misc: finalize org migration script

feat: added tag support on create secret

backend/e2e-test/routes/v1/secret-replication.spec.ts

@@ -118,9 +118,9 @@ describe.each([{ secretPath: "/" }, { secretPath: "/deep" }])(
         value: "stage-value"
       });
 
-      // wait for 5 second for  replication to finish
+      // wait for 10 second for  replication to finish
       await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
+        setTimeout(resolve, 10000); // time to breathe for db
       });
 
       const secret = await getSecretByNameV2({
@@ -173,9 +173,9 @@ describe.each([{ secretPath: "/" }, { secretPath: "/deep" }])(
         value: "prod-value"
       });
 
-      // wait for 5 second for  replication to finish
+      // wait for 10 second for  replication to finish
       await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
+        setTimeout(resolve, 10000); // time to breathe for db
       });
 
       const secret = await getSecretByNameV2({
@@ -343,9 +343,9 @@ describe.each([{ path: "/" }, { path: "/deep" }])(
         value: "prod-value"
       });
 
-      // wait for 5 second for  replication to finish
+      // wait for 10 second for  replication to finish
       await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
+        setTimeout(resolve, 10000); // time to breathe for db
       });
 
       const secret = await getSecretByNameV2({

backend/scripts/migrate-organization.ts

@@ -8,61 +8,80 @@ const prompt = promptSync({
   sigint: true
 });
 
+const sanitizeInputParam = (value: string) => {
+  // Escape double quotes and wrap the entire value in double quotes
+  if (value) {
+    return `"${value.replace(/"/g, '\\"')}"`;
+  }
+  return '""';
+};
+
 const exportDb = () => {
-  const exportHost = prompt("Enter your Postgres Host to migrate from: ");
-  const exportPort = prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432";
-  const exportUser = prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical";
-  const exportPassword = prompt("Enter your Postgres Password to migrate from: ");
-  const exportDatabase = prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical";
+  const exportHost = sanitizeInputParam(prompt("Enter your Postgres Host to migrate from: "));
+  const exportPort = sanitizeInputParam(
+    prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432"
+  );
+  const exportUser = sanitizeInputParam(
+    prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical"
+  );
+  const exportPassword = sanitizeInputParam(prompt("Enter your Postgres Password to migrate from: "));
+  const exportDatabase = sanitizeInputParam(
+    prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical"
+  );
 
   // we do not include the audit_log and secret_sharing entries
   execSync(
-    `PGDATABASE="${exportDatabase}" PGPASSWORD="${exportPassword}" PGHOST="${exportHost}" PGPORT=${exportPort} PGUSER=${exportUser} pg_dump infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
+    `PGDATABASE=${exportDatabase} PGPASSWORD=${exportPassword} PGHOST=${exportHost} PGPORT=${exportPort} PGUSER=${exportUser} pg_dump -Fc infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
       __dirname,
-      "../src/db/dump.sql"
+      "../src/db/backup.dump"
     )}`,
     { stdio: "inherit" }
   );
 };
 
 const importDbForOrg = () => {
-  const importHost = prompt("Enter your Postgres Host to migrate to: ");
-  const importPort = prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432";
-  const importUser = prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical";
-  const importPassword = prompt("Enter your Postgres Password to migrate to: ");
-  const importDatabase = prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical";
-  const orgId = prompt("Enter the organization ID to migrate: ");
+  const importHost = sanitizeInputParam(prompt("Enter your Postgres Host to migrate to: "));
+  const importPort = sanitizeInputParam(prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432");
+  const importUser = sanitizeInputParam(
+    prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical"
+  );
+  const importPassword = sanitizeInputParam(prompt("Enter your Postgres Password to migrate to: "));
+  const importDatabase = sanitizeInputParam(
+    prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical"
+  );
+  const orgId = sanitizeInputParam(prompt("Enter the organization ID to migrate: "));
 
-  if (!existsSync(path.join(__dirname, "../src/db/dump.sql"))) {
+  if (!existsSync(path.join(__dirname, "../src/db/backup.dump"))) {
     console.log("File not found, please export the database first.");
     return;
   }
 
   execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -f ${path.join(
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} pg_restore -d ${importDatabase} --verbose ${path.join(
       __dirname,
-      "../src/db/dump.sql"
-    )}`
+      "../src/db/backup.dump"
+    )}`,
+    { maxBuffer: 1024 * 1024 * 4096 }
   );
 
   execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
   );
 
   // delete global/instance-level resources not relevant to the organization to migrate
   // users
   execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
   );
 
   // identities
   execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
   );
 
   // reset slack configuration in superAdmin
   execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
   );
 
   console.log("Organization migrated successfully.");

backend/src/db/migrations/20241110032223_add-missing-oidc-org-cascade-reference.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization);
+    });
+  }
+}

backend/src/keystore/keystore.ts

@@ -29,7 +29,7 @@ export const KeyStorePrefixes = {
 };
 
 export const KeyStoreTtls = {
-  SetSyncSecretIntegrationLastRunTimestampInSeconds: 10,
+  SetSyncSecretIntegrationLastRunTimestampInSeconds: 60,
   AccessTokenStatusUpdateInSeconds: 120
 };
 

backend/src/services/secret/secret-queue.ts

@@ -112,6 +112,8 @@ export type TGetSecrets = {
 };
 
 const MAX_SYNC_SECRET_DEPTH = 5;
+const SYNC_SECRET_DEBOUNCE_INTERVAL_MS = 3000;
+
 export const uniqueSecretQueueKey = (environment: string, secretPath: string) =>
   `secret-queue-dedupe-${environment}-${secretPath}`;
 
@@ -169,6 +171,39 @@ export const secretQueueFactory = ({
     );
   };
 
