bring back missing secrets docs

Merge pull request #4384 from Infisical/aws-parameter-store-key-schema-path-fix
fix(aws-parameter-store-sync): handle keyschema with path segments for aws parameter store
2025-09-06 06:00:42 +00:00 · 2025-08-16 17:02:06 +07:00 · 2025-08-14 17:10:24 -07:00 · 2025-08-14 17:07:11 -07:00 · 2025-08-14 16:59:26 -07:00 · 2025-08-14 16:25:00 -07:00
5 changed files with 129 additions and 27 deletions
--- a/backend/src/services/project-env/project-env-service.ts
+++ b/backend/src/services/project-env/project-env-service.ts
@@ -177,6 +177,18 @@ export const projectEnvServiceFactory = ({
        }
      }

+      const envs = await projectEnvDAL.find({ projectId });
+      const project = await projectDAL.findById(projectId);
+      const plan = await licenseService.getPlan(project.orgId);
+      if (plan.environmentLimit !== null && envs.length > plan.environmentLimit) {
+        // case: limit imposed on number of environments allowed
+        // case: number of environments used exceeds the number of environments allowed
+        throw new BadRequestError({
+          message:
+            "Failed to update environment due to environment limit exceeded. To update an environment, please upgrade your plan or remove unused environments."
+        });
+      }
+
      const env = await projectEnvDAL.transaction(async (tx) => {
        if (position) {
          const existingEnvWithPosition = await projectEnvDAL.findOne({ projectId, position }, tx);
--- a/backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts
+++ b/backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts
@@ -1,4 +1,5 @@
 import AWS, { AWSError } from "aws-sdk";
+import handlebars from "handlebars";

 import { getAwsConnectionConfig } from "@app/services/app-connection/aws/aws-connection-fns";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
@@ -34,18 +35,51 @@ const sleep = async () =>
    setTimeout(resolve, 1000);
  });

-const getParametersByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSParameterStoreRecord> => {
+const getFullPath = ({ path, keySchema, environment }: { path: string; keySchema?: string; environment: string }) => {
+  if (!keySchema || !keySchema.includes("/")) return path;
+
+  if (keySchema.startsWith("/")) {
+    throw new SecretSyncError({ message: `Key schema cannot contain leading '/'`, shouldRetry: false });
+  }
+
+  const keySchemaSegments = handlebars
+    .compile(keySchema)({
+      environment,
+      secretKey: "{{secretKey}}"
+    })
+    .split("/");
+
+  const pathSegments = keySchemaSegments.slice(0, keySchemaSegments.length - 1);
+
+  if (pathSegments.some((segment) => segment.includes("{{secretKey}}"))) {
+    throw new SecretSyncError({
+      message: "Key schema cannot contain '/' after {{secretKey}}",
+      shouldRetry: false
+    });
+  }
+
+  return `${path}${pathSegments.join("/")}/`;
+};
+
+const getParametersByPath = async (
+  ssm: AWS.SSM,
+  path: string,
+  keySchema: string | undefined,
+  environment: string
+): Promise<TAWSParameterStoreRecord> => {
  const awsParameterStoreSecretsRecord: TAWSParameterStoreRecord = {};
  let hasNext = true;
  let nextToken: string | undefined;
  let attempt = 0;

+  const fullPath = getFullPath({ path, keySchema, environment });
+
  while (hasNext) {
    try {
      // eslint-disable-next-line no-await-in-loop
      const parameters = await ssm
        .getParametersByPath({
-          Path: path,
+          Path: fullPath,
          Recursive: false,
          WithDecryption: true,
          MaxResults: BATCH_SIZE,
@@ -59,7 +93,7 @@ const getParametersByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSPara
        parameters.Parameters.forEach((parameter) => {
          if (parameter.Name) {
            // no leading slash if path is '/'
-            const secKey = path.length > 1 ? parameter.Name.substring(path.length) : parameter.Name;
+            const secKey = fullPath.length > 1 ? parameter.Name.substring(path.length) : parameter.Name;
            awsParameterStoreSecretsRecord[secKey] = parameter;
          }
        });
@@ -83,12 +117,19 @@ const getParametersByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSPara
  return awsParameterStoreSecretsRecord;
 };

-const getParameterMetadataByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSParameterStoreMetadataRecord> => {
+const getParameterMetadataByPath = async (
+  ssm: AWS.SSM,
+  path: string,
+  keySchema: string | undefined,
+  environment: string
+): Promise<TAWSParameterStoreMetadataRecord> => {
  const awsParameterStoreMetadataRecord: TAWSParameterStoreMetadataRecord = {};
  let hasNext = true;
  let nextToken: string | undefined;
  let attempt = 0;

