          db.ref("identityAuthMethod").withSchema("paginatedIdentity")
+        )
         // cr stands for custom role
         .select(db.ref("id").as("crId").withSchema(TableName.OrgRoles))
         .select(db.ref("name").as("crName").withSchema(TableName.OrgRoles))
@@ -69,32 +93,13 @@ export const identityOrgDALFactory = (db: TDbClient) => {
         .select(db.ref("description").as("crDescription").withSchema(TableName.OrgRoles))
         .select(db.ref("permissions").as("crPermission").withSchema(TableName.OrgRoles))
         .select(db.ref("permissions").as("crPermission").withSchema(TableName.OrgRoles))
-        .select(db.ref("id").as("identityId").withSchema(TableName.Identity))
-        .select(
-          db.ref("name").as("identityName").withSchema(TableName.Identity),
-          db.ref("authMethod").as("identityAuthMethod").withSchema(TableName.Identity)
-        )
         .select(
           db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
           db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
           db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
         );
-
-      if (orderBy) {
-        switch (orderBy) {
-          case "name":
-            void query.orderBy(`${TableName.Identity}.${orderBy}`, orderDirection);
-            break;
-          case "role":
-            void query.orderBy(`${TableName.IdentityOrgMembership}.${orderBy}`, orderDirection);
-            break;
-          default:
-          // do nothing
-        }
-      }
-
-      if (search?.length) {
-        void query.whereILike(`${TableName.Identity}.name`, `%${search}%`);
+      if (orderBy === OrgIdentityOrderBy.Name) {
+        void query.orderBy("identityName", orderDirection);
       }
 
       const docs = await query;

backend/src/services/identity/identity-types.ts

@@ -41,6 +41,6 @@ export type TListOrgIdentitiesByOrgIdDTO = {
 } & TOrgPermission;
 
 export enum OrgIdentityOrderBy {
-  Name = "name",
-  Role = "role"
+  Name = "name"
+  // Role = "role"
 }

backend/src/services/integration-auth/integration-app-list.ts

@@ -455,6 +455,31 @@ const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
   return apps;
 };
 
+/**
+ * Return list of projects for Databricks integration
+ */
+const getAppsDatabricks = async ({ url, accessToken }: { url?: string | null; accessToken: string }) => {
+  const databricksApiUrl = `${url}/api`;
+
+  const res = await request.get<{ scopes: { name: string; backend_type: string }[] }>(
+    `${databricksApiUrl}/2.0/secrets/scopes/list`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json"
+      }
+    }
+  );
+
+  const scopes =
+    res.data?.scopes?.map((a) => ({
+      name: a.name, // name maps to unique scope name in Databricks
+      backend_type: a.backend_type
+    })) ?? [];
+
+  return scopes;
+};
+
 const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
   const res = (
     await request.get<{ id: string; slug: string }[]>(`${IntegrationUrls.TRAVISCI_API_URL}/repos`, {
@@ -1104,6 +1129,12 @@ export const getApps = async ({
         accessToken
       });
 
+    case Integrations.DATABRICKS:
+      return getAppsDatabricks({
+        url,
+        accessToken
+      });
+
     case Integrations.LARAVELFORGE:
       return getAppsLaravelForge({
         accessToken,

backend/src/services/integration-auth/integration-list.ts

@@ -15,6 +15,7 @@ export enum Integrations {
   FLYIO = "flyio",
   LARAVELFORGE = "laravel-forge",
   CIRCLECI = "circleci",
+  DATABRICKS = "databricks",
   TRAVISCI = "travisci",
   TEAMCITY = "teamcity",
   SUPABASE = "supabase",
@@ -73,6 +74,7 @@ export enum IntegrationUrls {
   RAILWAY_API_URL = "https://backboard.railway.app/graphql/v2",
   FLYIO_API_URL = "https://api.fly.io/graphql",
   CIRCLECI_API_URL = "https://circleci.com/api",
+  DATABRICKS_API_URL = "https:/xxxx.com/api",
   TRAVISCI_API_URL = "https://api.travis-ci.com",
   SUPABASE_API_URL = "https://api.supabase.com",
   LARAVELFORGE_API_URL = "https://forge.laravel.com",
@@ -210,6 +212,15 @@ export const getIntegrationOptions = async () => {
       clientId: "",
       docsLink: ""
     },
+    {
+      name: "Databricks",
+      slug: "databricks",
+      image: "Databricks.png",
+      isAvailable: true,
+      type: "pat",
+      clientId: "",
+      docsLink: ""
+    },
     {
       name: "GitLab",
       slug: "gitlab",

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -9,6 +9,7 @@
 
 import {
   CreateSecretCommand,
+  DeleteSecretCommand,
   DescribeSecretCommand,
   GetSecretValueCommand,
   ResourceNotFoundException,
@@ -899,12 +900,21 @@ const syncSecretsAWSSecretManager = async ({
       }
 
       if (!isEqual(secretToCompare, secretValue)) {
-        await secretsManager.send(
-          new UpdateSecretCommand({
-            SecretId: secretId,
-            SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue)
-          })
-        );
+        if (secretValue) {
+          await secretsManager.send(
+            new UpdateSecretCommand({
+              SecretId: secretId,
+              SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue)
+            })
+          );
+          // delete it
+        } else {
+          await secretsManager.send(
+            new DeleteSecretCommand({
+              SecretId: secretId
+            })
+          );
+        }
       }
 
       const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
@@ -989,16 +999,21 @@ const syncSecretsAWSSecretManager = async ({
     } catch (err) {
       // case 1: when AWS manager can't find the specified secret
       if (err instanceof ResourceNotFoundException && secretsManager) {
-        await secretsManager.send(
-          new CreateSecretCommand({
-            Name: secretId,
-            SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue),
-            ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
-            Tags: metadata.secretAWSTag
-              ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
-              : []
-          })
-        );
+        if (secretValue) {
+          await secretsManager.send(
+            new CreateSecretCommand({
+              Name: secretId,
+              SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue),
+              ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
+              Tags: metadata.secretAWSTag
+                ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({
+                    Key: tag.key,
+                    Value: tag.value
+                  }))
+                : []
+            })
+          );
+        }
         // case 2: something unexpected went wrong, so we'll throw the error to reflect the error in the integration sync status
       } else {
         throw err;
@@ -2085,6 +2100,80 @@ const syncSecretsCircleCI = async ({
   );
 };
 
