removed undefined type

fix: address infinite hang when infisical run watch fails

.github/workflows/deployment-pipeline.yml

@@ -97,7 +97,7 @@ jobs:
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
           service: infisical-core-gamma-stage
@@ -153,7 +153,7 @@ jobs:
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
           service: infisical-core-platform
@@ -204,7 +204,7 @@ jobs:
             image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
             environment-variables: "LOG_LEVEL=info"
         - name: Deploy to Amazon ECS service
-          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+          uses: aws-actions/amazon-ecs-deploy-task-definition@v2
           with:
             task-definition: ${{ steps.render-web-container.outputs.task-definition }}
             service: infisical-core-platform

backend/src/@types/fastify.d.ts

@@ -80,7 +80,6 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
-import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
@@ -211,7 +210,6 @@ declare module "fastify" {
       projectTemplate: TProjectTemplateServiceFactory;
       totp: TTotpServiceFactory;
       appConnection: TAppConnectionServiceFactory;
-      secretSync: TSecretSyncServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -218,6 +218,9 @@ import {
   TRateLimit,
   TRateLimitInsert,
   TRateLimitUpdate,
+  TResourceMetadata,
+  TResourceMetadataInsert,
+  TResourceMetadataUpdate,
   TSamlConfigs,
   TSamlConfigsInsert,
   TSamlConfigsUpdate,
@@ -369,7 +372,6 @@ import {
   TExternalGroupOrgRoleMappingsInsert,
   TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
-import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
 import {
   TSecretV2TagJunction,
   TSecretV2TagJunctionInsert,
@@ -888,11 +890,15 @@ declare module "knex/types/tables" {
       TProjectSplitBackfillIdsInsert,
       TProjectSplitBackfillIdsUpdate
     >;
+    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
+      TResourceMetadata,
+      TResourceMetadataInsert,
+      TResourceMetadataUpdate
+    >;
     [TableName.AppConnection]: KnexOriginal.CompositeTableType<
       TAppConnections,
       TAppConnectionsInsert,
       TAppConnectionsUpdate
     >;
-    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
   }
 }

backend/src/db/migrations/20241218165837_resource-metadata.ts

@@ -0,0 +1,40 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
+    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.string("key").notNullable();
+      tb.string("value", 1020).notNullable();
+      tb.uuid("orgId").notNullable();
+      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      tb.uuid("userId");
+      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      tb.uuid("identityId");
+      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      tb.uuid("secretId");
+      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
+      tb.timestamps(true, true, true);
+    });
+  }
+
+  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
+  if (!hasSecretMetadataField) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
+      t.jsonb("secretMetadata");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
+
+  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
+  if (hasSecretMetadataField) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
+      t.dropColumn("secretMetadata");
+    });
+  }
+}

backend/src/db/migrations/20241219210911_secret-sync.ts

@@ -1,46 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
-    await knex.schema.createTable(TableName.SecretSync, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name", 32).notNullable();
-      t.string("description");
-      t.string("destination").notNullable();
-      t.boolean("isEnabled").notNullable().defaultTo(true);
-      t.integer("version").defaultTo(1).notNullable();
-      t.jsonb("destinationConfig").notNullable();
-      t.jsonb("syncOptions").notNullable();
-      t.uuid("folderId").notNullable();
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-      t.uuid("connectionId").notNullable();
-      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
-      t.timestamps(true, true, true);
-      // sync
-      t.string("syncStatus");
-      t.string("lastSyncJobId");
-      t.string("lastSyncMessage");
-      t.datetime("lastSyncedAt");
-      // import
-      t.string("importStatus");
-      t.string("lastImportJobId");
-      t.string("lastImportMessage");
-      t.datetime("lastImportedAt");
-      // erase
-      t.string("eraseStatus");
-      t.string("lastEraseJobId");
-      t.string("lastEraseMessage");
-      t.datetime("lastErasedAt");
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretSync);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretSync);
-  await dropOnUpdateTrigger(knex, TableName.SecretSync);
-}

backend/src/db/schemas/index.ts

@@ -71,6 +71,7 @@ export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./rate-limit";
+export * from "./resource-metadata";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";

backend/src/db/schemas/models.ts

@@ -80,6 +80,7 @@ export enum TableName {
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
   // used by both identity and users
   IdentityMetadata = "identity_metadata",
+  ResourceMetadata = "resource_metadata",
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",
@@ -130,8 +131,7 @@ export enum TableName {
   WorkflowIntegrations = "workflow_integrations",
   SlackIntegrations = "slack_integrations",
   ProjectSlackConfigs = "project_slack_configs",
-  AppConnection = "app_connections",
-  SecretSync = "secret_syncs"
+  AppConnection = "app_connections"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";

backend/src/db/schemas/resource-metadata.ts

@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ResourceMetadataSchema = z.object({
+  id: z.string().uuid(),
+  key: z.string(),
+  value: z.string(),
+  orgId: z.string().uuid(),
+  userId: z.string().uuid().nullable().optional(),
+  identityId: z.string().uuid().nullable().optional(),
+  secretId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
+export type TResourceMetadataInsert = Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>;
+export type TResourceMetadataUpdate = Partial<Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-approval-requests-secrets-v2.ts

@@ -24,7 +24,8 @@ export const SecretApprovalRequestsSecretsV2Schema = z.object({
   requestId: z.string().uuid(),
   op: z.string(),
   secretId: z.string().uuid().nullable().optional(),
-  secretVersion: z.string().uuid().nullable().optional()
+  secretVersion: z.string().uuid().nullable().optional(),
+  secretMetadata: z.unknown().nullable().optional()
 });
 
 export type TSecretApprovalRequestsSecretsV2 = z.infer<typeof SecretApprovalRequestsSecretsV2Schema>;

backend/src/db/schemas/secret-syncs.ts

@@ -1,39 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretSyncsSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  description: z.string().nullable().optional(),
-  destination: z.string(),
-  isEnabled: z.boolean().default(true),
-  version: z.number().default(1),
-  destinationConfig: z.unknown(),
-  syncOptions: z.unknown(),
-  folderId: z.string().uuid(),
-  connectionId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  syncStatus: z.string().nullable().optional(),
-  lastSyncJobId: z.string().nullable().optional(),
-  lastSyncMessage: z.string().nullable().optional(),
-  lastSyncedAt: z.date().nullable().optional(),
-  importStatus: z.string().nullable().optional(),
-  lastImportJobId: z.string().nullable().optional(),
-  lastImportMessage: z.string().nullable().optional(),
-  lastImportedAt: z.date().nullable().optional(),
-  eraseStatus: z.string().nullable().optional(),
-  lastEraseJobId: z.string().nullable().optional(),
-  lastEraseMessage: z.string().nullable().optional(),
-  lastErasedAt: z.date().nullable().optional()
-});
-
-export type TSecretSyncs = z.infer<typeof SecretSyncsSchema>;
-export type TSecretSyncsInsert = Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>;
-export type TSecretSyncsUpdate = Partial<Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>>;

backend/src/ee/routes/v1/index.ts

@@ -22,6 +22,7 @@ import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-rou
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
 import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
 import { registerSecretRotationRouter } from "./secret-rotation-router";
+import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
@@ -92,6 +93,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerLdapRouter, { prefix: "/ldap" });
   await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
   await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
+  await server.register(registerSecretRouter, { prefix: "/secrets" });
   await server.register(registerSecretVersionRouter, { prefix: "/secret" });
   await server.register(registerGroupRouter, { prefix: "/groups" });
   await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });

backend/src/ee/routes/v1/org-role-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
-import { OrgPermissionSchema } from "@app/ee/services/permission/org-permission";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -25,7 +24,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         ),
         name: z.string().trim(),
         description: z.string().trim().nullish(),
-        permissions: OrgPermissionSchema.array()
+        permissions: z.any().array()
       }),
       response: {
         200: z.object({
@@ -97,7 +96,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           .optional(),
         name: z.string().trim().optional(),
         description: z.string().trim().nullish(),
-        permissions: OrgPermissionSchema.array().optional()
+        permissions: z.any().array().optional()
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -12,6 +12,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
   UsersSchema.pick({
@@ -274,6 +275,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 .extend({
                   op: z.string(),
                   tags: tagSchema,
+                  secretMetadata: ResourceMetadataSchema.nullish(),
                   secret: z
                     .object({
                       id: z.string(),
@@ -291,7 +293,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                       secretKey: z.string(),
                       secretValue: z.string().optional(),
                       secretComment: z.string().optional(),
-                      tags: tagSchema
+                      tags: tagSchema,
+                      secretMetadata: ResourceMetadataSchema.nullish()
                     })
                     .optional()
                 })

backend/src/ee/routes/v1/secret-router.ts

@@ -0,0 +1,71 @@
+import z from "zod";
+
+import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
+import { RAW_SECRETS } from "@app/lib/api-docs";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const AccessListEntrySchema = z
+  .object({
+    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
+    id: z.string(),
+    membershipId: z.string(),
+    name: z.string()
+  })
+  .array();
+
+export const registerSecretRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/:secretName/access-list",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get list of users, machine identities, and groups with access to a secret",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        secretName: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.secretName)
+      }),
+      querystring: z.object({
+        workspaceId: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.workspaceId),
+        environment: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.environment),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(RAW_SECRETS.GET_ACCESS_LIST.secretPath)
+      }),
+      response: {
+        200: z.object({
+          groups: AccessListEntrySchema,
+          identities: AccessListEntrySchema,
+          users: AccessListEntrySchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { secretName } = req.params;
+      const { secretPath, environment, workspaceId: projectId } = req.query;
+
+      return server.services.secret.getSecretAccessList({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        secretPath,
+        environment,
+        projectId,
+        secretName
+      });
+    }
+  });
+};

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -79,8 +79,7 @@ export const auditLogServiceFactory = ({
     }
     // add all cases in which project id or org id cannot be added
     if (data.event.type !== EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH) {
-      if (!data.projectId && !data.orgId)
-        throw new BadRequestError({ message: "Must specify either project id or org id" });
+      if (!data.projectId && !data.orgId) throw new BadRequestError({ message: "Must either project id or org id" });
     }
 
     return auditLogQueue.pushToLog(data);

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -13,13 +13,6 @@ import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-import {
-  TCreateSecretSyncDTO,
-  TDeleteSecretSyncDTO,
-  TSecretSyncRaw,
-  TUpdateSecretSyncDTO
-} from "@app/services/secret-sync/secret-sync-types";
 
 export type TListProjectAuditLogDTO = {
   filter: {
@@ -233,19 +226,10 @@ export enum EventType {
   DELETE_PROJECT_TEMPLATE = "delete-project-template",
   APPLY_PROJECT_TEMPLATE = "apply-project-template",
   GET_APP_CONNECTIONS = "get-app-connections",
-  GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
   GET_APP_CONNECTION = "get-app-connection",
   CREATE_APP_CONNECTION = "create-app-connection",
   UPDATE_APP_CONNECTION = "update-app-connection",
-  DELETE_APP_CONNECTION = "delete-app-connection",
-  GET_SECRET_SYNCS = "get-secret-syncs",
-  GET_SECRET_SYNC = "get-secret-sync",
-  CREATE_SECRET_SYNC = "create-secret-sync",
-  UPDATE_SECRET_SYNC = "update-secret-sync",
-  DELETE_SECRET_SYNC = "delete-secret-sync",
-  SYNC_SECRET_SYNC = "sync-secret-sync",
-  IMPORT_SECRET_SYNC = "import-secret-sync",
-  ERASE_SECRET_SYNC = "erase-secret-sync"
+  DELETE_APP_CONNECTION = "delete-app-connection"
 }
 
 interface UserActorMetadata {
@@ -1899,15 +1883,6 @@ interface GetAppConnectionsEvent {
   };
 }
 
-interface GetAvailableAppConnectionsDetailsEvent {
-  type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS;
-  metadata: {
-    app?: AppConnection;
-    count: number;
-    connectionIds: string[];
-  };
-}
-
 interface GetAppConnectionEvent {
   type: EventType.GET_APP_CONNECTION;
   metadata: {
@@ -1932,77 +1907,6 @@ interface DeleteAppConnectionEvent {
   };
 }
 
-interface GetSecretSyncsEvent {
-  type: EventType.GET_SECRET_SYNCS;
-  metadata: {
-    destination?: SecretSync;
-    count: number;
-    syncIds: string[];
-  };
-}
-
-interface GetSecretSyncEvent {
-  type: EventType.GET_SECRET_SYNC;
-  metadata: {
-    destination: SecretSync;
-    syncId: string;
-  };
-}
-
-interface CreateSecretSyncEvent {
-  type: EventType.CREATE_SECRET_SYNC;
-  metadata: TCreateSecretSyncDTO & { syncId: string };
-}
-
-interface UpdateSecretSyncEvent {
-  type: EventType.UPDATE_SECRET_SYNC;
-  metadata: TUpdateSecretSyncDTO;
-}
-
-interface DeleteSecretSyncEvent {
-  type: EventType.DELETE_SECRET_SYNC;
-  metadata: TDeleteSecretSyncDTO;
-}
-
-interface SyncSecretSyncEvent {
-  type: EventType.SYNC_SECRET_SYNC;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "syncStatus" | "environment" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    syncMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-  };
-}
-
-interface ImportSecretSyncEvent {
-  type: EventType.IMPORT_SECRET_SYNC;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "importStatus" | "environment" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    importMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-  };
-}
-
-interface EraseSecretSyncEvent {
-  type: EventType.ERASE_SECRET_SYNC;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "eraseStatus" | "environment" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    eraseMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-  };
-}
-
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2176,16 +2080,7 @@ export type Event =
   | DeleteProjectTemplateEvent
   | ApplyProjectTemplateEvent
   | GetAppConnectionsEvent
-  | GetAvailableAppConnectionsDetailsEvent
   | GetAppConnectionEvent
   | CreateAppConnectionEvent
   | UpdateAppConnectionEvent
-  | DeleteAppConnectionEvent
-  | GetSecretSyncsEvent
-  | GetSecretSyncEvent
-  | CreateSecretSyncEvent
-  | UpdateSecretSyncEvent
-  | DeleteSecretSyncEvent
-  | SyncSecretSyncEvent
-  | ImportSecretSyncEvent
-  | EraseSecretSyncEvent;
+  | DeleteAppConnectionEvent;

backend/src/ee/services/license/license-fns.ts

@@ -24,6 +24,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   rbac: false,
   customRateLimits: false,
   customAlerts: false,
+  secretAccessInsights: false,
   auditLogs: false,
   auditLogsRetentionDays: 0,
   auditLogStreams: false,

backend/src/ee/services/license/license-types.ts

@@ -48,6 +48,7 @@ export type TFeatureSet = {
   samlSSO: false;
   hsm: false;
   oidcSSO: false;
+  secretAccessInsights: false;
   scim: false;
   ldap: false;
   groups: false;

backend/src/ee/services/permission/org-permission.ts

@@ -1,12 +1,4 @@
-import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
-import { z } from "zod";
-
-import {
-  CASL_ACTION_SCHEMA_ENUM,
-  CASL_ACTION_SCHEMA_NATIVE_ENUM
-} from "@app/ee/services/permission/permission-schemas";
-import { PermissionConditionSchema } from "@app/ee/services/permission/permission-types";
-import { PermissionConditionOperators } from "@app/lib/casl";
+import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";
 
 export enum OrgPermissionActions {
   Read = "read",
@@ -15,14 +7,6 @@ export enum OrgPermissionActions {
   Delete = "delete"
 }
 
-export enum OrgPermissionAppConnectionActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  Connect = "connect"
-}
-
 export enum OrgPermissionAdminConsoleAction {
   AccessAllProjects = "access-all-projects"
 }
@@ -47,10 +31,6 @@ export enum OrgPermissionSubjects {
   AppConnections = "app-connections"
 }
 
-export type AppConnectionSubjectFields = {
-  connectionId: string;
-};
-
 export type OrgPermissionSet =
   | [OrgPermissionActions.Create, OrgPermissionSubjects.Workspace]
   | [OrgPermissionActions, OrgPermissionSubjects.Role]
@@ -67,109 +47,9 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
   | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
-  | [
-      OrgPermissionAppConnectionActions,
-      (
-        | OrgPermissionSubjects.AppConnections
-        | (ForcedSubject<OrgPermissionSubjects.AppConnections> & AppConnectionSubjectFields)
-      )
-    ]
+  | [OrgPermissionActions, OrgPermissionSubjects.AppConnections]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 
-const AppConnectionConditionSchema = z
-  .object({
-    connectionId: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-        })
-        .partial()
-    ])
-  })
-  .partial();
-
-export const OrgPermissionSchema = z.discriminatedUnion("subject", [
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Workspace).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_ENUM([OrgPermissionActions.Create]).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Role).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Member).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Settings).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.IncidentAccount).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Sso).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Scim).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Ldap).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Groups).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.SecretScanning).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Billing).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Identity).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Kms).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.AuditLogs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.ProjectTemplates).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.AppConnections).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAppConnectionActions).describe(
-      "Describe what action an entity can take."
-    ),
-    conditions: AppConnectionConditionSchema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.AdminConsole).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAdminConsoleAction).describe(
-      "Describe what action an entity can take."
-    )
-  })
-]);
-
 const buildAdminPermission = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
   // ws permissions
@@ -245,16 +125,10 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);
 
-  can(
-    [
-      OrgPermissionAppConnectionActions.Create,
-      OrgPermissionAppConnectionActions.Edit,
-      OrgPermissionAppConnectionActions.Delete,
-      OrgPermissionAppConnectionActions.Read,
-      OrgPermissionAppConnectionActions.Connect
-    ],
-    OrgPermissionSubjects.AppConnections
-  );
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AppConnections);
 
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
@@ -286,7 +160,7 @@ const buildMemberPermission = () => {
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
 
-  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
 
   return rules;
 };

backend/src/ee/services/permission/permission-dal.ts

@@ -125,6 +125,404 @@ export const permissionDALFactory = (db: TDbClient) => {
     }
   };
 
+  const getProjectGroupPermissions = async (projectId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.GroupProjectMembership)
+        .join(TableName.Groups, `${TableName.Groups}.id`, `${TableName.GroupProjectMembership}.groupId`)
+        .join(
+          TableName.GroupProjectMembershipRole,
+          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
+          `${TableName.GroupProjectMembership}.id`
+        )
+        .leftJoin<TProjectRoles>(
+          { groupCustomRoles: TableName.ProjectRoles },
+          `${TableName.GroupProjectMembershipRole}.customRoleId`,
+          `groupCustomRoles.id`
+        )
+        .where(`${TableName.GroupProjectMembership}.projectId`, "=", projectId)
+        .select(
+          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
+          db.ref("id").withSchema(TableName.Groups).as("groupId"),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("slug").withSchema("groupCustomRoles").as("groupProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema("groupCustomRoles").as("groupProjectMembershipRolePermission"),
+          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRole"),
+          db
+            .ref("customRoleId")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleCustomRoleId"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryAccessEndTime")
+        );
+
+      const groupPermissions = sqlNestRelationships({
+        data: docs,
+        key: "groupId",
+        parentMapper: ({ groupId, groupName, membershipId }) => ({
+          groupId,
+          username: groupName,
+          id: membershipId
+        }),
+        childrenMapper: [
+          {
+            key: "groupProjectMembershipRoleId",
+            label: "groupRoles" as const,
+            mapper: ({
+              groupProjectMembershipRoleId,
+              groupProjectMembershipRole,
+              groupProjectMembershipRolePermission,
+              groupProjectMembershipRoleCustomRoleSlug,
+              groupProjectMembershipRoleIsTemporary,
+              groupProjectMembershipRoleTemporaryMode,
+              groupProjectMembershipRoleTemporaryAccessEndTime,
+              groupProjectMembershipRoleTemporaryAccessStartTime,
+              groupProjectMembershipRoleTemporaryRange
+            }) => ({
+              id: groupProjectMembershipRoleId,
+              role: groupProjectMembershipRole,
+              customRoleSlug: groupProjectMembershipRoleCustomRoleSlug,
+              permissions: groupProjectMembershipRolePermission,
+              temporaryRange: groupProjectMembershipRoleTemporaryRange,
+              temporaryMode: groupProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: groupProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: groupProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: groupProjectMembershipRoleIsTemporary
+            })
+          }
+        ]
+      });
+
+      return groupPermissions
+        .map((groupPermission) => {
+          if (!groupPermission) return undefined;
+
+          const activeGroupRoles =
+            groupPermission?.groupRoles?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          return {
+            ...groupPermission,
+            roles: activeGroupRoles
+          };
+        })
+        .filter((item): item is NonNullable<typeof item> => Boolean(item));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "GetProjectGroupPermissions" });
+    }
+  };
+
+  const getProjectUserPermissions = async (projectId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.Users)
+        .where("isGhost", "=", false)
+        .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
+          void queryBuilder.on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]));
+        })
+        .leftJoin(
+          TableName.GroupProjectMembershipRole,
+          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
+          `${TableName.GroupProjectMembership}.id`
+        )
+        .leftJoin<TProjectRoles>(
+          { groupCustomRoles: TableName.ProjectRoles },
+          `${TableName.GroupProjectMembershipRole}.customRoleId`,
+          `groupCustomRoles.id`
+        )
+        .join(TableName.ProjectMembership, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.ProjectMembership}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`);
+        })
+        .leftJoin(
+          TableName.ProjectUserMembershipRole,
+          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
+          `${TableName.ProjectMembership}.id`
+        )
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.ProjectUserMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
+        .leftJoin(TableName.ProjectUserAdditionalPrivilege, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.ProjectUserAdditionalPrivilege}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.ProjectUserAdditionalPrivilege}.userId`, `${TableName.Users}.id`);
+        })
+        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
+        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
+            .andOn(`${TableName.Organization}.id`, `${TableName.IdentityMetadata}.orgId`);
+        })
+        .select(
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("username").withSchema(TableName.Users).as("username"),
+          // groups specific
+          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
+          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipUpdatedAt"),
+          db.ref("slug").withSchema("groupCustomRoles").as("userGroupProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema("groupCustomRoles").as("userGroupProjectMembershipRolePermission"),
+          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRole"),
+          db
+            .ref("customRoleId")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleCustomRoleId"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryAccessEndTime"),
+          // user specific
+          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
+          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("userProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles).as("userProjectCustomRolePermission"),
+          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRole"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryAccessEndTime"),
+          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesId"),
+          db
+            .ref("permissions")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesPermissions"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryMode"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryRange"),
+          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesUserId"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
+          // general
+          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
+          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("orgId").withSchema(TableName.Project),
+          db.ref("type").withSchema(TableName.Project).as("projectType"),
+          db.ref("id").withSchema(TableName.Project).as("projectId")
+        );
+
+      const userPermissions = sqlNestRelationships({
+        data: docs,
+        key: "userId",
+        parentMapper: ({
+          orgId,
+          username,
+          orgAuthEnforced,
+          membershipId,
+          groupMembershipId,
+          membershipCreatedAt,
+          groupMembershipCreatedAt,
+          groupMembershipUpdatedAt,
+          membershipUpdatedAt,
+          projectType,
+          userId
+        }) => ({
+          orgId,
+          orgAuthEnforced,
+          userId,
+          projectId,
+          username,
+          projectType,
+          id: membershipId || groupMembershipId,
+          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
+          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
+        }),
+        childrenMapper: [
+          {
+            key: "userGroupProjectMembershipRoleId",
+            label: "userGroupRoles" as const,
+            mapper: ({
+              userGroupProjectMembershipRoleId,
+              userGroupProjectMembershipRole,
+              userGroupProjectMembershipRolePermission,
+              userGroupProjectMembershipRoleCustomRoleSlug,
+              userGroupProjectMembershipRoleIsTemporary,
+              userGroupProjectMembershipRoleTemporaryMode,
+              userGroupProjectMembershipRoleTemporaryAccessEndTime,
+              userGroupProjectMembershipRoleTemporaryAccessStartTime,
+              userGroupProjectMembershipRoleTemporaryRange
+            }) => ({
+              id: userGroupProjectMembershipRoleId,
+              role: userGroupProjectMembershipRole,
+              customRoleSlug: userGroupProjectMembershipRoleCustomRoleSlug,
+              permissions: userGroupProjectMembershipRolePermission,
+              temporaryRange: userGroupProjectMembershipRoleTemporaryRange,
+              temporaryMode: userGroupProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: userGroupProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: userGroupProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: userGroupProjectMembershipRoleIsTemporary
+            })
+          },
+          {
+            key: "userProjectMembershipRoleId",
+            label: "projectMembershipRoles" as const,
+            mapper: ({
+              userProjectMembershipRoleId,
+              userProjectMembershipRole,
+              userProjectCustomRolePermission,
+              userProjectMembershipRoleIsTemporary,
+              userProjectMembershipRoleTemporaryMode,
+              userProjectMembershipRoleTemporaryRange,
+              userProjectMembershipRoleTemporaryAccessEndTime,
+              userProjectMembershipRoleTemporaryAccessStartTime,
+              userProjectMembershipRoleCustomRoleSlug
+            }) => ({
+              id: userProjectMembershipRoleId,
+              role: userProjectMembershipRole,
+              customRoleSlug: userProjectMembershipRoleCustomRoleSlug,
+              permissions: userProjectCustomRolePermission,
+              temporaryRange: userProjectMembershipRoleTemporaryRange,
+              temporaryMode: userProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: userProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: userProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: userProjectMembershipRoleIsTemporary
+            })
+          },
+          {
+            key: "userAdditionalPrivilegesId",
+            label: "additionalPrivileges" as const,
+            mapper: ({
+              userAdditionalPrivilegesId,
+              userAdditionalPrivilegesPermissions,
+              userAdditionalPrivilegesIsTemporary,
+              userAdditionalPrivilegesTemporaryMode,
+              userAdditionalPrivilegesTemporaryRange,
+              userAdditionalPrivilegesTemporaryAccessEndTime,
+              userAdditionalPrivilegesTemporaryAccessStartTime
+            }) => ({
+              id: userAdditionalPrivilegesId,
+              permissions: userAdditionalPrivilegesPermissions,
+              temporaryRange: userAdditionalPrivilegesTemporaryRange,
+              temporaryMode: userAdditionalPrivilegesTemporaryMode,
+              temporaryAccessStartTime: userAdditionalPrivilegesTemporaryAccessStartTime,
+              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
+              isTemporary: userAdditionalPrivilegesIsTemporary
+            })
+          },
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
+          }
+        ]
+      });
+
+      return userPermissions
+        .map((userPermission) => {
+          if (!userPermission) return undefined;
+          if (!userPermission?.userGroupRoles?.[0] && !userPermission?.projectMembershipRoles?.[0]) return undefined;
+
+          // when introducting cron mode change it here
+          const activeRoles =
+            userPermission?.projectMembershipRoles?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          const activeGroupRoles =
+            userPermission?.userGroupRoles?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          const activeAdditionalPrivileges =
+            userPermission?.additionalPrivileges?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          return {
+            ...userPermission,
+            roles: [...activeRoles, ...activeGroupRoles],
+            additionalPrivileges: activeAdditionalPrivileges
+          };
+        })
+        .filter((item): item is NonNullable<typeof item> => Boolean(item));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "GetProjectUserPermissions" });
+    }
+  };
+
   const getProjectPermission = async (userId: string, projectId: string) => {
     try {
       const subQueryUserGroups = db(TableName.UserGroupMembership).where("userId", userId).select("groupId");
@@ -414,6 +812,163 @@ export const permissionDALFactory = (db: TDbClient) => {
     }
   };
 
