Update SecretDetailSidebar.tsx

docs: go sdk bulk create secrets

backend/package.json

@@ -139,9 +139,9 @@
     "@fastify/swagger-ui": "^2.1.0",
     "@google-cloud/kms": "^4.5.0",
     "@node-saml/passport-saml": "^4.0.4",
-    "@octokit/auth-app": "^7.1.1",
-    "@octokit/plugin-retry": "^5.0.5",
-    "@octokit/rest": "^20.0.2",
+    "@octokit/auth-app": "^7.1.5",
+    "@octokit/plugin-retry": "^7.1.4",
+    "@octokit/rest": "^21.1.1",
     "@octokit/webhooks-types": "^7.3.1",
     "@octopusdeploy/api-client": "^3.4.1",
     "@opentelemetry/api": "^1.9.0",

backend/src/@types/fastify.d.ts

@@ -16,6 +16,9 @@ import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/extern
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
+import { TKmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
+import { TKmipOperationServiceFactory } from "@app/ee/services/kmip/kmip-operation-service";
+import { TKmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
@@ -126,6 +129,11 @@ declare module "fastify" {
       isUserCompleted: string;
       providerAuthToken: string;
     };
+    kmipUser: {
+      projectId: string;
+      clientId: string;
+      name: string;
+    };
     auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
     ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
     ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
@@ -218,11 +226,14 @@ declare module "fastify" {
       totp: TTotpServiceFactory;
       appConnection: TAppConnectionServiceFactory;
       secretSync: TSecretSyncServiceFactory;
+      kmip: TKmipServiceFactory;
+      kmipOperation: TKmipOperationServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer
     store: {
       user: Pick<TUserDALFactory, "findById">;
+      kmipClient: Pick<TKmipClientDALFactory, "findByProjectAndClientId">;
     };
   }
 }

backend/src/@types/knex.d.ts

@@ -143,6 +143,18 @@ import {
   TInternalKms,
   TInternalKmsInsert,
   TInternalKmsUpdate,
+  TKmipClientCertificates,
+  TKmipClientCertificatesInsert,
+  TKmipClientCertificatesUpdate,
+  TKmipClients,
+  TKmipClientsInsert,
+  TKmipClientsUpdate,
+  TKmipOrgConfigs,
+  TKmipOrgConfigsInsert,
+  TKmipOrgConfigsUpdate,
+  TKmipOrgServerCertificates,
+  TKmipOrgServerCertificatesInsert,
+  TKmipOrgServerCertificatesUpdate,
   TKmsKeys,
   TKmsKeysInsert,
   TKmsKeysUpdate,
@@ -902,5 +914,21 @@ declare module "knex/types/tables" {
       TAppConnectionsUpdate
     >;
     [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
+    [TableName.KmipClient]: KnexOriginal.CompositeTableType<TKmipClients, TKmipClientsInsert, TKmipClientsUpdate>;
+    [TableName.KmipOrgConfig]: KnexOriginal.CompositeTableType<
+      TKmipOrgConfigs,
+      TKmipOrgConfigsInsert,
+      TKmipOrgConfigsUpdate
+    >;
+    [TableName.KmipOrgServerCertificates]: KnexOriginal.CompositeTableType<
+      TKmipOrgServerCertificates,
+      TKmipOrgServerCertificatesInsert,
+      TKmipOrgServerCertificatesUpdate
+    >;
+    [TableName.KmipClientCertificates]: KnexOriginal.CompositeTableType<
+      TKmipClientCertificates,
+      TKmipClientCertificatesInsert,
+      TKmipClientCertificatesUpdate
+    >;
   }
 }

backend/src/db/migrations/20250203141127_add-kmip.ts

@@ -0,0 +1,108 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
+  if (!hasKmipClientTable) {
+    await knex.schema.createTable(TableName.KmipClient, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name").notNullable();
+      t.specificType("permissions", "text[]");
+      t.string("description");
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+    });
+  }
+
+  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
+  if (!hasKmipOrgPkiConfig) {
+    await knex.schema.createTable(TableName.KmipOrgConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.unique("orgId");
+
+      t.string("caKeyAlgorithm").notNullable();
+
+      t.datetime("rootCaIssuedAt").notNullable();
+      t.datetime("rootCaExpiration").notNullable();
+      t.string("rootCaSerialNumber").notNullable();
+      t.binary("encryptedRootCaCertificate").notNullable();
+      t.binary("encryptedRootCaPrivateKey").notNullable();
+
+      t.datetime("serverIntermediateCaIssuedAt").notNullable();
+      t.datetime("serverIntermediateCaExpiration").notNullable();
+      t.string("serverIntermediateCaSerialNumber");
+      t.binary("encryptedServerIntermediateCaCertificate").notNullable();
+      t.binary("encryptedServerIntermediateCaChain").notNullable();
+      t.binary("encryptedServerIntermediateCaPrivateKey").notNullable();
+
+      t.datetime("clientIntermediateCaIssuedAt").notNullable();
+      t.datetime("clientIntermediateCaExpiration").notNullable();
+      t.string("clientIntermediateCaSerialNumber").notNullable();
+      t.binary("encryptedClientIntermediateCaCertificate").notNullable();
+      t.binary("encryptedClientIntermediateCaChain").notNullable();
+      t.binary("encryptedClientIntermediateCaPrivateKey").notNullable();
+
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.KmipOrgConfig);
+  }
+
+  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
+  if (!hasKmipOrgServerCertTable) {
+    await knex.schema.createTable(TableName.KmipOrgServerCertificates, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.string("commonName").notNullable();
+      t.string("altNames").notNullable();
+      t.string("serialNumber").notNullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("issuedAt").notNullable();
+      t.datetime("expiration").notNullable();
+      t.binary("encryptedCertificate").notNullable();
+      t.binary("encryptedChain").notNullable();
+    });
+  }
+
+  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
+  if (!hasKmipClientCertTable) {
+    await knex.schema.createTable(TableName.KmipClientCertificates, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("kmipClientId").notNullable();
+      t.foreign("kmipClientId").references("id").inTable(TableName.KmipClient).onDelete("CASCADE");
+      t.string("serialNumber").notNullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("issuedAt").notNullable();
+      t.datetime("expiration").notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
+  if (hasKmipOrgPkiConfig) {
+    await knex.schema.dropTable(TableName.KmipOrgConfig);
+    await dropOnUpdateTrigger(knex, TableName.KmipOrgConfig);
+  }
+
+  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
+  if (hasKmipOrgServerCertTable) {
+    await knex.schema.dropTable(TableName.KmipOrgServerCertificates);
+  }
+
+  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
+  if (hasKmipClientCertTable) {
+    await knex.schema.dropTable(TableName.KmipClientCertificates);
+  }
+
+  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
+  if (hasKmipClientTable) {
+    await knex.schema.dropTable(TableName.KmipClient);
+  }
+}

backend/src/db/schemas/index.ts

@@ -45,6 +45,10 @@ export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
 export * from "./internal-kms";
+export * from "./kmip-client-certificates";
+export * from "./kmip-clients";
+export * from "./kmip-org-configs";
+export * from "./kmip-org-server-certificates";
 export * from "./kms-key-versions";
 export * from "./kms-keys";
 export * from "./kms-root-config";

backend/src/db/schemas/kmip-client-certificates.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipClientCertificatesSchema = z.object({
+  id: z.string().uuid(),
+  kmipClientId: z.string().uuid(),
+  serialNumber: z.string(),
+  keyAlgorithm: z.string(),
+  issuedAt: z.date(),
+  expiration: z.date()
+});
+
+export type TKmipClientCertificates = z.infer<typeof KmipClientCertificatesSchema>;
+export type TKmipClientCertificatesInsert = Omit<z.input<typeof KmipClientCertificatesSchema>, TImmutableDBKeys>;
+export type TKmipClientCertificatesUpdate = Partial<
+  Omit<z.input<typeof KmipClientCertificatesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/kmip-clients.ts

@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipClientsSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  permissions: z.string().array().nullable().optional(),
+  description: z.string().nullable().optional(),
+  projectId: z.string()
+});
+
+export type TKmipClients = z.infer<typeof KmipClientsSchema>;
+export type TKmipClientsInsert = Omit<z.input<typeof KmipClientsSchema>, TImmutableDBKeys>;
+export type TKmipClientsUpdate = Partial<Omit<z.input<typeof KmipClientsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/kmip-org-configs.ts

@@ -0,0 +1,39 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipOrgConfigsSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  caKeyAlgorithm: z.string(),
+  rootCaIssuedAt: z.date(),
+  rootCaExpiration: z.date(),
+  rootCaSerialNumber: z.string(),
+  encryptedRootCaCertificate: zodBuffer,
+  encryptedRootCaPrivateKey: zodBuffer,
+  serverIntermediateCaIssuedAt: z.date(),
+  serverIntermediateCaExpiration: z.date(),
+  serverIntermediateCaSerialNumber: z.string().nullable().optional(),
+  encryptedServerIntermediateCaCertificate: zodBuffer,
+  encryptedServerIntermediateCaChain: zodBuffer,
+  encryptedServerIntermediateCaPrivateKey: zodBuffer,
+  clientIntermediateCaIssuedAt: z.date(),
+  clientIntermediateCaExpiration: z.date(),
+  clientIntermediateCaSerialNumber: z.string(),
+  encryptedClientIntermediateCaCertificate: zodBuffer,
+  encryptedClientIntermediateCaChain: zodBuffer,
+  encryptedClientIntermediateCaPrivateKey: zodBuffer,
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TKmipOrgConfigs = z.infer<typeof KmipOrgConfigsSchema>;
+export type TKmipOrgConfigsInsert = Omit<z.input<typeof KmipOrgConfigsSchema>, TImmutableDBKeys>;
+export type TKmipOrgConfigsUpdate = Partial<Omit<z.input<typeof KmipOrgConfigsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/kmip-org-server-certificates.ts

@@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipOrgServerCertificatesSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  commonName: z.string(),
+  altNames: z.string(),
+  serialNumber: z.string(),
+  keyAlgorithm: z.string(),
+  issuedAt: z.date(),
+  expiration: z.date(),
+  encryptedCertificate: zodBuffer,
+  encryptedChain: zodBuffer
+});
+
+export type TKmipOrgServerCertificates = z.infer<typeof KmipOrgServerCertificatesSchema>;
+export type TKmipOrgServerCertificatesInsert = Omit<z.input<typeof KmipOrgServerCertificatesSchema>, TImmutableDBKeys>;
+export type TKmipOrgServerCertificatesUpdate = Partial<
+  Omit<z.input<typeof KmipOrgServerCertificatesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/models.ts

@@ -132,7 +132,11 @@ export enum TableName {
   SlackIntegrations = "slack_integrations",
   ProjectSlackConfigs = "project_slack_configs",
   AppConnection = "app_connections",
-  SecretSync = "secret_syncs"
+  SecretSync = "secret_syncs",
+  KmipClient = "kmip_clients",
+  KmipOrgConfig = "kmip_org_configs",
+  KmipOrgServerCertificates = "kmip_org_server_certificates",
+  KmipClientCertificates = "kmip_client_certificates"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";

backend/src/ee/routes/v1/index.ts

@@ -9,6 +9,8 @@ import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerExternalKmsRouter } from "./external-kms-router";
 import { registerGroupRouter } from "./group-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
+import { registerKmipRouter } from "./kmip-router";
+import { registerKmipSpecRouter } from "./kmip-spec-router";
 import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOidcRouter } from "./oidc-router";
@@ -110,4 +112,12 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   });
 
   await server.register(registerProjectTemplateRouter, { prefix: "/project-templates" });
+
+  await server.register(
+    async (kmipRouter) => {
+      await kmipRouter.register(registerKmipRouter);
+      await kmipRouter.register(registerKmipSpecRouter, { prefix: "/spec" });
+    },
+    { prefix: "/kmip" }
+  );
 };

backend/src/ee/routes/v1/kmip-router.ts

@@ -0,0 +1,428 @@
+import ms from "ms";
+import { z } from "zod";
+
+import { KmipClientsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KmipPermission } from "@app/ee/services/kmip/kmip-enum";
+import { KmipClientOrderBy } from "@app/ee/services/kmip/kmip-types";
+import { OrderByDirection } from "@app/lib/types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+import { validateAltNamesField } from "@app/services/certificate-authority/certificate-authority-validators";
+
+const KmipClientResponseSchema = KmipClientsSchema.pick({
+  projectId: true,
+  name: true,
+  id: true,
+  description: true,
+  permissions: true
+});
+
+export const registerKmipRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/clients",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        projectId: z.string(),
+        name: z.string().trim().min(1),
+        description: z.string().optional(),
+        permissions: z.nativeEnum(KmipPermission).array()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.createKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.CREATE_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id,
+            name: kmipClient.name,
+            permissions: (kmipClient.permissions ?? []) as KmipPermission[]
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/clients/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      body: z.object({
+        name: z.string().trim().min(1),
+        description: z.string().optional(),
+        permissions: z.nativeEnum(KmipPermission).array()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.updateKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.UPDATE_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id,
+            name: kmipClient.name,
+            permissions: (kmipClient.permissions ?? []) as KmipPermission[]
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/clients/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.deleteKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.DELETE_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/clients/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.getKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.GET_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/clients",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List KMIP clients",
+      querystring: z.object({
+        projectId: z.string(),
+        offset: z.coerce.number().min(0).optional().default(0),
+        limit: z.coerce.number().min(1).max(100).optional().default(100),
+        orderBy: z.nativeEnum(KmipClientOrderBy).optional().default(KmipClientOrderBy.Name),
+        orderDirection: z.nativeEnum(OrderByDirection).optional().default(OrderByDirection.ASC),
+        search: z.string().trim().optional()
+      }),
+      response: {
+        200: z.object({
+          kmipClients: KmipClientResponseSchema.array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { kmipClients, totalCount } = await server.services.kmip.listKmipClientsByProjectId({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_KMIP_CLIENTS,
+          metadata: {
+            ids: kmipClients.map((key) => key.id)
+          }
+        }
+      });
+
+      return { kmipClients, totalCount };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/clients/:id/certificates",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      body: z.object({
+        keyAlgorithm: z.nativeEnum(CertKeyAlgorithm),
+        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number")
+      }),
+      response: {
+        200: z.object({
+          serialNumber: z.string(),
+          certificateChain: z.string(),
+          certificate: z.string(),
+          privateKey: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const certificate = await server.services.kmip.createKmipClientCertificate({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        clientId: req.params.id,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: certificate.projectId,
+        event: {
+          type: EventType.CREATE_KMIP_CLIENT_CERTIFICATE,
+          metadata: {
+            clientId: req.params.id,
+            serialNumber: certificate.serialNumber,
+            ttl: req.body.ttl,
+            keyAlgorithm: req.body.keyAlgorithm
+          }
+        }
+      });
+
+      return certificate;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        caKeyAlgorithm: z.nativeEnum(CertKeyAlgorithm)
+      }),
+      response: {
+        200: z.object({
+          serverCertificateChain: z.string(),
+          clientCertificateChain: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const chains = await server.services.kmip.setupOrgKmip({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.SETUP_KMIP,
+          metadata: {
+            keyAlgorithm: req.body.caKeyAlgorithm
+          }
+        }
+      });
+
+      return chains;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          serverCertificateChain: z.string(),
+          clientCertificateChain: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmip = await server.services.kmip.getOrgKmip({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_KMIP,
+          metadata: {
+            id: kmip.id
+          }
+        }
+      });
+
+      return kmip;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/server-registration",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        hostnamesOrIps: validateAltNamesField,
+        commonName: z.string().trim().min(1).optional(),
+        keyAlgorithm: z.nativeEnum(CertKeyAlgorithm).optional().default(CertKeyAlgorithm.RSA_2048),
+        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number")
+      }),
+      response: {
+        200: z.object({
+          clientCertificateChain: z.string(),
+          certificateChain: z.string(),
+          certificate: z.string(),
+          privateKey: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const configs = await server.services.kmip.registerServer({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.REGISTER_KMIP_SERVER,
+          metadata: {
+            serverCertificateSerialNumber: configs.serverCertificateSerialNumber,
+            hostnamesOrIps: req.body.hostnamesOrIps,
+            commonName: req.body.commonName ?? "kmip-server",
+            keyAlgorithm: req.body.keyAlgorithm,
+            ttl: req.body.ttl
+          }
+        }
+      });
+
+      return configs;
+    }
+  });
+};

backend/src/ee/routes/v1/kmip-spec-router.ts

@@ -0,0 +1,477 @@
+import z from "zod";
+
+import { KmsKeysSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { ActorType, AuthMode } from "@app/services/auth/auth-type";
+
+export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
+  server.decorateRequest("kmipUser", null);
+
+  server.addHook("onRequest", async (req) => {
+    const clientId = req.headers["x-kmip-client-id"] as string;
+    const projectId = req.headers["x-kmip-project-id"] as string;
+    const clientCertSerialNumber = req.headers["x-kmip-client-certificate-serial-number"] as string;
+    const serverCertSerialNumber = req.headers["x-kmip-server-certificate-serial-number"] as string;
+
+    if (!serverCertSerialNumber) {
+      throw new ForbiddenRequestError({
+        message: "Missing server certificate serial number from request"
+      });
+    }
+
+    if (!clientCertSerialNumber) {
+      throw new ForbiddenRequestError({
+        message: "Missing client certificate serial number from request"
+      });
+    }
+
+    if (!clientId) {
+      throw new ForbiddenRequestError({
+        message: "Missing client ID from request"
+      });
+    }
+
+    if (!projectId) {
+      throw new ForbiddenRequestError({
+        message: "Missing project ID from request"
+      });
+    }
+
+    // TODO: assert that server certificate used is not revoked
+    // TODO: assert that client certificate used is not revoked
+
+    const kmipClient = await server.store.kmipClient.findByProjectAndClientId(projectId, clientId);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: "KMIP client cannot be found."
+      });
+    }
+
+    if (kmipClient.orgId !== req.permission.orgId) {
+      throw new ForbiddenRequestError({
+        message: "Client specified in the request does not belong in the organization"
+      });
+    }
+
+    req.kmipUser = {
+      projectId,
+      clientId,
+      name: kmipClient.name
+    };
+  });
+
+  server.route({
+    method: "POST",
+    url: "/create",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for creating managed objects",
+      body: z.object({
+        algorithm: z.nativeEnum(SymmetricEncryption)
+      }),
+      response: {
+        200: KmsKeysSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.create({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        algorithm: req.body.algorithm
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_CREATE,
+          metadata: {
+            id: object.id,
+            algorithm: req.body.algorithm
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/get",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for getting managed objects",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          value: z.string(),
+          algorithm: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.get({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_GET,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/get-attributes",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for getting attributes of managed object",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          algorithm: z.string(),
+          isActive: z.boolean(),
+          createdAt: z.date(),
+          updatedAt: z.date()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.getAttributes({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_GET_ATTRIBUTES,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/destroy",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for destroying managed objects",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.destroy({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_DESTROY,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/activate",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for activating managed object",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          isActive: z.boolean()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.activate({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_ACTIVATE,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/revoke",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for revoking managed object",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          updatedAt: z.date()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.revoke({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_REVOKE,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/locate",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for locating managed objects",
+      response: {
+        200: z.object({
+          objects: z
+            .object({
+              id: z.string(),
+              name: z.string(),
+              isActive: z.boolean(),
+              algorithm: z.string(),
+              createdAt: z.date(),
+              updatedAt: z.date()
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const objects = await server.services.kmipOperation.locate({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_LOCATE,
+          metadata: {
+            ids: objects.map((obj) => obj.id)
+          }
+        }
+      });
+
+      return {
+        objects
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/register",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for registering managed object",
+      body: z.object({
+        key: z.string(),
+        name: z.string(),
+        algorithm: z.nativeEnum(SymmetricEncryption)
+      }),
+      response: {
+        200: z.object({
+          id: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.register({
+        ...req.kmipUser,
+        ...req.body,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_REGISTER,
+          metadata: {
+            id: object.id,
+            algorithm: req.body.algorithm,
+            name: object.name
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+};

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -21,6 +21,8 @@ import {
   TUpdateSecretSyncDTO
 } from "@app/services/secret-sync/secret-sync-types";
 
+import { KmipPermission } from "../kmip/kmip-enum";
+
 export type TListProjectAuditLogDTO = {
   filter: {
     userAgentType?: UserAgentType;
@@ -39,7 +41,14 @@ export type TListProjectAuditLogDTO = {
 
 export type TCreateAuditLogDTO = {
   event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
+  actor:
+    | UserActor
+    | IdentityActor
+    | ServiceActor
+    | ScimClientActor
+    | PlatformActor
+    | UnknownUserActor
+    | KmipClientActor;
   orgId?: string;
   projectId?: string;
 } & BaseAuthData;
@@ -252,7 +261,26 @@ export enum EventType {
   SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
   SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets",
   OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER = "oidc-group-membership-mapping-assign-user",
-  OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER = "oidc-group-membership-mapping-remove-user"
+  OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER = "oidc-group-membership-mapping-remove-user",
+  CREATE_KMIP_CLIENT = "create-kmip-client",
+  UPDATE_KMIP_CLIENT = "update-kmip-client",
+  DELETE_KMIP_CLIENT = "delete-kmip-client",
+  GET_KMIP_CLIENT = "get-kmip-client",
+  GET_KMIP_CLIENTS = "get-kmip-clients",
+  CREATE_KMIP_CLIENT_CERTIFICATE = "create-kmip-client-certificate",
+
+  SETUP_KMIP = "setup-kmip",
+  GET_KMIP = "get-kmip",
+  REGISTER_KMIP_SERVER = "register-kmip-server",
+
+  KMIP_OPERATION_CREATE = "kmip-operation-create",
+  KMIP_OPERATION_GET = "kmip-operation-get",
+  KMIP_OPERATION_DESTROY = "kmip-operation-destroy",
+  KMIP_OPERATION_GET_ATTRIBUTES = "kmip-operation-get-attributes",
+  KMIP_OPERATION_ACTIVATE = "kmip-operation-activate",
+  KMIP_OPERATION_REVOKE = "kmip-operation-revoke",
+  KMIP_OPERATION_LOCATE = "kmip-operation-locate",
+  KMIP_OPERATION_REGISTER = "kmip-operation-register"
 }
 
 interface UserActorMetadata {
@@ -275,6 +303,11 @@ interface ScimClientActorMetadata {}
 
 interface PlatformActorMetadata {}
 
+interface KmipClientActorMetadata {
+  clientId: string;
+  name: string;
+}
+
 interface UnknownUserActorMetadata {}
 
 export interface UserActor {
@@ -292,6 +325,11 @@ export interface PlatformActor {
   metadata: PlatformActorMetadata;
 }
 
+export interface KmipClientActor {
+  type: ActorType.KMIP_CLIENT;
+  metadata: KmipClientActorMetadata;
+}
+
 export interface UnknownUserActor {
   type: ActorType.UNKNOWN_USER;
   metadata: UnknownUserActorMetadata;
@@ -307,7 +345,7 @@ export interface ScimClientActor {
   metadata: ScimClientActorMetadata;
 }
 
-export type Actor = UserActor | ServiceActor | IdentityActor | ScimClientActor | PlatformActor;
+export type Actor = UserActor | ServiceActor | IdentityActor | ScimClientActor | PlatformActor | KmipClientActor;
 
 interface GetSecretsEvent {
   type: EventType.GET_SECRETS;
@@ -2091,6 +2129,139 @@ interface OidcGroupMembershipMappingRemoveUserEvent {
   };
 }
 
+interface CreateKmipClientEvent {
+  type: EventType.CREATE_KMIP_CLIENT;
+  metadata: {
+    name: string;
+    id: string;
+    permissions: KmipPermission[];
+  };
+}
+
+interface UpdateKmipClientEvent {
+  type: EventType.UPDATE_KMIP_CLIENT;
+  metadata: {
+    name: string;
+    id: string;
+    permissions: KmipPermission[];
+  };
+}
+
+interface DeleteKmipClientEvent {
+  type: EventType.DELETE_KMIP_CLIENT;
+  metadata: {
+    id: string;
+  };
+}
+
+interface GetKmipClientEvent {
+  type: EventType.GET_KMIP_CLIENT;
+  metadata: {
+    id: string;
+  };
+}
+
+interface GetKmipClientsEvent {
+  type: EventType.GET_KMIP_CLIENTS;
+  metadata: {
+    ids: string[];
+  };
+}
+
+interface CreateKmipClientCertificateEvent {
+  type: EventType.CREATE_KMIP_CLIENT_CERTIFICATE;
+  metadata: {
+    clientId: string;
+    ttl: string;
+    keyAlgorithm: string;
+    serialNumber: string;
+  };
+}
+
+interface KmipOperationGetEvent {
+  type: EventType.KMIP_OPERATION_GET;
+  metadata: {
+    id: string;
+  };
+}
+
+interface KmipOperationDestroyEvent {
+  type: EventType.KMIP_OPERATION_DESTROY;
+  metadata: {
+    id: string;
+  };
+}
+
+interface KmipOperationCreateEvent {
+  type: EventType.KMIP_OPERATION_CREATE;
+  metadata: {
+    id: string;
+    algorithm: string;
+  };
+}
+
+interface KmipOperationGetAttributesEvent {
+  type: EventType.KMIP_OPERATION_GET_ATTRIBUTES;
+  metadata: {
+    id: string;
+  };
+}
+
+interface KmipOperationActivateEvent {
+  type: EventType.KMIP_OPERATION_ACTIVATE;
+  metadata: {
+    id: string;
+  };
+}
+
+interface KmipOperationRevokeEvent {
+  type: EventType.KMIP_OPERATION_REVOKE;
+  metadata: {
+    id: string;
+  };
+}
+
+interface KmipOperationLocateEvent {
+  type: EventType.KMIP_OPERATION_LOCATE;
+  metadata: {
+    ids: string[];
+  };
+}
+
+interface KmipOperationRegisterEvent {
+  type: EventType.KMIP_OPERATION_REGISTER;
+  metadata: {
+    id: string;
+    algorithm: string;
+    name: string;
+  };
+}
+
+interface SetupKmipEvent {
+  type: EventType.SETUP_KMIP;
+  metadata: {
+    keyAlgorithm: CertKeyAlgorithm;
+  };
+}
+
+interface GetKmipEvent {
+  type: EventType.GET_KMIP;
+  metadata: {
+    id: string;
+  };
+}
+
+interface RegisterKmipServerEvent {
+  type: EventType.REGISTER_KMIP_SERVER;
+  metadata: {
+    serverCertificateSerialNumber: string;
+    hostnamesOrIps: string;
+    commonName: string;
+    keyAlgorithm: CertKeyAlgorithm;
+    ttl: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2282,4 +2453,21 @@ export type Event =
   | SecretSyncImportSecretsEvent
   | SecretSyncRemoveSecretsEvent
   | OidcGroupMembershipMappingAssignUserEvent
-  | OidcGroupMembershipMappingRemoveUserEvent;
+  | OidcGroupMembershipMappingRemoveUserEvent
+  | CreateKmipClientEvent
+  | UpdateKmipClientEvent
+  | DeleteKmipClientEvent
+  | GetKmipClientEvent
+  | GetKmipClientsEvent
+  | CreateKmipClientCertificateEvent
+  | SetupKmipEvent
+  | GetKmipEvent
+  | RegisterKmipServerEvent
+  | KmipOperationGetEvent
+  | KmipOperationDestroyEvent
+  | KmipOperationCreateEvent
+  | KmipOperationGetAttributesEvent
+  | KmipOperationActivateEvent
+  | KmipOperationRevokeEvent
+  | KmipOperationLocateEvent
+  | KmipOperationRegisterEvent;

backend/src/ee/services/kmip/kmip-client-certificate-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TKmipClientCertificateDALFactory = ReturnType<typeof kmipClientCertificateDALFactory>;
+
+export const kmipClientCertificateDALFactory = (db: TDbClient) => {
+  const kmipClientCertOrm = ormify(db, TableName.KmipClientCertificates);
+
+  return kmipClientCertOrm;
+};