+/**
+ * Sync/push [secrets] to Databricks project
+ */
+const syncSecretsDatabricks = async ({
+  integration,
+  integrationAuth,
+  secrets,
+  accessToken
+}: {
+  integration: TIntegrations;
+  integrationAuth: TIntegrationAuths;
+  secrets: Record<string, { value: string; comment?: string }>;
+  accessToken: string;
+}) => {
+  const databricksApiUrl = `${integrationAuth.url}/api`;
+
+  // sync secrets to Databricks
+  await Promise.all(
+    Object.keys(secrets).map(async (key) =>
+      request.post(
+        `${databricksApiUrl}/2.0/secrets/put`,
+        {
+          scope: integration.app,
+          key,
+          string_value: secrets[key].value
+        },
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json"
+          }
+        }
+      )
+    )
+  );
+
+  // get secrets from Databricks
+  const getSecretsRes = (
+    await request.get<{ secrets: { key: string; last_updated_timestamp: number }[] }>(
+      `${databricksApiUrl}/2.0/secrets/list`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Content-Type": "application/json"
+        },
+        params: {
+          scope: integration.app
+        }
+      }
+    )
+  ).data.secrets;
+
+  // delete secrets from Databricks
+  await Promise.all(
+    getSecretsRes.map(async (sec) => {
+      if (!(sec.key in secrets)) {
+        return request.post(
+          `${databricksApiUrl}/2.0/secrets/delete`,
+          {
+            scope: integration.app,
+            key: sec.key
+          },
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+              "Content-Type": "application/json"
+            }
+          }
+        );
+      }
+    })
+  );
+};
+
 /**
  * Sync/push [secrets] to TravisCI project
  */
@@ -4021,6 +4110,14 @@ export const syncIntegrationSecrets = async ({
         accessToken
       });
       break;
+    case Integrations.DATABRICKS:
+      await syncSecretsDatabricks({
+        integration,
+        integrationAuth,
+        secrets,
+        accessToken
+      });
+      break;
     case Integrations.LARAVELFORGE:
       await syncSecretsLaravelForge({
         integration,

backend/src/services/integration/integration-service.ts

@@ -120,7 +120,13 @@ export const integrationServiceFactory = ({
       secretPath,
       projectId: integrationAuth.projectId
     });
-    return { integration, integrationAuth };
+    return {
+      integration: {
+        ...integration,
+        environment: folder.environment
+      },
+      integrationAuth
+    };
   };
 
   const updateIntegration = async ({
@@ -183,7 +189,10 @@ export const integrationServiceFactory = ({
       projectId: folder.projectId
     });
 
-    return updatedIntegration;
+    return {
+      ...updatedIntegration,
+      environment: folder.environment
+    };
   };
 
   const getIntegration = async ({ id, actor, actorAuthMethod, actorId, actorOrgId }: TGetIntegrationDTO) => {

backend/src/services/kms/kms-fns.ts

@@ -0,0 +1,11 @@
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+
+export const getByteLengthForAlgorithm = (encryptionAlgorithm: SymmetricEncryption) => {
+  switch (encryptionAlgorithm) {
+    case SymmetricEncryption.AES_GCM_128:
+      return 16;
+    case SymmetricEncryption.AES_GCM_256:
+    default:
+      return 32;
+  }
+};

backend/src/services/kms/kms-key-dal.ts

@@ -1,9 +1,11 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { KmsKeysSchema, TableName } from "@app/db/schemas";
+import { KmsKeysSchema, TableName, TInternalKms, TKmsKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+import { CmekOrderBy, TListCmeksByProjectIdDTO } from "@app/services/cmek/cmek-types";
 
 export type TKmsKeyDALFactory = ReturnType<typeof kmskeyDALFactory>;
 
@@ -71,5 +73,50 @@ export const kmskeyDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...kmsOrm, findByIdWithAssociatedKms };
+  const findKmsKeysByProjectId = async (
+    {
+      projectId,
+      offset = 0,
+      limit,
+      orderBy = CmekOrderBy.Name,
+      orderDirection = OrderByDirection.ASC,
+      search
+    }: TListCmeksByProjectIdDTO,
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db.replicaNode())(TableName.KmsKey)
+        .where("projectId", projectId)
+        .where((qb) => {
+          if (search) {
+            void qb.whereILike("name", `%${search}%`);
+          }
+        })
+        .join(TableName.InternalKms, `${TableName.InternalKms}.kmsKeyId`, `${TableName.KmsKey}.id`)
+        .select<
+          (TKmsKeys &
+            Pick<TInternalKms, "version" | "encryptionAlgorithm"> & {
+              total_count: number;
+            })[]
+        >(
+          selectAllTableCols(TableName.KmsKey),
+          db.raw(`count(*) OVER() as total_count`),
+          db.ref("encryptionAlgorithm").withSchema(TableName.InternalKms),
+          db.ref("version").withSchema(TableName.InternalKms)
+        )
+        .orderBy(orderBy, orderDirection);
+
+      if (limit) {
+        void query.limit(limit).offset(offset);
+      }
+
+      const data = await query;
+
+      return { keys: data, totalCount: Number(data?.[0]?.total_count ?? 0) };
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find kms keys by project id" });
+    }
+  };
+
+  return { ...kmsOrm, findByIdWithAssociatedKms, findKmsKeysByProjectId };
 };