+  const getProjectIdentityPermissions = async (projectId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.IdentityProjectMembership)
+        .join(
+          TableName.IdentityProjectMembershipRole,
+          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
+          `${TableName.IdentityProjectMembership}.id`
+        )
+        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityProjectMembership}.identityId`)
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
+        .leftJoin(
+          TableName.IdentityProjectAdditionalPrivilege,
+          `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`,
+          `${TableName.IdentityProjectMembership}.id`
+        )
+        .join(
+          // Join the Project table to later select orgId
+          TableName.Project,
+          `${TableName.IdentityProjectMembership}.projectId`,
+          `${TableName.Project}.id`
+        )
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
+            .andOn(`${TableName.Project}.orgId`, `${TableName.IdentityMetadata}.orgId`);
+        })
+        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
+        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
+        .select(
+          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
+          db.ref("id").withSchema(TableName.Identity).as("identityId"),
+          db.ref("name").withSchema(TableName.Identity).as("identityName"),
+          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
+          db.ref("type").withSchema(TableName.Project).as("projectType"),
+          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles),
+          db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
+          db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryMode"),
+          db.ref("isTemporary").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryAccessEndTime"),
+          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
+        );
+
+      const permissions = sqlNestRelationships({
+        data: docs,
+        key: "identityId",
+        parentMapper: ({
+          membershipId,
+          membershipCreatedAt,
+          membershipUpdatedAt,
+          orgId,
+          identityName,
+          projectType,
+          identityId
+        }) => ({
+          id: membershipId,
+          identityId,
+          username: identityName,
+          projectId,
+          createdAt: membershipCreatedAt,
+          updatedAt: membershipUpdatedAt,
+          orgId,
+          projectType,
+          // just a prefilled value
+          orgAuthEnforced: false
+        }),
+        childrenMapper: [
+          {
+            key: "id",
+            label: "roles" as const,
+            mapper: (data) =>
+              IdentityProjectMembershipRoleSchema.extend({
+                permissions: z.unknown(),
+                customRoleSlug: z.string().optional().nullable()
+              }).parse(data)
+          },
+          {
+            key: "identityApId",
+            label: "additionalPrivileges" as const,
+            mapper: ({
+              identityApId,
+              identityApPermissions,
+              identityApIsTemporary,
+              identityApTemporaryMode,
+              identityApTemporaryRange,
+              identityApTemporaryAccessEndTime,
+              identityApTemporaryAccessStartTime
+            }) => ({
+              id: identityApId,
+              permissions: identityApPermissions,
+              temporaryRange: identityApTemporaryRange,
+              temporaryMode: identityApTemporaryMode,
+              temporaryAccessEndTime: identityApTemporaryAccessEndTime,
+              temporaryAccessStartTime: identityApTemporaryAccessStartTime,
+              isTemporary: identityApIsTemporary
+            })
+          },
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
+          }
+        ]
+      });
+
+      return permissions
+        .map((permission) => {
+          if (!permission) {
+            return undefined;
+          }
+
+          // when introducting cron mode change it here
+          const activeRoles = permission?.roles.filter(
+            ({ isTemporary, temporaryAccessEndTime }) =>
+              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+          );
+          const activeAdditionalPrivileges = permission?.additionalPrivileges?.filter(
+            ({ isTemporary, temporaryAccessEndTime }) =>
+              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+          );
+
+          return { ...permission, roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
+        })
+        .filter((item): item is NonNullable<typeof item> => Boolean(item));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "GetProjectIdentityPermissions" });
+    }
+  };
+
   const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
     try {
       const docs = await db
@@ -568,6 +1123,9 @@ export const permissionDALFactory = (db: TDbClient) => {
     getOrgPermission,
     getOrgIdentityPermission,
     getProjectPermission,
-    getProjectIdentityPermission
+    getProjectIdentityPermission,
+    getProjectUserPermissions,
+    getProjectIdentityPermissions,
+    getProjectGroupPermissions
   };
 };

backend/src/ee/services/permission/permission-schemas.ts

@@ -1,9 +0,0 @@
-import { z } from "zod";
-
-export const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
-  z
-    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
-    .transform((el) => (typeof el === "string" ? [el] : el));
-
-export const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
-  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));

backend/src/ee/services/permission/permission-service.ts

@@ -405,6 +405,123 @@ export const permissionServiceFactory = ({
         ForbidOnInvalidProjectType: (type: ProjectType) => void;
       };
 
+  const getProjectPermissions = async (projectId: string) => {
+    // fetch user permissions
+    const rawUserProjectPermissions = await permissionDAL.getProjectUserPermissions(projectId);
+    const userPermissions = rawUserProjectPermissions.map((userProjectPermission) => {
+      const rolePermissions =
+        userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+      const additionalPrivileges =
+        userProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
+          role: ProjectMembershipRole.Custom,
+          permissions
+        })) || [];
+
+      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
+      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
+      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+        objectify(
+          userProjectPermission.metadata,
+          (i) => i.key,
+          (i) => i.value
+        )
+      );
+      const interpolateRules = templatedRules(
+        {
+          identity: {
+            id: userProjectPermission.userId,
+            username: userProjectPermission.username,
+            metadata: metadataKeyValuePair
+          }
+        },
+        { data: false }
+      );
+      const permission = createMongoAbility<ProjectPermissionSet>(
+        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
+        {
+          conditionsMatcher
+        }
+      );
+
+      return {
+        permission,
+        id: userProjectPermission.userId,
+        name: userProjectPermission.username,
+        membershipId: userProjectPermission.id
+      };
+    });
+
+    // fetch identity permissions
+    const rawIdentityProjectPermissions = await permissionDAL.getProjectIdentityPermissions(projectId);
+    const identityPermissions = rawIdentityProjectPermissions.map((identityProjectPermission) => {
+      const rolePermissions =
+        identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+      const additionalPrivileges =
+        identityProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
+          role: ProjectMembershipRole.Custom,
+          permissions
+        })) || [];
+
+      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
+      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
+      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+        objectify(
+          identityProjectPermission.metadata,
+          (i) => i.key,
+          (i) => i.value
+        )
+      );
+
+      const interpolateRules = templatedRules(
+        {
+          identity: {
+            id: identityProjectPermission.identityId,
+            username: identityProjectPermission.username,
+            metadata: metadataKeyValuePair
+          }
+        },
+        { data: false }
+      );
+      const permission = createMongoAbility<ProjectPermissionSet>(
+        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
+        {
+          conditionsMatcher
+        }
+      );
+
+      return {
+        permission,
+        id: identityProjectPermission.identityId,
+        name: identityProjectPermission.username,
+        membershipId: identityProjectPermission.id
+      };
+    });
+
+    // fetch group permissions
+    const rawGroupProjectPermissions = await permissionDAL.getProjectGroupPermissions(projectId);
+    const groupPermissions = rawGroupProjectPermissions.map((groupProjectPermission) => {
+      const rolePermissions =
+        groupProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+      const rules = buildProjectPermissionRules(rolePermissions);
+      const permission = createMongoAbility<ProjectPermissionSet>(rules, {
+        conditionsMatcher
+      });
+
+      return {
+        permission,
+        id: groupProjectPermission.groupId,
+        name: groupProjectPermission.username,
+        membershipId: groupProjectPermission.id
+      };
+    });
+
+    return {
+      userPermissions,
+      identityPermissions,
+      groupPermissions
+    };
+  };
+
   const getProjectPermission = async <T extends ActorType>(
     type: T,
     id: string,
@@ -455,6 +572,7 @@ export const permissionServiceFactory = ({
     getOrgPermission,
     getUserProjectPermission,
     getProjectPermission,
+    getProjectPermissions,
     getOrgPermissionByRole,
     getProjectPermissionByRole,
     buildOrgPermission,

backend/src/ee/services/permission/project-permission.ts

@@ -1,10 +1,6 @@
 import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";
 
-import {
-  CASL_ACTION_SCHEMA_ENUM,
-  CASL_ACTION_SCHEMA_NATIVE_ENUM
-} from "@app/ee/services/permission/permission-schemas";
 import { conditionsMatcher, PermissionConditionOperators } from "@app/lib/casl";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
 
@@ -64,8 +60,7 @@ export enum ProjectPermissionSub {
   PkiAlerts = "pki-alerts",
   PkiCollections = "pki-collections",
   Kms = "kms",
-  Cmek = "cmek",
-  SecretSyncs = "secret-syncs"
+  Cmek = "cmek"
 }
 
 export type SecretSubjectFields = {
@@ -145,7 +140,6 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
-  | [ProjectPermissionActions, ProjectPermissionSub.SecretSyncs]
   | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
@@ -153,6 +147,14 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
 
+const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
+  z
+    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
+    .transform((el) => (typeof el === "string" ? [el] : el));
+
+const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
+  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
+
 // akhilmhdh: don't modify this for v2
 // if you want to update create a new schema
 const SecretConditionV1Schema = z
@@ -390,15 +392,10 @@ const GeneralPermissionSchema = [
   }),
   z.object({
     subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
       "Describe what action an entity can take."
     )
-  }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.SecretSyncs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-      "Describe what action an entity can take."
-    )
   })
 ];
 
@@ -514,8 +511,7 @@ const buildAdminPermissionRules = () => {
     ProjectPermissionSub.PkiCollections,
     ProjectPermissionSub.SshCertificateAuthorities,
     ProjectPermissionSub.SshCertificates,
-    ProjectPermissionSub.SshCertificateTemplates,
-    ProjectPermissionSub.SecretSyncs
+    ProjectPermissionSub.SshCertificateTemplates
   ].forEach((el) => {
     can(
       [
@@ -717,16 +713,6 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.Cmek
   );
 
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.SecretSyncs
-  );
-
   return rules;
 };
 
@@ -760,7 +746,6 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateAuthorities);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
 
   return rules;
 };

backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts

@@ -256,6 +256,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
           `${TableName.SecretVersionV2Tag}.${TableName.SecretTag}Id`,
           db.ref("id").withSchema("secVerTag")
         )
+        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(selectAllTableCols(TableName.SecretApprovalRequestSecretV2))
         .select({
           secVerTagId: "secVerTag.id",
@@ -279,6 +280,11 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
           db.ref("key").withSchema(TableName.SecretVersionV2).as("secVerKey"),
           db.ref("encryptedValue").withSchema(TableName.SecretVersionV2).as("secVerValue"),
           db.ref("encryptedComment").withSchema(TableName.SecretVersionV2).as("secVerComment")
+        )
+        .select(
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
         );
       const formatedDoc = sqlNestRelationships({
         data: doc,
@@ -338,9 +344,19 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
                 })
               }
             ]
+          },
+          {
+            key: "metadataId",
+            label: "oldSecretMetadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });
+
       return formatedDoc?.map(({ secret, secretVersion, ...el }) => ({
         ...el,
         secret: secret?.[0],

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -22,6 +22,8 @@ import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
+import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
+import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import {
   decryptSecretWithBot,
@@ -91,6 +93,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
   smtpService: Pick<TSmtpService, "sendMail">;
   userDAL: Pick<TUserDALFactory, "find" | "findOne" | "findById">;
@@ -138,7 +141,8 @@ export const secretApprovalRequestServiceFactory = ({
   secretVersionV2BridgeDAL,
   secretVersionTagV2BridgeDAL,
   licenseService,
-  projectSlackConfigDAL
+  projectSlackConfigDAL,
+  resourceMetadataDAL
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@@ -241,6 +245,7 @@ export const secretApprovalRequestServiceFactory = ({
         secretKey: el.key,
         id: el.id,
         version: el.version,
+        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
         secretValue: el.encryptedValue ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString() : "",
         secretComment: el.encryptedComment
           ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
@@ -269,7 +274,8 @@ export const secretApprovalRequestServiceFactory = ({
               secretComment: el.secretVersion.encryptedComment
                 ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedComment }).toString()
                 : "",
-              tags: el.secretVersion.tags
+              tags: el.secretVersion.tags,
+              secretMetadata: el.oldSecretMetadata as ResourceMetadataDTO
             }
           : undefined
       }));
@@ -543,6 +549,7 @@ export const secretApprovalRequestServiceFactory = ({
           ? await fnSecretV2BridgeBulkInsert({
               tx,
               folderId,
+              orgId: actorOrgId,
               inputSecrets: secretCreationCommits.map((el) => ({
                 tagIds: el?.tags.map(({ id }) => id),
                 version: 1,
@@ -550,6 +557,7 @@ export const secretApprovalRequestServiceFactory = ({
                 encryptedValue: el.encryptedValue,
                 skipMultilineEncoding: el.skipMultilineEncoding,
                 key: el.key,
+                secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                 references: el.encryptedValue
                   ? getAllSecretReferencesV2Bridge(
                       secretManagerDecryptor({
@@ -559,6 +567,7 @@ export const secretApprovalRequestServiceFactory = ({
                   : [],
                 type: SecretType.Shared
               })),
+              resourceMetadataDAL,
               secretDAL: secretV2BridgeDAL,
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretTagDAL,
@@ -568,6 +577,7 @@ export const secretApprovalRequestServiceFactory = ({
         const updatedSecrets = secretUpdationCommits.length
           ? await fnSecretV2BridgeBulkUpdate({
               folderId,
+              orgId: actorOrgId,
               tx,
               inputSecrets: secretUpdationCommits.map((el) => {
                 const encryptedValue =
@@ -592,6 +602,7 @@ export const secretApprovalRequestServiceFactory = ({
                     skipMultilineEncoding: el.skipMultilineEncoding,
                     key: el.key,
                     tags: el?.tags.map(({ id }) => id),
+                    secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                     ...encryptedValue
                   }
                 };
@@ -599,7 +610,8 @@ export const secretApprovalRequestServiceFactory = ({
               secretDAL: secretV2BridgeDAL,
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretTagDAL,
-              secretVersionTagDAL: secretVersionTagV2BridgeDAL
+              secretVersionTagDAL: secretVersionTagV2BridgeDAL,
+              resourceMetadataDAL
             })
           : [];
         const deletedSecret = secretDeletionCommits.length
@@ -824,6 +836,7 @@ export const secretApprovalRequestServiceFactory = ({
     }
     await secretQueueService.syncSecrets({
       projectId,
+      orgId: actorOrgId,
       secretPath: folder.path,
       environmentSlug: folder.environmentSlug,
       actorId,
@@ -1208,6 +1221,7 @@ export const secretApprovalRequestServiceFactory = ({
           ),
           skipMultilineEncoding: createdSecret.skipMultilineEncoding,
           key: createdSecret.secretKey,
+          secretMetadata: createdSecret.secretMetadata,
           type: SecretType.Shared
         }))
       );
@@ -1263,12 +1277,14 @@ export const secretApprovalRequestServiceFactory = ({
             reminderNote,
             secretComment,
             metadata,
-            skipMultilineEncoding
+            skipMultilineEncoding,
+            secretMetadata
           }) => {
             const secretId = updatingSecretsGroupByKey[secretKey][0].id;
             if (tagIds?.length) commitTagIds[secretKey] = tagIds;
             return {
               ...latestSecretVersions[secretId],
+              secretMetadata,
               key: newSecretName || secretKey,
               encryptedComment: setKnexStringValue(
                 secretComment,
@@ -1370,7 +1386,8 @@ export const secretApprovalRequestServiceFactory = ({
             reminderRepeatDays,
             encryptedValue,
             secretId,
-            secretVersion
+            secretVersion,
+            secretMetadata
           }) => ({
             version,
             requestId: doc.id,
@@ -1383,7 +1400,8 @@ export const secretApprovalRequestServiceFactory = ({
             reminderRepeatDays,
             reminderNote,
             encryptedComment,
-            key
+            key,
+            secretMetadata: JSON.stringify(secretMetadata)
           })
         ),
         tx