+  const fullPath = getFullPath({ path, keySchema, environment });
+
  while (hasNext) {
    try {
      // eslint-disable-next-line no-await-in-loop
@@ -100,7 +141,7 @@ const getParameterMetadataByPath = async (ssm: AWS.SSM, path: string): Promise<T
            {
              Key: "Path",
              Option: "OneLevel",
-              Values: [path]
+              Values: [fullPath]
            }
          ]
        })
@@ -112,7 +153,7 @@ const getParameterMetadataByPath = async (ssm: AWS.SSM, path: string): Promise<T
        parameters.Parameters.forEach((parameter) => {
          if (parameter.Name) {
            // no leading slash if path is '/'
-            const secKey = path.length > 1 ? parameter.Name.substring(path.length) : parameter.Name;
+            const secKey = fullPath.length > 1 ? parameter.Name.substring(path.length) : parameter.Name;
            awsParameterStoreMetadataRecord[secKey] = parameter;
          }
        });
@@ -298,9 +339,19 @@ export const AwsParameterStoreSyncFns = {

    const ssm = await getSSM(secretSync);

-    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
+    const awsParameterStoreSecretsRecord = await getParametersByPath(
+      ssm,
+      destinationConfig.path,
+      syncOptions.keySchema,
+      environment!.slug
+    );

-    const awsParameterStoreMetadataRecord = await getParameterMetadataByPath(ssm, destinationConfig.path);
+    const awsParameterStoreMetadataRecord = await getParameterMetadataByPath(
+      ssm,
+      destinationConfig.path,
+      syncOptions.keySchema,
+      environment!.slug
+    );

    const { shouldManageTags, awsParameterStoreTagsRecord } = await getParameterStoreTagsRecord(
      ssm,
@@ -400,22 +451,32 @@ export const AwsParameterStoreSyncFns = {
    await deleteParametersBatch(ssm, parametersToDelete);
  },
  getSecrets: async (secretSync: TAwsParameterStoreSyncWithCredentials): Promise<TSecretMap> => {
-    const { destinationConfig } = secretSync;
+    const { destinationConfig, syncOptions, environment } = secretSync;

    const ssm = await getSSM(secretSync);

-    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
+    const awsParameterStoreSecretsRecord = await getParametersByPath(
+      ssm,
+      destinationConfig.path,
+      syncOptions.keySchema,
+      environment!.slug
+    );

    return Object.fromEntries(
      Object.entries(awsParameterStoreSecretsRecord).map(([key, value]) => [key, { value: value.Value ?? "" }])
    );
  },
  removeSecrets: async (secretSync: TAwsParameterStoreSyncWithCredentials, secretMap: TSecretMap) => {
-    const { destinationConfig } = secretSync;
+    const { destinationConfig, syncOptions, environment } = secretSync;

    const ssm = await getSSM(secretSync);

-    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
+    const awsParameterStoreSecretsRecord = await getParametersByPath(
+      ssm,
+      destinationConfig.path,
+      syncOptions.keySchema,
+      environment!.slug
+    );

    const parametersToDelete: AWS.SSM.Parameter[] = [];

--- a/docs/docs.json
+++ b/docs/docs.json
@@ -416,6 +416,9 @@
                "pages": [
                  "documentation/platform/secrets-mgmt/project",
                  "documentation/platform/folder",
+                  "documentation/platform/secret-versioning",
+                  "documentation/platform/pit-recovery",
+                  "documentation/platform/secret-reference",
                  {
                    "group": "Secret Rotation",
                    "pages": [
@@ -459,7 +462,8 @@
                      "documentation/platform/dynamic-secrets/kubernetes",
                      "documentation/platform/dynamic-secrets/vertica"
                    ]
-                  }
+                  },
+                  "documentation/platform/webhooks"
                ]
              },
              {
--- a/docs/documentation/platform/secrets-mgmt/concepts/secrets-delivery.mdx
+++ b/docs/documentation/platform/secrets-mgmt/concepts/secrets-delivery.mdx
@@ -1,6 +1,6 @@
 ---
-title: "Delivering Secrets"
-description: "Learn how to get secrets out of Infisical and into the systems, applications, and environments that need them."
+title: "Fetching Secrets"
+description: "Learn how to deliver secrets from Infisical into the systems, applications, and environments that need them."
 ---