backend/src/services/kms/kms-service.ts

@@ -17,6 +17,7 @@ import { generateHash } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { getByteLengthForAlgorithm } from "@app/services/kms/kms-fns";
 
 import { TOrgDALFactory } from "../org/org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
@@ -71,17 +72,29 @@ export const kmsServiceFactory = ({
    * This function is responsibile for generating the infisical internal KMS for various entities
    * Like for secret manager, cert manager or for organization
    */
-  const generateKmsKey = async ({ orgId, isReserved = true, tx, slug }: TGenerateKMSDTO) => {
+  const generateKmsKey = async ({
+    orgId,
+    isReserved = true,
+    tx,
+    name,
+    projectId,
+    encryptionAlgorithm = SymmetricEncryption.AES_GCM_256,
+    description
+  }: TGenerateKMSDTO) => {
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    const kmsKeyMaterial = randomSecureBytes(32);
+
+    const kmsKeyMaterial = randomSecureBytes(getByteLengthForAlgorithm(encryptionAlgorithm));
+
     const encryptedKeyMaterial = cipher.encrypt(kmsKeyMaterial, ROOT_ENCRYPTION_KEY);
-    const sanitizedSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());
+    const sanitizedName = name ? slugify(name) : slugify(alphaNumericNanoId(8).toLowerCase());
     const dbQuery = async (db: Knex) => {
       const kmsDoc = await kmsDAL.create(
         {
-          slug: sanitizedSlug,
+          name: sanitizedName,
           orgId,
-          isReserved
+          isReserved,
+          projectId,
+          description
         },
         db
       );
@@ -90,7 +103,7 @@ export const kmsServiceFactory = ({
         {
           version: 1,
           encryptedKey: encryptedKeyMaterial,
-          encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
+          encryptionAlgorithm,
           kmsKeyId: kmsDoc.id
         },
         db
@@ -147,8 +160,8 @@ export const kmsServiceFactory = ({
    * In mean time the rest of the request will wait until creation is finished followed by getting the created on
    * In real time this would be milliseconds
    */
-  const getOrgKmsKeyId = async (orgId: string) => {
-    let org = await orgDAL.findById(orgId);
+  const getOrgKmsKeyId = async (orgId: string, trx?: Knex) => {
+    let org = await orgDAL.findById(orgId, trx);
 
     if (!org) {
       throw new NotFoundError({ message: "Org not found" });
@@ -167,9 +180,9 @@ export const kmsServiceFactory = ({
             waitingCb: () => logger.info("KMS. Waiting for org key to be created")
           });
 
-          org = await orgDAL.findById(orgId);
+          org = await orgDAL.findById(orgId, trx);
         } else {
-          const keyId = await orgDAL.transaction(async (tx) => {
+          const keyId = await (trx || orgDAL).transaction(async (tx) => {
             org = await orgDAL.findById(orgId, tx);
             if (org.kmsDefaultKeyId) {
               return org.kmsDefaultKeyId;
@@ -227,11 +240,12 @@ export const kmsServiceFactory = ({
 
   const decryptWithKmsKey = async ({
     kmsId,
-    depth = 0
-  }: Omit<TDecryptWithKmsDTO, "cipherTextBlob"> & { depth?: number }) => {
+    depth = 0,
+    tx
+  }: Omit<TDecryptWithKmsDTO, "cipherTextBlob"> & { depth?: number; tx?: Knex }) => {
     if (depth > 2) throw new BadRequestError({ message: "KMS depth max limit" });
 
-    const kmsDoc = await kmsDAL.findByIdWithAssociatedKms(kmsId);
+    const kmsDoc = await kmsDAL.findByIdWithAssociatedKms(kmsId, tx);
     if (!kmsDoc) {
       throw new NotFoundError({ message: "KMS ID not found" });
     }
@@ -248,7 +262,8 @@ export const kmsServiceFactory = ({
       // we put a limit of depth to avoid too many cycles
       const orgKmsDecryptor = await decryptWithKmsKey({
         kmsId: kmsDoc.orgKms.id,
-        depth: depth + 1
+        depth: depth + 1,
+        tx
       });
 
       const orgKmsDataKey = await orgKmsDecryptor({
@@ -286,12 +301,13 @@ export const kmsServiceFactory = ({
     }
 
     // internal KMS
-    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    const kmsKey = cipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
+    const keyCipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    const dataCipher = symmetricCipherService(kmsDoc.internalKms?.encryptionAlgorithm as SymmetricEncryption);
+    const kmsKey = keyCipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
 
     return ({ cipherTextBlob: versionedCipherTextBlob }: Pick<TDecryptWithKmsDTO, "cipherTextBlob">) => {
       const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-      const decryptedBlob = cipher.decrypt(cipherTextBlob, kmsKey);
+      const decryptedBlob = dataCipher.decrypt(cipherTextBlob, kmsKey);
       return Promise.resolve(decryptedBlob);
     };
   };
@@ -347,11 +363,11 @@ export const kmsServiceFactory = ({
     }
 