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -1,5 +1,6 @@
 import { TImmutableDBKeys, TSecretApprovalPolicies, TSecretApprovalRequestsSecrets } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
+import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations } from "@app/services/secret/secret-types";
 
 export enum RequestState {
@@ -34,6 +35,7 @@ export type TApprovalCreateSecretV2Bridge = {
   reminderRepeatDays?: number | null;
   skipMultilineEncoding?: boolean;
   metadata?: Record<string, string>;
+  secretMetadata?: ResourceMetadataDTO;
   tagIds?: string[];
 };
 

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -13,6 +13,8 @@ import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
+import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
+import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { fnSecretBulkInsert, fnSecretBulkUpdate } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory, uniqueSecretQueueKey } from "@app/services/secret/secret-queue";
@@ -56,6 +58,7 @@ type TSecretReplicationServiceFactoryDep = {
   >;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "find" | "insertMany">;
   secretVersionV2TagBridgeDAL: Pick<TSecretVersionV2TagDALFactory, "find" | "insertMany">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "replicateSecrets">;
   queueService: Pick<TQueueServiceFactory, "start" | "listen" | "queue" | "stopJobById">;
   secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
@@ -121,7 +124,8 @@ export const secretReplicationServiceFactory = ({
   secretVersionV2TagBridgeDAL,
   secretVersionV2BridgeDAL,
   secretV2BridgeDAL,
-  kmsService
+  kmsService,
+  resourceMetadataDAL
 }: TSecretReplicationServiceFactoryDep) => {
   const $getReplicatedSecrets = (
     botKey: string,
@@ -151,8 +155,10 @@ export const secretReplicationServiceFactory = ({
   };
 
   const $getReplicatedSecretsV2 = (
-    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[],
-    importedSecrets: { secrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[] }[]
+    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[],
+    importedSecrets: {
+      secrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[];
+    }[]
   ) => {
     const deDupe = new Set<string>();
     const secrets = [...localSecrets];
@@ -178,6 +184,7 @@ export const secretReplicationServiceFactory = ({
       secretPath,
       environmentSlug,
       projectId,
+      orgId,
       actorId,
       actor,
       pickOnlyImportIds,
@@ -222,6 +229,7 @@ export const secretReplicationServiceFactory = ({
           .map(({ folderId }) =>
             secretQueueService.replicateSecrets({
               projectId,
+              orgId,
               secretPath: foldersGroupedById[folderId][0]?.path as string,
               environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
               actorId,
@@ -267,6 +275,7 @@ export const secretReplicationServiceFactory = ({
           ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
           : undefined
       }));
+
       const sourceSecrets = $getReplicatedSecretsV2(sourceDecryptedLocalSecrets, sourceImportedSecrets);
       const sourceSecretsGroupByKey = groupBy(sourceSecrets, (i) => i.key);
 
@@ -333,13 +342,29 @@ export const secretReplicationServiceFactory = ({
               .map((el) => ({ ...el, operation: SecretOperations.Create })); // rewrite update ops to create
 
             const locallyUpdatedSecrets = sourceSecrets
-              .filter(
-                ({ key, secretKey, secretValue }) =>
+              .filter(({ key, secretKey, secretValue, secretMetadata }) => {
+                const sourceSecretMetadataJson = JSON.stringify(
+                  (secretMetadata ?? []).map((entry) => ({
+                    key: entry.key,
+                    value: entry.value
+                  }))
+                );
+
+                const destinationSecretMetadataJson = JSON.stringify(
+                  (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretMetadata ?? []).map((entry) => ({
+                    key: entry.key,
+                    value: entry.value
+                  }))
+                );
+
+                return (
                   destinationLocalSecretsGroupedByKey[key]?.[0] &&
                   // if key or value changed
                   (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretKey !== secretKey ||
-                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue)
-              )
+                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue ||
+                    sourceSecretMetadataJson !== destinationSecretMetadataJson)
+                );
+              })
               .map((el) => ({ ...el, operation: SecretOperations.Update })); // rewrite update ops to create
 
             const locallyDeletedSecrets = destinationLocalSecrets
@@ -387,6 +412,7 @@ export const secretReplicationServiceFactory = ({
                       op: operation,
                       requestId: approvalRequestDoc.id,
                       metadata: doc.metadata,
+                      secretMetadata: JSON.stringify(doc.secretMetadata),
                       key: doc.key,
                       encryptedValue: doc.encryptedValue,
                       encryptedComment: doc.encryptedComment,
@@ -406,10 +432,12 @@ export const secretReplicationServiceFactory = ({
                 if (locallyCreatedSecrets.length) {
                   await fnSecretV2BridgeBulkInsert({
                     folderId: destinationReplicationFolderId,
+                    orgId,
                     secretVersionDAL: secretVersionV2BridgeDAL,
                     secretDAL: secretV2BridgeDAL,
                     tx,
                     secretTagDAL,
+                    resourceMetadataDAL,
                     secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                     inputSecrets: locallyCreatedSecrets.map((doc) => {
                       return {
@@ -419,6 +447,7 @@ export const secretReplicationServiceFactory = ({
                         encryptedValue: doc.encryptedValue,
                         encryptedComment: doc.encryptedComment,
                         skipMultilineEncoding: doc.skipMultilineEncoding,
+                        secretMetadata: doc.secretMetadata,
                         references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                       };
                     })
@@ -426,10 +455,12 @@ export const secretReplicationServiceFactory = ({
                 }
                 if (locallyUpdatedSecrets.length) {
                   await fnSecretV2BridgeBulkUpdate({
+                    orgId,
                     folderId: destinationReplicationFolderId,
                     secretVersionDAL: secretVersionV2BridgeDAL,
                     secretDAL: secretV2BridgeDAL,
                     tx,
+                    resourceMetadataDAL,
                     secretTagDAL,
                     secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                     inputSecrets: locallyUpdatedSecrets.map((doc) => {
@@ -445,6 +476,7 @@ export const secretReplicationServiceFactory = ({
                           encryptedValue: doc.encryptedValue as Buffer,
                           encryptedComment: doc.encryptedComment,
                           skipMultilineEncoding: doc.skipMultilineEncoding,
+                          secretMetadata: doc.secretMetadata,
                           references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                         }
                       };
@@ -466,6 +498,7 @@ export const secretReplicationServiceFactory = ({
 
               await secretQueueService.syncSecrets({
                 projectId,
+                orgId,
                 secretPath: destinationFolder.path,
                 environmentSlug: destinationFolder.environmentSlug,
                 actorId,
@@ -751,6 +784,7 @@ export const secretReplicationServiceFactory = ({
 
             await secretQueueService.syncSecrets({
               projectId,
+              orgId,
               secretPath: destinationFolder.path,
               environmentSlug: destinationFolder.environmentSlug,
               actorId,

backend/src/keystore/keystore.ts

@@ -23,8 +23,6 @@ export const KeyStorePrefixes = {
     `sync-integration-mutex-${projectId}-${environmentSlug}-${secretPath}` as const,
   SyncSecretIntegrationLastRunTimestamp: (projectId: string, environmentSlug: string, secretPath: string) =>
     `sync-integration-last-run-${projectId}-${environmentSlug}-${secretPath}` as const,
-  SecretSyncLock: (syncId: string) => `secret-sync-mutex-${syncId}` as const,
-  SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
   IdentityAccessTokenStatusUpdate: (identityAccessTokenId: string) =>
     `identity-access-token-status:${identityAccessTokenId}`,
   ServiceTokenStatusUpdate: (serviceTokenId: string) => `service-token-status:${serviceTokenId}`
@@ -32,7 +30,6 @@ export const KeyStorePrefixes = {
 
 export const KeyStoreTtls = {
   SetSyncSecretIntegrationLastRunTimestampInSeconds: 60,
-  SetSecretSyncLastRunTimestampInSeconds: 60,
   AccessTokenStatusUpdateInSeconds: 120
 };
 

backend/src/lib/api-docs/constants.ts

@@ -1,7 +1,5 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 
 export const GROUPS = {
   CREATE: {
@@ -743,6 +741,12 @@ export const RAW_SECRETS = {
     workspaceId: "The ID of the project where the secret is located.",
     environment: "The slug of the environment where the the secret is located.",
     secretPath: "The folder path where the secret is located."
+  },
+  GET_ACCESS_LIST: {
+    secretName: "The name of the secret to get the access list for.",
+    workspaceId: "The ID of the project where the secret is located.",
+    environment: "The slug of the environment where the the secret is located.",
+    secretPath: "The folder path where the secret is located."
   }
 } as const;
 
@@ -1152,7 +1156,8 @@ export const INTEGRATION = {
       shouldMaskSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Masked'.",
       shouldProtectSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Protected'.",
       shouldEnableDelete: "The flag to enable deletion of secrets.",
-      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy."
+      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy.",
+      metadataSyncMode: "The mode for syncing metadata to external system"
     }
   },
   UPDATE: {
@@ -1638,66 +1643,6 @@ export const AppConnections = {
     };
   },
   DELETE: (app: AppConnection) => ({
-    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to be deleted.`
+    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} connection to be deleted.`
   })
 };
-
-export const SecretSyncs = {
-  LIST: (destination?: SecretSync) => ({
-    projectId: `The ID of the project to list ${destination ? SECRET_SYNC_NAME_MAP[destination] : "Secret"} Syncs from.`
-  }),
-  GET_BY_ID: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`
-  }),
-  GET_BY_NAME: (destination: SecretSync) => ({
-    syncName: `The name of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`,
-    projectId: `The ID of the project the ${SECRET_SYNC_NAME_MAP[destination]} Sync is associated with.`
-  }),
-  CREATE: (destination: SecretSync) => {
-    const destinationName = SECRET_SYNC_NAME_MAP[destination];
-    return {
-      name: `The name of the ${destinationName} Sync to create. Must be slug-friendly.`,
-      description: `An optional description for the ${destinationName} Sync.`,
-      folderId: `The ID of the project folder to sync secrets from.`,
-      connectionId: `The ID of the ${
-        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
-      } Connection to use for syncing.`,
-      isEnabled: `Whether secrets should be synced automatically or not.`,
-      syncOptions: "Optional parameters to modify how secrets are synced."
-    };
-  },
-  UPDATE: (destination: SecretSync) => {
-    const destinationName = SECRET_SYNC_NAME_MAP[destination];
-    return {
-      syncId: `The ID of the ${destinationName} Sync to be updated.`,
-      name: `The updated name of the ${destinationName} Sync. Must be slug-friendly.`,
-      folderId: `The updated project folder ID to sync secrets from.`,
-      description: `The updated description of the ${destinationName} Sync.`,
-      isEnabled: `Whether secrets should be synced automatically or not.`,
-      syncOptions: "Optional parameters to modify how secrets are synced."
-    };
-  },
-  DELETE: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to be deleted.`
-  }),
-  SYNC: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger a sync for.`
-  }),
-  IMPORT: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger an import for.`,
-    shouldOverwrite: `Specify whether newly imported secrets should override existing secrets with matching names in Infisical.`
-  }),
-  ERASE: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger an erase for.`
-  }),
-  SYNC_OPTIONS: {
-    PREPEND_PREFIX: "Optionally prepend a prefix to your secrets' keys when syncing.",
-    APPEND_SUFFIX: "Optionally append a suffix to your secrets' keys when syncing."
-  },
-  DESTINATION_CONFIG: {
-    AWS_PARAMETER_STORE: {
-      REGION: "The AWS region to sync secrets to.",
-      PATH: "The Parameter Store path to sync secrets to."
-    }
-  }
-};

backend/src/lib/fn/string.ts

@@ -16,7 +16,3 @@ export const prefixWithSlash = (str: string) => {
 };
 
 export const startsWithVowel = (str: string) => /^[aeiou]/i.test(str);
-
-export const wrapWithSlashes = (str: string) => {
-  return `${str.startsWith("/") ? "" : "/"}${str}${str.endsWith("/") ? "" : `/`}`;
-};

backend/src/queue/queue-service.ts

@@ -15,12 +15,6 @@ import {
   TIntegrationSyncPayload,
   TSyncSecretsDTO
 } from "@app/services/secret/secret-types";
-import {
-  TQueueSecretSyncByIdDTO,
-  TQueueSecretSyncEraseByIdDTO,
-  TQueueSecretSyncImportByIdDTO,
-  TQueueSendSecretSyncActionFailedNotificationsDTO
-} from "@app/services/secret-sync/secret-sync-types";
 
 export enum QueueName {
   SecretRotation = "secret-rotation",
@@ -42,8 +36,7 @@ export enum QueueName {
   SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
   ProjectV3Migration = "project-v3-migration",
   AccessTokenStatusUpdate = "access-token-status-update",
-  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
-  AppConnectionSecretSync = "app-connection-secret-sync"
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
 }
 
 export enum QueueJobs {
@@ -68,11 +61,7 @@ export enum QueueJobs {
   ProjectV3Migration = "project-v3-migration",
   IdentityAccessTokenStatusUpdate = "identity-access-token-status-update",
   ServiceTokenStatusUpdate = "service-token-status-update",
-  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
-  AppConnectionSecretSync = "app-connection-secret-sync",
-  AppConnectionSecretSyncImport = "app-connection-secret-sync-import",
-  AppConnectionSecretSyncErase = "app-connection-secret-sync-erase",
-  AppConnectionSendSecretSyncActionFailedNotifications = "app-connection-send-secret-sync-action-failed-notifications"
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
 }
 
 export type TQueueJobTypes = {
@@ -195,23 +184,6 @@ export type TQueueJobTypes = {
       };
     };
   };
-  [QueueName.AppConnectionSecretSync]:
-    | {
-        name: QueueJobs.AppConnectionSecretSync;
-        payload: TQueueSecretSyncByIdDTO;
-      }
-    | {
-        name: QueueJobs.AppConnectionSecretSyncImport;
-        payload: TQueueSecretSyncImportByIdDTO;
-      }
-    | {
-        name: QueueJobs.AppConnectionSecretSyncErase;
-        payload: TQueueSecretSyncEraseByIdDTO;
-      }
-    | {
-        name: QueueJobs.AppConnectionSendSecretSyncActionFailedNotifications;
-        payload: TQueueSendSecretSyncActionFailedNotificationsDTO;
-      };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;

backend/src/server/routes/index.ts

@@ -181,6 +181,7 @@ import { projectUserMembershipRoleDALFactory } from "@app/services/project-membe
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
 import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
+import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
 import { secretQueueFactory } from "@app/services/secret/secret-queue";
 import { secretServiceFactory } from "@app/services/secret/secret-service";
@@ -195,9 +196,6 @@ import { secretImportDALFactory } from "@app/services/secret-import/secret-impor
 import { secretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { secretSharingDALFactory } from "@app/services/secret-sharing/secret-sharing-dal";
 import { secretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
-import { secretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
-import { secretSyncQueueFactory } from "@app/services/secret-sync/secret-sync-queue";
-import { secretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { secretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 import { secretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { secretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
@@ -320,7 +318,6 @@ export const registerRoutes = async (
   const trustedIpDAL = trustedIpDALFactory(db);
   const telemetryDAL = telemetryDALFactory(db);
   const appConnectionDAL = appConnectionDALFactory(db);
-  const secretSyncDAL = secretSyncDALFactory(db, folderDAL);
 