+  const $generateActor = async (actorId?: string, isManual?: boolean): Promise<Actor> => {
+    if (isManual && actorId) {
+      const user = await userDAL.findById(actorId);
+
+      if (!user) {
+        throw new Error("User not found");
+      }
+
+      return {
+        type: ActorType.USER,
+        metadata: {
+          email: user.email,
+          username: user.username,
+          userId: user.id
+        }
+      };
+    }
+
+    return {
+      type: ActorType.PLATFORM,
+      metadata: {}
+    };
+  };
+
+  const $getJobKey = (projectId: string, environmentSlug: string, secretPath: string) => {
+    // the idea here is a timestamp based id which will be constant in a 3s interval
+    const timestampId = Math.floor(Date.now() / SYNC_SECRET_DEBOUNCE_INTERVAL_MS);
+
+    return `secret-queue-sync_${projectId}_${environmentSlug}_${secretPath}_${timestampId}`
+      .replace("/", "-")
+      .replace(":", "-");
+  };
+
   const addSecretReminder = async ({ oldSecret, newSecret, projectId }: TCreateSecretReminderDTO) => {
     try {
       const appCfg = getConfig();
@@ -466,7 +501,7 @@ export const secretQueueFactory = ({
     dto: TGetSecrets & { isManual?: boolean; actorId?: string; deDupeQueue?: Record<string, boolean> }
   ) => {
     await queueService.queue(QueueName.IntegrationSync, QueueJobs.IntegrationSync, dto, {
-      attempts: 3,
+      attempts: 5,
       delay: 1000,
       backoff: {
         type: "exponential",
@@ -479,10 +514,10 @@ export const secretQueueFactory = ({
 
   const replicateSecrets = async (dto: Omit<TSyncSecretsDTO, "deDupeQueue">) => {
     await queueService.queue(QueueName.SecretReplication, QueueJobs.SecretReplication, dto, {
-      attempts: 3,
+      attempts: 5,
       backoff: {
         type: "exponential",
-        delay: 2000
+        delay: 3000
       },
       removeOnComplete: true,
       removeOnFail: true
@@ -499,6 +534,7 @@ export const secretQueueFactory = ({
     logger.info(
       `syncSecrets: syncing project secrets where [projectId=${dto.projectId}]  [environment=${dto.environmentSlug}] [path=${dto.secretPath}]`
     );
+
     const deDuplicationKey = uniqueSecretQueueKey(dto.environmentSlug, dto.secretPath);
     if (
       !dto.excludeReplication
@@ -523,7 +559,8 @@ export const secretQueueFactory = ({
       {
         removeOnFail: true,
         removeOnComplete: true,
-        delay: 1000,
+        jobId: $getJobKey(dto.projectId, dto.environmentSlug, dto.secretPath),
+        delay: SYNC_SECRET_DEBOUNCE_INTERVAL_MS,
         attempts: 5,
         backoff: {
           type: "exponential",
@@ -532,7 +569,6 @@ export const secretQueueFactory = ({
       }
     );
   };
-
   const sendFailedIntegrationSyncEmails = async (payload: TFailedIntegrationSyncEmailsPayload) => {
     const appCfg = getConfig();
     if (!appCfg.isSmtpConfigured) return;
@@ -540,7 +576,6 @@ export const secretQueueFactory = ({
     await queueService.queue(QueueName.IntegrationSync, QueueJobs.SendFailedIntegrationSyncEmails, payload, {
       jobId: `send-failed-integration-sync-emails-${payload.projectId}-${payload.secretPath}-${payload.environmentSlug}`,
       delay: 1_000 * 60, // 1 minute
-
       removeOnFail: true,
       removeOnComplete: true
     });
@@ -733,80 +768,51 @@ export const secretQueueFactory = ({
         );
       }
 
-      const integrations = await integrationDAL.findByProjectIdV2(projectId, environment); // note: returns array of integrations + integration auths in this environment
-      const toBeSyncedIntegrations = integrations.filter(
-        // note: sync only the integrations sourced from secretPath
-        ({ secretPath: integrationSecPath, isActive }) => isActive && isSamePath(secretPath, integrationSecPath)
+      const lock = await keyStore.acquireLock(
+        [KeyStorePrefixes.SyncSecretIntegrationLock(projectId, environment, secretPath)],
+        60000,
+        {
+          retryCount: 10,
+          retryDelay: 3000,
+          retryJitter: 500
+        }
       );
 
       const integrationsFailedToSync: { integrationId: string; syncMessage?: string }[] = [];
-
-      if (!integrations.length) return;
-      logger.info(
-        `getIntegrationSecrets: secret integration sync started [jobId=${job.id}] [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
-      );
-
-      const lock = await keyStore.acquireLock(
-        [KeyStorePrefixes.SyncSecretIntegrationLock(projectId, environment, secretPath)],
-        10000,
-        {
-          retryCount: 3,
-          retryDelay: 2000
-        }
-      );
       const lockAcquiredTime = new Date();
 
-      const lastRunSyncIntegrationTimestamp = await keyStore.getItem(
-        KeyStorePrefixes.SyncSecretIntegrationLastRunTimestamp(projectId, environment, secretPath)
-      );
-
-      // check whether the integration should wait or not
-      if (lastRunSyncIntegrationTimestamp) {
-        const INTEGRATION_INTERVAL = 2000;
-        const isStaleSyncIntegration = new Date(job.timestamp) < new Date(lastRunSyncIntegrationTimestamp);
-        if (isStaleSyncIntegration) {
-          logger.info(
-            `getIntegrationSecrets: secret integration sync stale [jobId=${job.id}] [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
-          );
-          return;
-        }
-
-        const timeDifferenceWithLastIntegration = getTimeDifferenceInSeconds(
-          lockAcquiredTime.toISOString(),
-          lastRunSyncIntegrationTimestamp
-        );
-        if (timeDifferenceWithLastIntegration < INTEGRATION_INTERVAL && timeDifferenceWithLastIntegration > 0)
-          await new Promise((resolve) => {
-            setTimeout(resolve, 2000 - timeDifferenceWithLastIntegration * 1000);
-          });
-      }
-
-      const generateActor = async (): Promise<Actor> => {
-        if (isManual && actorId) {
-          const user = await userDAL.findById(actorId);
-
-          if (!user) {
-            throw new Error("User not found");
-          }
-
-          return {
-            type: ActorType.USER,
-            metadata: {
-              email: user.email,
-              username: user.username,
-              userId: user.id
-            }
-          };
-        }
-
-        return {
-          type: ActorType.PLATFORM,
-          metadata: {}
-        };
-      };
-
       // akhilmhdh: this try catch is for lock release
       try {
+        const lastRunSyncIntegrationTimestamp = await keyStore.getItem(
+          KeyStorePrefixes.SyncSecretIntegrationLastRunTimestamp(projectId, environment, secretPath)
+        );
+
+        // check whether the integration should wait or not
+        if (lastRunSyncIntegrationTimestamp) {
+          const INTEGRATION_INTERVAL = 2000;
+
+          const timeDifferenceWithLastIntegration = getTimeDifferenceInSeconds(
+            lockAcquiredTime.toISOString(),
+            lastRunSyncIntegrationTimestamp
+          );
+
+          // give some time for integration to breath
+          if (timeDifferenceWithLastIntegration < INTEGRATION_INTERVAL)
+            await new Promise((resolve) => {
+              setTimeout(resolve, INTEGRATION_INTERVAL);
+            });
+        }
+
+        const integrations = await integrationDAL.findByProjectIdV2(projectId, environment); // note: returns array of integrations + integration auths in this environment
+        const toBeSyncedIntegrations = integrations.filter(
+          // note: sync only the integrations sourced from secretPath
+          ({ secretPath: integrationSecPath, isActive }) => isActive && isSamePath(secretPath, integrationSecPath)
+        );
+
+        if (!integrations.length) return;
+        logger.info(
+          `getIntegrationSecrets: secret integration sync started [jobId=${job.id}] [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
+        );
         const secrets = shouldUseSecretV2Bridge
           ? await getIntegrationSecretsV2({
               environment,
@@ -892,7 +898,7 @@ export const secretQueueFactory = ({
 