     // internal KMS
-    // akhilmhdh: as more encryption are added do a check here on kmsDoc.encryptionAlgorithm
-    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    const keyCipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    const dataCipher = symmetricCipherService(kmsDoc.internalKms?.encryptionAlgorithm as SymmetricEncryption);
     return ({ plainText }: Pick<TEncryptWithKmsDTO, "plainText">) => {
-      const kmsKey = cipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
-      const encryptedPlainTextBlob = cipher.encrypt(plainText, kmsKey);
+      const kmsKey = keyCipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
+      const encryptedPlainTextBlob = dataCipher.encrypt(plainText, kmsKey);
 
       // Buffer#1 encrypted text + Buffer#2 version number
       const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
@@ -361,9 +377,9 @@ export const kmsServiceFactory = ({
     };
   };
 
-  const $getOrgKmsDataKey = async (orgId: string) => {
-    const kmsKeyId = await getOrgKmsKeyId(orgId);
-    let org = await orgDAL.findById(orgId);
+  const $getOrgKmsDataKey = async (orgId: string, trx?: Knex) => {
+    const kmsKeyId = await getOrgKmsKeyId(orgId, trx);
+    let org = await orgDAL.findById(orgId, trx);
 
     if (!org) {
       throw new NotFoundError({ message: "Org not found" });
@@ -382,9 +398,9 @@ export const kmsServiceFactory = ({
             waitingCb: () => logger.info("KMS. Waiting for org data key to be created")
           });
 
-          org = await orgDAL.findById(orgId);
+          org = await orgDAL.findById(orgId, trx);
         } else {
-          const orgDataKey = await orgDAL.transaction(async (tx) => {
+          const orgDataKey = await (trx || orgDAL).transaction(async (tx) => {
             org = await orgDAL.findById(orgId, tx);
             if (org.kmsEncryptedDataKey) {
               return;
@@ -441,8 +457,8 @@ export const kmsServiceFactory = ({
     });
   };
 
-  const getProjectSecretManagerKmsKeyId = async (projectId: string) => {
-    let project = await projectDAL.findById(projectId);
+  const getProjectSecretManagerKmsKeyId = async (projectId: string, trx?: Knex) => {
+    let project = await projectDAL.findById(projectId, trx);
     if (!project) {
       throw new NotFoundError({ message: "Project not found" });
     }
@@ -463,7 +479,7 @@ export const kmsServiceFactory = ({
 
           project = await projectDAL.findById(projectId);
         } else {
-          const kmsKeyId = await projectDAL.transaction(async (tx) => {
+          const kmsKeyId = await (trx || projectDAL).transaction(async (tx) => {
             project = await projectDAL.findById(projectId, tx);
             if (project.kmsSecretManagerKeyId) {
               return project.kmsSecretManagerKeyId;
@@ -506,9 +522,9 @@ export const kmsServiceFactory = ({
     return project.kmsSecretManagerKeyId;
   };
 
-  const $getProjectSecretManagerKmsDataKey = async (projectId: string) => {
-    const kmsKeyId = await getProjectSecretManagerKmsKeyId(projectId);
-    let project = await projectDAL.findById(projectId);
+  const $getProjectSecretManagerKmsDataKey = async (projectId: string, trx?: Knex) => {
+    const kmsKeyId = await getProjectSecretManagerKmsKeyId(projectId, trx);
+    let project = await projectDAL.findById(projectId, trx);
 
     if (!project.kmsSecretManagerEncryptedDataKey) {
       const lock = await keyStore
@@ -524,18 +540,21 @@ export const kmsServiceFactory = ({
             delay: 500
           });
 
-          project = await projectDAL.findById(projectId);
+          project = await projectDAL.findById(projectId, trx);
         } else {
-          const projectDataKey = await projectDAL.transaction(async (tx) => {
+          const projectDataKey = await (trx || projectDAL).transaction(async (tx) => {
             project = await projectDAL.findById(projectId, tx);
             if (project.kmsSecretManagerEncryptedDataKey) {
               return;
             }
 
             const dataKey = randomSecureBytes();
-            const kmsEncryptor = await encryptWithKmsKey({
-              kmsId: kmsKeyId
-            });
+            const kmsEncryptor = await encryptWithKmsKey(
+              {
+                kmsId: kmsKeyId
+              },
+              tx
+            );
 
             const { cipherTextBlob } = await kmsEncryptor({
               plainText: dataKey
@@ -571,7 +590,8 @@ export const kmsServiceFactory = ({
     }
 
     const kmsDecryptor = await decryptWithKmsKey({
-      kmsId: kmsKeyId
+      kmsId: kmsKeyId,
+      tx: trx
     });
 
     return kmsDecryptor({
@@ -579,13 +599,13 @@ export const kmsServiceFactory = ({
     });
   };
 
-  const $getDataKey = async (dto: TEncryptWithKmsDataKeyDTO) => {
+  const $getDataKey = async (dto: TEncryptWithKmsDataKeyDTO, trx?: Knex) => {
     switch (dto.type) {
       case KmsDataKey.SecretManager: {
-        return $getProjectSecretManagerKmsDataKey(dto.projectId);
+        return $getProjectSecretManagerKmsDataKey(dto.projectId, trx);
       }
       default: {
-        return $getOrgKmsDataKey(dto.orgId);
+        return $getOrgKmsDataKey(dto.orgId, trx);
       }
     }
   };
@@ -593,8 +613,9 @@ export const kmsServiceFactory = ({
   // by keeping the decrypted data key in inner scope
   // none of the entities outside can interact directly or expose the data key
   // NOTICE: If changing here update migrations/utils/kms
-  const createCipherPairWithDataKey = async (encryptionContext: TEncryptWithKmsDataKeyDTO) => {
-    const dataKey = await $getDataKey(encryptionContext);
+  const createCipherPairWithDataKey = async (encryptionContext: TEncryptWithKmsDataKeyDTO, trx?: Knex) => {
+    const dataKey = await $getDataKey(encryptionContext, trx);
+
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
 
     return {
@@ -767,8 +788,8 @@ export const kmsServiceFactory = ({
         message: "KMS not found"
       });
     }
-    const { id, slug, orgId, isExternal } = kms;
-    return { id, slug, orgId, isExternal };
+    const { id, name, orgId, isExternal } = kms;
+    return { id, name, orgId, isExternal };
   };
 