   // ee db layer ops
   const permissionDAL = permissionDALFactory(db);
@@ -378,6 +375,7 @@ export const registerRoutes = async (
   const externalGroupOrgRoleMappingDAL = externalGroupOrgRoleMappingDALFactory(db);
 
   const projectTemplateDAL = projectTemplateDALFactory(db);
+  const resourceMetadataDAL = resourceMetadataDALFactory(db);
 
   const permissionService = permissionServiceFactory({
     permissionDAL,
@@ -825,28 +823,6 @@ export const registerRoutes = async (
     kmsService
   });
 
-  const secretSyncQueue = secretSyncQueueFactory({
-    queueService,
-    secretSyncDAL,
-    folderDAL,
-    secretImportDAL,
-    secretV2BridgeDAL,
-    kmsService,
-    keyStore,
-    auditLogService,
-    smtpService,
-    projectDAL,
-    projectMembershipDAL,
-    projectBotDAL,
-    secretDAL,
-    secretBlindIndexDAL,
-    secretVersionDAL,
-    secretTagDAL,
-    secretVersionTagDAL,
-    secretVersionV2BridgeDAL,
-    secretVersionTagV2BridgeDAL
-  });
-
   const secretQueueService = secretQueueFactory({
     keyStore,
     queueService,
@@ -881,7 +857,7 @@ export const registerRoutes = async (
     projectKeyDAL,
     projectUserMembershipRoleDAL,
     orgService,
-    secretSyncQueue
+    resourceMetadataDAL
   });
 
   const projectService = projectServiceFactory({
@@ -1007,7 +983,8 @@ export const registerRoutes = async (
     secretApprovalPolicyService,
     secretApprovalRequestSecretDAL,
     kmsService,
-    snapshotService
+    snapshotService,
+    resourceMetadataDAL
   });
 
   const secretApprovalRequestService = secretApprovalRequestServiceFactory({
@@ -1034,7 +1011,8 @@ export const registerRoutes = async (
     projectEnvDAL,
     userDAL,
     licenseService,
-    projectSlackConfigDAL
+    projectSlackConfigDAL,
+    resourceMetadataDAL
   });
 
   const secretService = secretServiceFactory({
@@ -1055,7 +1033,8 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     secretApprovalRequestSecretDAL,
     secretV2BridgeService,
-    secretApprovalRequestService
+    secretApprovalRequestService,
+    licenseService
   });
 
   const secretSharingService = secretSharingServiceFactory({
@@ -1113,8 +1092,10 @@ export const registerRoutes = async (
     kmsService,
     secretV2BridgeDAL,
     secretVersionV2TagBridgeDAL: secretVersionTagV2BridgeDAL,
-    secretVersionV2BridgeDAL
+    secretVersionV2BridgeDAL,
+    resourceMetadataDAL
   });
+
   const secretRotationQueue = secretRotationQueueFactory({
     telemetryService,
     secretRotationDAL,
@@ -1366,7 +1347,8 @@ export const registerRoutes = async (
     folderDAL,
     secretDAL: secretV2BridgeDAL,
     queueService,
-    secretV2BridgeService
+    secretV2BridgeService,
+    resourceMetadataDAL
   });
 
   const migrationService = externalMigrationServiceFactory({
@@ -1389,17 +1371,6 @@ export const registerRoutes = async (
     licenseService
   });
 
-  const secretSyncService = secretSyncServiceFactory({
-    secretSyncDAL,
-    permissionService,
-    appConnectionService,
-    licenseService,
-    folderDAL,
-    secretSyncQueue,
-    projectBotService,
-    keyStore
-  });
-
   await superAdminService.initServerCfg();
 
   // setup the communication with license key server
@@ -1497,8 +1468,7 @@ export const registerRoutes = async (
     externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService,
     projectTemplate: projectTemplateService,
     totp: totpService,
-    appConnection: appConnectionService,
-    secretSync: secretSyncService
+    appConnection: appConnectionService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/v1/app-connection-routers/apps/app-connection-endpoints.ts

@@ -15,7 +15,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
   app,
   createSchema,
   updateSchema,
-  sanitizedResponseSchema
+  responseSchema
 }: {
   app: AppConnection;
   server: FastifyZodProvider;
@@ -26,7 +26,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     description?: string | null;
   }>;
   updateSchema: z.ZodType<{ name?: string; credentials?: I["credentials"]; description?: string | null }>;
-  sanitizedResponseSchema: z.ZodTypeAny;
+  responseSchema: z.ZodTypeAny;
 }) => {
   const appName = APP_CONNECTION_NAME_MAP[app];
 
@@ -39,7 +39,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     schema: {
       description: `List the ${appName} Connections for the current organization.`,
       response: {
-        200: z.object({ appConnections: sanitizedResponseSchema.array() })
+        200: z.object({ appConnections: responseSchema.array() })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -63,44 +63,6 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     }
   });
 
-  server.route({
-    method: "GET",
-    url: "/available",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: `List the ${appName} Connections the current user has permission to establish connections with.`,
-      response: {
-        200: z.object({
-          appConnections: z.object({ app: z.literal(app), name: z.string(), id: z.string().uuid() }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const appConnections = await server.services.appConnection.listAvailableAppConnectionsForUser(
-        app,
-        req.permission
-      );
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS,
-          metadata: {
-            app,
-            count: appConnections.length,
-            connectionIds: appConnections.map((connection) => connection.id)
-          }
-        }
-      });
-
-      return { appConnections };
-    }
-  });
-
   server.route({
     method: "GET",
     url: "/:connectionId",
@@ -113,7 +75,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
         connectionId: z.string().uuid().describe(AppConnections.GET_BY_ID(app).connectionId)
       }),
       response: {
-        200: z.object({ appConnection: sanitizedResponseSchema })
+        200: z.object({ appConnection: responseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -152,12 +114,11 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       params: z.object({
         connectionName: z
           .string()
-          .trim()
-          .min(1, "Connection name required")
+          .min(0, "Connection name required")
           .describe(AppConnections.GET_BY_NAME(app).connectionName)
       }),
       response: {
-        200: z.object({ appConnection: sanitizedResponseSchema })
+        200: z.object({ appConnection: responseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -197,7 +158,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       } ${appName} Connection for the current organization.`,
       body: createSchema,
       response: {
-        200: z.object({ appConnection: sanitizedResponseSchema })
+        200: z.object({ appConnection: responseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -207,7 +168,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       const appConnection = (await server.services.appConnection.createAppConnection(
         { name, method, app, credentials, description },
         req.permission
-      )) as T;
+      )) as TAppConnection;
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -240,7 +201,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       }),
       body: updateSchema,
       response: {
-        200: z.object({ appConnection: sanitizedResponseSchema })
+        200: z.object({ appConnection: responseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -283,7 +244,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
         connectionId: z.string().uuid().describe(AppConnections.DELETE(app).connectionId)
       }),
       response: {
-        200: z.object({ appConnection: sanitizedResponseSchema })
+        200: z.object({ appConnection: responseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),

backend/src/server/routes/v1/app-connection-routers/apps/aws-connection-router.ts

@@ -11,7 +11,7 @@ export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
   registerAppConnectionEndpoints({
     app: AppConnection.AWS,
     server,
-    sanitizedResponseSchema: SanitizedAwsConnectionSchema,
+    responseSchema: SanitizedAwsConnectionSchema,
     createSchema: CreateAwsConnectionSchema,
     updateSchema: UpdateAwsConnectionSchema
   });

backend/src/server/routes/v1/app-connection-routers/apps/github-connection-router.ts

@@ -11,7 +11,7 @@ export const registerGitHubConnectionRouter = async (server: FastifyZodProvider)
   registerAppConnectionEndpoints({
     app: AppConnection.GitHub,
     server,
-    sanitizedResponseSchema: SanitizedGitHubConnectionSchema,
+    responseSchema: SanitizedGitHubConnectionSchema,
     createSchema: CreateGitHubConnectionSchema,
     updateSchema: UpdateGitHubConnectionSchema
   });

backend/src/server/routes/v1/app-connection-routers/apps/index.ts

@@ -0,0 +1,8 @@
+import { registerAwsConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/aws-connection-router";
+import { registerGitHubConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/github-connection-router";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const APP_CONNECTION_REGISTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> = {
+  [AppConnection.AWS]: registerAwsConnectionRouter,
+  [AppConnection.GitHub]: registerGitHubConnectionRouter
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -1,12 +1,2 @@
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-import { registerAwsConnectionRouter } from "./aws-connection-router";
-import { registerGitHubConnectionRouter } from "./github-connection-router";
-
 export * from "./app-connection-router";
-
-export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> =
-  {
-    [AppConnection.AWS]: registerAwsConnectionRouter,
-    [AppConnection.GitHub]: registerGitHubConnectionRouter
-  };
+export * from "./apps";

backend/src/server/routes/v1/dashboard-router.ts

@@ -17,6 +17,7 @@ import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
@@ -116,6 +117,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
+              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -408,6 +410,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
+              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -693,6 +696,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
+              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -864,6 +868,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
+              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,

backend/src/server/routes/v1/index.ts

@@ -1,10 +1,6 @@
-import {
-  APP_CONNECTION_REGISTER_ROUTER_MAP,
-  registerAppConnectionRouter
-} from "@app/server/routes/v1/app-connection-routers";
+import { APP_CONNECTION_REGISTER_MAP, registerAppConnectionRouter } from "@app/server/routes/v1/app-connection-routers";
 import { registerCmekRouter } from "@app/server/routes/v1/cmek-router";
 import { registerDashboardRouter } from "@app/server/routes/v1/dashboard-router";
-import { registerSecretSyncRouter, SECRET_SYNC_REGISTER_ROUTER_MAP } from "@app/server/routes/v1/secret-sync-routers";
 
 import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
@@ -117,28 +113,12 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerExternalGroupOrgRoleMappingRouter, { prefix: "/external-group-mappings" });
 
   await server.register(
-    async (appConnectionRouter) => {
-      // register generic app connection endpoints
-      await appConnectionRouter.register(registerAppConnectionRouter);
-
-      // register service specific endpoints (app-connections/aws, app-connections/github, etc.)
-      for await (const [app, router] of Object.entries(APP_CONNECTION_REGISTER_ROUTER_MAP)) {
-        await appConnectionRouter.register(router, { prefix: `/${app}` });
+    async (appConnectionsRouter) => {
+      await appConnectionsRouter.register(registerAppConnectionRouter);
+      for await (const [app, router] of Object.entries(APP_CONNECTION_REGISTER_MAP)) {
+        await appConnectionsRouter.register(router, { prefix: `/${app}` });
       }
     },
     { prefix: "/app-connections" }
   );
-
-  await server.register(
-    async (secretSyncRouter) => {
-      // register generic secret sync endpoints
-      await secretSyncRouter.register(registerSecretSyncRouter);
-
-      // register service specific secret sync endpoints (secret-syncs/aws-parameter-store, secret-syncs/github, etc.)
-      for await (const [destination, router] of Object.entries(SECRET_SYNC_REGISTER_ROUTER_MAP)) {
-        await secretSyncRouter.register(router, { prefix: `/${destination}` });
-      }
-    },
-    { prefix: "/secret-syncs" }
-  );
 };

backend/src/server/routes/v1/secret-sync-routers/aws-parameter-store-sync-router.ts

@@ -1,17 +0,0 @@
-import {
-  AwsParameterStoreSyncSchema,
-  CreateAwsParameterStoreSyncSchema,
-  UpdateAwsParameterStoreSyncSchema
-} from "@app/services/secret-sync/aws-parameter-store";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
-
-export const registerAwsParameterStoreSyncRouter = async (server: FastifyZodProvider) =>
-  registerSyncSecretsEndpoints({
-    destination: SecretSync.AWSParameterStore,
-    server,
-    responseSchema: AwsParameterStoreSyncSchema,
-    createSchema: CreateAwsParameterStoreSyncSchema,
-    updateSchema: UpdateAwsParameterStoreSyncSchema
-  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -1,9 +0,0 @@
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-import { registerAwsParameterStoreSyncRouter } from "./aws-parameter-store-sync-router";
-
-export * from "./secret-sync-router";
-
-export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: FastifyZodProvider) => Promise<void>> = {
-  [SecretSync.AWSParameterStore]: registerAwsParameterStoreSyncRouter
-};