             await auditLogService.createAuditLog({
               projectId,
-              actor: await generateActor(),
+              actor: await $generateActor(actorId, isManual),
               event: {
                 type: EventType.INTEGRATION_SYNCED,
                 metadata: {
@@ -931,7 +937,7 @@ export const secretQueueFactory = ({
 
             await auditLogService.createAuditLog({
               projectId,
-              actor: await generateActor(),
+              actor: await $generateActor(actorId, isManual),
               event: {
                 type: EventType.INTEGRATION_SYNCED,
                 metadata: {

docs/changelog/overview.mdx

@@ -4,6 +4,17 @@ title: "Changelog"
 
 The changelog below reflects new product developments and updates on a monthly basis.
 
+
+## October 2024
+- Significantly improved performance of audit log operations in UI. 
+- Released [Databricks integration](https://infisical.com/docs/integrations/cloud/databricks). 
+- Added ability to enforce 2FA organization-wide.
+- Added multiple resource to the [Infisical Terraform Provider](https://registry.terraform.io/providers/Infisical/infisical/latest/docs), including AWS and GCP integrations. 
+- Released [Infisical KMS](https://infisical.com/docs/documentation/platform/kms/overview).
+- Added support for [LDAP dynamic secrets](https://infisical.com/docs/documentation/platform/ldap/overview).
+- Enabled changing auth methods for machine identities in the UI.
+- Launched [Infisical EU Cloud](https://eu.infisical.com). 
+
 ## September 2024
 - Improved paginations for identities and secrets. 
 - Significant improvements to the [Infisical Terraform Provider](https://registry.terraform.io/providers/Infisical/infisical/latest/docs). 

docs/internals/permissions.mdx

@@ -3,81 +3,209 @@ title: "Permissions"
 description: "Infisical's permissions system provides granular access control."
 ---
 
-## Summary
+## Overview
 
 The Infisical permissions system is based on a role-based access control (RBAC) model. The system allows you to define roles and assign them to users and machines. Each role has a set of permissions that define what actions a user can perform.
 
-Permissions are built on a subject-action-object model. The subject is the resource permission is being applied to, the action is what the permission allows.
+Permissions are built on a subject-action-object model. The subject is the resource the permission is being applied to, the action is what the permission allows.
 An example of a subject/action combination would be `secrets/read`. This permission allows the subject to read secrets.
 
-Currently Infisical supports 4 actions:
-1. `read`, allows the subject to read the object.
-2. `create`, allows the subject to create the object.
-3. `edit`, allows the subject to edit the object.
-4. `delete`, allows the subject to delete the object.
-
-Most subjects support all 4 actions, but some subjects only support a subset of actions. Please view the table below for a list of subjects and the actions they support.
-
+Refer to the table below for a list of subjects and the actions they support.
 
 ## Subjects and Actions
+
 <Tabs>
 <Tab title="Project Permissions">
 
 <Note>
-  Not all actions are applicable to all subjects. As an example, the `secrets-rollback` subject only supports `read`, and `create` as actions. While `secrets` support `read`, `create`, `edit`, `delete`.
+  Not all actions are applicable to all subjects. As an example, the
+  `secrets-rollback` subject only supports `read`, and `create` as actions.
+  While `secrets` support `read`, `create`, `edit`, `delete`.
 </Note>
 
-  | Subject | Actions |
-  |-----------------------------|---------|
-  | `secrets`                     | `read`, `create`, `edit`, `delete` |
-  | `secret-approval`             | `read`, `create`, `edit`, `delete` |
-  | `secret-rotation`             | `read`, `create`, `edit`, `delete` |
-  | `secret-rollback`             | `read`, `create`                   |
-  | `member`                      | `read`, `create`, `edit`, `delete` |
-  | `groups`                      | `read`, `create`, `edit`, `delete` |
-  | `role`                        | `read`, `create`, `edit`, `delete` |
-  | `integrations`                | `read`, `create`, `edit`, `delete` |
-  | `webhooks`                    | `read`, `create`, `edit`, `delete` | 
-  | `identity`                    | `read`, `create`, `edit`, `delete` |
-  | `service-tokens`              | `read`, `create`, `edit`, `delete` |
-  | `settings`                    | `read`, `create`, `edit`, `delete` |
-  | `environments`                | `read`, `create`, `edit`, `delete` |
-  | `tags`                        | `read`, `create`, `edit`, `delete` |
-  | `audit-logs`                  | `read`, `create`, `edit`, `delete` |
-  | `ip-allowlist`                | `read`, `create`, `edit`, `delete` |
-  | `certificate-authorities`     | `read`, `create`, `edit`, `delete` |
-  | `certificates`                | `read`, `create`, `edit`, `delete` |
-  | `certificate-templates`       | `read`, `create`, `edit`, `delete` |
-  | `pki-alerts`                  | `read`, `create`, `edit`, `delete` |
-  | `pki-collections`             | `read`, `create`, `edit`, `delete` |
-  | `workspace`                   | `edit`, `delete`                   |
-  | `kms`                         | `edit`                             | 
+| Subject                   | Actions                                                                                                     |
+| ------------------------- | ----------------------------------------------------------------------------------------------------------- |
+| `role`                    | `read`, `create`, `edit`, `delete`                                                                          |
+| `member`                  | `read`, `create`, `edit`, `delete`                                                                          |
+| `groups`                  | `read`, `create`, `edit`, `delete`                                                                          |
+| `settings`                | `read`, `create`, `edit`, `delete`                                                                          |
+| `integrations`            | `read`, `create`, `edit`, `delete`                                                                          |
+| `webhooks`                | `read`, `create`, `edit`, `delete`                                                                          |
+| `service-tokens`          | `read`, `create`, `edit`, `delete`                                                                          |
+| `environments`            | `read`, `create`, `edit`, `delete`                                                                          |
+| `tags`                    | `read`, `create`, `edit`, `delete`                                                                          |
+| `audit-logs`              | `read`, `create`, `edit`, `delete`                                                                          |
+| `ip-allowlist`            | `read`, `create`, `edit`, `delete`                                                                          |
+| `workspace`               | `edit`, `delete`                                                                                            |
+| `secrets`                 | `read`, `create`, `edit`, `delete`                                                                          |
+| `secret-folders`          | `read`, `create`, `edit`, `delete`                                                                          |
+| `secret-imports`          | `read`, `create`, `edit`, `delete`                                                                          |
+| `dynamic-secrets`         | `read-root-credential`, `create-root-credential`, `edit-root-credential`, `delete-root-credential`, `lease` |
+| `secret-rollback`         | `read`, `create`                                                                                            |
+| `secret-approval`         | `read`, `create`, `edit`, `delete`                                                                          |
+| `secret-rotation`         | `read`, `create`, `edit`, `delete`                                                                          |
+| `identity`                | `read`, `create`, `edit`, `delete`                                                                          |
+| `certificate-authorities` | `read`, `create`, `edit`, `delete`                                                                          |
+| `certificates`            | `read`, `create`, `edit`, `delete`                                                                          |
+| `certificate-templates`   | `read`, `create`, `edit`, `delete`                                                                          |
+| `pki-alerts`              | `read`, `create`, `edit`, `delete`                                                                          |
+| `pki-collections`         | `read`, `create`, `edit`, `delete`                                                                          |
+| `kms`                     | `edit`                                                                                                      |
+| `cmek`                    | `read`, `create`, `edit`, `delete`, `encrypt`, `decrypt`                                                    |
 