   // akhilmhdh: a copy of this is made in migrations/utils/kms

backend/src/services/kms/kms-types.ts

@@ -1,5 +1,7 @@
 import { Knex } from "knex";
 
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+
 export enum KmsDataKey {
   Organization,
   SecretManager
@@ -22,8 +24,11 @@ export type TEncryptWithKmsDataKeyDTO =
 
 export type TGenerateKMSDTO = {
   orgId: string;
+  projectId?: string;
+  encryptionAlgorithm?: SymmetricEncryption;
   isReserved?: boolean;
-  slug?: string;
+  name?: string;
+  description?: string;
   tx?: Knex;
 };
 

backend/src/services/org/org-dal.ts

@@ -108,7 +108,9 @@ export const orgDALFactory = (db: TDbClient) => {
           db.ref("id").withSchema(TableName.Users).as("userId"),
           db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
         )
-        .where({ isGhost: false }); // MAKE SURE USER IS NOT A GHOST USER
+        .where({ isGhost: false }) // MAKE SURE USER IS NOT A GHOST USER
+        .orderBy("firstName")
+        .orderBy("lastName");
 
       return members.map(({ email, isEmailVerified, username, firstName, lastName, userId, publicKey, ...data }) => ({
         ...data,
@@ -370,6 +372,7 @@ export const orgDALFactory = (db: TDbClient) => {
           db.ref("firstName").withSchema(TableName.Users),
           db.ref("lastName").withSchema(TableName.Users),
           db.ref("scimEnabled").withSchema(TableName.Organization),
+          db.ref("defaultMembershipRole").withSchema(TableName.Organization),
           db.ref("externalId").withSchema(TableName.UserAliases)
         )
         .where({ isGhost: false });

backend/src/services/org/org-role-fns.ts

@@ -0,0 +1,54 @@
+import { OrgMembershipRole } from "@app/db/schemas";
+import { TFeatureSet } from "@app/ee/services/license/license-types";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
+
+const RESERVED_ORG_ROLE_SLUGS = Object.values(OrgMembershipRole).filter((role) => role !== "custom");
+
+// this is only for updating an org
+export const getDefaultOrgMembershipRoleForUpdateOrg = async ({
+  membershipRoleSlug,
+  orgRoleDAL,
+  plan,
+  orgId
+}: {
+  orgId: string;
+  membershipRoleSlug: string;
+  orgRoleDAL: TOrgRoleDALFactory;
+  plan: TFeatureSet;
+}) => {
+  const isCustomRole = !RESERVED_ORG_ROLE_SLUGS.includes(membershipRoleSlug as OrgMembershipRole);
+
+  if (isCustomRole) {
+    if (!plan?.rbac)
+      throw new BadRequestError({
+        message:
+          "Failed to set custom default role due to plan RBAC restriction. Upgrade plan to set custom default org membership role."
+      });
+
+    const customRole = await orgRoleDAL.findOne({ slug: membershipRoleSlug, orgId });
+    if (!customRole) throw new NotFoundError({ name: "UpdateOrg", message: "Organization role not found" });
+
+    // use ID for default role
+    return customRole.id;
+  }
+
+  // not custom, use reserved slug
+  return membershipRoleSlug;
+};
+
+// this is only for creating an org membership
+export const getDefaultOrgMembershipRole = async (
+  defaultOrgMembershipRole: string // can either be ID or reserved slug
+) => {
+  const isCustomRole = !RESERVED_ORG_ROLE_SLUGS.includes(defaultOrgMembershipRole as OrgMembershipRole);
+
+  if (isCustomRole)
+    return {
+      roleId: defaultOrgMembershipRole,
+      role: OrgMembershipRole.Custom
+    };
+
+  // will be reserved slug
+  return { roleId: undefined, role: defaultOrgMembershipRole as OrgMembershipRole };
+};

backend/src/services/org/org-role-service.ts

@@ -11,6 +11,7 @@ import {
 } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { TOrgDALFactory } from "@app/services/org/org-dal";
 
 import { ActorAuthMethod } from "../auth/auth-type";
 import { TOrgRoleDALFactory } from "./org-role-dal";
@@ -18,11 +19,12 @@ import { TOrgRoleDALFactory } from "./org-role-dal";
 type TOrgRoleServiceFactoryDep = {
   orgRoleDAL: TOrgRoleDALFactory;
   permissionService: TPermissionServiceFactory;
+  orgDAL: TOrgDALFactory;
 };
 
 export type TOrgRoleServiceFactory = ReturnType<typeof orgRoleServiceFactory>;
 