backend/src/ee/services/kmip/kmip-client-dal.ts

@@ -0,0 +1,86 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName, TKmipClients } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+
+import { KmipClientOrderBy } from "./kmip-types";
+
+export type TKmipClientDALFactory = ReturnType<typeof kmipClientDALFactory>;
+
+export const kmipClientDALFactory = (db: TDbClient) => {
+  const kmipClientOrm = ormify(db, TableName.KmipClient);
+
+  const findByProjectAndClientId = async (projectId: string, clientId: string) => {
+    try {
+      const client = await db
+        .replicaNode()(TableName.KmipClient)
+        .join(TableName.Project, `${TableName.Project}.id`, `${TableName.KmipClient}.projectId`)
+        .join(TableName.Organization, `${TableName.Organization}.id`, `${TableName.Project}.orgId`)
+        .where({
+          [`${TableName.KmipClient}.projectId` as "projectId"]: projectId,
+          [`${TableName.KmipClient}.id` as "id"]: clientId
+        })
+        .select(selectAllTableCols(TableName.KmipClient))
+        .select(db.ref("id").withSchema(TableName.Organization).as("orgId"))
+        .first();
+
+      return client;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find by project and client ID" });
+    }
+  };
+
+  const findByProjectId = async (
+    {
+      projectId,
+      offset = 0,
+      limit,
+      orderBy = KmipClientOrderBy.Name,
+      orderDirection = OrderByDirection.ASC,
+      search
+    }: {
+      projectId: string;
+      offset?: number;
+      limit?: number;
+      orderBy?: KmipClientOrderBy;
+      orderDirection?: OrderByDirection;
+      search?: string;
+    },
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db.replicaNode())(TableName.KmipClient)
+        .where("projectId", projectId)
+        .where((qb) => {
+          if (search) {
+            void qb.whereILike("name", `%${search}%`);
+          }
+        })
+        .select<
+          (TKmipClients & {
+            total_count: number;
+          })[]
+        >(selectAllTableCols(TableName.KmipClient), db.raw(`count(*) OVER() as total_count`))
+        .orderBy(orderBy, orderDirection);
+
+      if (limit) {
+        void query.limit(limit).offset(offset);
+      }
+
+      const data = await query;
+
+      return { kmipClients: data, totalCount: Number(data?.[0]?.total_count ?? 0) };
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find KMIP clients by project id" });
+    }
+  };
+
+  return {
+    ...kmipClientOrm,
+    findByProjectId,
+    findByProjectAndClientId
+  };
+};

backend/src/ee/services/kmip/kmip-enum.ts

@@ -0,0 +1,11 @@
+export enum KmipPermission {
+  Create = "create",
+  Locate = "locate",
+  Check = "check",
+  Get = "get",
+  GetAttributes = "get-attributes",
+  Activate = "activate",
+  Revoke = "revoke",
+  Destroy = "destroy",
+  Register = "register"
+}

backend/src/ee/services/kmip/kmip-operation-service.ts

@@ -0,0 +1,422 @@
+import { ForbiddenError } from "@casl/ability";
+
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+
+import { OrgPermissionKmipActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TKmipClientDALFactory } from "./kmip-client-dal";
+import { KmipPermission } from "./kmip-enum";
+import {
+  TKmipCreateDTO,
+  TKmipDestroyDTO,
+  TKmipGetAttributesDTO,
+  TKmipGetDTO,
+  TKmipLocateDTO,
+  TKmipRegisterDTO,
+  TKmipRevokeDTO
+} from "./kmip-types";
+
+type TKmipOperationServiceFactoryDep = {
+  kmsService: TKmsServiceFactory;
+  kmsDAL: TKmsKeyDALFactory;
+  kmipClientDAL: TKmipClientDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "getProjectFromSplitId" | "findById">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+};
+
+export type TKmipOperationServiceFactory = ReturnType<typeof kmipOperationServiceFactory>;
+
+export const kmipOperationServiceFactory = ({
+  kmsService,
+  kmsDAL,
+  projectDAL,
+  kmipClientDAL,
+  permissionService
+}: TKmipOperationServiceFactoryDep) => {
+  const create = async ({
+    projectId,
+    clientId,
+    algorithm,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TKmipCreateDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Create)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP create"
+      });
+    }
+
+    const kmsKey = await kmsService.generateKmsKey({
+      encryptionAlgorithm: algorithm,
+      orgId: actorOrgId,
+      projectId,
+      isReserved: false
+    });
+
+    return kmsKey;
+  };
+
+  const destroy = async ({ projectId, id, clientId, actor, actorId, actorOrgId, actorAuthMethod }: TKmipDestroyDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Destroy)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP destroy"
+      });
+    }
+
+    const key = await kmsDAL.findOne({
+      id,
+      projectId
+    });
+
+    if (!key) {
+      throw new NotFoundError({ message: `Key with ID ${id} not found` });
+    }
+
+    if (key.isReserved) {
+      throw new BadRequestError({ message: "Cannot destroy reserved keys" });
+    }
+
+    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
+    if (!completeKeyDetails.internalKms) {
+      throw new BadRequestError({
+        message: "Cannot destroy external keys"
+      });
+    }
+
+    if (!completeKeyDetails.isDisabled) {
+      throw new BadRequestError({
+        message: "Cannot destroy active keys"
+      });
+    }
+
+    const kms = kmsDAL.deleteById(id);
+
+    return kms;
+  };
+
+  const get = async ({ projectId, id, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipGetDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Get)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP get"
+      });
+    }
+
+    const key = await kmsDAL.findOne({
+      id,
+      projectId
+    });
+
+    if (!key) {
+      throw new NotFoundError({ message: `Key with ID ${id} not found` });
+    }
+
+    if (key.isReserved) {
+      throw new BadRequestError({ message: "Cannot get reserved keys" });
+    }
+
+    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
+
+    if (!completeKeyDetails.internalKms) {
+      throw new BadRequestError({
+        message: "Cannot get external keys"
+      });
+    }
+
+    const kmsKey = await kmsService.getKeyMaterial({
+      kmsId: key.id
+    });
+
+    return {
+      id: key.id,
+      value: kmsKey.toString("base64"),
+      algorithm: completeKeyDetails.internalKms.encryptionAlgorithm,
+      isActive: !key.isDisabled,
+      createdAt: key.createdAt,
+      updatedAt: key.updatedAt
+    };
+  };
+
+  const activate = async ({ projectId, id, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipGetDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Activate)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP activate"
+      });
+    }
+
+    const key = await kmsDAL.findOne({
+      id,
+      projectId
+    });
+
+    if (!key) {
+      throw new NotFoundError({ message: `Key with ID ${id} not found` });
+    }
+
+    return {
+      id: key.id,
+      isActive: !key.isDisabled
+    };
+  };
+
+  const revoke = async ({ projectId, id, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipRevokeDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Revoke)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP revoke"
+      });
+    }
+
+    const key = await kmsDAL.findOne({
+      id,
+      projectId
+    });
+
+    if (!key) {
+      throw new NotFoundError({ message: `Key with ID ${id} not found` });
+    }
+
+    if (key.isReserved) {
+      throw new BadRequestError({ message: "Cannot revoke reserved keys" });
+    }
+
+    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
+
+    if (!completeKeyDetails.internalKms) {
+      throw new BadRequestError({
+        message: "Cannot revoke external keys"
+      });
+    }
+
+    const revokedKey = await kmsDAL.updateById(key.id, {
+      isDisabled: true
+    });
+
+    return {
+      id: key.id,
+      updatedAt: revokedKey.updatedAt
+    };
+  };
+
+  const getAttributes = async ({
+    projectId,
+    id,
+    clientId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TKmipGetAttributesDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.GetAttributes)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP get attributes"
+      });
+    }
+
+    const key = await kmsDAL.findOne({
+      id,
+      projectId
+    });
+
+    if (!key) {
+      throw new NotFoundError({ message: `Key with ID ${id} not found` });
+    }
+
+    if (key.isReserved) {
+      throw new BadRequestError({ message: "Cannot get reserved keys" });
+    }
+
+    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
+
+    if (!completeKeyDetails.internalKms) {
+      throw new BadRequestError({
+        message: "Cannot get external keys"
+      });
+    }
+
+    return {
+      id: key.id,
+      algorithm: completeKeyDetails.internalKms.encryptionAlgorithm,
+      isActive: !key.isDisabled,
+      createdAt: key.createdAt,
+      updatedAt: key.updatedAt
+    };
+  };
+
+  const locate = async ({ projectId, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipLocateDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Locate)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP locate"
+      });
+    }
+
+    const keys = await kmsDAL.findProjectCmeks(projectId);
+
+    return keys;
+  };
+
+  const register = async ({
+    projectId,
+    clientId,
+    key,
+    algorithm,
+    name,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TKmipRegisterDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipClient = await kmipClientDAL.findOne({
+      id: clientId,
+      projectId
+    });
+
+    if (!kmipClient.permissions?.includes(KmipPermission.Register)) {
+      throw new ForbiddenRequestError({
+        message: "Client does not have sufficient permission to perform KMIP register"
+      });
+    }
+
+    const project = await projectDAL.findById(projectId);
+
+    const kmsKey = await kmsService.importKeyMaterial({
+      name,
+      key: Buffer.from(key, "base64"),
+      algorithm,
+      isReserved: false,
+      projectId,
+      orgId: project.orgId
+    });
+
+    return kmsKey;
+  };
+
+  return {
+    create,
+    get,
+    activate,
+    getAttributes,
+    destroy,
+    revoke,
+    locate,
+    register
+  };
+};

backend/src/ee/services/kmip/kmip-org-config-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TKmipOrgConfigDALFactory = ReturnType<typeof kmipOrgConfigDALFactory>;
+
+export const kmipOrgConfigDALFactory = (db: TDbClient) => {
+  const kmipOrgConfigOrm = ormify(db, TableName.KmipOrgConfig);
+
+  return kmipOrgConfigOrm;
+};

backend/src/ee/services/kmip/kmip-org-server-certificate-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TKmipOrgServerCertificateDALFactory = ReturnType<typeof kmipOrgServerCertificateDALFactory>;
+
+export const kmipOrgServerCertificateDALFactory = (db: TDbClient) => {
+  const kmipOrgServerCertificateOrm = ormify(db, TableName.KmipOrgServerCertificates);
+
+  return kmipOrgServerCertificateOrm;
+};

backend/src/ee/services/kmip/kmip-service.ts

@@ -0,0 +1,817 @@
+import { ForbiddenError } from "@casl/ability";
+import * as x509 from "@peculiar/x509";
+import crypto, { KeyObject } from "crypto";
+import ms from "ms";
+
+import { ActionProjectType } from "@app/db/schemas";
+import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
+import { isValidHostname, isValidIp } from "@app/lib/ip";
+import { constructPemChainFromCerts } from "@app/services/certificate/certificate-fns";
+import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
+import {
+  createSerialNumber,
+  keyAlgorithmToAlgCfg
+} from "@app/services/certificate-authority/certificate-authority-fns";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { TLicenseServiceFactory } from "../license/license-service";
+import { OrgPermissionKmipActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionKmipActions, ProjectPermissionSub } from "../permission/project-permission";
+import { TKmipClientCertificateDALFactory } from "./kmip-client-certificate-dal";
+import { TKmipClientDALFactory } from "./kmip-client-dal";
+import { TKmipOrgConfigDALFactory } from "./kmip-org-config-dal";
+import { TKmipOrgServerCertificateDALFactory } from "./kmip-org-server-certificate-dal";
+import {
+  TCreateKmipClientCertificateDTO,
+  TCreateKmipClientDTO,
+  TDeleteKmipClientDTO,
+  TGenerateOrgKmipServerCertificateDTO,
+  TGetKmipClientDTO,
+  TGetOrgKmipDTO,
+  TListKmipClientsByProjectIdDTO,
+  TRegisterServerDTO,
+  TSetupOrgKmipDTO,
+  TUpdateKmipClientDTO
+} from "./kmip-types";
+
+type TKmipServiceFactoryDep = {
+  kmipClientDAL: TKmipClientDALFactory;
+  kmipClientCertificateDAL: TKmipClientCertificateDALFactory;
+  kmipOrgServerCertificateDAL: TKmipOrgServerCertificateDALFactory;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  kmipOrgConfigDAL: TKmipOrgConfigDALFactory;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TKmipServiceFactory = ReturnType<typeof kmipServiceFactory>;
+
+export const kmipServiceFactory = ({
+  kmipClientDAL,
+  permissionService,
+  kmipClientCertificateDAL,
+  kmipOrgConfigDAL,
+  kmsService,
+  kmipOrgServerCertificateDAL,
+  licenseService
+}: TKmipServiceFactoryDep) => {
+  const createKmipClient = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    name,
+    description,
+    permissions
+  }: TCreateKmipClientDTO) => {
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionKmipActions.CreateClients,
+      ProjectPermissionSub.Kmip
+    );
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to create KMIP client. Upgrade your plan to enterprise."
+      });
+
+    const kmipClient = await kmipClientDAL.create({
+      projectId,
+      name,
+      description,
+      permissions
+    });
+
+    return kmipClient;
+  };
+
+  const updateKmipClient = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    name,
+    description,
+    permissions,
+    id
+  }: TUpdateKmipClientDTO) => {
+    const kmipClient = await kmipClientDAL.findById(id);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: `KMIP client with ID ${id} does not exist`
+      });
+    }
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to update KMIP client. Upgrade your plan to enterprise."
+      });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: kmipClient.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionKmipActions.UpdateClients,
+      ProjectPermissionSub.Kmip
+    );
+
+    const updatedKmipClient = await kmipClientDAL.updateById(id, {
+      name,
+      description,
+      permissions
+    });
+
+    return updatedKmipClient;
+  };
+
+  const deleteKmipClient = async ({ actor, actorId, actorOrgId, actorAuthMethod, id }: TDeleteKmipClientDTO) => {
+    const kmipClient = await kmipClientDAL.findById(id);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: `KMIP client with ID ${id} does not exist`
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: kmipClient.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionKmipActions.DeleteClients,
+      ProjectPermissionSub.Kmip
+    );
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to delete KMIP client. Upgrade your plan to enterprise."
+      });
+
+    const deletedKmipClient = await kmipClientDAL.deleteById(id);
+
+    return deletedKmipClient;
+  };
+
+  const getKmipClient = async ({ actor, actorId, actorOrgId, actorAuthMethod, id }: TGetKmipClientDTO) => {
+    const kmipClient = await kmipClientDAL.findById(id);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: `KMIP client with ID ${id} does not exist`
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: kmipClient.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
+
+    return kmipClient;
+  };
+
+  const listKmipClientsByProjectId = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    ...rest
+  }: TListKmipClientsByProjectIdDTO) => {
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
+
+    return kmipClientDAL.findByProjectId({ projectId, ...rest });
+  };
+
+  const createKmipClientCertificate = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    ttl,
+    keyAlgorithm,
+    clientId
+  }: TCreateKmipClientCertificateDTO) => {
+    const kmipClient = await kmipClientDAL.findById(clientId);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: `KMIP client with ID ${clientId} does not exist`
+      });
+    }
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to create KMIP client. Upgrade your plan to enterprise."
+      });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: kmipClient.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionKmipActions.GenerateClientCertificates,
+      ProjectPermissionSub.Kmip
+    );
+
+    const kmipConfig = await kmipOrgConfigDAL.findOne({
+      orgId: actorOrgId
+    });
+
+    if (!kmipConfig) {
+      throw new InternalServerError({
+        message: "KMIP has not been configured for the organization"
+      });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: actorOrgId
+    });
+
+    const caCertObj = new x509.X509Certificate(
+      decryptor({ cipherTextBlob: kmipConfig.encryptedClientIntermediateCaCertificate })
+    );
+
+    const notBeforeDate = new Date();
+    const notAfterDate = new Date(new Date().getTime() + ms(ttl));
+
+    const caCertNotBeforeDate = new Date(caCertObj.notBefore);
+    const caCertNotAfterDate = new Date(caCertObj.notAfter);
+
+    // check not before constraint
+    if (notBeforeDate < caCertNotBeforeDate) {
+      throw new BadRequestError({ message: "notBefore date is before CA certificate's notBefore date" });
+    }
+
+    if (notBeforeDate > notAfterDate) throw new BadRequestError({ message: "notBefore date is after notAfter date" });
+
+    // check not after constraint
+    if (notAfterDate > caCertNotAfterDate) {
+      throw new BadRequestError({ message: "notAfter date is after CA certificate's notAfter date" });
+    }
+
+    const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
+    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+
+    const extensions: x509.Extension[] = [
+      new x509.BasicConstraintsExtension(false),
+      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
+      await x509.SubjectKeyIdentifierExtension.create(leafKeys.publicKey),
+      new x509.CertificatePolicyExtension(["2.5.29.32.0"]), // anyPolicy
+      new x509.KeyUsagesExtension(
+        // eslint-disable-next-line no-bitwise
+        x509.KeyUsageFlags[CertKeyUsage.DIGITAL_SIGNATURE] |
+          x509.KeyUsageFlags[CertKeyUsage.KEY_ENCIPHERMENT] |
+          x509.KeyUsageFlags[CertKeyUsage.KEY_AGREEMENT],
+        true
+      ),
+      new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage[CertExtendedKeyUsage.CLIENT_AUTH]], true)
+    ];
+
+    const caAlg = keyAlgorithmToAlgCfg(kmipConfig.caKeyAlgorithm as CertKeyAlgorithm);
+
+    const caSkObj = crypto.createPrivateKey({
+      key: decryptor({ cipherTextBlob: kmipConfig.encryptedClientIntermediateCaPrivateKey }),
+      format: "der",
+      type: "pkcs8"
+    });
+
+    const caPrivateKey = await crypto.subtle.importKey(
+      "pkcs8",
+      caSkObj.export({ format: "der", type: "pkcs8" }),
+      caAlg,
+      true,
+      ["sign"]
+    );
+
+    const serialNumber = createSerialNumber();
+    const leafCert = await x509.X509CertificateGenerator.create({
+      serialNumber,
+      subject: `OU=${kmipClient.projectId},CN=${clientId}`,
+      issuer: caCertObj.subject,
+      notBefore: notBeforeDate,
+      notAfter: notAfterDate,
+      signingKey: caPrivateKey,
+      publicKey: leafKeys.publicKey,
+      signingAlgorithm: alg,
+      extensions
+    });
+
+    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+
+    const rootCaCert = new x509.X509Certificate(decryptor({ cipherTextBlob: kmipConfig.encryptedRootCaCertificate }));
+    const serverIntermediateCaCert = new x509.X509Certificate(
+      decryptor({ cipherTextBlob: kmipConfig.encryptedServerIntermediateCaCertificate })
+    );
+
+    await kmipClientCertificateDAL.create({
+      kmipClientId: clientId,
+      keyAlgorithm,
+      issuedAt: notBeforeDate,
+      expiration: notAfterDate,
+      serialNumber
+    });
+
+    return {
+      serialNumber,
+      privateKey: skLeafObj.export({ format: "pem", type: "pkcs8" }) as string,
+      certificate: leafCert.toString("pem"),
+      certificateChain: constructPemChainFromCerts([serverIntermediateCaCert, rootCaCert]),
+      projectId: kmipClient.projectId
+    };
+  };
+
+  const getServerCertificateBySerialNumber = async (orgId: string, serialNumber: string) => {
+    const serverCert = await kmipOrgServerCertificateDAL.findOne({
+      serialNumber,
+      orgId
+    });
+
+    if (!serverCert) {
+      throw new NotFoundError({
+        message: "Server certificate not found"
+      });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId
+    });
+
+    const parsedCertificate = new x509.X509Certificate(decryptor({ cipherTextBlob: serverCert.encryptedCertificate }));
+
+    return {
+      publicKey: parsedCertificate.publicKey.toString("pem"),
+      keyAlgorithm: serverCert.keyAlgorithm as CertKeyAlgorithm
+    };
+  };
+
+  const setupOrgKmip = async ({ caKeyAlgorithm, actorOrgId, actor, actorId, actorAuthMethod }: TSetupOrgKmipDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Setup, OrgPermissionSubjects.Kmip);
+
+    const kmipConfig = await kmipOrgConfigDAL.findOne({
+      orgId: actorOrgId
+    });
+
+    if (kmipConfig) {
+      throw new BadRequestError({
+        message: "KMIP has already been configured for the organization"
+      });
+    }
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to setup KMIP. Upgrade your plan to enterprise."
+      });
+
+    const alg = keyAlgorithmToAlgCfg(caKeyAlgorithm);
+
+    // generate root CA
+    const rootCaSerialNumber = createSerialNumber();
+    const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const rootCaSkObj = KeyObject.from(rootCaKeys.privateKey);
+    const rootCaIssuedAt = new Date();
+    const rootCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 20));
+
+    const rootCaCert = await x509.X509CertificateGenerator.createSelfSigned({
+      name: `CN=KMIP Root CA,OU=${actorOrgId}`,
+      serialNumber: rootCaSerialNumber,
+      notBefore: rootCaIssuedAt,
+      notAfter: rootCaExpiration,
+      signingAlgorithm: alg,
+      keys: rootCaKeys,
+      extensions: [
+        // eslint-disable-next-line no-bitwise
+        new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true),
+        await x509.SubjectKeyIdentifierExtension.create(rootCaKeys.publicKey)
+      ]
+    });
+
+    // generate intermediate server CA
+    const serverIntermediateCaSerialNumber = createSerialNumber();
+    const serverIntermediateCaIssuedAt = new Date();
+    const serverIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
+    const serverIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const serverIntermediateCaSkObj = KeyObject.from(serverIntermediateCaKeys.privateKey);
+
+    const serverIntermediateCaCert = await x509.X509CertificateGenerator.create({
+      serialNumber: serverIntermediateCaSerialNumber,
+      subject: `CN=KMIP Server Intermediate CA,OU=${actorOrgId}`,
+      issuer: rootCaCert.subject,
+      notBefore: serverIntermediateCaIssuedAt,
+      notAfter: serverIntermediateCaExpiration,
+      signingKey: rootCaKeys.privateKey,
+      publicKey: serverIntermediateCaKeys.publicKey,
+      signingAlgorithm: alg,
+      extensions: [
+        new x509.KeyUsagesExtension(
+          // eslint-disable-next-line no-bitwise
+          x509.KeyUsageFlags.keyCertSign |
+            x509.KeyUsageFlags.cRLSign |
+            x509.KeyUsageFlags.digitalSignature |
+            x509.KeyUsageFlags.keyEncipherment,
+          true
+        ),
+        new x509.BasicConstraintsExtension(true, 0, true),
+        await x509.AuthorityKeyIdentifierExtension.create(rootCaCert, false),
+        await x509.SubjectKeyIdentifierExtension.create(serverIntermediateCaKeys.publicKey)
+      ]
+    });
+
+    // generate intermediate client CA
+    const clientIntermediateCaSerialNumber = createSerialNumber();
+    const clientIntermediateCaIssuedAt = new Date();
+    const clientIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
+    const clientIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const clientIntermediateCaSkObj = KeyObject.from(clientIntermediateCaKeys.privateKey);
+
+    const clientIntermediateCaCert = await x509.X509CertificateGenerator.create({
+      serialNumber: clientIntermediateCaSerialNumber,
+      subject: `CN=KMIP Client Intermediate CA,OU=${actorOrgId}`,
+      issuer: rootCaCert.subject,
+      notBefore: clientIntermediateCaIssuedAt,
+      notAfter: clientIntermediateCaExpiration,
+      signingKey: rootCaKeys.privateKey,
+      publicKey: clientIntermediateCaKeys.publicKey,
+      signingAlgorithm: alg,
+      extensions: [
+        new x509.KeyUsagesExtension(
+          // eslint-disable-next-line no-bitwise
+          x509.KeyUsageFlags.keyCertSign |
+            x509.KeyUsageFlags.cRLSign |
+            x509.KeyUsageFlags.digitalSignature |
+            x509.KeyUsageFlags.keyEncipherment,
+          true
+        ),
+        new x509.BasicConstraintsExtension(true, 0, true),
+        await x509.AuthorityKeyIdentifierExtension.create(rootCaCert, false),
+        await x509.SubjectKeyIdentifierExtension.create(clientIntermediateCaKeys.publicKey)
+      ]
+    });
+
+    const { encryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: actorOrgId
+    });
+
+    await kmipOrgConfigDAL.create({
+      orgId: actorOrgId,
+      caKeyAlgorithm,
+      rootCaIssuedAt,
+      rootCaExpiration,
+      rootCaSerialNumber,
+      encryptedRootCaCertificate: encryptor({ plainText: Buffer.from(rootCaCert.rawData) }).cipherTextBlob,
+      encryptedRootCaPrivateKey: encryptor({
+        plainText: rootCaSkObj.export({
+          type: "pkcs8",
+          format: "der"
+        })
+      }).cipherTextBlob,
+      serverIntermediateCaIssuedAt,
+      serverIntermediateCaExpiration,
+      serverIntermediateCaSerialNumber,
+      encryptedServerIntermediateCaCertificate: encryptor({
+        plainText: Buffer.from(new Uint8Array(serverIntermediateCaCert.rawData))
+      }).cipherTextBlob,
+      encryptedServerIntermediateCaChain: encryptor({ plainText: Buffer.from(rootCaCert.toString("pem")) })
+        .cipherTextBlob,
+      encryptedServerIntermediateCaPrivateKey: encryptor({
+        plainText: serverIntermediateCaSkObj.export({
+          type: "pkcs8",
+          format: "der"
+        })
+      }).cipherTextBlob,
+      clientIntermediateCaIssuedAt,
+      clientIntermediateCaExpiration,
+      clientIntermediateCaSerialNumber,
+      encryptedClientIntermediateCaCertificate: encryptor({
+        plainText: Buffer.from(new Uint8Array(clientIntermediateCaCert.rawData))
+      }).cipherTextBlob,
+      encryptedClientIntermediateCaChain: encryptor({ plainText: Buffer.from(rootCaCert.toString("pem")) })
+        .cipherTextBlob,
+      encryptedClientIntermediateCaPrivateKey: encryptor({
+        plainText: clientIntermediateCaSkObj.export({
+          type: "pkcs8",
+          format: "der"
+        })
+      }).cipherTextBlob
+    });
+
+    return {
+      serverCertificateChain: constructPemChainFromCerts([serverIntermediateCaCert, rootCaCert]),
+      clientCertificateChain: constructPemChainFromCerts([clientIntermediateCaCert, rootCaCert])
+    };
+  };
+
+  const getOrgKmip = async ({ actorOrgId, actor, actorId, actorAuthMethod }: TGetOrgKmipDTO) => {
+    await permissionService.getOrgPermission(actor, actorId, actorOrgId, actorAuthMethod, actorOrgId);
+
+    const kmipConfig = await kmipOrgConfigDAL.findOne({
+      orgId: actorOrgId
+    });
+
+    if (!kmipConfig) {
+      throw new BadRequestError({
+        message: "KMIP has not been configured for the organization"
+      });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: actorOrgId
+    });
+
+    const rootCaCert = new x509.X509Certificate(decryptor({ cipherTextBlob: kmipConfig.encryptedRootCaCertificate }));
+    const serverIntermediateCaCert = new x509.X509Certificate(
+      decryptor({ cipherTextBlob: kmipConfig.encryptedServerIntermediateCaCertificate })
+    );
+
+    const clientIntermediateCaCert = new x509.X509Certificate(
+      decryptor({ cipherTextBlob: kmipConfig.encryptedClientIntermediateCaCertificate })
+    );
+
+    return {
+      id: kmipConfig.id,
+      serverCertificateChain: constructPemChainFromCerts([serverIntermediateCaCert, rootCaCert]),
+      clientCertificateChain: constructPemChainFromCerts([clientIntermediateCaCert, rootCaCert])
+    };
+  };
+
+  const generateOrgKmipServerCertificate = async ({
+    orgId,
+    ttl,
+    commonName,
+    altNames,
+    keyAlgorithm
+  }: TGenerateOrgKmipServerCertificateDTO) => {
+    const kmipOrgConfig = await kmipOrgConfigDAL.findOne({
+      orgId
+    });
+
+    if (!kmipOrgConfig) {
+      throw new BadRequestError({
+        message: "KMIP has not been configured for the organization"
+      });
+    }
+
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to generate KMIP server certificate. Upgrade your plan to enterprise."
+      });
+
+    const { decryptor, encryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId
+    });
+
+    const caCertObj = new x509.X509Certificate(
+      decryptor({ cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaCertificate })
+    );
+
+    const notBeforeDate = new Date();
+    const notAfterDate = new Date(new Date().getTime() + ms(ttl));
+
+    const caCertNotBeforeDate = new Date(caCertObj.notBefore);
+    const caCertNotAfterDate = new Date(caCertObj.notAfter);
+
+    // check not before constraint
+    if (notBeforeDate < caCertNotBeforeDate) {
+      throw new BadRequestError({ message: "notBefore date is before CA certificate's notBefore date" });
+    }
+
+    if (notBeforeDate > notAfterDate) throw new BadRequestError({ message: "notBefore date is after notAfter date" });
+
+    // check not after constraint
+    if (notAfterDate > caCertNotAfterDate) {
+      throw new BadRequestError({ message: "notAfter date is after CA certificate's notAfter date" });
+    }
+
+    const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
+    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+
+    const extensions: x509.Extension[] = [
+      new x509.BasicConstraintsExtension(false),
+      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
+      await x509.SubjectKeyIdentifierExtension.create(leafKeys.publicKey),
+      new x509.CertificatePolicyExtension(["2.5.29.32.0"]), // anyPolicy
+      new x509.KeyUsagesExtension(
+        // eslint-disable-next-line no-bitwise
+        x509.KeyUsageFlags[CertKeyUsage.DIGITAL_SIGNATURE] | x509.KeyUsageFlags[CertKeyUsage.KEY_ENCIPHERMENT],
+        true
+      ),
+      new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage[CertExtendedKeyUsage.SERVER_AUTH]], true)
+    ];
+
+    const altNamesArray: {
+      type: "email" | "dns" | "ip";
+      value: string;
+    }[] = altNames
+      .split(",")
+      .map((name) => name.trim())
+      .map((altName) => {
+        if (isValidHostname(altName)) {
+          return {
+            type: "dns",
+            value: altName
+          };
+        }
+
+        if (isValidIp(altName)) {
+          return {
+            type: "ip",
+            value: altName
+          };
+        }
+
+        throw new Error(`Invalid altName: ${altName}`);
+      });
+
+    const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
+    extensions.push(altNamesExtension);
+
+    const caAlg = keyAlgorithmToAlgCfg(kmipOrgConfig.caKeyAlgorithm as CertKeyAlgorithm);
+
+    const decryptedCaCertChain = decryptor({
+      cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaChain
+    }).toString("utf-8");
+
+    const caSkObj = crypto.createPrivateKey({
+      key: decryptor({ cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaPrivateKey }),
+      format: "der",
+      type: "pkcs8"
+    });
+
+    const caPrivateKey = await crypto.subtle.importKey(
+      "pkcs8",
+      caSkObj.export({ format: "der", type: "pkcs8" }),
+      caAlg,
+      true,
+      ["sign"]
+    );
+
+    const serialNumber = createSerialNumber();
+    const leafCert = await x509.X509CertificateGenerator.create({
+      serialNumber,
+      subject: `CN=${commonName}`,
+      issuer: caCertObj.subject,
+      notBefore: notBeforeDate,
+      notAfter: notAfterDate,
+      signingKey: caPrivateKey,
+      publicKey: leafKeys.publicKey,
+      signingAlgorithm: alg,
+      extensions
+    });
+
+    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+    const certificateChain = `${caCertObj.toString("pem")}\n${decryptedCaCertChain}`.trim();
+
+    await kmipOrgServerCertificateDAL.create({
+      orgId,
+      keyAlgorithm,
+      issuedAt: notBeforeDate,
+      expiration: notAfterDate,
+      serialNumber,
+      commonName,
+      altNames,
+      encryptedCertificate: encryptor({ plainText: Buffer.from(new Uint8Array(leafCert.rawData)) }).cipherTextBlob,
+      encryptedChain: encryptor({ plainText: Buffer.from(certificateChain) }).cipherTextBlob
+    });
+
+    return {
+      serialNumber,
+      privateKey: skLeafObj.export({ format: "pem", type: "pkcs8" }) as string,
+      certificate: leafCert.toString("pem"),
+      certificateChain
+    };
+  };
+
+  const registerServer = async ({
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    ttl,
+    commonName,
+    keyAlgorithm,
+    hostnamesOrIps
+  }: TRegisterServerDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
+    const kmipConfig = await kmipOrgConfigDAL.findOne({
+      orgId: actorOrgId
+    });
+
+    if (!kmipConfig) {
+      throw new BadRequestError({
+        message: "KMIP has not been configured for the organization"
+      });
+    }
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.kmip)
+      throw new BadRequestError({
+        message: "Failed to register KMIP server. Upgrade your plan to enterprise."
+      });
+
+    const { privateKey, certificate, certificateChain, serialNumber } = await generateOrgKmipServerCertificate({
+      orgId: actorOrgId,
+      commonName: commonName ?? "kmip-server",
+      altNames: hostnamesOrIps,
+      keyAlgorithm: keyAlgorithm ?? (kmipConfig.caKeyAlgorithm as CertKeyAlgorithm),
+      ttl
+    });
+
+    const { clientCertificateChain } = await getOrgKmip({
+      actor,
+      actorAuthMethod,
+      actorId,
+      actorOrgId
+    });
+
+    return {
+      serverCertificateSerialNumber: serialNumber,
+      clientCertificateChain,
+      privateKey,
+      certificate,
+      certificateChain
+    };
+  };
+
+  return {
+    createKmipClient,
+    updateKmipClient,
+    deleteKmipClient,
+    getKmipClient,
+    listKmipClientsByProjectId,
+    createKmipClientCertificate,
+    setupOrgKmip,
+    generateOrgKmipServerCertificate,
+    getOrgKmip,
+    getServerCertificateBySerialNumber,
+    registerServer
+  };
+};