-  These details are especially useful if you're using the API to [create new project roles](../api-reference/endpoints/project-roles/create).
-  The rules outlined on this page, also apply when using our Terraform Provider to manage your Infisical project roles, or any other of our clients that manage project roles.
 </Tab>
 
-
 <Tab title="Organization Permissions">
 
-  <Note>
-    Not all actions are applicable to all subjects. As an example, the `workspace` subject only supports `read`, and `create` as actions. While `member` support `read`, `create`, `edit`, `delete`.
-  </Note>
+<Note>
+  Not all actions are applicable to all subjects. As an example, the `workspace`
+  subject only supports `read`, and `create` as actions. While `member` support
+  `read`, `create`, `edit`, `delete`.
+</Note>
+
+| Subject            | Actions                            |
+| ------------------ | ---------------------------------- |
+| `workspace`        | `read`, `create`                   |
+| `role`             | `read`, `create`, `edit`, `delete` |
+| `member`           | `read`, `create`, `edit`, `delete` |
+| `secret-scanning`  | `read`, `create`, `edit`, `delete` |
+| `settings`         | `read`, `create`, `edit`, `delete` |
+| `incident-account` | `read`, `create`, `edit`, `delete` |
+| `sso`              | `read`, `create`, `edit`, `delete` |
+| `scim`             | `read`, `create`, `edit`, `delete` |
+| `ldap`             | `read`, `create`, `edit`, `delete` |
+| `groups`           | `read`, `create`, `edit`, `delete` |
+| `billing`          | `read`, `create`, `edit`, `delete` |
+| `identity`         | `read`, `create`, `edit`, `delete` |
+| `kms`              | `read`                             |
 
-  | Subject | Actions |
-  |-----------------------------|------------------------------------|
-  | `workspace`                 | `read`, `create`                   |
-  | `role`                      | `read`, `create`, `edit`, `delete` |
-  | `member`                    | `read`, `create`, `edit`, `delete` |
-  | `secret-scanning`           | `read`, `create`, `edit`, `delete` |
-  | `settings`                  | `read`, `create`, `edit`, `delete` |
-  | `incident-account`          | `read`, `create`, `edit`, `delete` |
-  | `sso`                       | `read`, `create`, `edit`, `delete` |
-  | `scim`                      | `read`, `create`, `edit`, `delete` |
-  | `ldap`                      | `read`, `create`, `edit`, `delete` |
-  | `groups`                    | `read`, `create`, `edit`, `delete` |
-  | `billing`                   | `read`, `create`, `edit`, `delete` |
-  | `identity`                  | `read`, `create`, `edit`, `delete` |
-  | `kms`                       | `read`                             |
 </Tab>
-</Tabs>
+</Tabs>
+
+## Inversion
+
+Permission inversion allows you to explicitly deny actions instead of allowing them. This is supported for the following subjects:
+
+- secrets
+- secret-folders
+- secret-imports
+- dynamic-secrets
+- cmek
+
+When a permission is inverted, it changes from an "allow" rule to a "deny" rule. For example:
+
+```typescript
+// Regular permission - allows reading secrets
+{
+  subject: "secrets",
+  action: ["read"]
+}
+
+// Inverted permission - denies reading secrets
+{
+  subject: "secrets",
+  action: ["read"],
+  inverted: true
+}
+```
+
+## Conditions
+
+Conditions allow you to create more granular permissions by specifying criteria that must be met for the permission to apply. This is supported for the following subjects:
+
+- secrets
+- secret-folders
+- secret-imports
+- dynamic-secrets
+
+### Properties
+
+Conditions can be applied to the following properties:
+
+- `environment`: Control access based on environment slugs
+- `secretPath`: Control access based on secret paths
+- `secretName`: Control access based on secret names
+- `secretTags`: Control access based on tags (only supports $in operator)
+
+### Operators
+
+The following operators are available for conditions:
+
+| Operator | Description                        | Example                                               |
+| -------- | ---------------------------------- | ----------------------------------------------------- |
+| `$eq`    | Equal                              | `{ environment: { $eq: "production" } }`              |
+| `$ne`    | Not equal                          | `{ environment: { $ne: "development" } }`             |
+| `$in`    | Matches any value in array         | `{ environment: { $in: ["staging", "production"] } }` |
+| `$glob`  | Pattern matching using glob syntax | `{ secretPath: { $glob: "/app/\*" } }`                |
+
+These details are especially useful if you're using the API to [create new project roles](../api-reference/endpoints/project-roles/create).
+The rules outlined on this page, also apply when using our Terraform Provider to manage your Infisical project roles, or any other of our clients that manage project roles.
+
+## Migrating from permission V1 to permission V2
+
+When upgrading to V2 permissions (i.e. when moving from using the `permissions` to `permissions_v2` field in your Terraform configurations, or upgrading to the V2 permission API), you'll need to update your permission structure as follows:
+
+Any permissions for `secrets` should be expanded to include equivalent permissions for:
+
+- `secret-imports`
+- `secret-folders` (except for read permissions)
+- `dynamic-secrets`
+
+For dynamic secrets, the actions need to be mapped differently:
+
+- `read` → `read-root-credential`
+- `create` → `create-root-credential`
+- `edit` → `edit-root-credential` (also adds `lease` permission)
+- `delete` → `delete-root-credential`
+
+Example:
+
+```hcl
+# Old V1 configuration
+resource "infisical_project_role" "example" {
+  name = "example"
+  permissions = [
+    {
+      subject = "secrets"
+      action = "read"
+    },
+    {
+      subject = "secrets"
+      action = "edit"
+    }
+  ]
+}
+
+# New V2 configuration
+resource "infisical_project_role" "example" {
+  name = "example"
+  permissions_v2 = [
+    # Original secrets permission
+    {
+      subject = "secrets"
+      action = ["read", "edit"]
+      inverted = false
+    },
+    # Add equivalent secret-imports permission
+    {
+      subject = "secret-imports"
+      action = ["read", "edit"]
+      inverted = false
+    },
+    # Add secret-folders permission (without read)
+    {
+      subject = "secret-folders"
+      action = ["edit"]
+      inverted = false
+    },
+    # Add dynamic-secrets permission with mapped actions
+    {
+      subject = "dynamic-secrets"
+      action = ["read-root-credential", "edit-root-credential", "lease"]
+      inverted = false
+    }
+  ]
+}
+```
+
+Note: When moving to V2 permissions, make sure to include all the necessary expanded permissions based on your original `secrets` permissions.