-export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRoleServiceFactoryDep) => {
+export const orgRoleServiceFactory = ({ orgRoleDAL, orgDAL, permissionService }: TOrgRoleServiceFactoryDep) => {
   const createRole = async (
     userId: string,
     orgId: string,
@@ -129,6 +131,19 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
   ) => {
     const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Role);
+
+    const org = await orgDAL.findOrgById(orgId);
+
+    if (!org)
+      throw new NotFoundError({
+        message: "Failed to find organization"
+      });
+
+    if (org.defaultMembershipRole === roleId)
+      throw new BadRequestError({
+        message: "Cannot delete default org membership role. Please re-assign and try again."
+      });
+
     const [deletedRole] = await orgRoleDAL.delete({ id: roleId, orgId });
     if (!deletedRole) throw new NotFoundError({ message: "Organization role not found", name: "Update role" });
 

backend/src/services/org/org-service.ts

@@ -32,6 +32,7 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedErro
 import { groupBy } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { isDisposableEmail } from "@app/lib/validator";
+import { getDefaultOrgMembershipRoleForUpdateOrg } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
 
@@ -264,7 +265,7 @@ export const orgServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     orgId,
-    data: { name, slug, authEnforced, scimEnabled }
+    data: { name, slug, authEnforced, scimEnabled, defaultMembershipRoleSlug }
   }: TUpdateOrgDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
@@ -298,11 +299,22 @@ export const orgServiceFactory = ({
         });
     }
 
+    let defaultMembershipRole: string | undefined;
+    if (defaultMembershipRoleSlug) {
+      defaultMembershipRole = await getDefaultOrgMembershipRoleForUpdateOrg({
+        membershipRoleSlug: defaultMembershipRoleSlug,
+        orgId,
+        orgRoleDAL,
+        plan
+      });
+    }
+
     const org = await orgDAL.updateById(orgId, {
       name,
       slug: slug ? slugify(slug) : undefined,
       authEnforced,
-      scimEnabled
+      scimEnabled,
+      defaultMembershipRole
     });
     if (!org) throw new NotFoundError({ message: "Organization not found" });
     return org;

backend/src/services/org/org-types.ts

@@ -26,18 +26,13 @@ export type TDeleteOrgMembershipDTO = {
 };
 
 export type TInviteUserToOrgDTO = {
-  actorId: string;
-  actor: ActorType;
-  orgId: string;
-  actorOrgId: string | undefined;
-  actorAuthMethod: ActorAuthMethod;
   inviteeEmails: string[];
   organizationRoleSlug: string;
   projects?: {
     id: string;
     projectRoleSlug?: string[];
   }[];
-};
+} & TOrgPermission;
 
 export type TVerifyUserToOrgDTO = {
   email: string;
@@ -63,7 +58,13 @@ export type TFindAllWorkspacesDTO = {
 };
 
 export type TUpdateOrgDTO = {
-  data: Partial<{ name: string; slug: string; authEnforced: boolean; scimEnabled: boolean }>;
+  data: Partial<{
+    name: string;
+    slug: string;
+    authEnforced: boolean;
+    scimEnabled: boolean;
+    defaultMembershipRoleSlug: string;
+  }>;
 } & TOrgPermission;
 
 export type TGetOrgGroupsDTO = TOrgPermission;

backend/src/services/project-env/project-env-dal.ts

@@ -65,10 +65,16 @@ export const projectEnvDALFactory = (db: TDbClient) => {
     }
   };
 
+  const shiftPositions = async (projectId: string, pos: number, tx?: Knex) => {
+    // Shift all positions >= the new position up by 1
+    await (tx || db)(TableName.Environment).where({ projectId }).where("position", ">=", pos).increment("position", 1);
+  };
+
   return {
     ...projectEnvOrm,
     findBySlugs,
     findLastEnvPosition,
-    updateAllPosition
+    updateAllPosition,
+    shiftPositions
   };
 };

backend/src/services/project-env/project-env-service.ts

@@ -37,6 +37,7 @@ export const projectEnvServiceFactory = ({
     actor,
     actorOrgId,
     actorAuthMethod,
+    position,
     name,
     slug
   }: TCreateEnvDTO) => {
@@ -83,9 +84,25 @@ export const projectEnvServiceFactory = ({
       }
 
       const env = await projectEnvDAL.transaction(async (tx) => {
+        if (position !== undefined) {
+          // Check if there's an environment at the specified position
+          const existingEnvWithPosition = await projectEnvDAL.findOne({ projectId, position }, tx);
+
+          // If there is, then shift positions
+          if (existingEnvWithPosition) {
+            await projectEnvDAL.shiftPositions(projectId, position, tx);
+          }
+
+          const doc = await projectEnvDAL.create({ slug, name, projectId, position }, tx);
+          await folderDAL.create({ name: "root", parentId: null, envId: doc.id, version: 1 }, tx);
+
+          return doc;
+        }
+        // If no position is specified, add to the end
         const lastPos = await projectEnvDAL.findLastEnvPosition(projectId, tx);
         const doc = await projectEnvDAL.create({ slug, name, projectId, position: lastPos + 1 }, tx);
         await folderDAL.create({ name: "root", parentId: null, envId: doc.id, version: 1 }, tx);
+
         return doc;
       });
 
@@ -150,7 +167,11 @@ export const projectEnvServiceFactory = ({
 
       const env = await projectEnvDAL.transaction(async (tx) => {
         if (position) {
-          await projectEnvDAL.updateAllPosition(projectId, oldEnv.position, position, tx);
+          const existingEnvWithPosition = await projectEnvDAL.findOne({ projectId, position }, tx);
+
+          if (existingEnvWithPosition && existingEnvWithPosition.id !== oldEnv.id) {
+            await projectEnvDAL.updateAllPosition(projectId, oldEnv.position, position, tx);
+          }
         }
         return projectEnvDAL.updateById(oldEnv.id, { name, slug, position }, tx);
       });
@@ -199,7 +220,6 @@ export const projectEnvServiceFactory = ({
             name: "DeleteEnvironment"
           });
 