backend/src/server/routes/v1/secret-sync-routers/secret-sync-endpoints.ts

@@ -1,398 +0,0 @@
-import { z } from "zod";
-
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SecretSyncs } from "@app/lib/api-docs";
-import { startsWithVowel } from "@app/lib/fn";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
-import { TSecretSync, TSecretSyncInput } from "@app/services/secret-sync/secret-sync-types";
-
-export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TSecretSyncInput>({
-  server,
-  destination,
-  createSchema,
-  updateSchema,
-  responseSchema
-}: {
-  destination: SecretSync;
-  server: FastifyZodProvider;
-  createSchema: z.ZodType<{
-    name: string;
-    folderId: string;
-    connectionId: string;
-    destinationConfig: I["destinationConfig"];
-    syncOptions?: I["syncOptions"];
-    description?: string | null;
-  }>;
-  updateSchema: z.ZodType<{
-    name?: string;
-    folderId?: string;
-    destinationConfig?: I["destinationConfig"];
-    syncOptions?: I["syncOptions"];
-    description?: string | null;
-  }>;
-  responseSchema: z.ZodTypeAny;
-}) => {
-  const destinationName = SECRET_SYNC_NAME_MAP[destination];
-
-  server.route({
-    method: "GET",
-    url: `/`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: `List the ${destinationName} Syncs for the specified project.`,
-      querystring: z.object({
-        projectId: z.string().trim().min(1, "Project ID required").describe(SecretSyncs.LIST(destination).projectId)
-      }),
-      response: {
-        200: z.object({ secretSyncs: responseSchema.array() })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const {
-        query: { projectId }
-      } = req;
-
-      const secretSyncs = (await server.services.secretSync.listSecretSyncsByProjectId(
-        { projectId, destination },
-        req.permission
-      )) as T[];
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId,
-        event: {
-          type: EventType.GET_SECRET_SYNCS,
-          metadata: {
-            destination,
-            count: secretSyncs.length,
-            syncIds: secretSyncs.map((connection) => connection.id)
-          }
-        }
-      });
-
-      return { secretSyncs };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:syncId",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: `Get the specified ${destinationName} Sync by ID.`,
-      params: z.object({
-        syncId: z.string().uuid().describe(SecretSyncs.GET_BY_ID(destination).syncId)
-      }),
-      response: {
-        200: z.object({ secretSync: responseSchema })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { syncId } = req.params;
-
-      const secretSync = (await server.services.secretSync.findSecretSyncById(
-        { syncId, destination },
-        req.permission
-      )) as T;
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: secretSync.projectId,
-        event: {
-          type: EventType.GET_SECRET_SYNC,
-          metadata: {
-            syncId,
-            destination
-          }
-        }
-      });
-
-      return { secretSync };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: `/name/:syncName`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: `Get the specified ${destinationName} Sync by name and project ID.`,
-      params: z.object({
-        syncName: z.string().trim().min(1, "Sync name required").describe(SecretSyncs.GET_BY_NAME(destination).syncName)
-      }),
-      querystring: z.object({
-        projectId: z
-          .string()
-          .trim()
-          .min(1, "Project ID required")
-          .describe(SecretSyncs.GET_BY_NAME(destination).projectId)
-      }),
-      response: {
-        200: z.object({ secretSync: responseSchema })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { syncName } = req.params;
-      const { projectId } = req.query;
-
-      const secretSync = (await server.services.secretSync.findSecretSyncByName(
-        { syncName, projectId, destination },
-        req.permission
-      )) as T;
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId,
-        event: {
-          type: EventType.GET_SECRET_SYNC,
-          metadata: {
-            syncId: secretSync.id,
-            destination
-          }
-        }
-      });
-
-      return { secretSync };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: `Create ${
-        startsWithVowel(destinationName) ? "an" : "a"
-      } ${destinationName} Sync for the specified project environment.`,
-      body: createSchema,
-      response: {
-        200: z.object({ secretSync: responseSchema })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const syncOptions = req.body.syncOptions ?? {};
-
-      const secretSync = (await server.services.secretSync.createSecretSync(
-        { ...req.body, destination, syncOptions },
-        req.permission
-      )) as T;
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: secretSync.projectId,
-        event: {
-          type: EventType.CREATE_SECRET_SYNC,
-          metadata: {
-            syncId: secretSync.id,
-            destination,
-            ...req.body,
-            syncOptions
-          }
-        }
-      });
-
-      return { secretSync };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:syncId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: `Update the specified ${destinationName} Connection.`,
-      params: z.object({
-        syncId: z.string().uuid().describe(SecretSyncs.UPDATE(destination).syncId)
-      }),
-      body: updateSchema,
-      response: {
-        200: z.object({ secretSync: responseSchema })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { syncId } = req.params;
-
-      const secretSync = (await server.services.secretSync.updateSecretSync(
-        { ...req.body, syncId, destination },
-        req.permission
-      )) as T;
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: secretSync.projectId,
-        event: {
-          type: EventType.UPDATE_SECRET_SYNC,
-          metadata: {
-            syncId,
-            destination,
-            ...req.body
-          }
-        }
-      });
-
-      return { secretSync };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: `/:syncId`,
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: `Delete the specified ${destinationName} Connection.`,
-      params: z.object({
-        syncId: z.string().uuid().describe(SecretSyncs.DELETE(destination).syncId)
-      }),
-      response: {
-        200: z.object({ secretSync: responseSchema })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { syncId } = req.params;
-
-      const secretSync = (await server.services.secretSync.deleteSecretSync(
-        { destination, syncId },
-        req.permission
-      )) as T;
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.DELETE_SECRET_SYNC,
-          metadata: {
-            destination,
-            syncId
-          }
-        }
-      });
-
-      return { secretSync };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:syncId/sync",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: `Trigger a sync for the specified ${destinationName} Sync.`,
-      params: z.object({
-        syncId: z.string().uuid().describe(SecretSyncs.SYNC(destination).syncId)
-      }),
-      response: {
-        200: z.object({ secretSync: responseSchema })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { syncId } = req.params;
-
-      const secretSync = (await server.services.secretSync.triggerSecretSyncById(
-        {
-          syncId,
-          destination,
-          auditLogInfo: req.auditLogInfo
-        },
-        req.permission
-      )) as T;
-
-      return { secretSync };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:syncId/import",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: `Import secrets from the specified ${destinationName} Sync destination.`,
-      params: z.object({
-        syncId: z.string().uuid().describe(SecretSyncs.IMPORT(destination).syncId)
-      }),
-      querystring: z.object({
-        shouldOverwrite: z
-          .enum(["true", "false"])
-          .optional()
-          .transform((val) => val === "true")
-          .describe(SecretSyncs.IMPORT(destination).shouldOverwrite)
-      }),
-      response: {
-        200: z.object({ secretSync: responseSchema })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { syncId } = req.params;
-      const { shouldOverwrite } = req.query;
-
-      const secretSync = (await server.services.secretSync.triggerSecretSyncImportById(
-        {
-          syncId,
-          destination,
-          shouldOverwrite
-        },
-        req.permission
-      )) as T;
-
-      return { secretSync };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:syncId/erase",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: `Erase synced secrets from the specified ${destinationName} Sync destination.`,
-      params: z.object({
-        syncId: z.string().uuid().describe(SecretSyncs.ERASE(destination).syncId)
-      }),
-      response: {
-        200: z.object({ secretSync: responseSchema })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { syncId } = req.params;
-
-      const secretSync = (await server.services.secretSync.triggerSecretSyncEraseById(
-        {
-          syncId,
-          destination
-        },
-        req.permission
-      )) as T;
-
-      return { secretSync };
-    }
-  });
-};

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -1,80 +0,0 @@
-import { z } from "zod";
-
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SecretSyncs } from "@app/lib/api-docs";
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import {
-  AwsParameterStoreSyncListItemSchema,
-  AwsParameterStoreSyncSchema
-} from "@app/services/secret-sync/aws-parameter-store";
-
-// union once more available
-const SecretSyncSchema = AwsParameterStoreSyncSchema;
-
-// union once more available
-const SecretSyncOptionsSchema = AwsParameterStoreSyncListItemSchema;
-
-export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/options",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "List the available Secret Sync Options.",
-      response: {
-        200: z.object({
-          secretSyncOptions: SecretSyncOptionsSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: () => {
-      const secretSyncOptions = server.services.secretSync.listSecretSyncOptions();
-      return { secretSyncOptions };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "List all the Secret Syncs for the specified project.",
-      querystring: z.object({
-        projectId: z.string().trim().min(1, "Project ID required").describe(SecretSyncs.LIST().projectId)
-      }),
-      response: {
-        200: z.object({ secretSyncs: SecretSyncSchema.array() })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const {
-        query: { projectId },
-        permission
-      } = req;
-
-      const secretSyncs = await server.services.secretSync.listSecretSyncsByProjectId({ projectId }, permission);
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId,
-        event: {
-          type: EventType.GET_SECRET_SYNCS,
-          metadata: {
-            syncIds: secretSyncs.map((sync) => sync.id),
-            count: secretSyncs.length
-          }
-        }
-      });
-
-      return { secretSyncs };
-    }
-  });
-};

backend/src/server/routes/v3/secret-router.ts

@@ -18,6 +18,7 @@ import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations, SecretProtectionType } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
@@ -35,6 +36,12 @@ const SecretReferenceNodeTree: z.ZodType<TSecretReferenceNode> = SecretReference
   children: z.lazy(() => SecretReferenceNodeTree.array())
 });
 
+const SecretNameSchema = z
+  .string()
+  .trim()
+  .min(1)
+  .refine((el) => !el.includes(" "), "Secret name cannot contain spaces.");
+
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -50,7 +57,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(SECRETS.ATTACH_TAGS.secretName)
+        secretName: SecretNameSchema.describe(SECRETS.ATTACH_TAGS.secretName)
       }),
       body: z.object({
         projectSlug: z.string().trim().describe(SECRETS.ATTACH_TAGS.projectSlug),
@@ -113,7 +120,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(SECRETS.DETACH_TAGS.secretName)
+        secretName: z.string().describe(SECRETS.DETACH_TAGS.secretName)
       }),
       body: z.object({
         projectSlug: z.string().trim().describe(SECRETS.DETACH_TAGS.projectSlug),
@@ -205,6 +212,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
+              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -220,7 +228,12 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
               secretPath: z.string(),
               environment: z.string(),
               folderId: z.string().optional(),
-              secrets: secretRawSchema.omit({ createdAt: true, updatedAt: true }).array()
+              secrets: secretRawSchema
+                .omit({ createdAt: true, updatedAt: true })
+                .extend({
+                  secretMetadata: ResourceMetadataSchema.optional()
+                })
+                .array()
             })
             .array()
             .optional()
@@ -348,7 +361,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             })
               .extend({ name: z.string() })
               .array()
-              .optional()
+              .optional(),
+            secretMetadata: ResourceMetadataSchema.optional()
           })
         })
       }
@@ -434,7 +448,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.CREATE.secretName)
+        secretName: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
@@ -450,6 +464,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
           .describe(RAW_SECRETS.CREATE.secretValue),
         secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
+        secretMetadata: ResourceMetadataSchema.optional(),
         tagIds: z.string().array().optional().describe(RAW_SECRETS.CREATE.tagIds),
         skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
         type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.CREATE.type),
@@ -484,6 +499,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         secretValue: req.body.secretValue,
         skipMultilineEncoding: req.body.skipMultilineEncoding,
         secretComment: req.body.secretComment,
+        secretMetadata: req.body.secretMetadata,
         tagIds: req.body.tagIds,
         secretReminderNote: req.body.secretReminderNote,
         secretReminderRepeatDays: req.body.secretReminderRepeatDays
@@ -539,7 +555,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName)
+        secretName: SecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
@@ -558,13 +574,14 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type),
         tagIds: z.string().array().optional().describe(RAW_SECRETS.UPDATE.tagIds),
         metadata: z.record(z.string()).optional(),
+        secretMetadata: ResourceMetadataSchema.optional(),
         secretReminderNote: z.string().optional().nullable().describe(RAW_SECRETS.UPDATE.secretReminderNote),
         secretReminderRepeatDays: z
           .number()
           .optional()
           .nullable()
           .describe(RAW_SECRETS.UPDATE.secretReminderRepeatDays),
-        newSecretName: z.string().min(1).optional().describe(RAW_SECRETS.UPDATE.newSecretName),
+        newSecretName: SecretNameSchema.optional().describe(RAW_SECRETS.UPDATE.newSecretName),
         secretComment: z.string().optional().describe(RAW_SECRETS.UPDATE.secretComment)
       }),
       response: {
@@ -595,8 +612,10 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         secretReminderNote: req.body.secretReminderNote,
         metadata: req.body.metadata,
         newSecretName: req.body.newSecretName,
-        secretComment: req.body.secretComment
+        secretComment: req.body.secretComment,
+        secretMetadata: req.body.secretMetadata
       });
+
       if (secretOperation.type === SecretProtectionType.Approval) {
         return { approval: secretOperation.approval };
       }
@@ -647,7 +666,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
+        secretName: z.string().min(1).describe(RAW_SECRETS.DELETE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
@@ -1842,7 +1861,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.CREATE.secretPath),
         secrets: z
           .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.CREATE.secretName),
+            secretKey: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName),
             secretValue: z
               .string()
               .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
@@ -1850,6 +1869,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
             skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
             metadata: z.record(z.string()).optional(),
+            secretMetadata: ResourceMetadataSchema.optional(),
             tagIds: z.string().array().optional().describe(RAW_SECRETS.CREATE.tagIds)
           })
           .array()
@@ -1942,16 +1962,17 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.UPDATE.secretPath),
         secrets: z
           .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName),
+            secretKey: SecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName),
             secretValue: z
               .string()
               .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
               .describe(RAW_SECRETS.UPDATE.secretValue),
             secretComment: z.string().trim().optional().describe(RAW_SECRETS.UPDATE.secretComment),
             skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
-            newSecretName: z.string().min(1).optional().describe(RAW_SECRETS.UPDATE.newSecretName),
+            newSecretName: SecretNameSchema.optional().describe(RAW_SECRETS.UPDATE.newSecretName),
             tagIds: z.string().array().optional().describe(RAW_SECRETS.UPDATE.tagIds),
             secretReminderNote: z.string().optional().nullable().describe(RAW_SECRETS.UPDATE.secretReminderNote),
+            secretMetadata: ResourceMetadataSchema.optional(),
             secretReminderRepeatDays: z
               .number()
               .optional()
@@ -2047,7 +2068,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.DELETE.secretPath),
         secrets: z
           .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.DELETE.secretName),
+            secretKey: z.string().describe(RAW_SECRETS.DELETE.secretName),
             type: z.nativeEnum(SecretType).default(SecretType.Shared)
           })
           .array()