frontend/package-lock.json

@@ -65,7 +65,6 @@
         "i18next-browser-languagedetector": "^7.0.1",
         "i18next-http-backend": "^2.2.0",
         "infisical-node": "^1.0.37",
-        "ip": "^2.0.1",
         "jspdf": "^2.5.2",
         "jsrp": "^0.2.4",
         "jwt-decode": "^3.1.2",
@@ -15976,11 +15975,6 @@
         "loose-envify": "^1.0.0"
       }
     },
-    "node_modules/ip": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.1.tgz",
-      "integrity": "sha512-lJUL9imLTNi1ZfXT+DU6rBBdbiKGBuay9B6xGSPVjUeQwaH1RIGqef8RZkUtHioLmSNpPR5M4HVKJGm1j8FWVQ=="
-    },
     "node_modules/ipaddr.js": {
       "version": "1.9.1",
       "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",

frontend/package.json

@@ -78,7 +78,6 @@
     "i18next-browser-languagedetector": "^7.0.1",
     "i18next-http-backend": "^2.2.0",
     "infisical-node": "^1.0.37",
-    "ip": "^2.0.1",
     "jspdf": "^2.5.2",
     "jsrp": "^0.2.4",
     "jwt-decode": "^3.1.2",

frontend/src/hooks/api/secrets/mutations.tsx

@@ -31,7 +31,8 @@ export const useCreateSecretV3 = ({
       secretKey,
       secretValue,
       secretComment,
-      skipMultilineEncoding
+      skipMultilineEncoding,
+      tagIds
     }) => {
       const { data } = await apiRequest.post(`/api/v3/secrets/raw/${secretKey}`, {
         secretPath,
@@ -40,7 +41,8 @@ export const useCreateSecretV3 = ({
         workspaceId,
         secretValue,
         secretComment,
-        skipMultilineEncoding
+        skipMultilineEncoding,
+        tagIds
       });
       return data;
     },

frontend/src/hooks/api/secrets/types.ts

@@ -132,6 +132,7 @@ export type TCreateSecretsV3DTO = {
   workspaceId: string;
   environment: string;
   type: SecretType;
+  tagIds?: string[];
 };
 
 export type TUpdateSecretsV3DTO = {

frontend/src/views/SecretMainPage/SecretMainPage.tsx

@@ -9,7 +9,14 @@ import { twMerge } from "tailwind-merge";
 import NavHeader from "@app/components/navigation/NavHeader";
 import { createNotification } from "@app/components/notifications";
 import { PermissionDeniedBanner } from "@app/components/permissions";
-import { Checkbox, ContentLoader, Pagination, Tooltip } from "@app/components/v2";
+import {
+  Checkbox,
+  ContentLoader,
+  Modal,
+  ModalContent,
+  Pagination,
+  Tooltip
+} from "@app/components/v2";
 import {
   ProjectPermissionActions,
   ProjectPermissionDynamicSecretActions,
@@ -41,7 +48,10 @@ import { SecretDropzone } from "./components/SecretDropzone";
 import { SecretListView, SecretNoAccessListView } from "./components/SecretListView";
 import { SnapshotView } from "./components/SnapshotView";
 import {
+  PopUpNames,
   StoreProvider,
+  usePopUpAction,
+  usePopUpState,
   useSelectedSecretActions,
   useSelectedSecrets
 } from "./SecretMainPage.store";
@@ -123,6 +133,9 @@ const SecretMainPageContent = () => {
   const [debouncedSearchFilter, setDebouncedSearchFilter] = useDebounce(filter.searchFilter);
   const [filterHistory, setFilterHistory] = useState<Map<string, Filter>>(new Map());
 
+  const createSecretPopUp = usePopUpState(PopUpNames.CreateSecretForm);
+  const { togglePopUp } = usePopUpAction();
+
   useEffect(() => {
     if (
       !isWorkspaceLoading &&
@@ -520,13 +533,24 @@ const SecretMainPageContent = () => {
               onChangePerPage={(newPerPage) => setPerPage(newPerPage)}
             />
           )}
-          <CreateSecretForm
-            environment={environment}
-            workspaceId={workspaceId}
-            secretPath={secretPath}
-            autoCapitalize={currentWorkspace?.autoCapitalization}
-            isProtectedBranch={isProtectedBranch}
-          />
+          <Modal
+            isOpen={createSecretPopUp.isOpen}
+            onOpenChange={(state) => togglePopUp(PopUpNames.CreateSecretForm, state)}
+          >
+            <ModalContent
+              title="Create Secret"
+              subTitle="Add a secret to this particular environment and folder"
+              bodyClassName="overflow-visible"
+            >
+              <CreateSecretForm
+                environment={environment}
+                workspaceId={workspaceId}
+                secretPath={secretPath}
+                autoCapitalize={currentWorkspace?.autoCapitalization}
+                isProtectedBranch={isProtectedBranch}
+              />
+            </ModalContent>
+          </Modal>
           <SecretDropzone
             secrets={secrets}
             environment={environment}

frontend/src/views/SecretMainPage/components/CreateSecretForm/CreateSecretForm.tsx