backend/src/ee/services/kmip/kmip-types.ts

@@ -0,0 +1,102 @@
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { OrderByDirection, TOrgPermission, TProjectPermission } from "@app/lib/types";
+import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+
+import { KmipPermission } from "./kmip-enum";
+
+export type TCreateKmipClientCertificateDTO = {
+  clientId: string;
+  keyAlgorithm: CertKeyAlgorithm;
+  ttl: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TCreateKmipClientDTO = {
+  name: string;
+  description?: string;
+  permissions: KmipPermission[];
+} & TProjectPermission;
+
+export type TUpdateKmipClientDTO = {
+  id: string;
+  name?: string;
+  description?: string;
+  permissions?: KmipPermission[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TDeleteKmipClientDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetKmipClientDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export enum KmipClientOrderBy {
+  Name = "name"
+}
+
+export type TListKmipClientsByProjectIdDTO = {
+  offset?: number;
+  limit?: number;
+  orderBy?: KmipClientOrderBy;
+  orderDirection?: OrderByDirection;
+  search?: string;
+} & TProjectPermission;
+
+type KmipOperationBaseDTO = {
+  clientId: string;
+  projectId: string;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TKmipCreateDTO = {
+  algorithm: SymmetricEncryption;
+} & KmipOperationBaseDTO;
+
+export type TKmipGetDTO = {
+  id: string;
+} & KmipOperationBaseDTO;
+
+export type TKmipGetAttributesDTO = {
+  id: string;
+} & KmipOperationBaseDTO;
+
+export type TKmipDestroyDTO = {
+  id: string;
+} & KmipOperationBaseDTO;
+
+export type TKmipActivateDTO = {
+  id: string;
+} & KmipOperationBaseDTO;
+
+export type TKmipRevokeDTO = {
+  id: string;
+} & KmipOperationBaseDTO;
+
+export type TKmipLocateDTO = KmipOperationBaseDTO;
+
+export type TKmipRegisterDTO = {
+  name: string;
+  key: string;
+  algorithm: SymmetricEncryption;
+} & KmipOperationBaseDTO;
+
+export type TSetupOrgKmipDTO = {
+  caKeyAlgorithm: CertKeyAlgorithm;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TGetOrgKmipDTO = Omit<TOrgPermission, "orgId">;
+
+export type TGenerateOrgKmipServerCertificateDTO = {
+  commonName: string;
+  altNames: string;
+  keyAlgorithm: CertKeyAlgorithm;
+  ttl: string;
+  orgId: string;
+};
+
+export type TRegisterServerDTO = {
+  hostnamesOrIps: string;
+  commonName?: string;
+  keyAlgorithm?: CertKeyAlgorithm;
+  ttl: string;
+} & Omit<TOrgPermission, "orgId">;

backend/src/ee/services/license/license-fns.ts

@@ -50,7 +50,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   },
   pkiEst: false,
   enforceMfa: false,
-  projectTemplates: false
+  projectTemplates: false,
+  kmip: false
 });
 
 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/ee/services/license/license-types.ts

@@ -68,6 +68,7 @@ export type TFeatureSet = {
   pkiEst: boolean;
   enforceMfa: boolean;
   projectTemplates: false;
+  kmip: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/permission/org-permission.ts

@@ -23,6 +23,11 @@ export enum OrgPermissionAppConnectionActions {
   Connect = "connect"
 }
 
+export enum OrgPermissionKmipActions {
+  Proxy = "proxy",
+  Setup = "setup"
+}
+
 export enum OrgPermissionAdminConsoleAction {
   AccessAllProjects = "access-all-projects"
 }
@@ -44,7 +49,8 @@ export enum OrgPermissionSubjects {
   AdminConsole = "organization-admin-console",
   AuditLogs = "audit-logs",
   ProjectTemplates = "project-templates",
-  AppConnections = "app-connections"
+  AppConnections = "app-connections",
+  Kmip = "kmip"
 }
 
 export type AppConnectionSubjectFields = {
@@ -74,7 +80,8 @@ export type OrgPermissionSet =
         | (ForcedSubject<OrgPermissionSubjects.AppConnections> & AppConnectionSubjectFields)
       )
     ]
-  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
+  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
+  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip];
 
 const AppConnectionConditionSchema = z
   .object({
@@ -167,6 +174,12 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAdminConsoleAction).describe(
       "Describe what action an entity can take."
     )
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Kmip).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionKmipActions).describe(
+      "Describe what action an entity can take."
+    )
   })
 ]);
 
@@ -253,6 +266,11 @@ const buildAdminPermission = () => {
 
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
+  can(OrgPermissionKmipActions.Setup, OrgPermissionSubjects.Kmip);
+
+  // the proxy assignment is temporary in order to prevent "more privilege" error during role assignment to MI
+  can(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
+
   return rules;
 };
 

backend/src/ee/services/permission/project-permission.ts

@@ -44,6 +44,14 @@ export enum ProjectPermissionSecretSyncActions {
   RemoveSecrets = "remove-secrets"
 }
 
+export enum ProjectPermissionKmipActions {
+  CreateClients = "create-clients",
+  UpdateClients = "update-clients",
+  DeleteClients = "delete-clients",
+  ReadClients = "read-clients",
+  GenerateClientCertificates = "generate-client-certificates"
+}
+
 export enum ProjectPermissionSub {
   Role = "role",
   Member = "member",
@@ -75,7 +83,8 @@ export enum ProjectPermissionSub {
   PkiCollections = "pki-collections",
   Kms = "kms",
   Cmek = "cmek",
-  SecretSyncs = "secret-syncs"
+  SecretSyncs = "secret-syncs",
+  Kmip = "kmip"
 }
 
 export type SecretSubjectFields = {
@@ -156,6 +165,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
   | [ProjectPermissionSecretSyncActions, ProjectPermissionSub.SecretSyncs]
+  | [ProjectPermissionKmipActions, ProjectPermissionSub.Kmip]
   | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
@@ -410,6 +420,12 @@ const GeneralPermissionSchema = [
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretSyncActions).describe(
       "Describe what action an entity can take."
     )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.Kmip).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionKmipActions).describe(
+      "Describe what action an entity can take."
+    )
   })
 ];
 
@@ -575,6 +591,18 @@ const buildAdminPermissionRules = () => {
     ],
     ProjectPermissionSub.SecretSyncs
   );
+
+  can(
+    [
+      ProjectPermissionKmipActions.CreateClients,
+      ProjectPermissionKmipActions.UpdateClients,
+      ProjectPermissionKmipActions.DeleteClients,
+      ProjectPermissionKmipActions.ReadClients,
+      ProjectPermissionKmipActions.GenerateClientCertificates
+    ],
+    ProjectPermissionSub.Kmip
+  );
+
   return rules;
 };
 

backend/src/lib/api-docs/constants.ts

@@ -1722,6 +1722,18 @@ export const SecretSyncs = {
       initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`
     };
   },
+  ADDITIONAL_SYNC_OPTIONS: {
+    AWS_PARAMETER_STORE: {
+      keyId: "The AWS KMS key ID or alias to use when encrypting parameters synced by Infisical.",
+      tags: "Optional resource tags to add to parameters synced by Infisical.",
+      syncSecretMetadataAsTags: `Whether Infisical secret metadata should be added as resource tags to parameters synced by Infisical.`
+    },
+    AWS_SECRETS_MANAGER: {
+      keyId: "The AWS KMS key ID or alias to use when encrypting parameters synced by Infisical.",
+      tags: "Optional tags to add to secrets synced by Infisical.",
+      syncSecretMetadataAsTags: `Whether Infisical secret metadata should be added as tags to secrets synced by Infisical.`
+    }
+  },
   DESTINATION_CONFIG: {
     AWS_PARAMETER_STORE: {
       region: "The AWS region to sync secrets to.",

backend/src/lib/ip/index.ts

@@ -103,6 +103,16 @@ export const isValidIpOrCidr = (ip: string): boolean => {
   return false;
 };
 
+export const isValidIp = (ip: string) => {
+  return net.isIPv4(ip) || net.isIPv6(ip);
+};
+
+export const isValidHostname = (name: string) => {
+  const hostnameRegex = /^(?!:\/\/)(\*\.)?([a-zA-Z0-9-_]{1,63}\.?)+(?!:\/\/)([a-zA-Z]{2,63})$/;
+
+  return hostnameRegex.test(name);
+};
+
 export type TIp = {
   ipAddress: string;
   type: IPType;

backend/src/server/routes/index.ts

@@ -35,6 +35,12 @@ import { HsmModule } from "@app/ee/services/hsm/hsm-types";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { identityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
+import { kmipClientCertificateDALFactory } from "@app/ee/services/kmip/kmip-client-certificate-dal";
+import { kmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
+import { kmipOperationServiceFactory } from "@app/ee/services/kmip/kmip-operation-service";
+import { kmipOrgConfigDALFactory } from "@app/ee/services/kmip/kmip-org-config-dal";
+import { kmipOrgServerCertificateDALFactory } from "@app/ee/services/kmip/kmip-org-server-certificate-dal";
+import { kmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
 import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
 import { ldapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { ldapGroupMapDALFactory } from "@app/ee/services/ldap-config/ldap-group-map-dal";
@@ -382,6 +388,10 @@ export const registerRoutes = async (
 
   const projectTemplateDAL = projectTemplateDALFactory(db);
   const resourceMetadataDAL = resourceMetadataDALFactory(db);
+  const kmipClientDAL = kmipClientDALFactory(db);
+  const kmipClientCertificateDAL = kmipClientCertificateDALFactory(db);
+  const kmipOrgConfigDAL = kmipOrgConfigDALFactory(db);
+  const kmipOrgServerCertificateDAL = kmipOrgServerCertificateDALFactory(db);
 
   const permissionService = permissionServiceFactory({
     permissionDAL,
@@ -1429,6 +1439,24 @@ export const registerRoutes = async (
     keyStore
   });
 
+  const kmipService = kmipServiceFactory({
+    kmipClientDAL,
+    permissionService,
+    kmipClientCertificateDAL,
+    kmipOrgConfigDAL,
+    kmsService,
+    kmipOrgServerCertificateDAL,
+    licenseService
+  });
+
+  const kmipOperationService = kmipOperationServiceFactory({
+    kmsService,
+    kmsDAL,
+    projectDAL,
+    kmipClientDAL,
+    permissionService
+  });
+
   await superAdminService.initServerCfg();
 
   // setup the communication with license key server
@@ -1527,7 +1555,9 @@ export const registerRoutes = async (
     projectTemplate: projectTemplateService,
     totp: totpService,
     appConnection: appConnectionService,
-    secretSync: secretSyncService
+    secretSync: secretSyncService,
+    kmip: kmipService,
+    kmipOperation: kmipOperationService
   });
 
   const cronJobs: CronJob[] = [];
@@ -1539,7 +1569,8 @@ export const registerRoutes = async (
   }
 
   server.decorate<FastifyZodProvider["store"]>("store", {
-    user: userDAL
+    user: userDAL,
+    kmipClient: kmipClientDAL
   });
 
   await server.register(injectIdentity, { userDAL, serviceTokenDAL });

backend/src/server/routes/v1/app-connection-routers/aws-connection-router.ts

@@ -1,13 +1,19 @@
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
 import {
   CreateAwsConnectionSchema,
   SanitizedAwsConnectionSchema,
   UpdateAwsConnectionSchema
 } from "@app/services/app-connection/aws";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 
-export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
+export const registerAwsConnectionRouter = async (server: FastifyZodProvider) => {
   registerAppConnectionEndpoints({
     app: AppConnection.AWS,
     server,
@@ -15,3 +21,42 @@ export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
     createSchema: CreateAwsConnectionSchema,
     updateSchema: UpdateAwsConnectionSchema
   });
+
+  // The below endpoints are not exposed and for Infisical App use
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/kms-keys`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      querystring: z.object({
+        region: z.nativeEnum(AWSRegion),
+        destination: z.enum([SecretSync.AWSParameterStore, SecretSync.AWSSecretsManager])
+      }),
+      response: {
+        200: z.object({
+          kmsKeys: z.object({ alias: z.string(), id: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const kmsKeys = await server.services.appConnection.aws.listKmsKeys(
+        {
+          connectionId,
+          ...req.query
+        },
+        req.permission
+      );
+
+      return { kmsKeys };
+    }
+  });
+};

backend/src/services/app-connection/app-connection-service.ts

@@ -22,18 +22,19 @@ import {
   TUpdateAppConnectionDTO,
   TValidateAppConnectionCredentials
 } from "@app/services/app-connection/app-connection-types";
-import { ValidateAwsConnectionCredentialsSchema } from "@app/services/app-connection/aws";
-import { ValidateDatabricksConnectionCredentialsSchema } from "@app/services/app-connection/databricks";
-import { databricksConnectionService } from "@app/services/app-connection/databricks/databricks-connection-service";
-import { ValidateGitHubConnectionCredentialsSchema } from "@app/services/app-connection/github";
-import { githubConnectionService } from "@app/services/app-connection/github/github-connection-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 
 import { TAppConnectionDALFactory } from "./app-connection-dal";
+import { ValidateAwsConnectionCredentialsSchema } from "./aws";
+import { awsConnectionService } from "./aws/aws-connection-service";
 import { ValidateAzureAppConfigurationConnectionCredentialsSchema } from "./azure-app-configuration";
 import { ValidateAzureKeyVaultConnectionCredentialsSchema } from "./azure-key-vault";
+import { ValidateDatabricksConnectionCredentialsSchema } from "./databricks";
+import { databricksConnectionService } from "./databricks/databricks-connection-service";
 import { ValidateGcpConnectionCredentialsSchema } from "./gcp";
 import { gcpConnectionService } from "./gcp/gcp-connection-service";
+import { ValidateGitHubConnectionCredentialsSchema } from "./github";
+import { githubConnectionService } from "./github/github-connection-service";
 
 export type TAppConnectionServiceFactoryDep = {
   appConnectionDAL: TAppConnectionDALFactory;
@@ -369,6 +370,7 @@ export const appConnectionServiceFactory = ({
     listAvailableAppConnectionsForUser,
     github: githubConnectionService(connectAppConnectionById),
     gcp: gcpConnectionService(connectAppConnectionById),
-    databricks: databricksConnectionService(connectAppConnectionById, appConnectionDAL, kmsService)
+    databricks: databricksConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
+    aws: awsConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -1,3 +1,4 @@
+import { AWSRegion } from "@app/services/app-connection/app-connection-enums";
 import {
   TAwsConnection,
   TAwsConnectionConfig,
@@ -16,6 +17,7 @@ import {
   TGitHubConnectionInput,
   TValidateGitHubConnectionCredentials
 } from "@app/services/app-connection/github";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
 import {
   TAzureAppConfigurationConnection,
@@ -73,3 +75,9 @@ export type TValidateAppConnectionCredentials =
   | TValidateAzureKeyVaultConnectionCredentials
   | TValidateAzureAppConfigurationConnectionCredentials
   | TValidateDatabricksConnectionCredentials;
+
+export type TListAwsConnectionKmsKeys = {
+  connectionId: string;
+  region: AWSRegion;
+  destination: SecretSync.AWSParameterStore | SecretSync.AWSSecretsManager;
+};

backend/src/services/app-connection/aws/aws-connection-service.ts

@@ -0,0 +1,88 @@
+import AWS from "aws-sdk";
+
+import { OrgServiceActor } from "@app/lib/types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { TListAwsConnectionKmsKeys } from "@app/services/app-connection/app-connection-types";
+import { getAwsConnectionConfig } from "@app/services/app-connection/aws/aws-connection-fns";
+import { TAwsConnection } from "@app/services/app-connection/aws/aws-connection-types";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TAwsConnection>;
+
+const listAwsKmsKeys = async (
+  appConnection: TAwsConnection,
+  { region, destination }: Pick<TListAwsConnectionKmsKeys, "region" | "destination">
+) => {
+  const { credentials } = await getAwsConnectionConfig(appConnection, region);
+
+  const awsKms = new AWS.KMS({
+    credentials,
+    region
+  });
+
+  const aliasEntries: AWS.KMS.AliasList = [];
+  let aliasMarker: string | undefined;
+  do {
+    // eslint-disable-next-line no-await-in-loop
+    const response = await awsKms.listAliases({ Limit: 100, Marker: aliasMarker }).promise();
+    aliasEntries.push(...(response.Aliases || []));
+    aliasMarker = response.NextMarker;
+  } while (aliasMarker);
+
+  const keyMetadataRecord: Record<string, AWS.KMS.KeyMetadata | undefined> = {};
+  for await (const aliasEntry of aliasEntries) {
+    if (aliasEntry.TargetKeyId) {
+      const keyDescription = await awsKms.describeKey({ KeyId: aliasEntry.TargetKeyId }).promise();
+
+      keyMetadataRecord[aliasEntry.TargetKeyId] = keyDescription.KeyMetadata;
+    }
+  }
+
+  const validAliasEntries = aliasEntries.filter((aliasEntry) => {
+    if (!aliasEntry.TargetKeyId) return false;
+
+    if (destination === SecretSync.AWSParameterStore && aliasEntry.AliasName === "alias/aws/ssm") return true;
+
+    if (destination === SecretSync.AWSSecretsManager && aliasEntry.AliasName === "alias/aws/secretsmanager")
+      return true;
+
+    if (aliasEntry.AliasName?.includes("alias/aws/")) return false;
+
+    const keyMetadata = keyMetadataRecord[aliasEntry.TargetKeyId];
+
+    if (!keyMetadata || keyMetadata.KeyUsage !== "ENCRYPT_DECRYPT" || keyMetadata.KeySpec !== "SYMMETRIC_DEFAULT")
+      return false;
+
+    return true;
+  });
+
+  const kmsKeys = validAliasEntries.map((aliasEntry) => {
+    return {
+      id: aliasEntry.TargetKeyId!,
+      alias: aliasEntry.AliasName!
+    };
+  });
+
+  return kmsKeys;
+};
+
+export const awsConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listKmsKeys = async (
+    { connectionId, region, destination }: TListAwsConnectionKmsKeys,
+    actor: OrgServiceActor
+  ) => {
+    const appConnection = await getAppConnection(AppConnection.AWS, connectionId, actor);
+
+    const kmsKeys = await listAwsKmsKeys(appConnection, { region, destination });
+
+    return kmsKeys;
+  };
+
+  return {
+    listKmsKeys
+  };
+};

backend/src/services/auth/auth-type.ts

@@ -35,6 +35,7 @@ export enum AuthMode {
 
 export enum ActorType { // would extend to AWS, Azure, ...
   PLATFORM = "platform", // Useful for when we want to perform logging on automated actions such as integration syncs.
+  KMIP_CLIENT = "kmipClient",
   USER = "user", // userIdentity
   SERVICE = "service",
   IDENTITY = "identity",

backend/src/services/certificate-authority/certificate-authority-validators.ts

@@ -1,5 +1,7 @@
 import { z } from "zod";
 
+import { isValidIp } from "@app/lib/ip";
+
 const isValidDate = (dateString: string) => {
   const date = new Date(dateString);
   return !Number.isNaN(date.getTime());
@@ -25,7 +27,7 @@ export const validateAltNamesField = z
       if (data === "") return true;
       // Split and validate each alt name
       return data.split(", ").every((name) => {
-        return hostnameRegex.test(name) || z.string().email().safeParse(name).success;
+        return hostnameRegex.test(name) || z.string().email().safeParse(name).success || isValidIp(name);
       });
     },
     {

backend/src/services/certificate/certificate-fns.ts

@@ -40,3 +40,9 @@ export const isCertChainValid = async (certificates: x509.X509Certificate[]) =>
   // chain.build() implicitly verifies the chain
   return chainItems.length === certificates.length;
 };
+
+export const constructPemChainFromCerts = (certificates: x509.X509Certificate[]) =>
+  certificates
+    .map((cert) => cert.toString("pem"))
+    .join("\n")
+    .trim();

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -2257,7 +2257,9 @@ const syncSecretsFlyio = async ({
     }
   `;
 
-  await request.post(
+  type TFlyioErrors = { message: string }[];
+
+  const setSecretsResp = await request.post<{ errors?: TFlyioErrors }>(
     IntegrationUrls.FLYIO_API_URL,
     {
       query: SetSecrets,
@@ -2279,6 +2281,10 @@ const syncSecretsFlyio = async ({
     }
   );
 
+  if (setSecretsResp.data.errors?.length) {
+    throw new Error(JSON.stringify(setSecretsResp.data.errors));
+  }
+
   // get secrets
   interface FlyioSecret {
     name: string;

backend/src/services/kms/kms-key-dal.ts

@@ -93,6 +93,32 @@ export const kmskeyDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findProjectCmeks = async (projectId: string, tx?: Knex) => {
+    try {
+      const result = await (tx || db.replicaNode())(TableName.KmsKey)
+        .where({
+          [`${TableName.KmsKey}.projectId` as "projectId"]: projectId,
+          [`${TableName.KmsKey}.isReserved` as "isReserved"]: false
+        })
+        .join(TableName.Organization, `${TableName.KmsKey}.orgId`, `${TableName.Organization}.id`)
+        .join(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
+        .select(selectAllTableCols(TableName.KmsKey))
+        .select(
+          db.ref("encryptionAlgorithm").withSchema(TableName.InternalKms).as("internalKmsEncryptionAlgorithm"),
+          db.ref("version").withSchema(TableName.InternalKms).as("internalKmsVersion")
+        );
+
+      return result.map((entry) => ({
+        ...KmsKeysSchema.parse(entry),
+        isActive: !entry.isDisabled,
+        algorithm: entry.internalKmsEncryptionAlgorithm,
+        version: entry.internalKmsVersion
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find project cmeks" });
+    }
+  };
+
   const listCmeksByProjectId = async (
     {
       projectId,
@@ -167,5 +193,5 @@ export const kmskeyDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...kmsOrm, findByIdWithAssociatedKms, listCmeksByProjectId, findCmekById, findCmekByName };
+  return { ...kmsOrm, findByIdWithAssociatedKms, listCmeksByProjectId, findCmekById, findCmekByName, findProjectCmeks };
 };

backend/src/services/kms/kms-service.ts

@@ -37,6 +37,8 @@ import {
   TEncryptWithKmsDataKeyDTO,
   TEncryptWithKmsDTO,
   TGenerateKMSDTO,
+  TGetKeyMaterialDTO,
+  TImportKeyMaterialDTO,
   TUpdateProjectSecretManagerKmsKeyDTO
 } from "./kms-types";
 