-        await projectEnvDAL.updateAllPosition(projectId, doc.position, -1, tx);
         return doc;
       });
 
@@ -215,29 +235,26 @@ export const projectEnvServiceFactory = ({
     }
   };
 
-  const getEnvironmentById = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod, id }: TGetEnvDTO) => {
+  const getEnvironmentById = async ({ actor, actorId, actorOrgId, actorAuthMethod, id }: TGetEnvDTO) => {
+    const environment = await projectEnvDAL.findById(id);
+
+    if (!environment) {
+      throw new NotFoundError({
+        message: "Environment does not exist"
+      });
+    }
+
     const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId,
+      environment.projectId,
       actorAuthMethod,
       actorOrgId
     );
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
 
-    const [env] = await projectEnvDAL.find({
-      id,
-      projectId
-    });
-
-    if (!env) {
-      throw new NotFoundError({
-        message: "Environment does not exist"
-      });
-    }
-
-    return env;
+    return environment;
   };
 
   return {

backend/src/services/project-env/project-env-types.ts

@@ -3,6 +3,7 @@ import { TProjectPermission } from "@app/lib/types";
 export type TCreateEnvDTO = {
   name: string;
   slug: string;
+  position?: number;
 } & TProjectPermission;
 
 export type TUpdateEnvDTO = {
@@ -23,4 +24,4 @@ export type TReorderEnvDTO = {
 
 export type TGetEnvDTO = {
   id: string;
-} & TProjectPermission;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/project/project-service.ts

@@ -147,6 +147,7 @@ export const projectServiceFactory = ({
     workspaceName,
     slug: projectSlug,
     kmsKeyId,
+    tx: trx,
     createDefaultEnvs = true
   }: TCreateProjectDTO) => {
     const organization = await orgDAL.findOne({ id: actorOrgId });
@@ -169,7 +170,7 @@ export const projectServiceFactory = ({
       });
     }
 
-    const results = await projectDAL.transaction(async (tx) => {
+    const results = await (trx || projectDAL).transaction(async (tx) => {
       const ghostUser = await orgService.addGhostUser(organization.id, tx);
 
       if (kmsKeyId) {

backend/src/services/project/project-types.ts

@@ -1,3 +1,5 @@
+import { Knex } from "knex";
+
 import { TProjectKeys } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
 
@@ -30,6 +32,7 @@ export type TCreateProjectDTO = {
   slug?: string;
   kmsKeyId?: string;
   createDefaultEnvs?: boolean;
+  tx?: Knex;
 };
 
 export type TDeleteProjectBySlugDTO = {

backend/src/services/secret-folder/secret-folder-service.ts

@@ -502,12 +502,21 @@ export const secretFolderServiceFactory = ({
 
   const getFolderById = async ({ actor, actorId, actorOrgId, actorAuthMethod, id }: TGetFolderByIdDTO) => {
     const folder = await folderDAL.findById(id);
-    if (!folder) throw new NotFoundError({ message: "folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
     // folder list is allowed to be read by anyone
     // permission to check does user has access
     await permissionService.getProjectPermission(actor, actorId, folder.projectId, actorAuthMethod, actorOrgId);
 
-    return folder;
+    const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(folder.projectId, [folder.id]);
+
+    if (!folderWithPath) {
+      throw new NotFoundError({ message: "Folder path not found" });
+    }
+
+    return {
+      ...folder,
+      path: folderWithPath.path
+    };
   };
 
   return {

backend/src/services/secret-import/secret-import-dal.ts

@@ -97,6 +97,34 @@ export const secretImportDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findById = async (id: string, tx?: Knex) => {
+    try {
+      const doc = await (tx || db.replicaNode())(TableName.SecretImport)
+        .where({ [`${TableName.SecretImport}.id` as "id"]: id })
+        .join(TableName.Environment, `${TableName.SecretImport}.importEnv`, `${TableName.Environment}.id`)
+        .select(
+          db.ref("*").withSchema(TableName.SecretImport) as unknown as keyof TSecretImports,
+          db.ref("slug").withSchema(TableName.Environment),
+          db.ref("name").withSchema(TableName.Environment),
+          db.ref("id").withSchema(TableName.Environment).as("envId")
+        )
+        .first();
+
+      if (!doc) {
+        return null;
+      }
+
+      const { envId, slug, name, ...el } = doc;
+
+      return {
+        ...el,
+        importEnv: { id: envId, slug, name }
+      };
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find secret imports" });
+    }
+  };
+
   const getProjectImportCount = async (
     { search, ...filter }: Partial<TSecretImports & { projectId: string; search?: string }>,
     tx?: Knex
@@ -144,6 +172,7 @@ export const secretImportDALFactory = (db: TDbClient) => {
   return {
     ...secretImportOrm,
     find,
+    findById,
     findByFolderIds,
     findLastImportPosition,
     updateAllPosition,

backend/src/services/secret-import/secret-import-service.ts

@@ -24,6 +24,7 @@ import { fnSecretsFromImports, fnSecretsV2FromImports } from "./secret-import-fn
 import {
   TCreateSecretImportDTO,
   TDeleteSecretImportDTO,
+  TGetSecretImportByIdDTO,
   TGetSecretImportsDTO,
   TGetSecretsFromImportDTO,
   TResyncSecretImportReplicationDTO,
@@ -455,6 +456,64 @@ export const secretImportServiceFactory = ({
     return secImports;
   };
 