@@ -1,20 +1,24 @@
 import { ClipboardEvent } from "react";
 import { Controller, useForm } from "react-hook-form";
+import { faTriangleExclamation } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";
 
 import { createNotification } from "@app/components/notifications";
-import { Button, FormControl, Input, Modal, ModalContent } from "@app/components/v2";
+import { Button, FormControl, Input, MultiSelect } from "@app/components/v2";
 import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
+import { ProjectPermissionActions, ProjectPermissionSub, useProjectPermission } from "@app/context";
 import { getKeyValue } from "@app/helpers/parseEnvVar";
-import { useCreateSecretV3 } from "@app/hooks/api";
+import { useCreateSecretV3, useGetWsTags } from "@app/hooks/api";
 import { SecretType } from "@app/hooks/api/types";
 
-import { PopUpNames, usePopUpAction, usePopUpState } from "../../SecretMainPage.store";
+import { PopUpNames, usePopUpAction } from "../../SecretMainPage.store";
 
 const typeSchema = z.object({
   key: z.string().trim().min(1, { message: "Secret key is required" }),
-  value: z.string().optional()
+  value: z.string().optional(),
+  tags: z.array(z.object({ label: z.string().trim(), value: z.string().trim() })).optional()
 });
 
 type TFormSchema = z.infer<typeof typeSchema>;
@@ -43,12 +47,16 @@ export const CreateSecretForm = ({
     setValue,
     formState: { errors, isSubmitting }
   } = useForm<TFormSchema>({ resolver: zodResolver(typeSchema) });
-  const { isOpen } = usePopUpState(PopUpNames.CreateSecretForm);
-  const { closePopUp, togglePopUp } = usePopUpAction();
+  const { closePopUp } = usePopUpAction();
 
   const { mutateAsync: createSecretV3 } = useCreateSecretV3();
+  const { permission } = useProjectPermission();
+  const canReadTags = permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
+  const { data: projectTags, isLoading: isTagsLoading } = useGetWsTags(
+    canReadTags ? workspaceId : ""
+  );
 
-  const handleFormSubmit = async ({ key, value }: TFormSchema) => {
+  const handleFormSubmit = async ({ key, value, tags }: TFormSchema) => {
     try {
       await createSecretV3({
         environment,
@@ -57,7 +65,8 @@ export const CreateSecretForm = ({
         secretKey: key,
         secretValue: value || "",
         secretComment: "",
-        type: SecretType.Shared
+        type: SecretType.Shared,
+        tagIds: tags?.map((el) => el.value)
       });
       closePopUp(PopUpNames.CreateSecretForm);
       reset();
@@ -88,67 +97,90 @@ export const CreateSecretForm = ({
   };
 
   return (
-    <Modal
-      isOpen={isOpen}
-      onOpenChange={(state) => togglePopUp(PopUpNames.CreateSecretForm, state)}
-    >
-      <ModalContent
-        title="Create secret"
-        subTitle="Add a secret to the particular environment and folder"
+    <form onSubmit={handleSubmit(handleFormSubmit)} noValidate>
+      <FormControl
+        label="Key"
+        isRequired
+        isError={Boolean(errors?.key)}
+        errorText={errors?.key?.message}
       >
-        <form onSubmit={handleSubmit(handleFormSubmit)} noValidate>
+        <Input
+          {...register("key")}
+          placeholder="Type your secret name"
+          onPaste={handlePaste}
+          autoCapitalization={autoCapitalize}
+        />
+      </FormControl>
+      <Controller
+        control={control}
+        name="value"
+        render={({ field }) => (
           <FormControl
-            label="Key"
-            isRequired
-            isError={Boolean(errors?.key)}
-            errorText={errors?.key?.message}
+            label="Value"
+            isError={Boolean(errors?.value)}
+            errorText={errors?.value?.message}
           >
-            <Input
-              {...register("key")}
-              placeholder="Type your secret name"
-              onPaste={handlePaste}
-              autoCapitalization={autoCapitalize}
+            <InfisicalSecretInput
+              {...field}
+              environment={environment}
+              secretPath={secretPath}
+              containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-mineshaft-900 px-2 py-1.5"
             />
           </FormControl>
-          <Controller
-            control={control}
-            name="value"
-            render={({ field }) => (
-              <FormControl
-                label="Value"
-                isError={Boolean(errors?.value)}
-                errorText={errors?.value?.message}
-              >
-                <InfisicalSecretInput
-                  {...field}
-                  environment={environment}
-                  secretPath={secretPath}
-                  containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-mineshaft-900 px-2 py-1.5"
-                />
-              </FormControl>
-            )}
-          />
-          <div className="mt-7 flex items-center">
-            <Button
-              isDisabled={isSubmitting}
-              isLoading={isSubmitting}
-              key="layout-create-project-submit"
-              className="mr-4"
-              type="submit"
-            >
-              Create Secret
-            </Button>
-            <Button
-              key="layout-cancel-create-project"
-              onClick={() => closePopUp(PopUpNames.CreateSecretForm)}
-              variant="plain"
-              colorSchema="secondary"
-            >
-              Cancel
-            </Button>
-          </div>
-        </form>
-      </ModalContent>
-    </Modal>
+        )}
+      />
+      <Controller
+        control={control}
+        name="tags"
+        render={({ field }) => (
+          <FormControl
+            label="Tags"
+            isError={Boolean(errors?.value)}
+            errorText={errors?.value?.message}
+            helperText={
+              !canReadTags ? (
+                <div className="flex items-center space-x-2">
+                  <FontAwesomeIcon icon={faTriangleExclamation} className="text-yellow-400" />
+                  <span>You do not have permission to read tags.</span>
+                </div>
+              ) : (
+                ""
+              )
+            }
+          >
+            <MultiSelect
+              className="w-full"
+              placeholder="Select tags to assign to secret..."
+              isMulti
+              name="tagIds"
+              isDisabled={!canReadTags}
+              isLoading={isTagsLoading}
+              options={projectTags?.map((el) => ({ label: el.slug, value: el.id }))}
+              value={field.value}
+              onChange={field.onChange}
+            />
+          </FormControl>
+        )}
+      />
+      <div className="mt-7 flex items-center">
+        <Button
+          isDisabled={isSubmitting}
+          isLoading={isSubmitting}
+          key="layout-create-project-submit"
+          className="mr-4"
+          type="submit"
+        >
+          Create Secret
+        </Button>
+        <Button
+          key="layout-cancel-create-project"
+          onClick={() => closePopUp(PopUpNames.CreateSecretForm)}
+          variant="plain"
+          colorSchema="secondary"
+        >
+          Cancel
+        </Button>
+      </div>
+    </form>
   );
 };