@@ -325,6 +327,72 @@ export const kmsServiceFactory = ({
     };
   };
 
+  const getKeyMaterial = async ({ kmsId }: TGetKeyMaterialDTO) => {
+    const kmsDoc = await kmsDAL.findByIdWithAssociatedKms(kmsId);
+    if (!kmsDoc) {
+      throw new NotFoundError({ message: `KMS with ID '${kmsId}' not found` });
+    }
+
+    if (kmsDoc.isReserved) {
+      throw new BadRequestError({
+        message: "Cannot get key material for reserved key"
+      });
+    }
+
+    if (kmsDoc.externalKms) {
+      throw new BadRequestError({
+        message: "Cannot get key material for external key"
+      });
+    }
+
+    const keyCipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    const kmsKey = keyCipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
+
+    return kmsKey;
+  };
+
+  const importKeyMaterial = async (
+    { key, algorithm, name, isReserved, projectId, orgId }: TImportKeyMaterialDTO,
+    tx?: Knex
+  ) => {
+    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+
+    const expectedByteLength = getByteLengthForAlgorithm(algorithm);
+    if (key.byteLength !== expectedByteLength) {
+      throw new BadRequestError({
+        message: `Invalid key length for ${algorithm}. Expected ${expectedByteLength} bytes but got ${key.byteLength} bytes`
+      });
+    }
+
+    const encryptedKeyMaterial = cipher.encrypt(key, ROOT_ENCRYPTION_KEY);
+    const sanitizedName = name ? slugify(name) : slugify(alphaNumericNanoId(8).toLowerCase());
+    const dbQuery = async (db: Knex) => {
+      const kmsDoc = await kmsDAL.create(
+        {
+          name: sanitizedName,
+          orgId,
+          isReserved,
+          projectId
+        },
+        db
+      );
+
+      await internalKmsDAL.create(
+        {
+          version: 1,
+          encryptedKey: encryptedKeyMaterial,
+          encryptionAlgorithm: algorithm,
+          kmsKeyId: kmsDoc.id
+        },
+        db
+      );
+      return kmsDoc;
+    };
+    if (tx) return dbQuery(tx);
+    const doc = await kmsDAL.transaction(async (tx2) => dbQuery(tx2));
+    return doc;
+  };
+
   const encryptWithKmsKey = async ({ kmsId }: Omit<TEncryptWithKmsDTO, "plainText">, tx?: Knex) => {
     const kmsDoc = await kmsDAL.findByIdWithAssociatedKms(kmsId, tx);
     if (!kmsDoc) {
@@ -944,6 +1012,8 @@ export const kmsServiceFactory = ({
     getProjectKeyBackup,
     loadProjectKeyBackup,
     getKmsById,
-    createCipherPairWithDataKey
+    createCipherPairWithDataKey,
+    getKeyMaterial,
+    importKeyMaterial
   };
 };

backend/src/services/kms/kms-types.ts

@@ -61,3 +61,15 @@ export enum RootKeyEncryptionStrategy {
   Software = "SOFTWARE",
   HSM = "HSM"
 }
+export type TGetKeyMaterialDTO = {
+  kmsId: string;
+};
+
+export type TImportKeyMaterialDTO = {
+  key: Buffer;
+  algorithm: SymmetricEncryption;
+  name?: string;
+  isReserved: boolean;
+  projectId: string;
+  orgId: string;
+};

backend/src/services/secret-sharing/secret-sharing-service.ts

@@ -34,6 +34,25 @@ export const secretSharingServiceFactory = ({
   orgDAL,
   kmsService
 }: TSecretSharingServiceFactoryDep) => {
+  const $validateSharedSecretExpiry = (expiresAt: string) => {
+    if (new Date(expiresAt) < new Date()) {
+      throw new BadRequestError({ message: "Expiration date cannot be in the past" });
+    }
+
+    // Limit Expiry Time to 1 month
+    const expiryTime = new Date(expiresAt).getTime();
+    const currentTime = new Date().getTime();
+    const thirtyDays = 30 * 24 * 60 * 60 * 1000;
+    if (expiryTime - currentTime > thirtyDays) {
+      throw new BadRequestError({ message: "Expiration date cannot be more than 30 days" });
+    }
+
+    const fiveMins = 5 * 60 * 1000;
+    if (expiryTime - currentTime < fiveMins) {
+      throw new BadRequestError({ message: "Expiration time cannot be less than 5 mins" });
+    }
+  };
+
   const createSharedSecret = async ({
     actor,
     actorId,
@@ -49,18 +68,7 @@ export const secretSharingServiceFactory = ({
   }: TCreateSharedSecretDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     if (!permission) throw new ForbiddenRequestError({ name: "User is not a part of the specified organization" });
-
-    if (new Date(expiresAt) < new Date()) {
-      throw new BadRequestError({ message: "Expiration date cannot be in the past" });
-    }
-
-    // Limit Expiry Time to 1 month
-    const expiryTime = new Date(expiresAt).getTime();
-    const currentTime = new Date().getTime();
-    const thirtyDays = 30 * 24 * 60 * 60 * 1000;
-    if (expiryTime - currentTime > thirtyDays) {
-      throw new BadRequestError({ message: "Expiration date cannot be more than 30 days" });
-    }
+    $validateSharedSecretExpiry(expiresAt);
 
     if (secretValue.length > 10_000) {
       throw new BadRequestError({ message: "Shared secret value too long" });
@@ -100,17 +108,7 @@ export const secretSharingServiceFactory = ({
     expiresAfterViews,
     accessType
   }: TCreatePublicSharedSecretDTO) => {
-    if (new Date(expiresAt) < new Date()) {
-      throw new BadRequestError({ message: "Expiration date cannot be in the past" });
-    }
-
-    // Limit Expiry Time to 1 month
-    const expiryTime = new Date(expiresAt).getTime();
-    const currentTime = new Date().getTime();
-    const thirtyDays = 30 * 24 * 60 * 60 * 1000;
-    if (expiryTime - currentTime > thirtyDays) {
-      throw new BadRequestError({ message: "Expiration date cannot exceed more than 30 days" });
-    }
+    $validateSharedSecretExpiry(expiresAt);
 
     const encryptWithRoot = kmsService.encryptWithRootKey();
     const encryptedSecret = encryptWithRoot(Buffer.from(secretValue));

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts

@@ -7,6 +7,8 @@ import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 import { TAwsParameterStoreSyncWithCredentials } from "./aws-parameter-store-sync-types";
 
 type TAWSParameterStoreRecord = Record<string, AWS.SSM.Parameter>;
+type TAWSParameterStoreMetadataRecord = Record<string, AWS.SSM.ParameterMetadata>;
+type TAWSParameterStoreTagsRecord = Record<string, Record<string, string>>;
 
 const MAX_RETRIES = 5;
 const BATCH_SIZE = 10;
@@ -80,6 +82,129 @@ const getParametersByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSPara
   return awsParameterStoreSecretsRecord;
 };
 
+const getParameterMetadataByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSParameterStoreMetadataRecord> => {
+  const awsParameterStoreMetadataRecord: TAWSParameterStoreMetadataRecord = {};
+  let hasNext = true;
+  let nextToken: string | undefined;
+  let attempt = 0;
+
+  while (hasNext) {
+    try {
+      // eslint-disable-next-line no-await-in-loop
+      const parameters = await ssm
+        .describeParameters({
+          MaxResults: 10,
+          NextToken: nextToken,
+          ParameterFilters: [
+            {
+              Key: "Path",
+              Option: "OneLevel",
+              Values: [path]
+            }
+          ]
+        })
+        .promise();
+
+      attempt = 0;
+
+      if (parameters.Parameters) {
+        parameters.Parameters.forEach((parameter) => {
+          if (parameter.Name) {
+            // no leading slash if path is '/'
+            const secKey = path.length > 1 ? parameter.Name.substring(path.length) : parameter.Name;
+            awsParameterStoreMetadataRecord[secKey] = parameter;
+          }
+        });
+      }
+
+      hasNext = Boolean(parameters.NextToken);
+      nextToken = parameters.NextToken;
+    } catch (e) {
+      if ((e as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
+        attempt += 1;
+        // eslint-disable-next-line no-await-in-loop
+        await sleep();
+        // eslint-disable-next-line no-continue
+        continue;
+      }
+
+      throw e;
+    }
+  }
+
+  return awsParameterStoreMetadataRecord;
+};
+
+const getParameterStoreTagsRecord = async (
+  ssm: AWS.SSM,
+  awsParameterStoreSecretsRecord: TAWSParameterStoreRecord,
+  needsTagsPermissions: boolean
+): Promise<{ shouldManageTags: boolean; awsParameterStoreTagsRecord: TAWSParameterStoreTagsRecord }> => {
+  const awsParameterStoreTagsRecord: TAWSParameterStoreTagsRecord = {};
+
+  for await (const entry of Object.entries(awsParameterStoreSecretsRecord)) {
+    const [key, parameter] = entry;
+
+    if (!parameter.Name) {
+      // eslint-disable-next-line no-continue
+      continue;
+    }
+
+    try {
+      const tags = await ssm
+        .listTagsForResource({
+          ResourceType: "Parameter",
+          ResourceId: parameter.Name
+        })
+        .promise();
+
+      awsParameterStoreTagsRecord[key] = Object.fromEntries(tags.TagList?.map((tag) => [tag.Key, tag.Value]) ?? []);
+    } catch (e) {
+      // users aren't required to provide tag permissions to use sync so we handle gracefully if unauthorized
+      // and they aren't trying to configure tags
+      if ((e as AWSError).code === "AccessDeniedException") {
+        if (!needsTagsPermissions) {
+          return { shouldManageTags: false, awsParameterStoreTagsRecord: {} };
+        }
+
+        throw new SecretSyncError({
+          message:
+            "IAM role has inadequate permissions to manage resource tags. Ensure the following polices are present: ssm:ListTagsForResource, ssm:AddTagsToResource, and ssm:RemoveTagsFromResource",
+          shouldRetry: false
+        });
+      }
+
+      throw e;
+    }
+  }
+
+  return { shouldManageTags: true, awsParameterStoreTagsRecord };
+};
+
+const processParameterTags = ({
+  syncTagsRecord,
+  awsTagsRecord
+}: {
+  syncTagsRecord: Record<string, string>;
+  awsTagsRecord: Record<string, string>;
+}) => {
+  const tagsToAdd: AWS.SSM.TagList = [];
+  const tagKeysToRemove: string[] = [];
+
+  for (const syncEntry of Object.entries(syncTagsRecord)) {
+    const [syncKey, syncValue] = syncEntry;
+
+    if (!(syncKey in awsTagsRecord) || syncValue !== awsTagsRecord[syncKey])
+      tagsToAdd.push({ Key: syncKey, Value: syncValue });
+  }
+
+  for (const awsKey of Object.keys(awsTagsRecord)) {
+    if (!(awsKey in syncTagsRecord)) tagKeysToRemove.push(awsKey);
+  }
+
+  return { tagsToAdd, tagKeysToRemove };
+};
+
 const putParameter = async (
   ssm: AWS.SSM,
   params: AWS.SSM.PutParameterRequest,
@@ -98,6 +223,42 @@ const putParameter = async (
   }
 };
 
+const addTagsToParameter = async (
+  ssm: AWS.SSM,
+  params: Omit<AWS.SSM.AddTagsToResourceRequest, "ResourceType">,
+  attempt = 0
+): Promise<AWS.SSM.AddTagsToResourceResult> => {
+  try {
+    return await ssm.addTagsToResource({ ...params, ResourceType: "Parameter" }).promise();
+  } catch (error) {
+    if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
+      await sleep();
+
+      // retry
+      return addTagsToParameter(ssm, params, attempt + 1);
+    }
+    throw error;
+  }
+};
+
+const removeTagsFromParameter = async (
+  ssm: AWS.SSM,
+  params: Omit<AWS.SSM.RemoveTagsFromResourceRequest, "ResourceType">,
+  attempt = 0
+): Promise<AWS.SSM.RemoveTagsFromResourceResult> => {
+  try {
+    return await ssm.removeTagsFromResource({ ...params, ResourceType: "Parameter" }).promise();
+  } catch (error) {
+    if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
+      await sleep();
+
+      // retry
+      return removeTagsFromParameter(ssm, params, attempt + 1);
+    }
+    throw error;
+  }
+};
+
 const deleteParametersBatch = async (
   ssm: AWS.SSM,
   parameters: AWS.SSM.Parameter[],
@@ -132,35 +293,92 @@ const deleteParametersBatch = async (
 
 export const AwsParameterStoreSyncFns = {
   syncSecrets: async (secretSync: TAwsParameterStoreSyncWithCredentials, secretMap: TSecretMap) => {
-    const { destinationConfig } = secretSync;
+    const { destinationConfig, syncOptions } = secretSync;
 
     const ssm = await getSSM(secretSync);
 
-    // TODO(scott): KMS Key ID, Tags
-
     const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
 
-    for await (const entry of Object.entries(secretMap)) {
-      const [key, { value }] = entry;
+    const awsParameterStoreMetadataRecord = await getParameterMetadataByPath(ssm, destinationConfig.path);
 
-      // skip empty values (not allowed by AWS) or secrets that haven't changed
-      if (!value || (key in awsParameterStoreSecretsRecord && awsParameterStoreSecretsRecord[key].Value === value)) {
+    const { shouldManageTags, awsParameterStoreTagsRecord } = await getParameterStoreTagsRecord(
+      ssm,
+      awsParameterStoreSecretsRecord,
+      Boolean(syncOptions.tags?.length || syncOptions.syncSecretMetadataAsTags)
+    );
+    const syncTagsRecord = Object.fromEntries(syncOptions.tags?.map((tag) => [tag.key, tag.value]) ?? []);
+
+    for await (const entry of Object.entries(secretMap)) {
+      const [key, { value, secretMetadata }] = entry;
+
+      // skip empty values (not allowed by AWS)
+      if (!value) {
         // eslint-disable-next-line no-continue
         continue;
       }
 
-      try {
-        await putParameter(ssm, {
-          Name: `${destinationConfig.path}${key}`,
-          Type: "SecureString",
-          Value: value,
-          Overwrite: true
-        });
-      } catch (error) {
-        throw new SecretSyncError({
-          error,
-          secretKey: key
+      const keyId = syncOptions.keyId ?? "alias/aws/ssm";
+
+      // create parameter or update if changed
+      if (
+        !(key in awsParameterStoreSecretsRecord) ||
+        value !== awsParameterStoreSecretsRecord[key].Value ||
+        keyId !== awsParameterStoreMetadataRecord[key]?.KeyId
+      ) {
+        try {
+          await putParameter(ssm, {
+            Name: `${destinationConfig.path}${key}`,
+            Type: "SecureString",
+            Value: value,
+            Overwrite: true,
+            KeyId: keyId
+          });
+        } catch (error) {
+          throw new SecretSyncError({
+            error,
+            secretKey: key
+          });
+        }
+      }
+
+      if (shouldManageTags) {
+        const { tagsToAdd, tagKeysToRemove } = processParameterTags({
+          syncTagsRecord: {
+            // configured sync tags take preference over secret metadata
+            ...(syncOptions.syncSecretMetadataAsTags &&
+              Object.fromEntries(secretMetadata?.map((tag) => [tag.key, tag.value]) ?? [])),
+            ...syncTagsRecord
+          },
+          awsTagsRecord: awsParameterStoreTagsRecord[key] ?? {}
         });
+
+        if (tagsToAdd.length) {
+          try {
+            await addTagsToParameter(ssm, {
+              ResourceId: `${destinationConfig.path}${key}`,
+              Tags: tagsToAdd
+            });
+          } catch (error) {
+            throw new SecretSyncError({
+              error,
+              secretKey: key
+            });
+          }
+        }
+
+        if (tagKeysToRemove.length) {
+          try {
+            await removeTagsFromParameter(ssm, {
+              ResourceId: `${destinationConfig.path}${key}`,
+              TagKeys: tagKeysToRemove
+            });
+          } catch (error) {
+            throw new SecretSyncError({
+              error,
+              secretKey: key
+            });
+          }
+        }
       }
     }
 

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-schemas.ts

@@ -8,6 +8,7 @@ import {
   GenericCreateSecretSyncFieldsSchema,
   GenericUpdateSecretSyncFieldsSchema
 } from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
 const AwsParameterStoreSyncDestinationConfigSchema = z.object({
   region: z.nativeEnum(AWSRegion).describe(SecretSyncs.DESTINATION_CONFIG.AWS_PARAMETER_STORE.region),
@@ -20,19 +21,68 @@ const AwsParameterStoreSyncDestinationConfigSchema = z.object({
     .describe(SecretSyncs.DESTINATION_CONFIG.AWS_PARAMETER_STORE.path)
 });
 
-export const AwsParameterStoreSyncSchema = BaseSecretSyncSchema(SecretSync.AWSParameterStore).extend({
+const AwsParameterStoreSyncOptionsSchema = z.object({
+  keyId: z
+    .string()
+    .regex(/^([a-zA-Z0-9:/_-]+)$/, "Invalid KMS Key ID")
+    .min(1, "Invalid KMS Key ID")
+    .max(256, "Invalid KMS Key ID")
+    .optional()
+    .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_PARAMETER_STORE.keyId),
+  tags: z
+    .object({
+      key: z
+        .string()
+        .regex(
+          /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
+          "Invalid resource tag key: keys can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
+        )
+        .min(1, "Resource tag key required")
+        .max(128, "Resource tag key cannot exceed 128 characters"),
+      value: z
+        .string()
+        .regex(
+          /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
+          "Invalid resource tag value: tag values can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
+        )
+        .max(256, "Resource tag value cannot exceed 256 characters")
+    })
+    .array()
+    .max(50)
+    .refine((items) => new Set(items.map((item) => item.key)).size === items.length, {
+      message: "Resource tag keys must be unique"
+    })
+    .optional()
+    .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_PARAMETER_STORE.tags),
+  syncSecretMetadataAsTags: z
+    .boolean()
+    .optional()
+    .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_PARAMETER_STORE.syncSecretMetadataAsTags)
+});
+
+const AwsParameterStoreSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
+
+export const AwsParameterStoreSyncSchema = BaseSecretSyncSchema(
+  SecretSync.AWSParameterStore,
+  AwsParameterStoreSyncOptionsConfig,
+  AwsParameterStoreSyncOptionsSchema
+).extend({
   destination: z.literal(SecretSync.AWSParameterStore),
   destinationConfig: AwsParameterStoreSyncDestinationConfigSchema
 });
 
 export const CreateAwsParameterStoreSyncSchema = GenericCreateSecretSyncFieldsSchema(
-  SecretSync.AWSParameterStore
+  SecretSync.AWSParameterStore,
+  AwsParameterStoreSyncOptionsConfig,
+  AwsParameterStoreSyncOptionsSchema
 ).extend({
   destinationConfig: AwsParameterStoreSyncDestinationConfigSchema
 });
 
 export const UpdateAwsParameterStoreSyncSchema = GenericUpdateSecretSyncFieldsSchema(
-  SecretSync.AWSParameterStore
+  SecretSync.AWSParameterStore,
+  AwsParameterStoreSyncOptionsConfig,
+  AwsParameterStoreSyncOptionsSchema
 ).extend({
   destinationConfig: AwsParameterStoreSyncDestinationConfigSchema.optional()
 });

backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-fns.ts

@@ -1,16 +1,28 @@
+import { UntagResourceCommandOutput } from "@aws-sdk/client-kms";
 import {
   BatchGetSecretValueCommand,
   CreateSecretCommand,
   CreateSecretCommandInput,
   DeleteSecretCommand,
   DeleteSecretResponse,
+  DescribeSecretCommand,
+  DescribeSecretCommandInput,
   ListSecretsCommand,
   SecretsManagerClient,
+  TagResourceCommand,
+  TagResourceCommandOutput,
+  UntagResourceCommand,
   UpdateSecretCommand,
   UpdateSecretCommandInput
 } from "@aws-sdk/client-secrets-manager";
 import { AWSError } from "aws-sdk";
-import { CreateSecretResponse, SecretListEntry, SecretValueEntry } from "aws-sdk/clients/secretsmanager";
+import {
+  CreateSecretResponse,
+  DescribeSecretResponse,
+  SecretListEntry,
+  SecretValueEntry,
+  Tag
+} from "aws-sdk/clients/secretsmanager";
 
 import { getAwsConnectionConfig } from "@app/services/app-connection/aws/aws-connection-fns";
 import { AwsSecretsManagerSyncMappingBehavior } from "@app/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-enums";
@@ -21,6 +33,7 @@ import { TAwsSecretsManagerSyncWithCredentials } from "./aws-secrets-manager-syn
 
 type TAwsSecretsRecord = Record<string, SecretListEntry>;
 type TAwsSecretValuesRecord = Record<string, SecretValueEntry>;
+type TAwsSecretDescriptionsRecord = Record<string, DescribeSecretResponse>;
 
 const MAX_RETRIES = 5;
 const BATCH_SIZE = 20;
@@ -135,6 +148,46 @@ const getSecretValuesRecord = async (
   return awsSecretValuesRecord;
 };
 
+const describeSecret = async (
+  client: SecretsManagerClient,
+  input: DescribeSecretCommandInput,
+  attempt = 0
+): Promise<DescribeSecretResponse> => {
+  try {
+    return await client.send(new DescribeSecretCommand(input));
+  } catch (error) {
+    if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
+      await sleep();
+
+      // retry
+      return describeSecret(client, input, attempt + 1);
+    }
+    throw error;
+  }
+};
+
+const getSecretDescriptionsRecord = async (
+  client: SecretsManagerClient,
+  awsSecretsRecord: TAwsSecretsRecord
+): Promise<TAwsSecretDescriptionsRecord> => {
+  const awsSecretDescriptionsRecord: TAwsSecretValuesRecord = {};
+
+  for await (const secretKey of Object.keys(awsSecretsRecord)) {
+    try {
+      awsSecretDescriptionsRecord[secretKey] = await describeSecret(client, {
+        SecretId: secretKey
+      });
+    } catch (error) {
+      throw new SecretSyncError({
+        secretKey,
+        error
+      });
+    }
+  }
+
+  return awsSecretDescriptionsRecord;
+};
+
 const createSecret = async (
   client: SecretsManagerClient,
   input: CreateSecretCommandInput,
@@ -189,9 +242,71 @@ const deleteSecret = async (
   }
 };
 
+const addTags = async (
+  client: SecretsManagerClient,
+  secretKey: string,
+  tags: Tag[],
+  attempt = 0
+): Promise<TagResourceCommandOutput> => {
+  try {
+    return await client.send(new TagResourceCommand({ SecretId: secretKey, Tags: tags }));
+  } catch (error) {
+    if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
+      await sleep();
+
+      // retry
+      return addTags(client, secretKey, tags, attempt + 1);
+    }
+    throw error;
+  }
+};
+
+const removeTags = async (
+  client: SecretsManagerClient,
+  secretKey: string,
+  tagKeys: string[],
+  attempt = 0
+): Promise<UntagResourceCommandOutput> => {
+  try {
+    return await client.send(new UntagResourceCommand({ SecretId: secretKey, TagKeys: tagKeys }));
+  } catch (error) {
+    if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
+      await sleep();
+
+      // retry
+      return removeTags(client, secretKey, tagKeys, attempt + 1);
+    }
+    throw error;
+  }
+};
+
+const processTags = ({
+  syncTagsRecord,
+  awsTagsRecord
+}: {
+  syncTagsRecord: Record<string, string>;
+  awsTagsRecord: Record<string, string>;
+}) => {
+  const tagsToAdd: Tag[] = [];
+  const tagKeysToRemove: string[] = [];
+
+  for (const syncEntry of Object.entries(syncTagsRecord)) {
+    const [syncKey, syncValue] = syncEntry;
+
+    if (!(syncKey in awsTagsRecord) || syncValue !== awsTagsRecord[syncKey])
+      tagsToAdd.push({ Key: syncKey, Value: syncValue });
+  }
+
+  for (const awsKey of Object.keys(awsTagsRecord)) {
+    if (!(awsKey in syncTagsRecord)) tagKeysToRemove.push(awsKey);
+  }
+
+  return { tagsToAdd, tagKeysToRemove };
+};
+
 export const AwsSecretsManagerSyncFns = {
   syncSecrets: async (secretSync: TAwsSecretsManagerSyncWithCredentials, secretMap: TSecretMap) => {
-    const { destinationConfig } = secretSync;
+    const { destinationConfig, syncOptions } = secretSync;
 
     const client = await getSecretsManagerClient(secretSync);
 
@@ -199,9 +314,15 @@ export const AwsSecretsManagerSyncFns = {
 
     const awsValuesRecord = await getSecretValuesRecord(client, awsSecretsRecord);
 
+    const awsDescriptionsRecord = await getSecretDescriptionsRecord(client, awsSecretsRecord);
+
+    const syncTagsRecord = Object.fromEntries(syncOptions.tags?.map((tag) => [tag.key, tag.value]) ?? []);
+
+    const keyId = syncOptions.keyId ?? "alias/aws/secretsmanager";
+
     if (destinationConfig.mappingBehavior === AwsSecretsManagerSyncMappingBehavior.OneToOne) {
       for await (const entry of Object.entries(secretMap)) {
-        const [key, { value }] = entry;
+        const [key, { value, secretMetadata }] = entry;
 
         // skip secrets that don't have a value set
         if (!value) {
@@ -211,15 +332,26 @@ export const AwsSecretsManagerSyncFns = {
 
         if (awsSecretsRecord[key]) {
           // skip secrets that haven't changed
-          if (awsValuesRecord[key]?.SecretString === value) {
-            // eslint-disable-next-line no-continue
-            continue;
+          if (awsValuesRecord[key]?.SecretString !== value || keyId !== awsDescriptionsRecord[key]?.KmsKeyId) {
+            try {
+              await updateSecret(client, {
+                SecretId: key,
+                SecretString: value,
+                KmsKeyId: keyId
+              });
+            } catch (error) {
+              throw new SecretSyncError({
+                error,
+                secretKey: key
+              });
+            }
           }
-
+        } else {
           try {
-            await updateSecret(client, {
-              SecretId: key,
-              SecretString: value
+            await createSecret(client, {
+              Name: key,
+              SecretString: value,
+              KmsKeyId: keyId
             });
           } catch (error) {
             throw new SecretSyncError({
@@ -227,12 +359,34 @@ export const AwsSecretsManagerSyncFns = {
               secretKey: key
             });
           }
-        } else {
+        }
+
+        const { tagsToAdd, tagKeysToRemove } = processTags({
+          syncTagsRecord: {
+            // configured sync tags take preference over secret metadata
+            ...(syncOptions.syncSecretMetadataAsTags &&
+              Object.fromEntries(secretMetadata?.map((tag) => [tag.key, tag.value]) ?? [])),
+            ...syncTagsRecord
+          },
+          awsTagsRecord: Object.fromEntries(
+            awsDescriptionsRecord[key]?.Tags?.map((tag) => [tag.Key!, tag.Value!]) ?? []
+          )
+        });
+
+        if (tagsToAdd.length) {
           try {
-            await createSecret(client, {
-              Name: key,
-              SecretString: value
+            await addTags(client, key, tagsToAdd);
+          } catch (error) {
+            throw new SecretSyncError({
+              error,
+              secretKey: key
             });
+          }
+        }
+
+        if (tagKeysToRemove.length) {
+          try {
+            await removeTags(client, key, tagKeysToRemove);
           } catch (error) {
             throw new SecretSyncError({
               error,
@@ -261,30 +415,45 @@ export const AwsSecretsManagerSyncFns = {
         Object.fromEntries(Object.entries(secretMap).map(([key, secretData]) => [key, secretData.value]))
       );
 
-      if (awsValuesRecord[destinationConfig.secretName]) {
+      if (awsSecretsRecord[destinationConfig.secretName]) {
         await updateSecret(client, {
           SecretId: destinationConfig.secretName,
-          SecretString: secretValue
+          SecretString: secretValue,
+          KmsKeyId: keyId
         });
       } else {
         await createSecret(client, {
           Name: destinationConfig.secretName,
-          SecretString: secretValue
+          SecretString: secretValue,
+          KmsKeyId: keyId
         });
       }
 