 Once secrets are stored and scoped in Infisical, the next step is delivering them securely to the systems and applications that need them.
--- a/frontend/src/pages/secret-manager/SettingsPage/components/EnvironmentSection/EnvironmentTable.tsx
+++ b/frontend/src/pages/secret-manager/SettingsPage/components/EnvironmentSection/EnvironmentTable.tsx
@@ -12,9 +12,15 @@ import {
  Td,
  Th,
  THead,
+  Tooltip,
  Tr
 } from "@app/components/v2";
-import { ProjectPermissionActions, ProjectPermissionSub, useWorkspace } from "@app/context";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  useSubscription,
+  useWorkspace
+} from "@app/context";
 import { useUpdateWsEnvironment } from "@app/hooks/api";
 import { UsePopUpState } from "@app/hooks/usePopUp";

@@ -35,6 +41,7 @@ type Props = {

 export const EnvironmentTable = ({ handlePopUpOpen }: Props) => {
  const { currentWorkspace } = useWorkspace();
+  const { subscription } = useSubscription();

  const updateEnvironment = useUpdateWsEnvironment();

@@ -61,6 +68,16 @@ export const EnvironmentTable = ({ handlePopUpOpen }: Props) => {
    }
  };

+  const isMoreEnvironmentsAllowed =
+    subscription?.environmentLimit && currentWorkspace?.environments
+      ? currentWorkspace.environments.length <= subscription.environmentLimit
+      : true;
+
+  const environmentsOverPlanLimit =
+    subscription?.environmentLimit && currentWorkspace?.environments
+      ? Math.max(0, currentWorkspace.environments.length - subscription.environmentLimit)
+      : 0;
+
  return (
    <TableContainer>
      <Table>
@@ -122,18 +139,26 @@ export const EnvironmentTable = ({ handlePopUpOpen }: Props) => {
                  a={ProjectPermissionSub.Environments}
                >
                  {(isAllowed) => (
-                    <IconButton
-                      className="mr-3 py-2"
-                      onClick={() => {
-                        handlePopUpOpen("updateEnv", { name, slug, id });
-                      }}
-                      isDisabled={!isAllowed}
-                      colorSchema="primary"
-                      variant="plain"
-                      ariaLabel="update"
+                    <Tooltip
+                      content={
+                        isMoreEnvironmentsAllowed
+                          ? ""
+                          : `You have exceeded the number of environments allowed by your plan. To edit an existing environment, either upgrade your plan or remove at least ${environmentsOverPlanLimit} environment${environmentsOverPlanLimit === 1 ? "" : "s"}.`
+                      }
                    >
-                      <FontAwesomeIcon icon={faPencil} />
-                    </IconButton>
+                      <IconButton
+                        className="mr-3 py-2"
+                        onClick={() => {
+                          handlePopUpOpen("updateEnv", { name, slug, id });
+                        }}
+                        isDisabled={!isAllowed || !isMoreEnvironmentsAllowed}
+                        colorSchema="primary"
+                        variant="plain"
+                        ariaLabel="update"
+                      >
+                        <FontAwesomeIcon icon={faPencil} />
+                      </IconButton>
+                    </Tooltip>
                  )}
                </ProjectPermissionCan>
                <ProjectPermissionCan
Author	SHA1	Message	Date
Tuan Dang	43752e1888	bring back missing secrets docs	2025-08-16 17:02:06 +07:00
Scott Wilson	bd72129d8c	Merge pull request #4384 from Infisical/aws-parameter-store-key-schema-path-fix fix(aws-parameter-store-sync): handle keyschema with path segments for aws parameter store	2025-08-14 17:10:24 -07:00
carlosmonastyrski	bf10b2f58a	Merge pull request #4385 from Infisical/fix/gitlabSelfHostingOauth Fix Gitlab OAuth redirection issue with instanceUrls	2025-08-14 17:07:11 -07:00
Scott Wilson	d24f5a57a8	improvement: throw on keyschema leading slash	2025-08-14 16:59:26 -07:00
Scott Wilson	a7847f177c	improvements: address feedback	2025-08-14 16:25:00 -07:00
Scott Wilson	48e5f550e9	fix: handle keyschema with path segments for aws parameter store	2025-08-14 15:46:41 -07:00
carlosmonastyrski	4a4a7fd325	Merge pull request #4374 from Infisical/ENG-3518 Disable environments edit when a project has more environment than the allowed by the org plan	2025-08-14 12:24:27 -07:00
Carlos Monastyrski	91b8ed8015	Minor improvement on a math calculated field	2025-08-14 10:14:22 -07:00
Carlos Monastyrski	0473fb0ddb	Disable environments edit when a project has more environment than the allowed by the org plan	2025-08-13 13:50:29 -07:00