frontend/src/views/SecretOverviewPage/SecretOverviewPage.tsx

@@ -1116,13 +1116,23 @@ export const SecretOverviewPage = () => {
           )}
         </div>
       </div>
-      <CreateSecretForm
-        secretPath={secretPath}
+      <Modal
         isOpen={popUp.addSecretsInAllEnvs.isOpen}
-        getSecretByKey={getSecretByKey}
-        onTogglePopUp={(isOpen) => handlePopUpToggle("addSecretsInAllEnvs", isOpen)}
-        onClose={() => handlePopUpClose("addSecretsInAllEnvs")}
-      />
+        onOpenChange={(isOpen) => handlePopUpToggle("addSecretsInAllEnvs", isOpen)}
+      >
+        <ModalContent
+          className="max-h-[80vh]"
+          bodyClassName="overflow-visible"
+          title="Create Secrets"
+          subTitle="Create a secret across multiple environments"
+        >
+          <CreateSecretForm
+            secretPath={secretPath}
+            getSecretByKey={getSecretByKey}
+            onClose={() => handlePopUpClose("addSecretsInAllEnvs")}
+          />
+        </ModalContent>
+      </Modal>
       <Modal
         isOpen={popUp.addFolder.isOpen}
         onOpenChange={(isOpen) => handlePopUpToggle("addFolder", isOpen)}

frontend/src/views/SecretOverviewPage/components/CreateSecretForm/CreateSecretForm.tsx

@@ -1,7 +1,7 @@
 import { ClipboardEvent } from "react";
 import { Controller, useForm } from "react-hook-form";
 import { subject } from "@casl/ability";
-import { faWarning } from "@fortawesome/free-solid-svg-icons";
+import { faTriangleExclamation, faWarning } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";
@@ -13,8 +13,7 @@ import {
   FormControl,
   FormLabel,
   Input,
-  Modal,
-  ModalContent,
+  MultiSelect,
   Tooltip
 } from "@app/components/v2";
 import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
@@ -25,14 +24,20 @@ import {
   useWorkspace
 } from "@app/context";
 import { getKeyValue } from "@app/helpers/parseEnvVar";
-import { useCreateFolder, useCreateSecretV3, useUpdateSecretV3 } from "@app/hooks/api";
+import {
+  useCreateFolder,
+  useCreateSecretV3,
+  useGetWsTags,
+  useUpdateSecretV3
+} from "@app/hooks/api";
 import { SecretType, SecretV3RawSanitized } from "@app/hooks/api/types";
 
 const typeSchema = z
   .object({
     key: z.string().trim().min(1, "Key is required"),
     value: z.string().optional(),
-    environments: z.record(z.boolean().optional())
+    environments: z.record(z.boolean().optional()),
+    tags: z.array(z.object({ label: z.string().trim(), value: z.string().trim() })).optional()
   })
   .refine((data) => data.key !== undefined, {
     message: "Please enter secret name"
@@ -44,18 +49,10 @@ type Props = {
   secretPath?: string;
   getSecretByKey: (slug: string, key: string) => SecretV3RawSanitized | undefined;
   // modal props
-  isOpen?: boolean;
   onClose: () => void;
-  onTogglePopUp: (isOpen: boolean) => void;
 };
 
-export const CreateSecretForm = ({
-  secretPath = "/",
-  isOpen,
-  getSecretByKey,
-  onClose,
-  onTogglePopUp
-}: Props) => {
+export const CreateSecretForm = ({ secretPath = "/", getSecretByKey, onClose }: Props) => {
   const {
     register,
     handleSubmit,
@@ -69,14 +66,18 @@ export const CreateSecretForm = ({
 
   const { currentWorkspace } = useWorkspace();
   const { permission } = useProjectPermission();
+  const canReadTags = permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
   const workspaceId = currentWorkspace?.id || "";
   const environments = currentWorkspace?.environments || [];
 
   const { mutateAsync: createSecretV3 } = useCreateSecretV3();
   const { mutateAsync: updateSecretV3 } = useUpdateSecretV3();
   const { mutateAsync: createFolder } = useCreateFolder();
+  const { data: projectTags, isLoading: isTagsLoading } = useGetWsTags(
+    canReadTags ? workspaceId : ""
+  );
 
-  const handleFormSubmit = async ({ key, value, environments: selectedEnv }: TFormSchema) => {
+  const handleFormSubmit = async ({ key, value, environments: selectedEnv, tags }: TFormSchema) => {
     const environmentsSelected = environments.filter(({ slug }) => selectedEnv[slug]);
     const isEnvironmentsSelected = environmentsSelected.length;
 
@@ -120,7 +121,8 @@ export const CreateSecretForm = ({
             secretPath,
             secretKey: key,
             secretValue: value || "",
-            type: SecretType.Shared
+            type: SecretType.Shared,
+            tagIds: tags?.map((el) => el.value)
           })),
           environment
         };
@@ -134,7 +136,8 @@ export const CreateSecretForm = ({
           secretKey: key,
           secretValue: value || "",
           secretComment: "",
-          type: SecretType.Shared
+          type: SecretType.Shared,
+          tagIds: tags?.map((el) => el.value)
         })),
         environment
       };
@@ -197,114 +200,136 @@ export const CreateSecretForm = ({
   };
 