-      for await (const secretKey of Object.keys(awsSecretsRecord)) {
-        if (secretKey === destinationConfig.secretName) {
-          // eslint-disable-next-line no-continue
-          continue;
-        }
+      const { tagsToAdd, tagKeysToRemove } = processTags({
+        syncTagsRecord,
+        awsTagsRecord: Object.fromEntries(
+          awsDescriptionsRecord[destinationConfig.secretName]?.Tags?.map((tag) => [tag.Key!, tag.Value!]) ?? []
+        )
+      });
 
+      if (tagsToAdd.length) {
         try {
-          await deleteSecret(client, secretKey);
+          await addTags(client, destinationConfig.secretName, tagsToAdd);
         } catch (error) {
           throw new SecretSyncError({
             error,
-            secretKey
+            secretKey: destinationConfig.secretName
+          });
+        }
+      }
+
+      if (tagKeysToRemove.length) {
+        try {
+          await removeTags(client, destinationConfig.secretName, tagKeysToRemove);
+        } catch (error) {
+          throw new SecretSyncError({
+            error,
+            secretKey: destinationConfig.secretName
           });
         }
       }

backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-schemas.ts

@@ -9,6 +9,7 @@ import {
   GenericCreateSecretSyncFieldsSchema,
   GenericUpdateSecretSyncFieldsSchema
 } from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
 const AwsSecretsManagerSyncDestinationConfigSchema = z
   .discriminatedUnion("mappingBehavior", [
@@ -38,22 +39,95 @@ const AwsSecretsManagerSyncDestinationConfigSchema = z
     })
   );
 
-export const AwsSecretsManagerSyncSchema = BaseSecretSyncSchema(SecretSync.AWSSecretsManager).extend({
+const AwsSecretsManagerSyncOptionsSchema = z.object({
+  keyId: z
+    .string()
+    .regex(/^([a-zA-Z0-9:/_-]+)$/, "Invalid KMS Key ID")
+    .min(1, "Invalid KMS Key ID")
+    .max(256, "Invalid KMS Key ID")
+    .optional()
+    .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_SECRETS_MANAGER.keyId),
+  tags: z
+    .object({
+      key: z
+        .string()
+        .regex(
+          /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
+          "Invalid tag key: keys can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
+        )
+        .min(1, "Tag key required")
+        .max(128, "Tag key cannot exceed 128 characters"),
+      value: z
+        .string()
+        .regex(
+          /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
+          "Invalid tag value: tag values can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
+        )
+        .max(256, "Tag value cannot exceed 256 characters")
+    })
+    .array()
+    .max(50)
+    .refine((items) => new Set(items.map((item) => item.key)).size === items.length, {
+      message: "Tag keys must be unique"
+    })
+    .optional()
+    .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_SECRETS_MANAGER.tags),
+  syncSecretMetadataAsTags: z
+    .boolean()
+    .optional()
+    .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_SECRETS_MANAGER.syncSecretMetadataAsTags)
+});
+
+const AwsSecretsManagerSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
+
+export const AwsSecretsManagerSyncSchema = BaseSecretSyncSchema(
+  SecretSync.AWSSecretsManager,
+  AwsSecretsManagerSyncOptionsConfig,
+  AwsSecretsManagerSyncOptionsSchema
+).extend({
   destination: z.literal(SecretSync.AWSSecretsManager),
   destinationConfig: AwsSecretsManagerSyncDestinationConfigSchema
 });
 
 export const CreateAwsSecretsManagerSyncSchema = GenericCreateSecretSyncFieldsSchema(
-  SecretSync.AWSSecretsManager
-).extend({
-  destinationConfig: AwsSecretsManagerSyncDestinationConfigSchema
-});
+  SecretSync.AWSSecretsManager,
+  AwsSecretsManagerSyncOptionsConfig,
+  AwsSecretsManagerSyncOptionsSchema
+)
+  .extend({
+    destinationConfig: AwsSecretsManagerSyncDestinationConfigSchema
+  })
+  .superRefine((sync, ctx) => {
+    if (
+      sync.destinationConfig.mappingBehavior === AwsSecretsManagerSyncMappingBehavior.ManyToOne &&
+      sync.syncOptions.syncSecretMetadataAsTags
+    ) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'Syncing secret metadata is not supported with "Many-to-One" mapping behavior.'
+      });
+    }
+  });
 
 export const UpdateAwsSecretsManagerSyncSchema = GenericUpdateSecretSyncFieldsSchema(
-  SecretSync.AWSSecretsManager
-).extend({
-  destinationConfig: AwsSecretsManagerSyncDestinationConfigSchema.optional()
-});
+  SecretSync.AWSSecretsManager,
+  AwsSecretsManagerSyncOptionsConfig,
+  AwsSecretsManagerSyncOptionsSchema
+)
+  .extend({
+    destinationConfig: AwsSecretsManagerSyncDestinationConfigSchema.optional()
+  })
+  .superRefine((sync, ctx) => {
+    if (
+      sync.destinationConfig?.mappingBehavior === AwsSecretsManagerSyncMappingBehavior.ManyToOne &&
+      sync.syncOptions.syncSecretMetadataAsTags
+    ) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'Syncing secret metadata is not supported with "Many-to-One" mapping behavior.'
+      });
+    }
+  });
 
 export const AwsSecretsManagerSyncListItemSchema = z.object({
   name: z.literal("AWS Secrets Manager"),

backend/src/services/secret-sync/secret-sync-queue.ts

@@ -233,6 +233,7 @@ export const secretSyncQueueFactory = ({
         }
 
         secretMap[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
+        secretMap[secretKey].secretMetadata = secret.secretMetadata;
       })
     );
 
@@ -258,7 +259,8 @@ export const secretSyncQueueFactory = ({
             secretMap[importedSecret.key] = {
               skipMultilineEncoding: importedSecret.skipMultilineEncoding,
               comment: importedSecret.secretComment,
-              value: importedSecret.secretValue || ""
+              value: importedSecret.secretValue || "",
+              secretMetadata: importedSecret.secretMetadata
             };
           }
         }

backend/src/services/secret-sync/secret-sync-schemas.ts

@@ -1,4 +1,4 @@
-import { z } from "zod";
+import { AnyZodObject, z } from "zod";
 
 import { SecretSyncsSchema } from "@app/db/schemas/secret-syncs";
 import { SecretSyncs } from "@app/lib/api-docs";
@@ -8,34 +8,45 @@ import { SecretSync, SecretSyncInitialSyncBehavior } from "@app/services/secret-
 import { SECRET_SYNC_CONNECTION_MAP } from "@app/services/secret-sync/secret-sync-maps";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
-const SyncOptionsSchema = (secretSync: SecretSync, options: TSyncOptionsConfig = { canImportSecrets: true }) =>
-  z.object({
-    initialSyncBehavior: (options.canImportSecrets
+const BaseSyncOptionsSchema = <T extends AnyZodObject | undefined = undefined>({
+  destination,
+  syncOptionsConfig: { canImportSecrets },
+  merge,
+  isUpdateSchema
+}: {
+  destination: SecretSync;
+  syncOptionsConfig: TSyncOptionsConfig;
+  merge?: T;
+  isUpdateSchema?: boolean;
+}) => {
+  const baseSchema = z.object({
+    initialSyncBehavior: (canImportSecrets
       ? z.nativeEnum(SecretSyncInitialSyncBehavior)
       : z.literal(SecretSyncInitialSyncBehavior.OverwriteDestination)
-    ).describe(SecretSyncs.SYNC_OPTIONS(secretSync).initialSyncBehavior)
-    // prependPrefix: z
-    //   .string()
-    //   .trim()
-    //   .transform((str) => str.toUpperCase())
-    //   .optional()
-    //   .describe(SecretSyncs.SYNC_OPTIONS(secretSync).PREPEND_PREFIX),
-    // appendSuffix: z
-    //   .string()
-    //   .trim()
-    //   .transform((str) => str.toUpperCase())
-    //   .optional()
-    //   .describe(SecretSyncs.SYNC_OPTIONS(secretSync).APPEND_SUFFIX)
+    ).describe(SecretSyncs.SYNC_OPTIONS(destination).initialSyncBehavior)
   });
 
-export const BaseSecretSyncSchema = (destination: SecretSync, syncOptionsConfig?: TSyncOptionsConfig) =>
+  const schema = merge ? baseSchema.merge(merge) : baseSchema;
+
+  return (
+    isUpdateSchema
+      ? schema.describe(SecretSyncs.UPDATE(destination).syncOptions).optional()
+      : schema.describe(SecretSyncs.CREATE(destination).syncOptions)
+  ) as T extends AnyZodObject ? z.ZodObject<z.objectUtil.MergeShapes<typeof schema.shape, T["shape"]>> : typeof schema;
+};
+
+export const BaseSecretSyncSchema = <T extends AnyZodObject | undefined = undefined>(
+  destination: SecretSync,
+  syncOptionsConfig: TSyncOptionsConfig,
+  merge?: T
+) =>
   SecretSyncsSchema.omit({
     destination: true,
     destinationConfig: true,
     syncOptions: true
   }).extend({
     // destination needs to be on the extended object for type differentiation
-    syncOptions: SyncOptionsSchema(destination, syncOptionsConfig),
+    syncOptions: BaseSyncOptionsSchema({ destination, syncOptionsConfig, merge }),
     // join properties
     projectId: z.string(),
     connection: z.object({
@@ -47,7 +58,11 @@ export const BaseSecretSyncSchema = (destination: SecretSync, syncOptionsConfig?
     folder: z.object({ id: z.string(), path: z.string() }).nullable()
   });
 
-export const GenericCreateSecretSyncFieldsSchema = (destination: SecretSync, syncOptionsConfig?: TSyncOptionsConfig) =>
+export const GenericCreateSecretSyncFieldsSchema = <T extends AnyZodObject | undefined = undefined>(
+  destination: SecretSync,
+  syncOptionsConfig: TSyncOptionsConfig,
+  merge?: T
+) =>
   z.object({
     name: slugSchema({ field: "name" }).describe(SecretSyncs.CREATE(destination).name),
     projectId: z.string().trim().min(1, "Project ID required").describe(SecretSyncs.CREATE(destination).projectId),
@@ -66,10 +81,14 @@ export const GenericCreateSecretSyncFieldsSchema = (destination: SecretSync, syn
       .transform(removeTrailingSlash)
       .describe(SecretSyncs.CREATE(destination).secretPath),
     isAutoSyncEnabled: z.boolean().default(true).describe(SecretSyncs.CREATE(destination).isAutoSyncEnabled),
-    syncOptions: SyncOptionsSchema(destination, syncOptionsConfig).describe(SecretSyncs.CREATE(destination).syncOptions)
+    syncOptions: BaseSyncOptionsSchema({ destination, syncOptionsConfig, merge })
   });
 
-export const GenericUpdateSecretSyncFieldsSchema = (destination: SecretSync, syncOptionsConfig?: TSyncOptionsConfig) =>
+export const GenericUpdateSecretSyncFieldsSchema = <T extends AnyZodObject | undefined = undefined>(
+  destination: SecretSync,
+  syncOptionsConfig: TSyncOptionsConfig,
+  merge?: T
+) =>
   z.object({
     name: slugSchema({ field: "name" }).describe(SecretSyncs.UPDATE(destination).name).optional(),
     connectionId: z.string().uuid().describe(SecretSyncs.UPDATE(destination).connectionId).optional(),
@@ -90,7 +109,5 @@ export const GenericUpdateSecretSyncFieldsSchema = (destination: SecretSync, syn
       .optional()
       .describe(SecretSyncs.UPDATE(destination).secretPath),
     isAutoSyncEnabled: z.boolean().optional().describe(SecretSyncs.UPDATE(destination).isAutoSyncEnabled),
-    syncOptions: SyncOptionsSchema(destination, syncOptionsConfig)
-      .optional()
-      .describe(SecretSyncs.UPDATE(destination).syncOptions)
+    syncOptions: BaseSyncOptionsSchema({ destination, syncOptionsConfig, merge, isUpdateSchema: true })
   });

backend/src/services/secret-sync/secret-sync-types.ts

@@ -2,6 +2,7 @@ import { Job } from "bullmq";
 
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import { QueueJobs } from "@app/queue";
+import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import {
   TAwsSecretsManagerSync,
   TAwsSecretsManagerSyncInput,
@@ -197,5 +198,10 @@ export type TSendSecretSyncFailedNotificationsJobDTO = Job<
 
 export type TSecretMap = Record<
   string,
-  { value: string; comment?: string; skipMultilineEncoding?: boolean | null | undefined }
+  {
+    value: string;
+    comment?: string;
+    skipMultilineEncoding?: boolean | null | undefined;
+    secretMetadata?: ResourceMetadataDTO;
+  }
 >;

cli/go.mod

@@ -10,7 +10,8 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
 	github.com/h2non/filetype v1.1.3
-	github.com/infisical/go-sdk v0.4.7
+	github.com/infisical/go-sdk v0.4.8
+	github.com/infisical/infisical-kmip v0.3.5
 	github.com/mattn/go-isatty v0.0.20
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
 	github.com/muesli/mango-cobra v1.2.0
@@ -65,6 +66,9 @@ require (
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.5 // indirect
+	github.com/gosimple/slug v1.15.0 // indirect
+	github.com/gosimple/unidecode v1.0.1 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
@@ -77,6 +81,7 @@ require (
 	github.com/muesli/termenv v0.15.2 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/pelletier/go-toml v1.9.3 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/spf13/afero v1.6.0 // indirect
@@ -91,12 +96,12 @@ require (
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/net v0.27.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
 	google.golang.org/api v0.188.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b // indirect
@@ -108,7 +113,7 @@ require (
 
 require (
 	github.com/fatih/color v1.17.0
-	github.com/go-resty/resty/v2 v2.13.1
+	github.com/go-resty/resty/v2 v2.16.5
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jedib0t/go-pretty v4.3.0+incompatible
 	github.com/manifoldco/promptui v0.9.0

cli/go.sum

@@ -152,8 +152,8 @@ github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02E
 github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
-github.com/go-resty/resty/v2 v2.13.1 h1:x+LHXBI2nMB1vqndymf26quycC4aggYJ7DECYbiz03g=
-github.com/go-resty/resty/v2 v2.13.1/go.mod h1:GznXlLxkq6Nh4sU59rPmUw3VtgpO3aS96ORAI6Q7d+0=
+github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM=
+github.com/go-resty/resty/v2 v2.16.5/go.mod h1:hkJtXbA2iKHzJheXYvQ8snQES5ZLGKMwQ07xAwp/fiA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -237,6 +237,10 @@ github.com/googleapis/gax-go/v2 v2.12.5 h1:8gw9KZK8TiVKB6q3zHY3SBzLnrGp6HQjyfYBY
 github.com/googleapis/gax-go/v2 v2.12.5/go.mod h1:BUDKcWo+RaKq5SC9vVYL0wLADa3VcfswbOMMRmB9H3E=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gosimple/slug v1.15.0 h1:wRZHsRrRcs6b0XnxMUBM6WK1U1Vg5B0R7VkIf1Xzobo=
+github.com/gosimple/slug v1.15.0/go.mod h1:UiRaFH+GEilHstLUmcBgWcI42viBN7mAb818JrYOeFQ=
+github.com/gosimple/unidecode v1.0.1 h1:hZzFTMMqSswvf0LBJZCZgThIZrpDHFXux9KeGmn6T/o=
+github.com/gosimple/unidecode v1.0.1/go.mod h1:CP0Cr1Y1kogOtx0bJblKzsVWrqYaqfNOnHzpgWw4Awc=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/h2non/filetype v1.1.3 h1:FKkx9QbD7HR/zjK1Ia5XiBsq9zdLi5Kf3zGyFTAFkGg=
 github.com/h2non/filetype v1.1.3/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
@@ -255,6 +259,8 @@ github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
@@ -265,8 +271,10 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.4.7 h1:+cxIdDfciMh0Syxbxbqjhvz9/ShnN1equ2zqlVQYGtw=
-github.com/infisical/go-sdk v0.4.7/go.mod h1:6fWzAwTPIoKU49mQ2Oxu+aFnJu9n7k2JcNrZjzhHM2M=
+github.com/infisical/go-sdk v0.4.8 h1:aphRnaauC5//PkP1ZbY9RSK2RiT1LjPS5o4CbX0x5OQ=
+github.com/infisical/go-sdk v0.4.8/go.mod h1:bMO9xSaBeXkDBhTIM4FkkREAfw2V8mv5Bm7lvo4+uDk=
+github.com/infisical/infisical-kmip v0.3.5 h1:QM3s0e18B+mYv3a9HQNjNAlbwZJBzXq5BAJM2scIeiE=
+github.com/infisical/infisical-kmip v0.3.5/go.mod h1:bO1M4YtKyutNg1bREPmlyZspC5duSR7hyQ3lPmLzrIs=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -340,6 +348,7 @@ github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 h1:lL+y4Xv20pVlCGyLzNHRC0I0rIHhIL1lTvHizoS/dU8=
 github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9/go.mod h1:EHPiTAKtiFmrMldLUNswFwfZ2eJIYBHktdaUTZxYWRw=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -413,7 +422,6 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
@@ -448,11 +456,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -490,8 +495,6 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -530,13 +533,8 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -562,8 +560,6 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -612,22 +608,11 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -639,17 +624,13 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -702,8 +683,6 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

cli/packages/cmd/kmip.go

@@ -0,0 +1,103 @@
+/*
+Copyright (c) 2023 Infisical Inc.
+*/
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/Infisical/infisical-merge/packages/config"
+	"github.com/Infisical/infisical-merge/packages/util"
+	kmip "github.com/infisical/infisical-kmip"
+	"github.com/spf13/cobra"
+)
+
+var kmipCmd = &cobra.Command{
+	Example:               `infisical kmip`,
+	Short:                 "Used to manage KMIP servers",
+	Use:                   "kmip",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+}
+
+var kmipStartCmd = &cobra.Command{
+	Example:               `infisical kmip start`,
+	Short:                 "Used to start a KMIP server",
+	Use:                   "start",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+	Run:                   startKmipServer,
+}
+
+func startKmipServer(cmd *cobra.Command, args []string) {
+	listenAddr, err := cmd.Flags().GetString("listen-address")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	identityAuthMethod, err := cmd.Flags().GetString("identity-auth-method")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	authMethodValid, strategy := util.IsAuthMethodValid(identityAuthMethod, false)
+	if !authMethodValid {
+		util.PrintErrorMessageAndExit(fmt.Sprintf("Invalid login method: %s", identityAuthMethod))
+	}
+
+	var identityClientId string
+	var identityClientSecret string
+
+	if strategy == util.AuthStrategy.UNIVERSAL_AUTH {
+		identityClientId, err = util.GetCmdFlagOrEnv(cmd, "identity-client-id", util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME)
+
+		if err != nil {
+			util.HandleError(err, "Unable to parse identity client ID")
+		}
+
+		identityClientSecret, err = util.GetCmdFlagOrEnv(cmd, "identity-client-secret", util.INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET_NAME)
+		if err != nil {
+			util.HandleError(err, "Unable to parse identity client secret")
+		}
+	} else {
+		util.PrintErrorMessageAndExit(fmt.Sprintf("Unsupported login method: %s", identityAuthMethod))
+	}
+
+	serverName, err := cmd.Flags().GetString("server-name")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	certificateTTL, err := cmd.Flags().GetString("certificate-ttl")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	hostnamesOrIps, err := cmd.Flags().GetString("hostnames-or-ips")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	kmip.StartServer(kmip.ServerConfig{
+		Addr:                 listenAddr,
+		InfisicalBaseAPIURL:  config.INFISICAL_URL,
+		IdentityClientId:     identityClientId,
+		IdentityClientSecret: identityClientSecret,
+		ServerName:           serverName,
+		CertificateTTL:       certificateTTL,
+		HostnamesOrIps:       hostnamesOrIps,
+	})
+}
+
+func init() {
+	kmipStartCmd.Flags().String("listen-address", "localhost:5696", "The address for the KMIP server to listen on. Defaults to localhost:5696")
+	kmipStartCmd.Flags().String("identity-auth-method", string(util.AuthStrategy.UNIVERSAL_AUTH), "The auth method to use for authenticating the machine identity. Defaults to universal-auth.")
+	kmipStartCmd.Flags().String("identity-client-id", "", "Universal auth client ID of machine identity")
+	kmipStartCmd.Flags().String("identity-client-secret", "", "Universal auth client secret of machine identity")
+	kmipStartCmd.Flags().String("server-name", "kmip-server", "The name of the KMIP server")
+	kmipStartCmd.Flags().String("certificate-ttl", "1y", "The TTL duration for the server certificate")
+	kmipStartCmd.Flags().String("hostnames-or-ips", "", "Comma-separated list of hostnames or IPs")
+
+	kmipCmd.AddCommand(kmipStartCmd)
+	rootCmd.AddCommand(kmipCmd)
+}

docs/documentation/platform/kms/kmip.mdx

@@ -0,0 +1,142 @@
+---
+title: "KMIP Integration"
+description: "Learn more about integrating with Infisical KMS using KMIP (Key Management Interoperability Protocol)."
+---
+
+<Note>
+  KMIP integration is an Enterprise-only feature. Please reach out to
+  sales@infisical.com if you have any questions.
+</Note>
+
+## Overview
+
+Infisical KMS provides **Key Management Interoperability Protocol (KMIP)** support, enabling seamless integration with KMIP-compatible clients. This allows for enhanced key management across various applications that support the **KMIP 1.4 protocol**.
+
+## Supported Operations
+
+The Infisical KMIP server supports the following operations for **symmetric keys**:
+
+- **Create** - Generate symmetric keys.
+- **Register** - Register externally created keys.
+- **Locate** - Find keys using attributes.
+- **Get** - Retrieve keys securely.
+- **Activate** - Enable keys for usage.
+- **Revoke** - Revoke existing keys.
+- **Destroy** - Permanently remove keys.
+- **Get Attributes** - Retrieve metadata associated with keys.
+- **Query** - Query server capabilities and supported operations.
+
+## Benefits of KMIP Integration
+
+Integrating Infisical KMS with KMIP-compatible clients provides the following benefits:
+
+- **Standardized Key Management**: Allows interoperability with security and cryptographic applications that support KMIP.
+- **Enterprise-Grade Security**: Utilizes Infisical’s encryption mechanisms to securely store and manage keys.
+- **Centralized Key Management**: Enables a unified approach for managing cryptographic keys across multiple environments.
+
+## Compatibility
+
+Infisical KMIP supports **KMIP versions 1.0 to 1.4**, ensuring compatibility with a wide range of clients and security tools.
+
+## Secure Communication & Authorization
+
+KMIP client-server communication is secured using **mutual TLS (mTLS)**, ensuring strong identity verification and encrypted data exchange via **PKI certificates**. Each KMIP entity must possess valid certificates signed by a trusted Root CA to establish trust.
+For strong isolation, each Infisical organization has its own KMIP PKI (Public Key Infrastructure), ensuring that cryptographic operations and certificate authorities remain separate across organizations.
+
+Infisical KMS enforces a **two-layer authorization model** for KMIP operations:
+
+1. **KMIP Server Authorization** – The KMIP server, acting as a proxy, must have the `proxy KMIP` permission to forward client requests to Infisical KMS. This is done using a **machine identity** attached to the KMIP server.
+2. **KMIP Client Authorization** – Clients must have the necessary KMIP-level permissions to perform specific key management operations.
+
+By combining **mTLS for secure communication** and **machine identity-based proxying**, Infisical KMS ensures **strong authentication, controlled access, and centralized key management** for KMIP operations.
+
+## Setup Instructions
+
+### Setup KMIP for your organization
+
+<Steps>
+  <Step title="Navigate to the organization settings > KMIP">
+    From there, press Setup KMIP.
+    ![KMIP org navigate](/images/platform/kms/kmip/kmip-org-setup-navigation.png)
+  </Step>
+  <Step title="Configure KMIP PKI for the organization">
+    In the modal, select the desired key algorithm to use for the KMIP PKI of your organization. Press continue.
+    ![KMIP org PKI setup](/images/platform/kms/kmip/kmip-org-setup-modal.png)
+
+    This generates the KMIP PKI for your organization. After this, you can proceed to setting up your KMIP server.
+
+  </Step>
+</Steps>
+
+### Deploying and Configuring the KMIP Server
+
+Follow these steps to configure and deploy a KMIP server.
+
+<Steps>
+  <Step title="Setup Machine Identity">
+    Configure a [machine identity](https://infisical.com/docs/documentation/platform/identities/machine-identities#machine-identities) for the KMIP server to use.
+    ![KMIP create machine identity](/images/platform/kms/kmip/kmip-create-mi.png)
+
+    Create a custom organization role and give it the **Proxy KMIP** permission.
+    ![KMIP create custom role](/images/platform/kms/kmip/kmip-create-custom-role.png)
+    ![KMIP assign proxy to role](/images/platform/kms/kmip/kmip-assign-custom-role-proxy.png)
+
+    Assign the machine identity to the custom organization role. This allows the machine identity to serve KMIP client requests and forward them from your KMIP server to Infisical.
+    ![KMIP assign role to machine identity](/images/platform/kms/kmip/kmip-assign-mi-to-role.png)
+
+  </Step>
+
+  <Step title="Start up the KMIP server">
+    To deploy the KMIP server, use the Infisical CLI’s `kmip start` command.  
+    Before proceeding, make sure you have the [Infisical CLI installed](https://infisical.com/docs/cli/overview).
+
+    Once installed, launch the KMIP server with the following command:
+
+    ```bash
+    infisical kmip start \
+      --identity-client-id=<machine-identity-client-id> \ # This can be set by defining the INFISICAL_UNIVERSAL_AUTH_CLIENT_ID ENV variable
+      --identity-client-secret=<machine-identity-client-secret> \ # This can be set by defining the INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET ENV variable
+      --domain=https://app.infisical.com \
+      --hostnames-or-ips="my-kmip-server.com"
+    ```
+
+    The following flags are available for the `infisical kmip start` command::
+    - **listen-address** (default: localhost:5696): The address the KMIP server listens on.
+    - **identity-auth-method** (default: universal-auth): The authentication method for the machine identity.
+    - **identity-client-id**:  The client ID of the machine identity. This can be set by defining the `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` ENV variable.
+    - **identity-client-secret**: The client secret of the machine identity. This can be set by defining the `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` ENV variable.
+    - **server-name** (default: "kmip-server"): The name of the KMIP server.
+    - **certificate-ttl** (default: "1y"): The duration for which the server certificate is valid.
+    - **hostnames-or-ips:** A comma-separated list of hostnames or IPs the KMIP server will use (required).
+
+  </Step>
+</Steps>
+
+### Add and Configure KMIP Clients
+
+<Steps>
+  <Step title="Navigate to the desired KMS project and select KMIP">
+    From there, press Add KMIP Client
+    ![KMIP client overview](/images/platform/kms/kmip/kmip-client-overview.png)
+  </Step>
+  <Step title="Configure KMIP client">
+    In the modal, provide the details of your client. The selected permissions determine what KMIP operations can be performed in your KMS project.
+    ![KMIP client modal](/images/platform/kms/kmip/kmip-client-modal.png)
+  </Step>
+    <Step title="Generate client certificate">
+    Once the KMIP client is created, you will have to generate a client certificate.
+    Press Generate Certificate.
+    ![KMIP generate client cert](/images/platform/kms/kmip/kmip-client-generate-cert.png)
+
+    Provide the desired TTL and key algorithm to use and press Generate Client Certificate.
+    ![KMIP client cert config](/images/platform/kms/kmip/kmip-client-cert-config-modal.png)
+
+    Configure your KMIP clients to use the generated client certificate, certificate chain and private key.
+    ![KMIP client cert modal](/images/platform/kms/kmip/kmip-client-certificate-modal.png)
+
+  </Step>
+</Steps>
+
+## Additional Resources
+
+- [KMIP 1.4 Specification](http://docs.oasis-open.org/kmip/spec/v1.4/os/kmip-spec-v1.4-os.html)