+  const getImportById = async ({
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId,
+    id: importId
+  }: TGetSecretImportByIdDTO) => {
+    const importDoc = await secretImportDAL.findById(importId);
+
+    if (!importDoc) {
+      throw new NotFoundError({ message: "Secret import not found" });
+    }
+
+    // the folder to import into
+    const folder = await folderDAL.findById(importDoc.folderId);
+
+    if (!folder) throw new NotFoundError({ message: "Secret import folder not found" });
+
+    // the folder to import into, with path
+    const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(folder.projectId, [folder.id]);
+
+    if (!folderWithPath) throw new NotFoundError({ message: "Folder path not found" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      folder.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, {
+        environment: folder.environment.envSlug,
+        secretPath: folderWithPath.path
+      })
+    );
+
+    const importIntoEnv = await projectEnvDAL.findOne({
+      projectId: folder.projectId,
+      slug: folder.environment.envSlug
+    });
+
+    if (!importIntoEnv) throw new NotFoundError({ message: "Environment to import into not found" });
+
+    return {
+      ...importDoc,
+      projectId: folder.projectId,
+      secretPath: folderWithPath.path,
+      environment: {
+        id: importIntoEnv.id,
+        slug: importIntoEnv.slug,
+        name: importIntoEnv.name
+      }
+    };
+  };
+
   const getSecretsFromImports = async ({
     path: secretPath,
     environment,
@@ -565,6 +624,7 @@ export const secretImportServiceFactory = ({
     updateImport,
     deleteImport,
     getImports,
+    getImportById,
     getSecretsFromImports,
     getRawSecretsFromImports,
     resyncSecretImportReplication,

backend/src/services/secret-import/secret-import-types.ts

@@ -37,6 +37,10 @@ export type TGetSecretImportsDTO = {
   offset?: number;
 } & TProjectPermission;
 
+export type TGetSecretImportByIdDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TGetSecretsFromImportDTO = {
   environment: string;
   path: string;

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -82,7 +82,10 @@ export const fnSecretBulkInsert = async ({
     })
   );
 
-  const newSecrets = await secretDAL.insertMany(sanitizedInputSecrets.map((el) => ({ ...el, folderId })));
+  const newSecrets = await secretDAL.insertMany(
+    sanitizedInputSecrets.map((el) => ({ ...el, folderId })),
+    tx
+  );
   const newSecretGroupedByKeyName = groupBy(newSecrets, (item) => item.key);
   const newSecretTags = inputSecrets.flatMap(({ tagIds: secretTags = [], key }) =>
     secretTags.map((tag) => ({

backend/src/services/secret/secret-queue.ts

@@ -85,7 +85,7 @@ type TSecretQueueFactoryDep = {
   secretTagDAL: TSecretTagDALFactory;
   userDAL: Pick<TUserDALFactory, "findById">;
   secretVersionTagDAL: TSecretVersionTagDALFactory;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  kmsService: TKmsServiceFactory;
   secretV2BridgeDAL: TSecretV2BridgeDALFactory;
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "batchInsert" | "insertMany" | "findLatestVersionMany">;
   secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany" | "batchInsert">;

backend/src/services/smtp/smtp-service.ts

@@ -34,7 +34,10 @@ export enum SmtpTemplates {
   WorkspaceInvite = "workspaceInvitation.handlebars",
   ScimUserProvisioned = "scimUserProvisioned.handlebars",
   PkiExpirationAlert = "pkiExpirationAlert.handlebars",
-  IntegrationSyncFailed = "integrationSyncFailed.handlebars"
+  IntegrationSyncFailed = "integrationSyncFailed.handlebars",
+  ExternalImportSuccessful = "externalImportSuccessful.handlebars",
+  ExternalImportFailed = "externalImportFailed.handlebars",
+  ExternalImportStarted = "externalImportStarted.handlebars"
 }
 
 export enum SmtpHost {

backend/src/services/smtp/templates/externalImportFailed.handlebars

@@ -0,0 +1,21 @@
+<html>
+
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Import failed</title>
+  </head>
+
+  <body>
+    <h2>An import from {{provider}} to Infisical has failed</h2>
+    <p>An import from
+      {{provider}}
+      to Infisical has failed due to unforeseen circumstances. Please re-try your import, and if the issue persists, you
+      can contact the Infisical team at team@infisical.com.
+    </p>
+
+    <p>Error: {{error}}</p>
+
+  </body>
+
+</html>

backend/src/services/smtp/templates/externalImportStarted.handlebars

@@ -0,0 +1,17 @@
+<html>
+
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Import in progress</title>
+  </head>
+
+  <body>
+    <h2>An import from {{provider}} to Infisical is in progress</h2>
+    <p>An import from
+      {{provider}}
+      to Infisical is in progress. The import process may take up to 30 minutes, and you will receive once the import
+      has finished or if it fails.</p>
+  </body>
+
+</html>

backend/src/services/smtp/templates/externalImportSuccessful.handlebars

@@ -0,0 +1,14 @@
+<html>
+
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Import successful</title>
+  </head>
+
+  <body>
+    <h2>An import from {{provider}} to Infisical was successful</h2>
+    <p>An import from {{provider}} was successful. Your data is now available in Infisical.</p>
+  </body>
+
+</html>

docs/api-reference/endpoints/kms/keys/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create Key"
+openapi: "POST /api/v1/kms/keys"
+---

docs/api-reference/endpoints/kms/keys/decrypt.mdx

@@ -0,0 +1,4 @@
+---
+title: "Decrypt Data"
+openapi: "POST /api/v1/kms/keys/{keyId}/decrypt"
+---

docs/api-reference/endpoints/kms/keys/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete Key"
+openapi: "DELETE /api/v1/kms/keys/{keyId}"
+---