backend/src/services/app-connection/app-connection-enums.ts

@@ -2,50 +2,3 @@ export enum AppConnection {
   GitHub = "github",
   AWS = "aws"
 }
-
-export enum AWSRegion {
-  // US
-  US_EAST_1 = "us-east-1", // N. Virginia
-  US_EAST_2 = "us-east-2", // Ohio
-  US_WEST_1 = "us-west-1", // N. California
-  US_WEST_2 = "us-west-2", // Oregon
-
-  // GovCloud
-  US_GOV_EAST_1 = "us-gov-east-1", // US-East
-  US_GOV_WEST_1 = "us-gov-west-1", // US-West
-
-  // Africa
-  AF_SOUTH_1 = "af-south-1", // Cape Town
-
-  // Asia Pacific
-  AP_EAST_1 = "ap-east-1", // Hong Kong
-  AP_SOUTH_1 = "ap-south-1", // Mumbai
-  AP_SOUTH_2 = "ap-south-2", // Hyderabad
-  AP_NORTHEAST_1 = "ap-northeast-1", // Tokyo
-  AP_NORTHEAST_2 = "ap-northeast-2", // Seoul
-  AP_NORTHEAST_3 = "ap-northeast-3", // Osaka
-  AP_SOUTHEAST_1 = "ap-southeast-1", // Singapore
-  AP_SOUTHEAST_2 = "ap-southeast-2", // Sydney
-  AP_SOUTHEAST_3 = "ap-southeast-3", // Jakarta
-  AP_SOUTHEAST_4 = "ap-southeast-4", // Melbourne
-
-  // Canada
-  CA_CENTRAL_1 = "ca-central-1", // Central
-
-  // Europe
-  EU_CENTRAL_1 = "eu-central-1", // Frankfurt
-  EU_CENTRAL_2 = "eu-central-2", // Zurich
-  EU_WEST_1 = "eu-west-1", // Ireland
-  EU_WEST_2 = "eu-west-2", // London
-  EU_WEST_3 = "eu-west-3", // Paris
-  EU_SOUTH_1 = "eu-south-1", // Milan
-  EU_SOUTH_2 = "eu-south-2", // Spain
-  EU_NORTH_1 = "eu-north-1", // Stockholm
-
-  // Middle East
-  ME_SOUTH_1 = "me-south-1", // Bahrain
-  ME_CENTRAL_1 = "me-central-1", // UAE
-
-  // South America
-  SA_EAST_1 = "sa-east-1" // Sao Paulo
-}

backend/src/services/app-connection/app-connection-fns.ts

@@ -1,4 +1,3 @@
-import { TAppConnections } from "@app/db/schemas/app-connections";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TAppConnectionServiceFactoryDep } from "@app/services/app-connection/app-connection-service";
 import { TAppConnection, TAppConnectionConfig } from "@app/services/app-connection/app-connection-types";
@@ -65,8 +64,9 @@ export const validateAppConnectionCredentials = async (
 ): Promise<TAppConnection["credentials"]> => {
   const { app } = appConnection;
   switch (app) {
-    case AppConnection.AWS:
+    case AppConnection.AWS: {
       return validateAwsConnectionCredentials(appConnection);
+    }
     case AppConnection.GitHub:
       return validateGitHubConnectionCredentials(appConnection);
     default:
@@ -90,17 +90,3 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
       throw new Error(`Unhandled App Connection Method: ${method}`);
   }
 };
-
-export const decryptAppConnection = async (
-  appConnection: TAppConnections,
-  kmsService: TAppConnectionServiceFactoryDep["kmsService"]
-) => {
-  return {
-    ...appConnection,
-    credentials: await decryptAppConnectionCredentials({
-      encryptedCredentials: appConnection.encryptedCredentials,
-      orgId: appConnection.orgId,
-      kmsService
-    })
-  } as TAppConnection;
-};

backend/src/services/app-connection/app-connection-service.ts

@@ -1,13 +1,13 @@
-import { ForbiddenError, subject } from "@casl/ability";
+import { ForbiddenError } from "@casl/ability";
 
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionAppConnectionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { DiscriminativePick, OrgServiceActor } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
-  decryptAppConnection,
+  decryptAppConnectionCredentials,
   encryptAppConnectionCredentials,
   getAppConnectionMethodName,
   listAppConnectionOptions,
@@ -65,10 +65,7 @@ export const appConnectionServiceFactory = ({
       actor.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionAppConnectionActions.Read,
-      OrgPermissionSubjects.AppConnections
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
 
     const appConnections = await appConnectionDAL.find(
       app
@@ -81,7 +78,18 @@ export const appConnectionServiceFactory = ({
     return Promise.all(
       appConnections
         .sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()))
-        .map((appConnection) => decryptAppConnection(appConnection, kmsService))
+        .map(async ({ encryptedCredentials, ...connection }) => {
+          const credentials = await decryptAppConnectionCredentials({
+            encryptedCredentials,
+            kmsService,
+            orgId: connection.orgId
+          });
+
+          return {
+            ...connection,
+            credentials
+          } as TAppConnection;
+        })
     );
   };
 
@@ -100,15 +108,19 @@ export const appConnectionServiceFactory = ({
       appConnection.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionAppConnectionActions.Read,
-      OrgPermissionSubjects.AppConnections
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
 
     if (appConnection.app !== app)
       throw new BadRequestError({ message: `App Connection with ID ${connectionId} is not for App "${app}"` });
 
-    return decryptAppConnection(appConnection, kmsService);
+    return {
+      ...appConnection,
+      credentials: await decryptAppConnectionCredentials({
+        encryptedCredentials: appConnection.encryptedCredentials,
+        orgId: appConnection.orgId,
+        kmsService
+      })
+    } as TAppConnection;
   };
 
   const findAppConnectionByName = async (app: AppConnection, connectionName: string, actor: OrgServiceActor) => {
@@ -127,15 +139,19 @@ export const appConnectionServiceFactory = ({
       appConnection.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionAppConnectionActions.Read,
-      OrgPermissionSubjects.AppConnections
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
 
     if (appConnection.app !== app)
       throw new BadRequestError({ message: `App Connection with name ${connectionName} is not for App "${app}"` });
 
-    return decryptAppConnection(appConnection, kmsService);
+    return {
+      ...appConnection,
+      credentials: await decryptAppConnectionCredentials({
+        encryptedCredentials: appConnection.encryptedCredentials,
+        orgId: appConnection.orgId,
+        kmsService
+      })
+    } as TAppConnection;
   };
 
   const createAppConnection = async (
@@ -152,10 +168,7 @@ export const appConnectionServiceFactory = ({
       actor.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionAppConnectionActions.Create,
-      OrgPermissionSubjects.AppConnections
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.AppConnections);
 
     const appConnection = await appConnectionDAL.transaction(async (tx) => {
       const isConflictingName = Boolean(
@@ -203,7 +216,7 @@ export const appConnectionServiceFactory = ({
       };
     });
 
-    return appConnection as TAppConnection;
+    return appConnection;
   };
 
   const updateAppConnection = async (
@@ -224,10 +237,7 @@ export const appConnectionServiceFactory = ({
       appConnection.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionAppConnectionActions.Edit,
-      OrgPermissionSubjects.AppConnections
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.AppConnections);
 
     const updatedAppConnection = await appConnectionDAL.transaction(async (tx) => {
       if (params.name && appConnection.name !== params.name) {
@@ -294,7 +304,14 @@ export const appConnectionServiceFactory = ({
       return updatedConnection;
     });
 
-    return decryptAppConnection(updatedAppConnection, kmsService);
+    return {
+      ...updatedAppConnection,
+      credentials: await decryptAppConnectionCredentials({
+        encryptedCredentials: updatedAppConnection.encryptedCredentials,
+        orgId: updatedAppConnection.orgId,
+        kmsService
+      })
+    } as TAppConnection;
   };
 
   const deleteAppConnection = async (app: AppConnection, connectionId: string, actor: OrgServiceActor) => {
@@ -312,74 +329,23 @@ export const appConnectionServiceFactory = ({
       appConnection.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionAppConnectionActions.Delete,
-      OrgPermissionSubjects.AppConnections
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.AppConnections);
 
     if (appConnection.app !== app)
       throw new BadRequestError({ message: `App Connection with ID ${connectionId} is not for App "${app}"` });
 
-    // TODO (scott): add option to delete all dependencies
+    // TODO: specify delete error message if due to existing dependencies
 
-    try {
-      const deletedAppConnection = await appConnectionDAL.deleteById(connectionId);
+    const deletedAppConnection = await appConnectionDAL.deleteById(connectionId);
 
-      return await decryptAppConnection(deletedAppConnection, kmsService);
-    } catch (err) {
-      if (err instanceof DatabaseError && (err.error as { code: string })?.code === "23503") {
-        throw new BadRequestError({
-          message:
-            "Cannot delete App Connection with existing connections. Remove all existing connections and try again."
-        });
-      }
-
-      throw err;
-    }
-  };
-
-  const connectAppConnectionById = async (connectionId: string, actor: OrgServiceActor) => {
-    const appConnection = await appConnectionDAL.findById(connectionId);
-
-    if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
-
-    const { permission: orgPermission } = await permissionService.getOrgPermission(
-      actor.type,
-      actor.id,
-      appConnection.orgId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbiddenError.from(orgPermission).throwUnlessCan(
-      OrgPermissionAppConnectionActions.Connect,
-      subject(OrgPermissionSubjects.AppConnections, { connectionId: appConnection.id })
-    );
-
-    return decryptAppConnection(appConnection, kmsService);
-  };
-
-  const listAvailableAppConnectionsForUser = async (app: AppConnection, actor: OrgServiceActor) => {
-    await checkAppServicesAvailability(actor.orgId);
-
-    const { permission: orgPermission } = await permissionService.getOrgPermission(
-      actor.type,
-      actor.id,
-      actor.orgId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    const appConnections = await appConnectionDAL.find({ app, orgId: actor.orgId });
-
-    const availableConnections = appConnections.filter((connection) =>
-      orgPermission.can(
-        OrgPermissionAppConnectionActions.Connect,
-        subject(OrgPermissionSubjects.AppConnections, { connectionId: connection.id })
-      )
-    );
-
-    return availableConnections as Omit<TAppConnection, "credentials">[];
+    return {
+      ...deletedAppConnection,
+      credentials: await decryptAppConnectionCredentials({
+        encryptedCredentials: deletedAppConnection.encryptedCredentials,
+        orgId: deletedAppConnection.orgId,
+        kmsService
+      })
+    } as TAppConnection;
   };
 
   return {
@@ -389,8 +355,6 @@ export const appConnectionServiceFactory = ({
     findAppConnectionByName,
     createAppConnection,
     updateAppConnection,
-    deleteAppConnection,
-    connectAppConnectionById,
-    listAvailableAppConnectionsForUser
+    deleteAppConnection
   };
 };

backend/src/services/app-connection/aws/aws-connection-fns.ts

@@ -4,7 +4,7 @@ import { randomUUID } from "crypto";
 
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
-import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 
 import { AwsConnectionMethod } from "./aws-connection-enums";
 import { TAwsConnectionConfig } from "./aws-connection-types";
@@ -20,7 +20,7 @@ export const getAwsAppConnectionListItem = () => {
   };
 };
 
-export const getAwsConnectionConfig = async (appConnection: TAwsConnectionConfig, region = AWSRegion.US_EAST_1) => {
+export const getAwsConnectionConfig = async (appConnection: TAwsConnectionConfig, region = "us-east-1") => {
   const appCfg = getConfig();
 
   let accessKeyId: string;

backend/src/services/app-connection/aws/aws-connection-schemas.ts

@@ -75,7 +75,7 @@ export const UpdateAwsConnectionSchema = z
 export const AwsConnectionListItemSchema = z.object({
   name: z.literal("AWS"),
   app: z.literal(AppConnection.AWS),
-  // the below is preferable but currently breaks with our zod to json schema parser
+  // the below is preferable but currently breaks mintlify
   // methods: z.tuple([z.literal(AwsConnectionMethod.AssumeRole), z.literal(AwsConnectionMethod.AccessKey)]),
   methods: z.nativeEnum(AwsConnectionMethod).array(),
   accessKeyId: z.string().optional()

backend/src/services/app-connection/github/github-connection-schemas.ts

@@ -57,7 +57,7 @@ export const UpdateGitHubConnectionSchema = z
 
 const BaseGitHubConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.GitHub) });
 
-export const GitHubConnectionSchema = z.intersection(
+export const GitHubAppConnectionSchema = z.intersection(
   BaseGitHubConnectionSchema,
   z.discriminatedUnion("method", [
     z.object({
@@ -85,8 +85,8 @@ export const SanitizedGitHubConnectionSchema = z.discriminatedUnion("method", [
 export const GitHubConnectionListItemSchema = z.object({
   name: z.literal("GitHub"),
   app: z.literal(AppConnection.GitHub),
-  // the below is preferable but currently breaks with our zod to json schema parser
-  // methods: z.tuple([z.literal(GitHubConnectionMethod.App), z.literal(GitHubConnectionMethod.OAuth)]),
+  // the below is preferable but currently breaks mintlify
+  // methods: z.tuple([z.literal(GitHubConnectionMethod.GitHubApp), z.literal(GitHubConnectionMethod.OAuth)]),
   methods: z.nativeEnum(GitHubConnectionMethod).array(),
   oauthClientId: z.string().optional(),
   appClientSlug: z.string().optional()

backend/src/services/app-connection/github/github-connection-types.ts

@@ -5,11 +5,11 @@ import { DiscriminativePick } from "@app/lib/types";
 import { AppConnection } from "../app-connection-enums";
 import {
   CreateGitHubConnectionSchema,
-  GitHubConnectionSchema,
+  GitHubAppConnectionSchema,
   ValidateGitHubConnectionCredentialsSchema
 } from "./github-connection-schemas";
 
-export type TGitHubConnection = z.infer<typeof GitHubConnectionSchema>;
+export type TGitHubConnection = z.infer<typeof GitHubAppConnectionSchema>;
 
 export type TGitHubConnectionInput = z.infer<typeof CreateGitHubConnectionSchema> & {
   app: AppConnection.GitHub;

backend/src/services/external-migration/external-migration-fns.ts

@@ -16,6 +16,7 @@ import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectServiceFactory } from "../project/project-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@@ -35,6 +36,8 @@ export type TImportDataIntoInfisicalDTO = {
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "create">;
   secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany" | "create">;
 