docs/integrations/app-connections/aws.mdx

@@ -82,22 +82,26 @@ Infisical supports two methods for connecting to AWS.
                                             "Sid": "AllowSecretsManagerAccess",
                                             "Effect": "Allow",
                                             "Action": [
-                                            "secretsmanager:GetSecretValue",
-                                            "secretsmanager:CreateSecret",
-                                            "secretsmanager:UpdateSecret",
-                                            "secretsmanager:DescribeSecret",
-                                            "secretsmanager:TagResource",
-                                            "secretsmanager:UntagResource",
-                                            "kms:ListKeys",
-                                            "kms:ListAliases",
-                                            "kms:Encrypt",
-                                            "kms:Decrypt"
+                                                "secretsmanager:ListSecrets",
+                                                "secretsmanager:GetSecretValue",
+                                                "secretsmanager:BatchGetSecretValue",
+                                                "secretsmanager:CreateSecret",
+                                                "secretsmanager:UpdateSecret",
+                                                "secretsmanager:DeleteSecret",
+                                                "secretsmanager:DescribeSecret",
+                                                "secretsmanager:TagResource",
+                                                "secretsmanager:UntagResource",
+                                                "kms:ListAliases", // if you need to specify the KMS key
+                                                "kms:Encrypt", // if you need to specify the KMS key
+                                                "kms:Decrypt", // if you need to specify the KMS key
+                                                "kms:DescribeKey" // if you need to specify the KMS key
                                             ],
                                             "Resource": "*"
                                         }
                                     ]
                                 }
                                 ```
+                                <Note>If using a custom KMS key, be sure to add the IAM user or role as a key user. ![KMS Key IAM Role User](/images/app-connections/aws/kms-key-user.png)</Note>
                             </Accordion>
                             <Accordion title="AWS Parameter Store">
                                 Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Parameter Store:
@@ -112,23 +116,25 @@ Infisical supports two methods for connecting to AWS.
                                             "Sid": "AllowSSMAccess",
                                             "Effect": "Allow",
                                             "Action": [
-                                            "ssm:PutParameter",
-                                            "ssm:DeleteParameter",
-                                            "ssm:GetParameters",
-                                            "ssm:GetParametersByPath",
-                                            "ssm:DescribeParameters",
-                                            "ssm:DeleteParameters",
-                                            "ssm:AddTagsToResource", // if you need to add tags to secrets
-                                            "kms:ListKeys", // if you need to specify the KMS key
-                                            "kms:ListAliases", // if you need to specify the KMS key
-                                            "kms:Encrypt", // if you need to specify the KMS key
-                                            "kms:Decrypt" // if you need to specify the KMS key
+                                                "ssm:PutParameter",
+                                                "ssm:GetParameters",
+                                                "ssm:GetParametersByPath",
+                                                "ssm:DescribeParameters",
+                                                "ssm:DeleteParameters",
+                                                "ssm:ListTagsForResource", // if you need to add tags to secrets
+                                                "ssm:AddTagsToResource", // if you need to add tags to secrets
+                                                "ssm:RemoveTagsFromResource", // if you need to add tags to secrets
+                                                "kms:ListAliases", // if you need to specify the KMS key
+                                                "kms:Encrypt", // if you need to specify the KMS key
+                                                "kms:Decrypt", // if you need to specify the KMS key
+                                                "kms:DescribeKey" // if you need to specify the KMS key
                                             ],
                                             "Resource": "*"
                                         }
                                     ]
                                 }
                                 ```
+                                <Note>If using a custom KMS key, be sure to add the IAM user or role as a key user. ![KMS Key IAM Role User](/images/app-connections/aws/kms-key-user.png)</Note>
                             </Accordion>
                         </AccordionGroup>
                     </Tab>
@@ -223,22 +229,26 @@ Infisical supports two methods for connecting to AWS.
                                     "Sid": "AllowSecretsManagerAccess",
                                     "Effect": "Allow",
                                     "Action": [
-                                    "secretsmanager:GetSecretValue",
-                                    "secretsmanager:CreateSecret",
-                                    "secretsmanager:UpdateSecret",
-                                    "secretsmanager:DescribeSecret",
-                                    "secretsmanager:TagResource",
-                                    "secretsmanager:UntagResource",
-                                    "kms:ListKeys",
-                                    "kms:ListAliases",
-                                    "kms:Encrypt",
-                                    "kms:Decrypt"
+                                        "secretsmanager:ListSecrets",
+                                        "secretsmanager:GetSecretValue",
+                                        "secretsmanager:BatchGetSecretValue",
+                                        "secretsmanager:CreateSecret",
+                                        "secretsmanager:UpdateSecret",
+                                        "secretsmanager:DeleteSecret",
+                                        "secretsmanager:DescribeSecret",
+                                        "secretsmanager:TagResource",
+                                        "secretsmanager:UntagResource",
+                                        "kms:ListAliases", // if you need to specify the KMS key
+                                        "kms:Encrypt", // if you need to specify the KMS key
+                                        "kms:Decrypt", // if you need to specify the KMS key
+                                        "kms:DescribeKey" // if you need to specify the KMS key
                                     ],
                                     "Resource": "*"
                                 }
                                     ]
                                 }
                                 ```
+                                <Note>If using a custom KMS key, be sure to add the IAM user or role as a key user. ![KMS Key IAM Role User](/images/app-connections/aws/kms-key-user.png)</Note>
                             </Accordion>
                             <Accordion title="AWS Parameter Store">
                                 Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Parameter Store:
@@ -253,23 +263,25 @@ Infisical supports two methods for connecting to AWS.
                                     "Sid": "AllowSSMAccess",
                                     "Effect": "Allow",
                                     "Action": [
-                                    "ssm:PutParameter",
-                                    "ssm:DeleteParameter",
-                                    "ssm:GetParameters",
-                                    "ssm:GetParametersByPath",
-                                    "ssm:DescribeParameters",
-                                    "ssm:DeleteParameters",
-                                    "ssm:AddTagsToResource", // if you need to add tags to secrets
-                                    "kms:ListKeys", // if you need to specify the KMS key
-                                    "kms:ListAliases", // if you need to specify the KMS key
-                                    "kms:Encrypt", // if you need to specify the KMS key
-                                    "kms:Decrypt" // if you need to specify the KMS key
+                                        "ssm:PutParameter",
+                                        "ssm:GetParameters",
+                                        "ssm:GetParametersByPath",
+                                        "ssm:DescribeParameters",
+                                        "ssm:DeleteParameters",
+                                        "ssm:ListTagsForResource", // if you need to add tags to secrets
+                                        "ssm:AddTagsToResource", // if you need to add tags to secrets
+                                        "ssm:RemoveTagsFromResource", // if you need to add tags to secrets
+                                        "kms:ListAliases", // if you need to specify the KMS key
+                                        "kms:Encrypt", // if you need to specify the KMS key
+                                        "kms:Decrypt", // if you need to specify the KMS key
+                                        "kms:DescribeKey" // if you need to specify the KMS key
                                     ],
                                     "Resource": "*"
                                 }
                                     ]
                                 }
                                 ```
+                                <Note>If using a custom KMS key, be sure to add the IAM user or role as a key user. ![KMS Key IAM Role User](/images/app-connections/aws/kms-key-user.png)</Note>
                             </Accordion>
                         </AccordionGroup>
                     </Tab>

docs/integrations/secret-syncs/aws-parameter-store.mdx

@@ -40,6 +40,10 @@ description: "Learn how to configure an AWS Parameter Store Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Parameter Store when keys conflict.
                 - **Import Secrets (Prioritize AWS Parameter Store)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Parameter Store over Infisical when keys conflict.
+            - **KMS Key**: The AWS KMS key ID or alias to encrypt parameters with.
+            - **Tags**: Optional resource tags to add to parameters synced by Infisical.
+            - **Sync Secret Metadata as Resource Tags**: If enabled, metadata attached to secrets will be added as resource tags to parameters synced by Infisical.
+        <Note>Manually configured tags from the **Tags** field will take precedence over secret metadata when tag keys conflict.</Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
 
         6. Configure the **Details** of your Parameter Store Sync, then click **Next**.

docs/integrations/secret-syncs/aws-secrets-manager.mdx

@@ -43,6 +43,9 @@ description: "Learn how to configure an AWS Secrets Manager Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Secrets Manager when keys conflict.
                 - **Import Secrets (Prioritize AWS Secrets Manager)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Secrets Manager over Infisical when keys conflict.
+            - **KMS Key**: The AWS KMS key ID or alias to encrypt secrets with.
+            - **Tags**: Optional tags to add to secrets synced by Infisical.
+            - **Sync Secret Metadata as Tags**: If enabled, metadata attached to secrets will be added as tags to secrets synced by Infisical.
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
 
         6. Configure the **Details** of your Secrets Manager Sync, then click **Next**.

docs/integrations/secret-syncs/overview.mdx

@@ -77,6 +77,13 @@ via the UI or API for the third-party service you intend to sync secrets to.
     - <strong>Destination:</strong> The App Connection to utilize and the destination endpoint to deploy secrets to. These can vary between services.
     - <strong>Options:</strong> Customize how secrets should be synced. Examples include adding a suffix or prefix to your secrets, or importing secrets from the destination on the initial sync.
 
+<Note>
+    Secret Syncs are the source of truth for connected third-party services. Any secret,
+    including associated data, not present or imported in Infisical before syncing will be
+    overwritten, and changes made directly in the connected service outside of infisical may also
+    be overwritten by future syncs.
+</Note>
+
 <Info>
     Some third-party services do not support importing secrets.
 </Info>

docs/mint.json

@@ -124,7 +124,8 @@
           "pages": [
             "documentation/platform/kms/overview",
             "documentation/platform/kms/hsm-integration",
-            "documentation/platform/kms/kubernetes-encryption"
+            "documentation/platform/kms/kubernetes-encryption",
+            "documentation/platform/kms/kmip"
           ]
         },
         {

docs/sdks/languages/go.mdx

@@ -4,8 +4,6 @@ sidebarTitle: "Go"
 icon: "golang"
 ---
 
-
-
 If you're working with Go Lang, the official [Infisical Go SDK](https://github.com/infisical/go-sdk) package is the easiest way to fetch and work with secrets for your application.
 
 - [Package](https://pkg.go.dev/github.com/infisical/go-sdk)
@@ -57,7 +55,9 @@ func main() {
 This example demonstrates how to use the Infisical Go SDK in a simple Go application. The application retrieves a secret named `API_KEY` from the `dev` environment of the `YOUR_PROJECT_ID` project.
 
 <Warning>
-    We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
+  We do not recommend hardcoding your [Machine Identity
+  Tokens](/platform/identities/overview). Setting it as an environment variable
+  would be best.
 </Warning>
 
 # Installation
@@ -95,6 +95,10 @@ client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
         <ParamField query="SilentMode" type="boolean" default={false} optional>
             Whether or not to suppress logs such as warnings from the token refreshing process. Defaults to false if not specified.
         </ParamField>
+
+        <ParamField query="CacheExpiryInSeconds" type="number" default={0} optional>
+            Defines how long certain responses should be cached in memory, in seconds. When set to a positive value, responses from specific methods (like secret fetching) will be cached for this duration. Set to 0 to disable caching.
+        </ParamField>
     </Expandable>
 
 </ParamField>
@@ -140,6 +144,7 @@ Call `.Auth().UniversalAuthLogin()` with empty arguments to use the following en
 - `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
 
 **Using the SDK directly**
+
 ```go
 _, err := client.Auth().UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")
 
@@ -150,9 +155,12 @@ if err != nil {
 ```
 
 #### GCP ID Token Auth
+
 <Info>
-  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
-  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+  Please note that this authentication method will only work if you're running
+  your application on Google Cloud Platform. Please [read
+  more](/documentation/platform/identities/gcp-auth) about this authentication
+  method.
 </Info>
 
 **Using environment variables**
@@ -162,6 +170,7 @@ Call `.Auth().GcpIdTokenAuthLogin()` with empty arguments to use the following e
 - `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
 
 **Using the SDK directly**
+
 ```go
 _, err := client.Auth().GcpIdTokenAuthLogin("YOUR_MACHINE_IDENTITY_ID")
 
@@ -181,6 +190,7 @@ Call `.Auth().GcpIamAuthLogin()` with empty arguments to use the following envir
 - `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
 
 **Using the SDK directly**
+
 ```go
 _, err = client.Auth().GcpIamAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_KEY_FILE_PATH")
 
@@ -191,9 +201,12 @@ if err != nil {
 ```
 
 #### AWS IAM Auth
+
 <Info>
-  Please note that this authentication method will only work if you're running your application on AWS.
-  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+  Please note that this authentication method will only work if you're running
+  your application on AWS. Please [read
+  more](/documentation/platform/identities/aws-auth) about this authentication
+  method.
 </Info>
 
 **Using environment variables**
@@ -203,6 +216,7 @@ Call `.Auth().AwsIamAuthLogin()` with empty arguments to use the following envir
 - `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
 
 **Using the SDK directly**
+
 ```go
 _, err = client.Auth().AwsIamAuthLogin("MACHINE_IDENTITY_ID")
 
@@ -212,11 +226,13 @@ if err != nil {
 }
 ```
 
-
 #### Azure Auth
+
 <Info>
-  Please note that this authentication method will only work if you're running your application on Azure.
-  Please [read more](/documentation/platform/identities/azure-auth) about this authentication method.
+  Please note that this authentication method will only work if you're running
+  your application on Azure. Please [read
+  more](/documentation/platform/identities/azure-auth) about this authentication
+  method.
 </Info>
 
 **Using environment variables**
@@ -226,6 +242,7 @@ Call `.Auth().AzureAuthLogin()` with empty arguments to use the following enviro
 - `INFISICAL_AZURE_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
 
 **Using the SDK directly**
+
 ```go
 _, err = client.Auth().AzureAuthLogin("MACHINE_IDENTITY_ID")
 
@@ -236,9 +253,12 @@ if err != nil {
 ```
 
 #### Kubernetes Auth
+
 <Info>
-  Please note that this authentication method will only work if you're running your application on Kubernetes.
-  Please [read more](/documentation/platform/identities/kubernetes-auth) about this authentication method.
+  Please note that this authentication method will only work if you're running
+  your application on Kubernetes. Please [read
+  more](/documentation/platform/identities/kubernetes-auth) about this
+  authentication method.
 </Info>
 
 **Using environment variables**
@@ -249,6 +269,7 @@ Call `.Auth().KubernetesAuthLogin()` with empty arguments to use the following e
 - `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME` - The environment variable name that contains the path to the service account token. This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
 
 **Using the SDK directly**
+
 ```go
 // Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
 _, err = client.Auth().KubernetesAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_TOKEN_PATH")
@@ -262,6 +283,7 @@ if err != nil {
 ## Working With Secrets
 
 ### List Secrets
+
 `client.Secrets().List(options)`
 
 Retrieve all secrets within the Infisical project and environment that client is connected to.
@@ -275,7 +297,7 @@ secrets, err := client.Secrets().List(infisical.ListSecretsOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object">
     <Expandable title="properties">
@@ -311,7 +333,9 @@ secrets, err := client.Secrets().List(infisical.ListSecretsOptions{
 </ParamField>
 
 ###
+
 ### Retrieve Secret
+
 `client.Secrets().Retrieve(options)`
 
 Retrieve a secret from Infisical. By default `Secrets().Retrieve()` fetches and returns a shared secret.
@@ -324,30 +348,34 @@ secret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="SecretKey" type="string" required>
-            The key of the secret to retrieve.
-        </ParamField>
-        <ParamField query="ProjectID" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="SecretPath" type="string" optional>
-            The path from where secret should be fetched from.
-        </ParamField>
-        <ParamField query="Type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="SecretKey" type="string" required>
+      The key of the secret to retrieve.
+    </ParamField>
+    <ParamField query="ProjectID" type="string" required>
+      The project ID where the secret lives in.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where secrets
+      should be fetched from.
+    </ParamField>
+    <ParamField query="SecretPath" type="string" optional>
+      The path from where secret should be fetched from.
+    </ParamField>
+    <ParamField query="Type" type="string" optional>
+      The type of the secret. Valid options are "shared" or "personal". If not
+      specified, the default value is "shared".
+    </ParamField>
+  </Expandable>
 </ParamField>
 
 ###
+
 ### Create Secret
+
 `client.Secrets().Create(options)`
 
 Create a new secret in Infisical.
@@ -363,36 +391,38 @@ secret, err := client.Secrets().Create(infisical.CreateSecretOptions{
 })
 ```
 
-
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="SecretKey" type="string" required>
-            The key of the secret to create.
-        </ParamField>
-        <ParamField query="SecretValue" type="string" required>
-            The value of the secret.
-        </ParamField>
-        <ParamField query="SecretComment" type="string" optional>
-            A comment for the secret.
-        </ParamField>
-        <ParamField query="ProjectID" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="SecretPath" type="string" optional>
-            The path from where secret should be created.
-        </ParamField>
-        <ParamField query="Type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="SecretKey" type="string" required>
+      The key of the secret to create.
+    </ParamField>
+    <ParamField query="SecretValue" type="string" required>
+      The value of the secret.
+    </ParamField>
+    <ParamField query="SecretComment" type="string" optional>
+      A comment for the secret.
+    </ParamField>
+    <ParamField query="ProjectID" type="string" required>
+      The project ID where the secret lives in.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where secrets
+      should be fetched from.
+    </ParamField>
+    <ParamField query="SecretPath" type="string" optional>
+      The path from where secret should be created.
+    </ParamField>
+    <ParamField query="Type" type="string" optional>
+      The type of the secret. Valid options are "shared" or "personal". If not
+      specified, the default value is "shared".
+    </ParamField>
+  </Expandable>
 </ParamField>
 
 ###
+
 ### Update Secret
 
 `client.Secrets().Update(options)`
@@ -409,36 +439,45 @@ secret, err := client.Secrets().Update(infisical.UpdateSecretOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="SecretKey" type="string" required>
-            The key of the secret to update.
-        </ParamField>
-        <ParamField query="NewSecretValue" type="string" required>
-            The new value of the secret.
-        </ParamField>
-        <ParamField query="NewSkipMultilineEncoding" type="boolean" default="false" optional>
-            Whether or not to skip multiline encoding for the new secret value.
-        </ParamField>
-        <ParamField query="ProjectID" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="SecretPath" type="string" optional>
-            The path from where secret should be updated.
-        </ParamField>
-        <ParamField query="Type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="SecretKey" type="string" required>
+      The key of the secret to update.
+    </ParamField>
+    <ParamField query="NewSecretValue" type="string" required>
+      The new value of the secret.
+    </ParamField>
+    <ParamField
+      query="NewSkipMultilineEncoding"
+      type="boolean"
+      default="false"
+      optional
+    >
+      Whether or not to skip multiline encoding for the new secret value.
+    </ParamField>
+    <ParamField query="ProjectID" type="string" required>
+      The project ID where the secret lives in.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where secrets
+      should be fetched from.
+    </ParamField>
+    <ParamField query="SecretPath" type="string" optional>
+      The path from where secret should be updated.
+    </ParamField>
+    <ParamField query="Type" type="string" optional>
+      The type of the secret. Valid options are "shared" or "personal". If not
+      specified, the default value is "shared".
+    </ParamField>
+  </Expandable>
 </ParamField>
 
 ###
+
 ### Delete Secret
+
 `client.Secrets().Delete(options)`
 
 Delete a secret in Infisical.
@@ -451,33 +490,106 @@ secret, err := client.Secrets().Delete(infisical.DeleteSecretOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="SecretKey" type="string">
-            The key of the secret to update.
-        </ParamField>
-        <ParamField query="ProjectID" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="SecretPath" type="string" optional>
-            The path from where secret should be deleted.
-        </ParamField>
-        <ParamField query="Type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="SecretKey" type="string">
+      The key of the secret to update.
+    </ParamField>
+    <ParamField query="ProjectID" type="string" required>
+      The project ID where the secret lives in.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where secrets
+      should be fetched from.
+    </ParamField>
+    <ParamField query="SecretPath" type="string" optional>
+      The path from where secret should be deleted.
+    </ParamField>
+    <ParamField query="Type" type="string" optional>
+      The type of the secret. Valid options are "shared" or "personal". If not
+      specified, the default value is "shared".
+    </ParamField>
+  </Expandable>
 </ParamField>
 
-## Working With folders
 
+### Batch Create Secrets
+
+`client.Secrets().Batch().Create(options)`
+
+Create multiple secrets in Infisical.
+
+```go
+	createdSecrets, err := client.Secrets().Batch().Create(infisical.BatchCreateSecretsOptions{
+		Environment: "<environment-slug>",
+		SecretPath:  "<secret-path>",
+		ProjectID:   "<project-id>",
+		Secrets: []infisical.BatchCreateSecret{
+			{
+				SecretKey:   "SECRET-1",
+				SecretValue: "test-value-1",
+			},
+			{
+				SecretKey:   "SECRET-2",
+				SecretValue: "test-value-2",
+			},
+		},
+	})
+```
+
+#### Parameters
+<ParamField query="Parameters" type="object" optional>
+  <Expandable title="properties">
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+    </ParamField>
+    <ParamField query="ProjectID" type="string" required>
+      The project ID where the secret lives in.
+    </ParamField>
+    <ParamField query="SecretPath" type="string" optional>
+      The path from where secret should be created.
+    </ParamField>
+    <ParamField query="Secrets" type="array" required>
+    <Expandable>
+      <ParamField query="SecretKey" type="string" required>
+        The key of the secret to create.
+      </ParamField>
+      <ParamField query="SecretValue" type="string" required>
+        The value of the secret.
+      </ParamField>
+      <ParamField query="SecretComment" type="string" optional>
+      The comment to add to the secret.
+      </ParamField>
+      <ParamField query="SkipMultiLineEncoding" type="boolean" optional>
+        Whether or not to skip multiline encoding for the secret value.
+      </ParamField>
+      <ParamField query="TagIDs" type="string[]" optional>
+        The tag IDs to associate with the secret.
+      </ParamField>
+
+      <ParamField query="SecretMetadata" type="object" optional>
+        <Expandable>
+          <ParamField query="Key" type="string" required>
+            The key of the metadata.
+          </ParamField>
+          <ParamField query="Value" type="string" required>
+            The value of the metadata.
+          </ParamField>
+        </Expandable>
+      </ParamField>
+    </Expandable>
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+## Working With Folders
 
 ###
+
 ### List Folders
+
 `client.Folders().List(options)`
 
 Retrieve all within the Infisical project and environment that client is connected to.
@@ -490,7 +602,7 @@ folders, err := client.Folders().List(infisical.ListFoldersOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object">
     <Expandable title="properties">
@@ -510,7 +622,9 @@ folders, err := client.Folders().List(infisical.ListFoldersOptions{
 </ParamField>
 
 ###
+
 ### Create Folder
+
 `client.Folders().Create(options)`
 
 Create a new folder in Infisical.
@@ -524,28 +638,30 @@ folder, err := client.Folders().Create(infisical.CreateFolderOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="ProjectID" type="string" required>
-            The ID of the project where the folder will be created.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment where the folder will be created.
-        </ParamField>
-        <ParamField query="Path" type="string" optional>
-            The path to create the folder in. The root path is `/`.
-        </ParamField>
-        <ParamField query="Name" type="string" optional>
-            The name of the folder to create.
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="ProjectID" type="string" required>
+      The ID of the project where the folder will be created.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment where the folder will be
+      created.
+    </ParamField>
+    <ParamField query="Path" type="string" optional>
+      The path to create the folder in. The root path is `/`.
+    </ParamField>
+    <ParamField query="Name" type="string" optional>
+      The name of the folder to create.
+    </ParamField>
+  </Expandable>
 </ParamField>
 
-
 ###
+
 ### Update Folder
+
 `client.Folders().Update(options)`
 
 Update an existing folder in Infisical.
@@ -560,30 +676,33 @@ folder, err := client.Folders().Update(infisical.UpdateFolderOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="ProjectID" type="string" required>
-            The ID of the project where the folder will be updated.
-        </ParamField>
-        <ParamField query="Environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where the folder lives in.
-        </ParamField>
-        <ParamField query="Path" type="string" optional>
-            The path from where the folder should be updated.
-        </ParamField>
-        <ParamField query="FolderID" type="string" required>
-            The ID of the folder to update.
-        </ParamField>
-        <ParamField query="NewName" type="string" required>
-            The new name of the folder.
-        </ParamField>
-    </Expandable>
+  <Expandable title="properties">
+    <ParamField query="ProjectID" type="string" required>
+      The ID of the project where the folder will be updated.
+    </ParamField>
+    <ParamField query="Environment" type="string" required>
+      The slug name (dev, prod, etc) of the environment from where the folder
+      lives in.
+    </ParamField>
+    <ParamField query="Path" type="string" optional>
+      The path from where the folder should be updated.
+    </ParamField>
+    <ParamField query="FolderID" type="string" required>
+      The ID of the folder to update.
+    </ParamField>
+    <ParamField query="NewName" type="string" required>
+      The new name of the folder.
+    </ParamField>
+  </Expandable>
 </ParamField>
 
 ###
+
 ### Delete Folder
+
 `client.Folders().Delete(options)`
 
 Delete a folder in Infisical.
@@ -599,7 +718,7 @@ deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
 })
 ```
 