   return (
-    <Modal isOpen={isOpen} onOpenChange={onTogglePopUp}>
-      <ModalContent
-        className="max-h-[80vh] overflow-y-auto"
-        title="Bulk Create & Update"
-        subTitle="Create & update a secret across many environments"
+    <form onSubmit={handleSubmit(handleFormSubmit)} noValidate>
+      <FormControl
+        label="Key"
+        isRequired
+        isError={Boolean(errors?.key)}
+        errorText={errors?.key?.message}
       >
-        <form onSubmit={handleSubmit(handleFormSubmit)} noValidate>
+        <Input
+          {...register("key")}
+          placeholder="Type your secret name"
+          onPaste={handlePaste}
+          autoCapitalization={currentWorkspace?.autoCapitalization}
+        />
+      </FormControl>
+      <Controller
+        control={control}
+        name="value"
+        render={({ field }) => (
           <FormControl
-            label="Key"
-            isRequired
-            isError={Boolean(errors?.key)}
-            errorText={errors?.key?.message}
+            label="Value"
+            isError={Boolean(errors?.value)}
+            errorText={errors?.value?.message}
           >
-            <Input
-              {...register("key")}
-              placeholder="Type your secret name"
-              onPaste={handlePaste}
-              autoCapitalization={currentWorkspace?.autoCapitalization}
+            <InfisicalSecretInput
+              {...field}
+              containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-mineshaft-900 px-2 py-1.5"
             />
           </FormControl>
-          <Controller
-            control={control}
-            name="value"
-            render={({ field }) => (
-              <FormControl
-                label="Value"
-                isError={Boolean(errors?.value)}
-                errorText={errors?.value?.message}
-              >
-                <InfisicalSecretInput
-                  {...field}
-                  containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-mineshaft-900 px-2 py-1.5"
-                />
-              </FormControl>
-            )}
-          />
-          <FormLabel label="Environments" className="mb-2" />
-          <div className="thin-scrollbar grid max-h-64 grid-cols-3 gap-4 overflow-auto py-2">
-            {environments
-              .filter((environmentSlug) =>
-                permission.can(
-                  ProjectPermissionActions.Create,
-                  subject(ProjectPermissionSub.Secrets, {
-                    environment: environmentSlug.slug,
-                    secretPath,
-                    secretName: "*",
-                    secretTags: ["*"]
-                  })
-                )
+        )}
+      />
+      <Controller
+        control={control}
+        name="tags"
+        render={({ field }) => (
+          <FormControl
+            label="Tags"
+            isError={Boolean(errors?.value)}
+            errorText={errors?.value?.message}
+            helperText={
+              !canReadTags ? (
+                <div className="flex items-center space-x-2">
+                  <FontAwesomeIcon icon={faTriangleExclamation} className="text-yellow-400" />
+                  <span>You do not have permission to read tags.</span>
+                </div>
+              ) : (
+                ""
               )
-              .map((env) => {
-                return (
-                  <Controller
-                    name={`environments.${env.slug}`}
-                    key={`secret-input-${env.slug}`}
-                    control={control}
-                    render={({ field }) => (
-                      <Checkbox
-                        isChecked={field.value}
-                        onCheckedChange={field.onChange}
-                        id={`secret-input-${env.slug}`}
-                        className="!justify-start"
-                      >
-                        <span className="flex w-full flex-row items-center justify-start whitespace-pre-wrap">
-                          <span title={env.name} className="truncate">
-                            {env.name}
-                          </span>
-                          <span>
-                            {getSecretByKey(env.slug, newSecretKey) && (
-                              <Tooltip
-                                className="max-w-[150px]"
-                                content="Secret already exists, and it will be overwritten"
-                              >
-                                <FontAwesomeIcon
-                                  icon={faWarning}
-                                  className="ml-1 text-yellow-400"
-                                />
-                              </Tooltip>
-                            )}
-                          </span>
-                        </span>
-                      </Checkbox>
-                    )}
-                  />
-                );
-              })}
-          </div>
-          <div className="mt-7 flex items-center">
-            <Button
-              isDisabled={isSubmitting}
-              isLoading={isSubmitting}
-              key="layout-create-project-submit"
-              className="mr-4"
-              type="submit"
-            >
-              Create Secret
-            </Button>
-            <Button
-              key="layout-cancel-create-project"
-              onClick={onClose}
-              variant="plain"
-              colorSchema="secondary"
-            >
-              Cancel
-            </Button>
-          </div>
-        </form>
-      </ModalContent>
-    </Modal>
+            }
+          >
+            <MultiSelect
+              className="w-full"
+              placeholder="Select tags to assign to secrets..."
+              isMulti
+              name="tagIds"
+              isDisabled={!canReadTags}
+              isLoading={isTagsLoading}
+              options={projectTags?.map((el) => ({ label: el.slug, value: el.id }))}
+              value={field.value}
+              onChange={field.onChange}
+            />
+          </FormControl>
+        )}
+      />
+      <FormLabel label="Environments" className="mb-2" />
+      <div className="thin-scrollbar grid max-h-64 grid-cols-3 gap-4 overflow-auto py-2">
+        {environments
+          .filter((environmentSlug) =>
+            permission.can(
+              ProjectPermissionActions.Create,
+              subject(ProjectPermissionSub.Secrets, {
+                environment: environmentSlug.slug,
+                secretPath,
+                secretName: "*",
+                secretTags: ["*"]
+              })
+            )
+          )
+          .map((env) => {
+            return (
+              <Controller
+                name={`environments.${env.slug}`}
+                key={`secret-input-${env.slug}`}
+                control={control}
+                render={({ field }) => (
+                  <Checkbox
+                    isChecked={field.value}
+                    onCheckedChange={field.onChange}
+                    id={`secret-input-${env.slug}`}
+                    className="!justify-start"
+                  >
+                    <span className="flex w-full flex-row items-center justify-start whitespace-pre-wrap">
+                      <span title={env.name} className="truncate">
+                        {env.name}
+                      </span>
+                      <span>
+                        {getSecretByKey(env.slug, newSecretKey) && (
+                          <Tooltip
+                            className="max-w-[150px]"
+                            content="Secret already exists, and it will be overwritten"
+                          >
+                            <FontAwesomeIcon icon={faWarning} className="ml-1 text-yellow-400" />
+                          </Tooltip>
+                        )}
+                      </span>
+                    </span>
+                  </Checkbox>
+                )}
+              />
+            );
+          })}
+      </div>
+      <div className="mt-7 flex items-center">
+        <Button
+          isDisabled={isSubmitting}
+          isLoading={isSubmitting}
+          key="layout-create-project-submit"
+          className="mr-4"
+          type="submit"
+        >
+          Create Secret
+        </Button>
+        <Button
+          key="layout-cancel-create-project"
+          onClick={onClose}
+          variant="plain"
+          colorSchema="secondary"
+        >
+          Cancel
+        </Button>
+      </div>
+    </form>
   );
 };