-### Parameters
+#### Parameters
 
 <ParamField query="Parameters" type="object" optional>
     <Expandable title="properties">
@@ -620,6 +739,5 @@ deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
             The path from where the folder should be deleted.
         </ParamField>
     </Expandable>
+
 </ParamField>
-
-

frontend/package-lock.json

@@ -23,7 +23,7 @@
         "@headlessui/react": "^1.7.19",
         "@hookform/resolvers": "^3.9.1",
         "@lottiefiles/dotlottie-react": "^0.12.0",
-        "@octokit/rest": "^21.0.2",
+        "@octokit/rest": "^21.1.1",
         "@peculiar/x509": "^1.12.3",
         "@radix-ui/react-accordion": "^1.2.2",
         "@radix-ui/react-alert-dialog": "^1.1.3",
@@ -1605,16 +1605,16 @@
       }
     },
     "node_modules/@octokit/core": {
-      "version": "6.1.2",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-6.1.2.tgz",
-      "integrity": "sha512-hEb7Ma4cGJGEUNOAVmyfdB/3WirWMg5hDuNFVejGEDFqupeOysLc2sG6HJxY2etBp5YQu5Wtxwi020jS9xlUwg==",
+      "version": "6.1.4",
+      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-6.1.4.tgz",
+      "integrity": "sha512-lAS9k7d6I0MPN+gb9bKDt7X8SdxknYqAMh44S5L+lNqIN2NuV8nvv3g8rPp7MuRxcOpxpUIATWprO0C34a8Qmg==",
       "license": "MIT",
       "dependencies": {
         "@octokit/auth-token": "^5.0.0",
-        "@octokit/graphql": "^8.0.0",
-        "@octokit/request": "^9.0.0",
-        "@octokit/request-error": "^6.0.1",
-        "@octokit/types": "^13.0.0",
+        "@octokit/graphql": "^8.1.2",
+        "@octokit/request": "^9.2.1",
+        "@octokit/request-error": "^6.1.7",
+        "@octokit/types": "^13.6.2",
         "before-after-hook": "^3.0.2",
         "universal-user-agent": "^7.0.0"
       },
@@ -1623,12 +1623,12 @@
       }
     },
     "node_modules/@octokit/endpoint": {
-      "version": "10.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
-      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "version": "10.1.3",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.3.tgz",
+      "integrity": "sha512-nBRBMpKPhQUxCsQQeW+rCJ/OPSMcj3g0nfHn01zGYZXuNDvvXudF/TYY6APj5THlurerpFN4a/dQAIAaM6BYhA==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^13.0.0",
+        "@octokit/types": "^13.6.2",
         "universal-user-agent": "^7.0.2"
       },
       "engines": {
@@ -1636,13 +1636,13 @@
       }
     },
     "node_modules/@octokit/graphql": {
-      "version": "8.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-8.1.1.tgz",
-      "integrity": "sha512-ukiRmuHTi6ebQx/HFRCXKbDlOh/7xEV6QUXaE7MJEKGNAncGI/STSbOkl12qVXZrfZdpXctx5O9X1AIaebiDBg==",
+      "version": "8.2.1",
+      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-8.2.1.tgz",
+      "integrity": "sha512-n57hXtOoHrhwTWdvhVkdJHdhTv0JstjDbDRhJfwIRNfFqmSo1DaK/mD2syoNUoLCyqSjBpGAKOG0BuwF392slw==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/request": "^9.0.0",
-        "@octokit/types": "^13.0.0",
+        "@octokit/request": "^9.2.2",
+        "@octokit/types": "^13.8.0",
         "universal-user-agent": "^7.0.0"
       },
       "engines": {
@@ -1650,18 +1650,18 @@
       }
     },
     "node_modules/@octokit/openapi-types": {
-      "version": "22.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
-      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg==",
+      "version": "23.0.1",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-23.0.1.tgz",
+      "integrity": "sha512-izFjMJ1sir0jn0ldEKhZ7xegCTj/ObmEDlEfpFrx4k/JyZSMRHbO3/rBwgE7f3m2DHt+RrNGIVw4wSmwnm3t/g==",
       "license": "MIT"
     },
     "node_modules/@octokit/plugin-paginate-rest": {
-      "version": "11.3.6",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-11.3.6.tgz",
-      "integrity": "sha512-zcvqqf/+TicbTCa/Z+3w4eBJcAxCFymtc0UAIsR3dEVoNilWld4oXdscQ3laXamTszUZdusw97K8+DrbFiOwjw==",
+      "version": "11.4.2",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-11.4.2.tgz",
+      "integrity": "sha512-BXJ7XPCTDXFF+wxcg/zscfgw2O/iDPtNSkwwR1W1W5c4Mb3zav/M2XvxQ23nVmKj7jpweB4g8viMeCQdm7LMVA==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^13.6.2"
+        "@octokit/types": "^13.7.0"
       },
       "engines": {
         "node": ">= 18"
@@ -1683,12 +1683,12 @@
       }
     },
     "node_modules/@octokit/plugin-rest-endpoint-methods": {
-      "version": "13.2.6",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-13.2.6.tgz",
-      "integrity": "sha512-wMsdyHMjSfKjGINkdGKki06VEkgdEldIGstIEyGX0wbYHGByOwN/KiM+hAAlUwAtPkP3gvXtVQA9L3ITdV2tVw==",
+      "version": "13.3.1",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-13.3.1.tgz",
+      "integrity": "sha512-o8uOBdsyR+WR8MK9Cco8dCgvG13H1RlM1nWnK/W7TEACQBFux/vPREgKucxUfuDQ5yi1T3hGf4C5ZmZXAERgwQ==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^13.6.1"
+        "@octokit/types": "^13.8.0"
       },
       "engines": {
         "node": ">= 18"
@@ -1698,14 +1698,15 @@
       }
     },
     "node_modules/@octokit/request": {
-      "version": "9.1.3",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
-      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
+      "version": "9.2.2",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.2.2.tgz",
+      "integrity": "sha512-dZl0ZHx6gOQGcffgm1/Sf6JfEpmh34v3Af2Uci02vzUYz6qEN6zepoRtmybWXIGXFIK8K9ylE3b+duCWqhArtg==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/endpoint": "^10.0.0",
-        "@octokit/request-error": "^6.0.1",
-        "@octokit/types": "^13.1.0",
+        "@octokit/endpoint": "^10.1.3",
+        "@octokit/request-error": "^6.1.7",
+        "@octokit/types": "^13.6.2",
+        "fast-content-type-parse": "^2.0.0",
         "universal-user-agent": "^7.0.2"
       },
       "engines": {
@@ -1713,39 +1714,39 @@
       }
     },
     "node_modules/@octokit/request-error": {
-      "version": "6.1.5",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
-      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
+      "version": "6.1.7",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.7.tgz",
+      "integrity": "sha512-69NIppAwaauwZv6aOzb+VVLwt+0havz9GT5YplkeJv7fG7a40qpLt/yZKyiDxAhgz0EtgNdNcb96Z0u+Zyuy2g==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^13.0.0"
+        "@octokit/types": "^13.6.2"
       },
       "engines": {
         "node": ">= 18"
       }
     },
     "node_modules/@octokit/rest": {
-      "version": "21.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-21.0.2.tgz",
-      "integrity": "sha512-+CiLisCoyWmYicH25y1cDfCrv41kRSvTq6pPWtRroRJzhsCZWZyCqGyI8foJT5LmScADSwRAnr/xo+eewL04wQ==",
+      "version": "21.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-21.1.1.tgz",
+      "integrity": "sha512-sTQV7va0IUVZcntzy1q3QqPm/r8rWtDCqpRAmb8eXXnKkjoQEtFe3Nt5GTVsHft+R6jJoHeSiVLcgcvhtue/rg==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/core": "^6.1.2",
-        "@octokit/plugin-paginate-rest": "^11.0.0",
+        "@octokit/core": "^6.1.4",
+        "@octokit/plugin-paginate-rest": "^11.4.2",
         "@octokit/plugin-request-log": "^5.3.1",
-        "@octokit/plugin-rest-endpoint-methods": "^13.0.0"
+        "@octokit/plugin-rest-endpoint-methods": "^13.3.0"
       },
       "engines": {
         "node": ">= 18"
       }
     },
     "node_modules/@octokit/types": {
-      "version": "13.6.2",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.2.tgz",
-      "integrity": "sha512-WpbZfZUcZU77DrSW4wbsSgTPfKcp286q3ItaIgvSbBpZJlu6mnYXAkjZz6LVZPXkEvLIM8McanyZejKTYUHipA==",
+      "version": "13.8.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.8.0.tgz",
+      "integrity": "sha512-x7DjTIbEpEWXK99DMd01QfWy0hd5h4EN+Q7shkdKds3otGQP+oWE/y0A76i1OvH9fygo4ddvNf7ZvF0t78P98A==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/openapi-types": "^22.2.0"
+        "@octokit/openapi-types": "^23.0.1"
       }
     },
     "node_modules/@peculiar/asn1-cms": {
@@ -6905,6 +6906,22 @@
         "safe-buffer": "^5.1.1"
       }
     },
+    "node_modules/fast-content-type-parse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-2.0.1.tgz",
+      "integrity": "sha512-nGqtvLrj5w0naR6tDPfB4cUmYCqouzyQiz6C5y/LtcDllJdrcc6WaWW6iXyIIOErTa/XRybj28aasdn4LkVk6Q==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/fastify"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fastify"
+        }
+      ],
+      "license": "MIT"
+    },
     "node_modules/fast-deep-equal": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",

frontend/package.json

@@ -27,7 +27,7 @@
     "@headlessui/react": "^1.7.19",
     "@hookform/resolvers": "^3.9.1",
     "@lottiefiles/dotlottie-react": "^0.12.0",
-    "@octokit/rest": "^21.0.2",
+    "@octokit/rest": "^21.1.1",
     "@peculiar/x509": "^1.12.3",
     "@radix-ui/react-accordion": "^1.2.2",
     "@radix-ui/react-alert-dialog": "^1.1.3",

frontend/src/components/secret-syncs/forms/CreateSecretSyncForm.tsx

@@ -1,11 +1,13 @@
 import { useState } from "react";
 import { Controller, FormProvider, useForm } from "react-hook-form";
+import { faInfoCircle } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { Tab } from "@headlessui/react";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { twMerge } from "tailwind-merge";
 
 import { createNotification } from "@app/components/notifications";
-import { Button, Checkbox, FormControl, Switch } from "@app/components/v2";
+import { Button, FormControl, Switch } from "@app/components/v2";
 import { useWorkspace } from "@app/context";
 import { SECRET_SYNC_MAP } from "@app/helpers/secretSyncs";
 import {
@@ -16,10 +18,10 @@ import {
   useSecretSyncOption
 } from "@app/hooks/api/secretSyncs";
 
+import { SecretSyncOptionsFields } from "./SecretSyncOptionsFields/SecretSyncOptionsFields";
 import { SecretSyncFormSchema, TSecretSyncForm } from "./schemas";
 import { SecretSyncDestinationFields } from "./SecretSyncDestinationFields";
 import { SecretSyncDetailsFields } from "./SecretSyncDetailsFields";
-import { SecretSyncOptionsFields } from "./SecretSyncOptionsFields";
 import { SecretSyncReviewFields } from "./SecretSyncReviewFields";
 import { SecretSyncSourceFields } from "./SecretSyncSourceFields";
 
@@ -32,7 +34,7 @@ type Props = {
 const FORM_TABS: { name: string; key: string; fields: (keyof TSecretSyncForm)[] }[] = [
   { name: "Source", key: "source", fields: ["secretPath", "environment"] },
   { name: "Destination", key: "destination", fields: ["connection", "destinationConfig"] },
-  { name: "Options", key: "options", fields: ["syncOptions"] },
+  { name: "Sync Options", key: "options", fields: ["syncOptions"] },
   { name: "Details", key: "details", fields: ["name", "description"] },
   { name: "Review", key: "review", fields: [] }
 ];
@@ -42,8 +44,9 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
   const { currentWorkspace } = useWorkspace();
   const { name: destinationName } = SECRET_SYNC_MAP[destination];
 
+  const [showConfirmation, setShowConfirmation] = useState(false);
+
   const [selectedTabIndex, setSelectedTabIndex] = useState(0);
-  const [confirmOverwrite, setConfirmOverwrite] = useState(false);
 
   const { syncOption } = useSecretSyncOption(destination);
 
@@ -77,6 +80,7 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
       onComplete(secretSync);
     } catch (err: any) {
       console.error(err);
+      setShowConfirmation(false);
       createNotification({
         title: `Failed to add ${destinationName} Sync`,
         text: err.message,
@@ -94,7 +98,7 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
     setSelectedTabIndex((prev) => prev - 1);
   };
 
-  const { handleSubmit, trigger, watch, control } = formMethods;
+  const { handleSubmit, trigger, control } = formMethods;
 
   const isStepValid = async (index: number) => trigger(FORM_TABS[index].fields);
 
@@ -102,7 +106,7 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
 
   const handleNext = async () => {
     if (isFinalStep) {
-      handleSubmit(onSubmit)();
+      setShowConfirmation(true);
       return;
     }
 
@@ -123,7 +127,42 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
     return isEnabled;
   };
 
-  const initialSyncBehavior = watch("syncOptions.initialSyncBehavior");
+  if (showConfirmation)
+    return (
+      <>
+        <div className="flex flex-col rounded-sm border border-l-[2px] border-mineshaft-600 border-l-primary bg-mineshaft-700/80 px-4 py-3">
+          <div className="mb-1 flex items-center text-sm">
+            <FontAwesomeIcon icon={faInfoCircle} size="sm" className="mr-1.5 text-primary" />
+            Secret Sync Behavior
+          </div>
+          <p className="mt-1 text-sm text-bunker-200">
+            Secret Syncs are the source of truth for connected third-party services. Any secret,
+            including associated data, not present or imported in Infisical before syncing will be
+            overwritten, and changes made directly in the connected service outside of infisical may
+            also be overwritten by future syncs.
+          </p>
+        </div>
+        <div className="mt-4 flex gap-4">
+          <Button
+            isDisabled={createSecretSync.isPending}
+            isLoading={createSecretSync.isPending}
+            onClick={handleSubmit(onSubmit)}
+            colorSchema="secondary"
+          >
+            I Understand
+          </Button>
+
+          <Button
+            isDisabled={createSecretSync.isPending}
+            variant="plain"
+            onClick={() => setShowConfirmation(false)}
+            colorSchema="secondary"
+          >
+            Cancel
+          </Button>
+        </div>
+      </>
+    );
 
   return (
     <form className={twMerge(isFinalStep && "max-h-[70vh] overflow-y-auto")}>
@@ -174,7 +213,7 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
                       errorText={error?.message}
                     >
                       <Switch
-                        className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/50"
+                        className="bg-mineshaft-400/80 shadow-inner data-[state=checked]:bg-green/80"
                         id="auto-sync-enabled"
                         thumbClassName="bg-mineshaft-800"
                         onCheckedChange={onChange}
@@ -196,32 +235,9 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
           </Tab.Panels>
         </Tab.Group>
       </FormProvider>
-      {isFinalStep &&
-        initialSyncBehavior === SecretSyncInitialSyncBehavior.OverwriteDestination && (
-          <Checkbox
-            id="confirm-overwrite"
-            isChecked={confirmOverwrite}
-            containerClassName="-mt-5"
-            onCheckedChange={(isChecked) => setConfirmOverwrite(Boolean(isChecked))}
-          >
-            <p
-              className={`mt-5 text-wrap text-xs ${confirmOverwrite ? "text-mineshaft-200" : "text-red"}`}
-            >
-              I understand all secrets present in the configured {destinationName} destination will
-              be removed if they are not present within Infisical.
-            </p>
-          </Checkbox>
-        )}
+
       <div className="flex w-full flex-row-reverse justify-between gap-4 pt-4">
-        <Button
-          isDisabled={
-            isFinalStep &&
-            initialSyncBehavior === SecretSyncInitialSyncBehavior.OverwriteDestination &&
-            !confirmOverwrite
-          }
-          onClick={handleNext}
-          colorSchema="secondary"
-        >
+        <Button onClick={handleNext} colorSchema="secondary">
           {isFinalStep ? "Create Sync" : "Next"}
         </Button>
         {selectedTabIndex > 0 && (

frontend/src/components/secret-syncs/forms/EditSecretSyncForm.tsx

@@ -8,10 +8,10 @@ import { Button, ModalClose } from "@app/components/v2";
 import { SECRET_SYNC_MAP } from "@app/helpers/secretSyncs";
 import { TSecretSync, useUpdateSecretSync } from "@app/hooks/api/secretSyncs";
 
+import { SecretSyncOptionsFields } from "./SecretSyncOptionsFields/SecretSyncOptionsFields";
 import { TSecretSyncForm, UpdateSecretSyncFormSchema } from "./schemas";
 import { SecretSyncDestinationFields } from "./SecretSyncDestinationFields";
 import { SecretSyncDetailsFields } from "./SecretSyncDetailsFields";
-import { SecretSyncOptionsFields } from "./SecretSyncOptionsFields";
 import { SecretSyncSourceFields } from "./SecretSyncSourceFields";
 
 type Props = {

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/AwsParameterStoreSyncFields.tsx

@@ -8,13 +8,17 @@ import { TSecretSyncForm } from "../schemas";
 import { AwsRegionSelect } from "./shared";
 
 export const AwsParameterStoreSyncFields = () => {
-  const { control } = useFormContext<
+  const { control, setValue } = useFormContext<
     TSecretSyncForm & { destination: SecretSync.AWSParameterStore }
   >();
 
   return (
     <>
-      <SecretSyncConnectionField />
+      <SecretSyncConnectionField
+        onChange={() => {
+          setValue("syncOptions.keyId", undefined);
+        }}
+      />
       <Controller
         render={({ field: { value, onChange }, fieldState: { error } }) => (
           <FormControl isError={Boolean(error)} errorText={error?.message} label="Region">

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/AwsSecretsManagerSyncFields.tsx

@@ -9,7 +9,7 @@ import { TSecretSyncForm } from "../schemas";
 import { AwsRegionSelect } from "./shared";
 
 export const AwsSecretsManagerSyncFields = () => {
-  const { control, watch } = useFormContext<
+  const { control, watch, setValue } = useFormContext<
     TSecretSyncForm & { destination: SecretSync.AWSSecretsManager }
   >();
 
@@ -59,7 +59,10 @@ export const AwsSecretsManagerSyncFields = () => {
           >
             <Select
               value={value}
-              onValueChange={(val) => onChange(val)}
+              onValueChange={(val) => {
+                onChange(val);
+                setValue("syncOptions.syncSecretMetadataAsTags", false);
+              }}
               className="w-full border border-mineshaft-500 capitalize"
               position="popper"
               placeholder="Select an option..."

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/AwsParameterStoreSyncOptionsFields.tsx

@@ -0,0 +1,209 @@
+import { Fragment } from "react";
+import { Controller, useFieldArray, useFormContext, useWatch } from "react-hook-form";
+import { SingleValue } from "react-select";
+import { faPlus, faQuestionCircle, faTrash } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import {
+  Button,
+  FilterableSelect,
+  FormControl,
+  FormLabel,
+  IconButton,
+  Input,
+  Switch,
+  Tooltip
+} from "@app/components/v2";
+import {
+  TAwsConnectionKmsKey,
+  useListAwsConnectionKmsKeys
+} from "@app/hooks/api/appConnections/aws";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+import { TSecretSyncForm } from "../schemas";
+
+export const AwsParameterStoreSyncOptionsFields = () => {
+  const { control, watch } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.AWSParameterStore }
+  >();
+
+  const region = watch("destinationConfig.region");
+  const connectionId = useWatch({ name: "connection.id", control });
+
+  const { data: kmsKeys = [], isPending: isKmsKeysPending } = useListAwsConnectionKmsKeys(
+    {
+      connectionId,
+      region,
+      destination: SecretSync.AWSParameterStore
+    },
+    { enabled: Boolean(connectionId && region) }
+  );
+
+  const tagFields = useFieldArray({
+    control,
+    name: "syncOptions.tags"
+  });
+
+  return (
+    <>
+      <Controller
+        name="syncOptions.keyId"
+        control={control}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            tooltipText="The AWS KMS key to encrypt parameters with"
+            isError={Boolean(error)}
+            errorText={error?.message}
+            label="KMS Key"
+          >
+            <FilterableSelect
+              isLoading={isKmsKeysPending && Boolean(connectionId && region)}
+              isDisabled={!connectionId}
+              value={kmsKeys.find((org) => org.alias === value) ?? null}
+              onChange={(option) =>
+                onChange((option as SingleValue<TAwsConnectionKmsKey>)?.alias ?? null)
+              }
+              // eslint-disable-next-line react/no-unstable-nested-components
+              noOptionsMessage={({ inputValue }) =>
+                inputValue ? undefined : (
+                  <p>
+                    To configure a KMS key, ensure the following permissions are present on the
+                    selected IAM role:{" "}
+                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
+                      &#34;kms:ListAliases&#34;
+                    </span>
+                    ,{" "}
+                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
+                      &#34;kms:DescribeKey&#34;
+                    </span>
+                    ,{" "}
+                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
+                      &#34;kms:Encrypt&#34;
+                    </span>
+                    ,{" "}
+                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
+                      &#34;kms:Decrypt&#34;
+                    </span>
+                    .
+                  </p>
+                )
+              }
+              options={kmsKeys}
+              placeholder="Leave blank to use default KMS key"
+              getOptionLabel={(option) =>
+                option.alias === "alias/aws/ssm" ? `${option.alias} (Default)` : option.alias
+              }
+              getOptionValue={(option) => option.alias}
+            />
+          </FormControl>
+        )}
+      />
+      <FormLabel
+        label="Resource Tags"
+        tooltipText="Add resource tags to parameters synced by Infisical"
+      />
+      <div className="mb-3 grid max-h-[20vh] grid-cols-12 flex-col items-end gap-2 overflow-y-auto">
+        {tagFields.fields.map(({ id: tagFieldId }, i) => (
+          <Fragment key={tagFieldId}>
+            <div className="col-span-5">
+              {i === 0 && <span className="text-xs text-mineshaft-400">Key</span>}
+              <Controller
+                control={control}
+                name={`syncOptions.tags.${i}.key`}
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    isError={Boolean(error?.message)}
+                    errorText={error?.message}
+                    className="mb-0"
+                  >
+                    <Input className="text-xs" {...field} />
+                  </FormControl>
+                )}
+              />
+            </div>
+            <div className="col-span-6">
+              {i === 0 && (
+                <FormLabel label="Value" className="text-xs text-mineshaft-400" isOptional />
+              )}
+              <Controller
+                control={control}
+                name={`syncOptions.tags.${i}.value`}
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    isError={Boolean(error?.message)}
+                    errorText={error?.message}
+                    className="mb-0"
+                  >
+                    <Input className="text-xs" {...field} />
+                  </FormControl>
+                )}
+              />
+            </div>
+            <Tooltip content="Remove tag" position="right">
+              <IconButton
+                variant="plain"
+                ariaLabel="Remove tag"
+                className="col-span-1 mb-1.5"
+                colorSchema="danger"
+                size="xs"
+                onClick={() => tagFields.remove(i)}
+              >
+                <FontAwesomeIcon icon={faTrash} />
+              </IconButton>
+            </Tooltip>
+          </Fragment>
+        ))}
+      </div>
+      <div className="mt-2 flex">
+        <Button
+          leftIcon={<FontAwesomeIcon icon={faPlus} />}
+          size="xs"
+          variant="outline_bg"
+          onClick={() => tagFields.append({ key: "", value: "" })}
+        >
+          Add Tag
+        </Button>
+      </div>
+      <Controller
+        name="syncOptions.syncSecretMetadataAsTags"
+        control={control}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            className="mt-6"
+            isError={Boolean(error?.message)}
+            errorText={error?.message}
+          >
+            <Switch
+              className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/80"
+              id="overwrite-existing-secrets"
+              thumbClassName="bg-mineshaft-800"
+              isChecked={value}
+              onCheckedChange={onChange}
+            >
+              <p className="w-[18rem]">
+                Sync Secret Metadata as Resource Tags{" "}
+                <Tooltip
+                  className="max-w-md"
+                  content={
+                    <>
+                      <p>
+                        If enabled, metadata attached to secrets will be added as resource tags to
+                        parameters synced by Infisical.
+                      </p>
+                      <p className="mt-4">
+                        Manually configured tags from the field above will take precedence over
+                        secret metadata when tag keys conflict.
+                      </p>
+                    </>
+                  }
+                >
+                  <FontAwesomeIcon icon={faQuestionCircle} size="sm" className="ml-1" />
+                </Tooltip>
+              </p>
+            </Switch>
+          </FormControl>
+        )}
+      />
+    </>
+  );
+};

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/AwsSecretsManagerSyncOptionsFields.tsx

@@ -0,0 +1,208 @@
+import { Fragment } from "react";
+import { Controller, useFieldArray, useFormContext, useWatch } from "react-hook-form";
+import { SingleValue } from "react-select";
+import { faPlus, faQuestionCircle, faTrash } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import {
+  Button,
+  FilterableSelect,
+  FormControl,
+  FormLabel,
+  IconButton,
+  Input,
+  Switch,
+  Tooltip
+} from "@app/components/v2";
+import {
+  TAwsConnectionKmsKey,
+  useListAwsConnectionKmsKeys
+} from "@app/hooks/api/appConnections/aws";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+import { AwsSecretsManagerSyncMappingBehavior } from "@app/hooks/api/secretSyncs/types/aws-secrets-manager-sync";
+
+import { TSecretSyncForm } from "../schemas";
+
+export const AwsSecretsManagerSyncOptionsFields = () => {
+  const { control, watch } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.AWSSecretsManager }
+  >();
+
+  const region = watch("destinationConfig.region");
+  const connectionId = useWatch({ name: "connection.id", control });
+  const mappingBehavior = watch("destinationConfig.mappingBehavior");
+
+  const { data: kmsKeys = [], isPending: isKmsKeysPending } = useListAwsConnectionKmsKeys(
+    {
+      connectionId,
+      region,
+      destination: SecretSync.AWSSecretsManager
+    },
+    { enabled: Boolean(connectionId && region) }
+  );
+
+  const tagFields = useFieldArray({
+    control,
+    name: "syncOptions.tags"
+  });
+
+  return (
+    <>
+      <Controller
+        name="syncOptions.keyId"
+        control={control}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            tooltipText="The AWS KMS key to encrypt secrets with"
+            isError={Boolean(error)}
+            errorText={error?.message}
+            label="KMS Key"
+          >
+            <FilterableSelect
+              isLoading={isKmsKeysPending && Boolean(connectionId && region)}
+              isDisabled={!connectionId}
+              value={kmsKeys.find((org) => org.alias === value) ?? null}
+              onChange={(option) =>
+                onChange((option as SingleValue<TAwsConnectionKmsKey>)?.alias ?? null)
+              }
+              // eslint-disable-next-line react/no-unstable-nested-components
+              noOptionsMessage={({ inputValue }) =>
+                inputValue ? undefined : (
+                  <p>
+                    To configure a KMS key, ensure the following permissions are present on the
+                    selected IAM role:{" "}
+                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
+                      &#34;kms:ListAliases&#34;
+                    </span>
+                    ,{" "}
+                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
+                      &#34;kms:DescribeKey&#34;
+                    </span>
+                    ,{" "}
+                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
+                      &#34;kms:Encrypt&#34;
+                    </span>
+                    ,{" "}
+                    <span className="rounded bg-mineshaft-600 text-mineshaft-300">
+                      &#34;kms:Decrypt&#34;
+                    </span>
+                    .
+                  </p>
+                )
+              }
+              options={kmsKeys}
+              placeholder="Leave blank to use default KMS key"
+              getOptionLabel={(option) =>
+                option.alias === "alias/aws/secretsmanager"
+                  ? `${option.alias} (Default)`
+                  : option.alias
+              }
+              getOptionValue={(option) => option.alias}
+            />
+          </FormControl>
+        )}
+      />
+      <FormLabel label="Tags" tooltipText="Add tags to secrets synced by Infisical" />
+      <div className="mb-3 grid max-h-[20vh] grid-cols-12 flex-col items-end gap-2 overflow-y-auto">
+        {tagFields.fields.map(({ id: tagFieldId }, i) => (
+          <Fragment key={tagFieldId}>
+            <div className="col-span-5">
+              {i === 0 && <span className="text-xs text-mineshaft-400">Key</span>}
+              <Controller
+                control={control}
+                name={`syncOptions.tags.${i}.key`}
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    isError={Boolean(error?.message)}
+                    errorText={error?.message}
+                    className="mb-0"
+                  >
+                    <Input className="text-xs" {...field} />
+                  </FormControl>
+                )}
+              />
+            </div>
+            <div className="col-span-6">
+              {i === 0 && (
+                <FormLabel label="Value" className="text-xs text-mineshaft-400" isOptional />
+              )}
+              <Controller
+                control={control}
+                name={`syncOptions.tags.${i}.value`}
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    isError={Boolean(error?.message)}
+                    errorText={error?.message}
+                    className="mb-0"
+                  >
+                    <Input className="text-xs" {...field} />
+                  </FormControl>
+                )}
+              />
+            </div>
+            <Tooltip content="Remove tag" position="right">
+              <IconButton
+                variant="plain"
+                ariaLabel="Remove tag"
+                className="col-span-1 mb-1.5"
+                colorSchema="danger"
+                size="xs"
+                onClick={() => tagFields.remove(i)}
+              >
+                <FontAwesomeIcon icon={faTrash} />
+              </IconButton>
+            </Tooltip>
+          </Fragment>
+        ))}
+      </div>
+      <div className="mb-6 mt-2 flex">
+        <Button
+          leftIcon={<FontAwesomeIcon icon={faPlus} />}
+          size="xs"
+          variant="outline_bg"
+          onClick={() => tagFields.append({ key: "", value: "" })}
+        >
+          Add Tag
+        </Button>
+      </div>
+      {mappingBehavior === AwsSecretsManagerSyncMappingBehavior.OneToOne && (
+        <Controller
+          name="syncOptions.syncSecretMetadataAsTags"
+          control={control}
+          render={({ field: { value, onChange }, fieldState: { error } }) => (
+            <FormControl isError={Boolean(error?.message)} errorText={error?.message}>
+              <Switch
+                className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/80"
+                id="overwrite-existing-secrets"
+                thumbClassName="bg-mineshaft-800"
+                isChecked={value}
+                onCheckedChange={onChange}
+              >
+                <p className="w-[14rem]">
+                  Sync Secret Metadata as Tags{" "}
+                  <Tooltip
+                    className="max-w-md"
+                    content={
+                      <>
+                        <p>
+                          If enabled, metadata attached to secrets will be added as tags to secrets
+                          synced by Infisical.
+                        </p>
+                        <p className="mt-4">
+                          Manually configured tags from the field above will take precedence over
+                          secret metadata when tag keys conflict.
+                        </p>
+                      </>
+                    }
+                  >
+                    <FontAwesomeIcon icon={faQuestionCircle} size="sm" className="ml-1" />
+                  </Tooltip>
+                </p>
+              </Switch>
+            </FormControl>
+          )}
+        />
+      )}
+    </>
+  );
+};

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx

@@ -1,12 +1,15 @@
+import { ReactNode } from "react";
 import { Controller, useFormContext } from "react-hook-form";
 import { faTriangleExclamation } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { FormControl, Select, SelectItem } from "@app/components/v2";
 import { SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP, SECRET_SYNC_MAP } from "@app/helpers/secretSyncs";
-import { useSecretSyncOption } from "@app/hooks/api/secretSyncs";
+import { SecretSync, useSecretSyncOption } from "@app/hooks/api/secretSyncs";
 
-import { TSecretSyncForm } from "./schemas";
+import { TSecretSyncForm } from "../schemas";
+import { AwsParameterStoreSyncOptionsFields } from "./AwsParameterStoreSyncOptionsFields";
+import { AwsSecretsManagerSyncOptionsFields } from "./AwsSecretsManagerSyncOptionsFields";
 
 type Props = {
   hideInitialSync?: boolean;
@@ -21,6 +24,26 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
 
   const { syncOption } = useSecretSyncOption(destination);
 
+  let AdditionalSyncOptionsFieldsComponent: ReactNode;
+
+  switch (destination) {
+    case SecretSync.AWSParameterStore:
+      AdditionalSyncOptionsFieldsComponent = <AwsParameterStoreSyncOptionsFields />;
+      break;
+    case SecretSync.AWSSecretsManager:
+      AdditionalSyncOptionsFieldsComponent = <AwsSecretsManagerSyncOptionsFields />;
+      break;
+    case SecretSync.GitHub:
+    case SecretSync.GCPSecretManager:
+    case SecretSync.AzureKeyVault:
+    case SecretSync.AzureAppConfiguration:
+    case SecretSync.Databricks:
+      AdditionalSyncOptionsFieldsComponent = null;
+      break;
+    default:
+      throw new Error(`Unhandled Additional Sync Options Fields: ${destination}`);
+  }
+
   return (
     <>
       <p className="mb-4 text-sm text-bunker-300">Configure how secrets should be synced.</p>
@@ -91,6 +114,7 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
           )}
         </>
       )}
+      {AdditionalSyncOptionsFieldsComponent}
       {/* <Controller
         render={({ field: { value, onChange }, fieldState: { error } }) => (
           <FormControl

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/index.ts

@@ -0,0 +1 @@
+export * from "./SecretSyncOptionsFields";

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/AwsParameterStoreSyncReviewFields.tsx

@@ -1,17 +1,71 @@
 import { useFormContext } from "react-hook-form";
+import { faEye } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { SecretSyncLabel } from "@app/components/secret-syncs";
 import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
-import { Badge } from "@app/components/v2";
+import { Badge, Table, TBody, Td, Th, THead, Tooltip, Tr } from "@app/components/v2";
 import { AWS_REGIONS } from "@app/helpers/appConnections";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-export const AwsParameterStoreSyncReviewFields = () => {
+export const AwsParameterStoreSyncOptionsReviewFields = () => {
   const { watch } = useFormContext<
     TSecretSyncForm & { destination: SecretSync.AWSParameterStore }
   >();
 
-  const [region, path] = watch(["destinationConfig.region", "destinationConfig.path"]);
+  const [{ keyId, tags, syncSecretMetadataAsTags }] = watch(["syncOptions"]);
+
+  return (
+    <>
+      {keyId && <SecretSyncLabel label="KMS Key">{keyId}</SecretSyncLabel>}
+      {tags && tags.length > 0 && (
+        <SecretSyncLabel label="Resource Tags">
+          <Tooltip
+            side="right"
+            className="max-w-xl p-1"
+            content={
+              <Table>
+                <THead>
+                  <Th className="whitespace-nowrap p-2">Key</Th>
+                  <Th className="p-2">Value</Th>
+                </THead>
+                <TBody>
+                  {tags.map((tag) => (
+                    <Tr key={tag.key}>
+                      <Td className="p-2">{tag.key}</Td>
+                      <Td className="p-2">{tag.value}</Td>
+                    </Tr>
+                  ))}
+                </TBody>
+              </Table>
+            }
+          >
+            <div className="w-min">
+              <Badge className="flex h-5 w-min items-center gap-1.5 whitespace-nowrap bg-mineshaft-400/50 text-bunker-300">
+                <FontAwesomeIcon icon={faEye} />
+                <span>
+                  {tags.length} Tag{tags.length > 1 ? "s" : ""}
+                </span>
+              </Badge>
+            </div>
+          </Tooltip>
+        </SecretSyncLabel>
+      )}
+      {syncSecretMetadataAsTags && (
+        <SecretSyncLabel label="Sync Secret Metadata as Resource Tags">
+          <Badge variant="success">Enabled</Badge>
+        </SecretSyncLabel>
+      )}
+    </>
+  );
+};
+
+export const AwsParameterStoreDestinationReviewFields = () => {
+  const { watch } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.AWSParameterStore }
+  >();
+
+  const [{ region, path }] = watch(["destinationConfig"]);
 
   const awsRegion = AWS_REGIONS.find((r) => r.slug === region);
 

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/AwsSecretsManagerSyncReviewFields.tsx

@@ -1,8 +1,10 @@
 import { useFormContext } from "react-hook-form";
+import { faEye } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { SecretSyncLabel } from "@app/components/secret-syncs";
 import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
-import { Badge } from "@app/components/v2";
+import { Badge, Table, TBody, Td, Th, THead, Tooltip, Tr } from "@app/components/v2";
 import { AWS_REGIONS } from "@app/helpers/appConnections";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 import { AwsSecretsManagerSyncMappingBehavior } from "@app/hooks/api/secretSyncs/types/aws-secrets-manager-sync";
@@ -37,3 +39,55 @@ export const AwsSecretsManagerSyncReviewFields = () => {
     </>
   );
 };
+
+export const AwsSecretsManagerSyncOptionsReviewFields = () => {
+  const { watch } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.AWSSecretsManager }
+  >();
+
+  const [{ keyId, tags, syncSecretMetadataAsTags }] = watch(["syncOptions"]);
+
+  return (
+    <>
+      {keyId && <SecretSyncLabel label="KMS Key">{keyId}</SecretSyncLabel>}
+      {tags && tags.length > 0 && (
+        <SecretSyncLabel label="Tags">
+          <Tooltip
+            side="right"
+            className="max-w-xl p-1"
+            content={
+              <Table>
+                <THead>
+                  <Th className="whitespace-nowrap p-2">Key</Th>
+                  <Th className="p-2">Value</Th>
+                </THead>
+                <TBody>
+                  {tags.map((tag) => (
+                    <Tr key={tag.key}>
+                      <Td className="p-2">{tag.key}</Td>
+                      <Td className="p-2">{tag.value}</Td>
+                    </Tr>
+                  ))}
+                </TBody>
+              </Table>
+            }
+          >
+            <div className="w-min">
+              <Badge className="flex h-5 w-min items-center gap-1.5 whitespace-nowrap bg-mineshaft-400/50 text-bunker-300">
+                <FontAwesomeIcon icon={faEye} />
+                <span>
+                  {tags.length} Tag{tags.length > 1 ? "s" : ""}
+                </span>
+              </Badge>
+            </div>
+          </Tooltip>
+        </SecretSyncLabel>
+      )}
+      {syncSecretMetadataAsTags && (
+        <SecretSyncLabel label="Sync Secret Metadata as Resource Tags">
+          <Badge variant="success">Enabled</Badge>
+        </SecretSyncLabel>
+      )}
+    </>
+  );
+};

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx

@@ -3,15 +3,21 @@ import { useFormContext } from "react-hook-form";
 
 import { SecretSyncLabel } from "@app/components/secret-syncs";
 import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
-import { AwsSecretsManagerSyncReviewFields } from "@app/components/secret-syncs/forms/SecretSyncReviewFields/AwsSecretsManagerSyncReviewFields";
-import { DatabricksSyncReviewFields } from "@app/components/secret-syncs/forms/SecretSyncReviewFields/DatabricksSyncReviewFields";
 import { Badge } from "@app/components/v2";
 import { SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP, SECRET_SYNC_MAP } from "@app/helpers/secretSyncs";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-import { AwsParameterStoreSyncReviewFields } from "./AwsParameterStoreSyncReviewFields";
+import {
+  AwsParameterStoreDestinationReviewFields,
+  AwsParameterStoreSyncOptionsReviewFields
+} from "./AwsParameterStoreSyncReviewFields";
+import {
+  AwsSecretsManagerSyncOptionsReviewFields,
+  AwsSecretsManagerSyncReviewFields
+} from "./AwsSecretsManagerSyncReviewFields";
 import { AzureAppConfigurationSyncReviewFields } from "./AzureAppConfigurationSyncReviewFields";
 import { AzureKeyVaultSyncReviewFields } from "./AzureKeyVaultSyncReviewFields";
+import { DatabricksSyncReviewFields } from "./DatabricksSyncReviewFields";
 import { GcpSyncReviewFields } from "./GcpSyncReviewFields";
 import { GitHubSyncReviewFields } from "./GitHubSyncReviewFields";
 
@@ -19,6 +25,7 @@ export const SecretSyncReviewFields = () => {
   const { watch } = useFormContext<TSecretSyncForm>();
 
   let DestinationFieldsComponent: ReactNode;
+  let AdditionalSyncOptionsFieldsComponent: ReactNode;
 
   const {
     name,
@@ -38,10 +45,12 @@ export const SecretSyncReviewFields = () => {
 
   switch (destination) {
     case SecretSync.AWSParameterStore:
-      DestinationFieldsComponent = <AwsParameterStoreSyncReviewFields />;
+      DestinationFieldsComponent = <AwsParameterStoreDestinationReviewFields />;
+      AdditionalSyncOptionsFieldsComponent = <AwsParameterStoreSyncOptionsReviewFields />;
       break;
     case SecretSync.AWSSecretsManager:
       DestinationFieldsComponent = <AwsSecretsManagerSyncReviewFields />;
+      AdditionalSyncOptionsFieldsComponent = <AwsSecretsManagerSyncOptionsReviewFields />;
       break;
     case SecretSync.GitHub:
       DestinationFieldsComponent = <GitHubSyncReviewFields />;
@@ -84,7 +93,7 @@ export const SecretSyncReviewFields = () => {
       </div>
       <div className="flex flex-col gap-3">
         <div className="w-full border-b border-mineshaft-600">
-          <span className="text-sm text-mineshaft-300">Options</span>
+          <span className="text-sm text-mineshaft-300">Sync Options</span>
         </div>
         <div className="flex flex-wrap gap-x-8 gap-y-2">
           <SecretSyncLabel label="Auto-Sync">
@@ -97,6 +106,7 @@ export const SecretSyncReviewFields = () => {
           </SecretSyncLabel>
           {/* <SecretSyncLabel label="Prepend Prefix">{prependPrefix}</SecretSyncLabel>
           <SecretSyncLabel label="Append Suffix">{appendSuffix}</SecretSyncLabel> */}
+          {AdditionalSyncOptionsFieldsComponent}
         </div>
       </div>
       <div className="flex flex-col gap-3">

frontend/src/components/secret-syncs/forms/schemas/aws-parameter-store-sync-destination-schema.ts

@@ -1,16 +1,45 @@
 import { z } from "zod";
 
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-export const AwsParameterStoreSyncDestinationSchema = z.object({
-  destination: z.literal(SecretSync.AWSParameterStore),
-  destinationConfig: z.object({
-    path: z
-      .string()
-      .trim()
-      .min(1, "Parameter Store Path required")
-      .max(2048, "Cannot exceed 2048 characters")
-      .regex(/^\/([/]|(([\w-]+\/)+))?$/, 'Invalid path - must follow "/example/path/" format'),
-    region: z.string().min(1, "Region required")
+export const AwsParameterStoreSyncDestinationSchema = BaseSecretSyncSchema(
+  z.object({
+    keyId: z.string().optional(),
+    tags: z
+      .object({
+        key: z
+          .string()
+          .regex(
+            /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
+            "Keys can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
+          )
+          .min(1, "Key required")
+          .max(128, "Tag key cannot exceed 128 characters"),
+        value: z
+          .string()
+          .regex(
+            /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
+            "Values can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
+          )
+          .max(256, "Tag value cannot exceed 256 characters")
+      })
+      .array()
+      .max(50)
+      .optional(),
+    syncSecretMetadataAsTags: z.boolean().optional()
   })
-});
+).merge(
+  z.object({
+    destination: z.literal(SecretSync.AWSParameterStore),
+    destinationConfig: z.object({
+      path: z
+        .string()
+        .trim()
+        .min(1, "Parameter Store Path required")
+        .max(2048, "Cannot exceed 2048 characters")
+        .regex(/^\/([/]|(([\w-]+\/)+))?$/, 'Invalid path - must follow "/example/path/" format'),
+      region: z.string().min(1, "Region required")
+    })
+  })
+);

frontend/src/components/secret-syncs/forms/schemas/aws-secrets-manager-sync-destination-schema.ts

@@ -1,30 +1,59 @@
 import { z } from "zod";
 
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 import { AwsSecretsManagerSyncMappingBehavior } from "@app/hooks/api/secretSyncs/types/aws-secrets-manager-sync";
 
-export const AwsSecretsManagerSyncDestinationSchema = z.object({
-  destination: z.literal(SecretSync.AWSSecretsManager),
-  destinationConfig: z
-    .discriminatedUnion("mappingBehavior", [
-      z.object({
-        mappingBehavior: z.literal(AwsSecretsManagerSyncMappingBehavior.OneToOne)
-      }),
-      z.object({
-        mappingBehavior: z.literal(AwsSecretsManagerSyncMappingBehavior.ManyToOne),
-        secretName: z
+export const AwsSecretsManagerSyncDestinationSchema = BaseSecretSyncSchema(
+  z.object({
+    keyId: z.string().optional(),
+    tags: z
+      .object({
+        key: z
           .string()
           .regex(
-            /^[a-zA-Z0-9/_+=.@-]+$/,
-            "Secret name must contain only alphanumeric characters and the characters /_+=.@-"
+            /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
+            "Keys can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
           )
-          .min(1, "Secret name is required")
-          .max(256, "Secret name cannot exceed 256 characters")
+          .min(1, "Key required")
+          .max(128, "Tag key cannot exceed 128 characters"),
+        value: z
+          .string()
+          .regex(
+            /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
+            "Values can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
+          )
+          .max(256, "Tag value cannot exceed 256 characters")
       })
-    ])
-    .and(
-      z.object({
-        region: z.string().min(1, "Region required")
-      })
-    )
-});
+      .array()
+      .max(50)
+      .optional(),
+    syncSecretMetadataAsTags: z.boolean().optional()
+  })
+).merge(
+  z.object({
+    destination: z.literal(SecretSync.AWSSecretsManager),
+    destinationConfig: z
+      .discriminatedUnion("mappingBehavior", [
+        z.object({
+          mappingBehavior: z.literal(AwsSecretsManagerSyncMappingBehavior.OneToOne)
+        }),
+        z.object({
+          mappingBehavior: z.literal(AwsSecretsManagerSyncMappingBehavior.ManyToOne),
+          secretName: z
+            .string()
+            .regex(
+              /^[a-zA-Z0-9/_+=.@-]+$/,
+              "Secret name must contain only alphanumeric characters and the characters /_+=.@-"
+            )
+            .min(1, "Secret name is required")
+            .max(256, "Secret name cannot exceed 256 characters")
+        })
+      ])
+      .and(
+        z.object({
+          region: z.string().min(1, "Region required")
+        })
+      )
+  })
+);

frontend/src/components/secret-syncs/forms/schemas/azure-app-configuration-sync-destination-schema.ts

@@ -1,19 +1,22 @@
 import { z } from "zod";
 
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-export const AzureAppConfigurationSyncDestinationSchema = z.object({
-  destination: z.literal(SecretSync.AzureAppConfiguration),
-  destinationConfig: z.object({
-    configurationUrl: z
-      .string()
-      .trim()
-      .min(1, { message: "Azure App Configuration URL is required" })
-      .url()
-      .refine(
-        (val) => val.endsWith(".azconfig.io"),
-        "URL should have the following format: https://resource-name-here.azconfig.io"
-      ),
-    label: z.string().optional()
+export const AzureAppConfigurationSyncDestinationSchema = BaseSecretSyncSchema().merge(
+  z.object({
+    destination: z.literal(SecretSync.AzureAppConfiguration),
+    destinationConfig: z.object({
+      configurationUrl: z
+        .string()
+        .trim()
+        .min(1, { message: "Azure App Configuration URL is required" })
+        .url()
+        .refine(
+          (val) => val.endsWith(".azconfig.io"),
+          "URL should have the following format: https://resource-name-here.azconfig.io"
+        ),
+      label: z.string().optional()
+    })
   })
-});
+);

frontend/src/components/secret-syncs/forms/schemas/azure-key-vault-sync-destination-schema.ts

@@ -1,10 +1,16 @@
 import { z } from "zod";
 
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-export const AzureKeyVaultSyncDestinationSchema = z.object({
-  destination: z.literal(SecretSync.AzureKeyVault),
-  destinationConfig: z.object({
-    vaultBaseUrl: z.string().url("Invalid vault base URL format").min(1, "Vault base URL required")
+export const AzureKeyVaultSyncDestinationSchema = BaseSecretSyncSchema().merge(
+  z.object({
+    destination: z.literal(SecretSync.AzureKeyVault),
+    destinationConfig: z.object({
+      vaultBaseUrl: z
+        .string()
+        .url("Invalid vault base URL format")
+        .min(1, "Vault base URL required")
+    })
   })
-});
+);

frontend/src/components/secret-syncs/forms/schemas/base-secret-sync-schema.ts

@@ -0,0 +1,39 @@
+import { AnyZodObject, z } from "zod";
+
+import { SecretSyncInitialSyncBehavior } from "@app/hooks/api/secretSyncs";
+import { slugSchema } from "@app/lib/schemas";
+
+export const BaseSecretSyncSchema = <T extends AnyZodObject | undefined = undefined>(
+  additionalSyncOptions?: T
+) => {
+  const baseSyncOptionsSchema = z.object({
+    initialSyncBehavior: z.nativeEnum(SecretSyncInitialSyncBehavior)
+    // scott: removed temporarily for evaluation of template formatting
+    // prependPrefix: z
+    //   .string()
+    //   .trim()
+    //   .transform((str) => str.toUpperCase())
+    //   .optional(),
+    // appendSuffix: z
+    //   .string()
+    //   .trim()
+    //   .transform((str) => str.toUpperCase())
+    //   .optional()
+  });
+
+  const syncOptionsSchema = additionalSyncOptions
+    ? baseSyncOptionsSchema.merge(additionalSyncOptions)
+    : (baseSyncOptionsSchema as T extends AnyZodObject
+        ? z.ZodObject<z.objectUtil.MergeShapes<typeof baseSyncOptionsSchema.shape, T["shape"]>>
+        : typeof baseSyncOptionsSchema);
+
+  return z.object({
+    name: slugSchema({ field: "Name" }),
+    description: z.string().trim().max(256, "Cannot exceed 256 characters").optional(),
+    connection: z.object({ name: z.string(), id: z.string().uuid() }),
+    environment: z.object({ slug: z.string(), id: z.string(), name: z.string() }),
+    secretPath: z.string().min(1, "Secret path required"),
+    syncOptions: syncOptionsSchema,
+    isAutoSyncEnabled: z.boolean()
+  });
+};

frontend/src/components/secret-syncs/forms/schemas/databricks-sync-destination-schema.ts

@@ -1,10 +1,13 @@
 import { z } from "zod";
 
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 
-export const DatabricksSyncDestinationSchema = z.object({
-  destination: z.literal(SecretSync.Databricks),
-  destinationConfig: z.object({
-    scope: z.string().trim().min(1, "Databricks scope required")
+export const DatabricksSyncDestinationSchema = BaseSecretSyncSchema().merge(
+  z.object({
+    destination: z.literal(SecretSync.Databricks),
+    destinationConfig: z.object({
+      scope: z.string().trim().min(1, "Databricks scope required")
+    })
   })
-});
+);

frontend/src/components/secret-syncs/forms/schemas/gcp-sync-destination-schema.ts

@@ -1,12 +1,15 @@
 import { z } from "zod";
 
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 import { GcpSyncScope } from "@app/hooks/api/secretSyncs/types/gcp-sync";
 
-export const GcpSyncDestinationSchema = z.object({
-  destination: z.literal(SecretSync.GCPSecretManager),
-  destinationConfig: z.object({
-    scope: z.literal(GcpSyncScope.Global),
-    projectId: z.string().min(1, "Project ID required")
+export const GcpSyncDestinationSchema = BaseSecretSyncSchema().merge(
+  z.object({
+    destination: z.literal(SecretSync.GCPSecretManager),
+    destinationConfig: z.object({
+      scope: z.literal(GcpSyncScope.Global),
+      projectId: z.string().min(1, "Project ID required")
+    })
   })
-});
+);

frontend/src/components/secret-syncs/forms/schemas/github-sync-destination-schema.ts

@@ -1,45 +1,48 @@
 import { z } from "zod";
 
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 import {
   GitHubSyncScope,
   GitHubSyncVisibility
 } from "@app/hooks/api/secretSyncs/types/github-sync";
 
-export const GitHubSyncDestinationSchema = z.object({
-  destination: z.literal(SecretSync.GitHub),
-  destinationConfig: z
-    .discriminatedUnion("scope", [
-      z.object({
-        scope: z.literal(GitHubSyncScope.Organization),
-        org: z.string().min(1, "Organization name required"),
-        visibility: z.nativeEnum(GitHubSyncVisibility),
-        selectedRepositoryIds: z.number().array().optional()
-      }),
-      z.object({
-        scope: z.literal(GitHubSyncScope.Repository),
-        owner: z.string().min(1, "Repository owner name required"),
-        repo: z.string().min(1, "Repository name required")
-      }),
-      z.object({
-        scope: z.literal(GitHubSyncScope.RepositoryEnvironment),
-        owner: z.string().min(1, "Repository owner name required"),
-        repo: z.string().min(1, "Repository name required"),
-        env: z.string().min(1, "Environment name required")
-      })
-    ])
-    .superRefine((options, ctx) => {
-      if (options.scope === GitHubSyncScope.Organization) {
-        if (
-          options.visibility === GitHubSyncVisibility.Selected &&
-          !options.selectedRepositoryIds?.length
-        ) {
-          ctx.addIssue({
-            code: z.ZodIssueCode.custom,
-            message: "Select at least 1 repository",
-            path: ["selectedRepositoryIds"]
-          });
+export const GitHubSyncDestinationSchema = BaseSecretSyncSchema().merge(
+  z.object({
+    destination: z.literal(SecretSync.GitHub),
+    destinationConfig: z
+      .discriminatedUnion("scope", [
+        z.object({
+          scope: z.literal(GitHubSyncScope.Organization),
+          org: z.string().min(1, "Organization name required"),
+          visibility: z.nativeEnum(GitHubSyncVisibility),
+          selectedRepositoryIds: z.number().array().optional()
+        }),
+        z.object({
+          scope: z.literal(GitHubSyncScope.Repository),
+          owner: z.string().min(1, "Repository owner name required"),
+          repo: z.string().min(1, "Repository name required")
+        }),
+        z.object({
+          scope: z.literal(GitHubSyncScope.RepositoryEnvironment),
+          owner: z.string().min(1, "Repository owner name required"),
+          repo: z.string().min(1, "Repository name required"),
+          env: z.string().min(1, "Environment name required")
+        })
+      ])
+      .superRefine((options, ctx) => {
+        if (options.scope === GitHubSyncScope.Organization) {
+          if (
+            options.visibility === GitHubSyncVisibility.Selected &&
+            !options.selectedRepositoryIds?.length
+          ) {
+            ctx.addIssue({
+              code: z.ZodIssueCode.custom,
+              message: "Select at least 1 repository",
+              path: ["selectedRepositoryIds"]
+            });
+          }
         }
-      }
-    })
-});
+      })
+  })
+);

frontend/src/components/secret-syncs/forms/schemas/secret-sync-schema.ts

@@ -3,37 +3,12 @@ import { z } from "zod";
 import { AwsSecretsManagerSyncDestinationSchema } from "@app/components/secret-syncs/forms/schemas/aws-secrets-manager-sync-destination-schema";
 import { DatabricksSyncDestinationSchema } from "@app/components/secret-syncs/forms/schemas/databricks-sync-destination-schema";
 import { GitHubSyncDestinationSchema } from "@app/components/secret-syncs/forms/schemas/github-sync-destination-schema";
-import { SecretSyncInitialSyncBehavior } from "@app/hooks/api/secretSyncs";
-import { slugSchema } from "@app/lib/schemas";
 
 import { AwsParameterStoreSyncDestinationSchema } from "./aws-parameter-store-sync-destination-schema";
 import { AzureAppConfigurationSyncDestinationSchema } from "./azure-app-configuration-sync-destination-schema";
 import { AzureKeyVaultSyncDestinationSchema } from "./azure-key-vault-sync-destination-schema";
 import { GcpSyncDestinationSchema } from "./gcp-sync-destination-schema";
 
-const BaseSecretSyncSchema = z.object({
-  name: slugSchema({ field: "Name" }),
-  description: z.string().trim().max(256, "Cannot exceed 256 characters").optional(),
-  connection: z.object({ name: z.string(), id: z.string().uuid() }),
-  environment: z.object({ slug: z.string(), id: z.string(), name: z.string() }),
-  secretPath: z.string().min(1, "Secret path required"),
-  syncOptions: z.object({
-    initialSyncBehavior: z.nativeEnum(SecretSyncInitialSyncBehavior)
-    // scott: removed temporarily for evaluation of template formatting
-    // prependPrefix: z
-    //   .string()
-    //   .trim()
-    //   .transform((str) => str.toUpperCase())
-    //   .optional(),
-    // appendSuffix: z
-    //   .string()
-    //   .trim()
-    //   .transform((str) => str.toUpperCase())
-    //   .optional()
-  }),
-  isAutoSyncEnabled: z.boolean()
-});
-
 const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncDestinationSchema,
   AwsSecretsManagerSyncDestinationSchema,
@@ -44,8 +19,8 @@ const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
   DatabricksSyncDestinationSchema
 ]);
 
-export const SecretSyncFormSchema = SecretSyncUnionSchema.and(BaseSecretSyncSchema);
+export const SecretSyncFormSchema = SecretSyncUnionSchema;
 
-export const UpdateSecretSyncFormSchema = SecretSyncUnionSchema.and(BaseSecretSyncSchema.partial());
+export const UpdateSecretSyncFormSchema = SecretSyncUnionSchema;
 
 export type TSecretSyncForm = z.infer<typeof SecretSyncFormSchema>;

frontend/src/components/v2/Dropdown/Dropdown.tsx

@@ -20,7 +20,7 @@ export const DropdownMenuContent = forwardRef<HTMLDivElement, DropdownMenuConten
     return (
       <DropdownMenuPrimitive.Portal>
         <DropdownMenuPrimitive.Content
-          sideOffset={10}
+          sideOffset={-8}
           {...props}
           ref={forwardedRef}
           className={twMerge(

frontend/src/components/v2/Menu/Menu.tsx

@@ -1,5 +1,5 @@
 import { ComponentPropsWithRef, ElementType, ReactNode, Ref, useRef } from "react";
-import { DotLottie, DotLottieReact } from "@lottiefiles/dotlottie-react";
+import { DotLottie, DotLottieReact, Mode } from "@lottiefiles/dotlottie-react";
 import { twMerge } from "tailwind-merge";
 
 export type MenuProps = {
@@ -16,6 +16,7 @@ export type MenuItemProps<T extends ElementType> = {
   as?: T;
   children: ReactNode;
   icon?: string;
+  iconMode?: Mode;
   description?: ReactNode;
   isDisabled?: boolean;
   isSelected?: boolean;
@@ -26,6 +27,7 @@ export type MenuItemProps<T extends ElementType> = {
 export const MenuItem = <T extends ElementType = "button">({
   children,
   icon,
+  iconMode,
   className,
   isDisabled,
   isSelected,
@@ -62,6 +64,7 @@ export const MenuItem = <T extends ElementType = "button">({
             dotLottieRefCallback={(el) => {
               iconRef.current = el;
             }}
+            mode={iconMode}
             src={`/lotties/${icon}.json`}
             loop
             className="h-full w-full"