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
+
   folderDAL: Pick<TSecretFolderDALFactory, "create" | "findBySecretPath" | "findById">;
   projectService: Pick<TProjectServiceFactory, "createProject">;
   projectEnvService: Pick<TProjectEnvServiceFactory, "createEnvironment">;
@@ -503,6 +506,7 @@ export const importDataIntoInfisicalFn = async ({
   secretTagDAL,
   secretVersionTagDAL,
   folderDAL,
+  resourceMetadataDAL,
   input: { data, actor, actorId, actorOrgId, actorAuthMethod }
 }: TImportDataIntoInfisicalDTO) => {
   // Import data to infisical
@@ -762,6 +766,8 @@ export const importDataIntoInfisicalFn = async ({
               };
             }),
             folderId: selectedFolder.id,
+            orgId: actorOrgId,
+            resourceMetadataDAL,
             secretDAL,
             secretVersionDAL,
             secretTagDAL,

backend/src/services/external-migration/external-migration-queue.ts

@@ -8,6 +8,7 @@ import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectServiceFactory } from "../project/project-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@@ -35,6 +36,8 @@ export type TExternalMigrationQueueFactoryDep = {
   projectService: Pick<TProjectServiceFactory, "createProject">;
   projectEnvService: Pick<TProjectEnvServiceFactory, "createEnvironment">;
   secretV2BridgeService: Pick<TSecretV2BridgeServiceFactory, "createManySecret">;
+
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TExternalMigrationQueueFactory = ReturnType<typeof externalMigrationQueueFactory>;
@@ -52,7 +55,8 @@ export const externalMigrationQueueFactory = ({
   secretVersionDAL,
   secretTagDAL,
   secretVersionTagDAL,
-  folderDAL
+  folderDAL,
+  resourceMetadataDAL
 }: TExternalMigrationQueueFactoryDep) => {
   const startImport = async (dto: {
     actorEmail: string;
@@ -109,7 +113,8 @@ export const externalMigrationQueueFactory = ({
         kmsService,
         projectService,
         projectEnvService,
-        secretV2BridgeService
+        secretV2BridgeService,
+        resourceMetadataDAL
       });
 
       if (projectsNotImported.length) {

backend/src/services/integration-auth/integration-list.ts

@@ -427,3 +427,8 @@ export const getIntegrationOptions = async () => {
 
   return INTEGRATION_OPTIONS;
 };
+
+export enum IntegrationMetadataSyncMode {
+  CUSTOM = "custom",
+  SECRET_METADATA = "secret-metadata"
+}

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -38,6 +38,7 @@ import { TCreateManySecretsRawFn, TUpdateManySecretsRawFn } from "@app/services/
 
 import { TIntegrationDALFactory } from "../integration/integration-dal";
 import { IntegrationMetadataSchema } from "../integration/integration-schema";
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { IntegrationAuthMetadataSchema } from "./integration-auth-schema";
 import {
   CircleCiScope,
@@ -48,6 +49,7 @@ import {
 import {
   IntegrationInitialSyncBehavior,
   IntegrationMappingBehavior,
+  IntegrationMetadataSyncMode,
   Integrations,
   IntegrationUrls
 } from "./integration-list";
@@ -1082,14 +1084,14 @@ const syncSecretsAWSSecretManager = async ({
   projectId
 }: {
   integration: TIntegrations;
-  secrets: Record<string, { value: string; comment?: string }>;
+  secrets: Record<string, { value: string; comment?: string; secretMetadata?: ResourceMetadataDTO }>;
   accessId: string | null;
   accessToken: string;
   awsAssumeRoleArn: string | null;
   projectId?: string;
 }) => {
   const appCfg = getConfig();
-  const metadata = z.record(z.any()).parse(integration.metadata || {});
+  const metadata = IntegrationMetadataSchema.parse(integration.metadata || {});
 
   if (!accessId && !awsAssumeRoleArn) {
     throw new Error("AWS access ID/AWS Assume Role is required");
@@ -1137,8 +1139,25 @@ const syncSecretsAWSSecretManager = async ({
 
   const processAwsSecret = async (
     secretId: string,
-    secretValue: Record<string, string | null | undefined> | string
+    secretValue: Record<string, string | null | undefined> | string,
+    secretMetadata?: ResourceMetadataDTO
   ) => {
+    const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
+    const shouldTag =
+      (secretAWSTag && secretAWSTag.length) ||
+      (metadata.metadataSyncMode === IntegrationMetadataSyncMode.SECRET_METADATA &&
+        metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE);
+    const tagArray =
+      (metadata.metadataSyncMode === IntegrationMetadataSyncMode.SECRET_METADATA ? secretMetadata : secretAWSTag) ?? [];
+
+    const integrationTagObj = tagArray.reduce(
+      (acc, item) => {
+        acc[item.key] = item.value;
+        return acc;
+      },
+      {} as Record<string, string>
+    );
+
     try {
       const awsSecretManagerSecret = await secretsManager.send(
         new GetSecretValueCommand({
@@ -1174,9 +1193,7 @@ const syncSecretsAWSSecretManager = async ({
         }
       }
 
-      const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
-
-      if (secretAWSTag && secretAWSTag.length) {
+      if (shouldTag) {
         const describedSecret = await secretsManager.send(
           // requires secretsmanager:DescribeSecret policy
           new DescribeSecretCommand({
@@ -1186,14 +1203,6 @@ const syncSecretsAWSSecretManager = async ({
 
         if (!describedSecret.Tags) return;
 
-        const integrationTagObj = secretAWSTag.reduce(
-          (acc, item) => {
-            acc[item.key] = item.value;
-            return acc;
-          },
-          {} as Record<string, string>
-        );
-
         const awsTagObj = (describedSecret.Tags || []).reduce(
           (acc, item) => {
             if (item.Key && item.Value) {
@@ -1225,7 +1234,7 @@ const syncSecretsAWSSecretManager = async ({
           }
         });
 
-        secretAWSTag?.forEach((tag) => {
+        tagArray.forEach((tag) => {
           if (!(tag.key in awsTagObj)) {
             // create tag in AWS secret manager
             tagsToUpdate.push({
@@ -1262,8 +1271,8 @@ const syncSecretsAWSSecretManager = async ({
               Name: secretId,
               SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue),
               ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
-              Tags: metadata.secretAWSTag
-                ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({
+              Tags: shouldTag
+                ? tagArray.map((tag: { key: string; value: string }) => ({
                     Key: tag.key,
                     Value: tag.value
                   }))
@@ -1280,7 +1289,7 @@ const syncSecretsAWSSecretManager = async ({
 
   if (metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE) {
     for await (const [key, value] of Object.entries(secrets)) {
-      await processAwsSecret(key, value.value);
+      await processAwsSecret(key, value.value, value.secretMetadata);
     }
   } else {
     await processAwsSecret(integration.app as string, getSecretKeyValuePair(secrets));
@@ -2763,13 +2772,23 @@ const syncSecretsAzureDevops = async ({
  * Sync/push [secrets] to GitLab repo with name [integration.app]
  */
 const syncSecretsGitLab = async ({
+  createManySecretsRawFn,
   integrationAuth,
   integration,
   secrets,
   accessToken
 }: {
+  createManySecretsRawFn: (params: TCreateManySecretsRawFn) => Promise<Array<{ id: string }>>;
   integrationAuth: TIntegrationAuths;
-  integration: TIntegrations;
+  integration: TIntegrations & {
+    projectId: string;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    secretPath: string;
+  };
   secrets: Record<string, { value: string; comment?: string }>;
   accessToken: string;
 }) => {
@@ -2826,6 +2845,81 @@ const syncSecretsGitLab = async ({
       return isValid;
     });
 
+  if (!integration.lastUsed) {
+    const secretsToAddToInfisical: { [key: string]: GitLabSecret } = {};
+    const secretsToRemoveInGitlab: GitLabSecret[] = [];
+
+    if (!metadata.initialSyncBehavior) {
+      metadata.initialSyncBehavior = IntegrationInitialSyncBehavior.OVERWRITE_TARGET;
+    }
+
+    getSecretsRes.forEach((gitlabSecret) => {
+      // first time using integration
+      // -> apply initial sync behavior
+      switch (metadata.initialSyncBehavior) {
+        // Override all the secrets in GitLab
+        case IntegrationInitialSyncBehavior.OVERWRITE_TARGET: {
+          if (!(gitlabSecret.key in secrets)) {
+            secretsToRemoveInGitlab.push(gitlabSecret);
+          }
+          break;
+        }
+        case IntegrationInitialSyncBehavior.PREFER_SOURCE: {
+          // if the secret is not in infisical, we need to add it to infisical
+          if (!(gitlabSecret.key in secrets)) {
+            secrets[gitlabSecret.key] = {
+              value: gitlabSecret.value
+            };
+            // need to remove prefix and suffix from what we're saving to Infisical
+            const prefix = metadata?.secretPrefix || "";
+            const suffix = metadata?.secretSuffix || "";
+            let processedKey = gitlabSecret.key;
+
+            // Remove prefix if it exists at the start
+            if (prefix && processedKey.startsWith(prefix)) {
+              processedKey = processedKey.slice(prefix.length);
+            }
+
+            // Remove suffix if it exists at the end
+            if (suffix && processedKey.endsWith(suffix)) {
+              processedKey = processedKey.slice(0, -suffix.length);
+            }
+
+            secretsToAddToInfisical[processedKey] = gitlabSecret;
+          }
+          break;
+        }
+        default: {
+          throw new Error(`Invalid initial sync behavior: ${metadata.initialSyncBehavior}`);
+        }
+      }
+    });
+
+    if (Object.keys(secretsToAddToInfisical).length) {
+      await createManySecretsRawFn({
+        projectId: integration.projectId,
+        environment: integration.environment.slug,
+        path: integration.secretPath,
+        secrets: Object.keys(secretsToAddToInfisical).map((key) => ({
+          secretName: key,
+          secretValue: secretsToAddToInfisical[key].value,
+          type: SecretType.Shared
+        }))
+      });
+    }
+
+    for await (const gitlabSecret of secretsToRemoveInGitlab) {
+      await request.delete(
+        `${gitLabApiUrl}/v4/projects/${integration?.appId}/variables/${gitlabSecret.key}?filter[environment_scope]=${integration.targetEnvironment}`,
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`
+          }
+        }
+      );
+    }
+  }
+
   for await (const key of Object.keys(secrets)) {
     const existingSecret = getSecretsRes.find((s) => s.key === key);
     if (!existingSecret) {
@@ -4440,7 +4534,7 @@ export const syncIntegrationSecrets = async ({
     secretPath: string;
   };
   integrationAuth: TIntegrationAuths;
-  secrets: Record<string, { value: string; comment?: string }>;
+  secrets: Record<string, { value: string; comment?: string; secretMetadata?: ResourceMetadataDTO }>;
   accessId: string | null;
   awsAssumeRoleArn: string | null;
   accessToken: string;
@@ -4545,7 +4639,8 @@ export const syncIntegrationSecrets = async ({
         integrationAuth,
         integration,
         secrets,
-        accessToken
+        accessToken,
+        createManySecretsRawFn
       });
       break;
     case Integrations.RENDER:

backend/src/services/integration-auth/integration-team.ts

@@ -1,3 +1,5 @@
+import { AxiosResponse } from "axios";
+
 import { request } from "@app/lib/config/request";
 import { BadRequestError } from "@app/lib/errors";
 
@@ -11,19 +13,27 @@ const getTeamsGitLab = async ({ url, accessToken }: { url: string; accessToken:
   const gitLabApiUrl = url ? `${url}/api` : IntegrationUrls.GITLAB_API_URL;
 
   let teams: Team[] = [];
-  const res = (
-    await request.get<{ name: string; id: string }[]>(`${gitLabApiUrl}/v4/groups`, {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Accept-Encoding": "application/json"
+  let page: number = 1;
+  while (page > 0) {
+    // eslint-disable-next-line no-await-in-loop
+    const { data, headers }: AxiosResponse<{ name: string; id: string }[]> = await request.get(
+      `${gitLabApiUrl}/v4/groups?page=${page}`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
       }
-    })
-  ).data;
+    );
 
-  teams = res.map((t) => ({
-    name: t.name,
-    id: t.id.toString()
-  }));
+    page = Number(headers["x-next-page"] ?? "");
+    teams = teams.concat(
+      data.map((t) => ({
+        name: t.name,
+        id: t.id.toString()
+      }))
+    );
+  }
 
   return teams;
 };

backend/src/services/integration/integration-schema.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { INTEGRATION } from "@app/lib/api-docs";
 
-import { IntegrationMappingBehavior } from "../integration-auth/integration-list";
+import { IntegrationMappingBehavior, IntegrationMetadataSyncMode } from "../integration-auth/integration-list";
 
 export const IntegrationMetadataSchema = z.object({
   initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
@@ -50,6 +50,11 @@ export const IntegrationMetadataSchema = z.object({
   shouldMaskSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldMaskSecrets),
   shouldProtectSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldProtectSecrets),
 
+  metadataSyncMode: z
+    .nativeEnum(IntegrationMetadataSyncMode)
+    .optional()
+    .describe(INTEGRATION.CREATE.metadata.metadataSyncMode),
+
   octopusDeployScopeValues: z
     .object({
       // in Octopus Deploy Scope Value Format

backend/src/services/resource-metadata/resource-metadata-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TResourceMetadataDALFactory = ReturnType<typeof resourceMetadataDALFactory>;
+
+export const resourceMetadataDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.ResourceMetadata);
+
+  return orm;
+};

backend/src/services/resource-metadata/resource-metadata-schema.ts

@@ -0,0 +1,10 @@
+import z from "zod";
+
+export const ResourceMetadataSchema = z
+  .object({
+    key: z.string().trim().min(1),
+    value: z.string().trim().default("")
+  })
+  .array();
+
+export type ResourceMetadataDTO = z.infer<typeof ResourceMetadataSchema>;

backend/src/services/secret-import/secret-import-fns.ts

@@ -1,6 +1,7 @@
 import { SecretType, TSecretImports, TSecrets, TSecretsV2 } from "@app/db/schemas";
 import { groupBy, unique } from "@app/lib/fn";
 
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@@ -39,6 +40,7 @@ type TSecretImportSecretsV2 = {
     // But for somereason ts consider ? and undefined explicit as different just ts things
     secretValue: string;
     secretComment: string;
+    secretMetadata?: ResourceMetadataDTO;
   })[];
 };
 

backend/src/services/secret-import/secret-import-service.ts

@@ -160,6 +160,7 @@ export const secretImportServiceFactory = ({
     if (secImport.isReplication && sourceFolder) {
       await secretQueueService.replicateSecrets({
         secretPath: secImport.importPath,
+        orgId: actorOrgId,
         projectId,
         environmentSlug: importEnv.slug,
         pickOnlyImportIds: [secImport.id],
@@ -169,6 +170,7 @@ export const secretImportServiceFactory = ({
     } else {
       await secretQueueService.syncSecrets({
         secretPath,
+        orgId: actorOrgId,
         projectId,
         environmentSlug: environment,
         actorId,
@@ -340,6 +342,7 @@ export const secretImportServiceFactory = ({
 
     await secretQueueService.syncSecrets({
       secretPath,
+      orgId: actorOrgId,
       projectId,
       environmentSlug: environment,
       actor,
@@ -415,6 +418,7 @@ export const secretImportServiceFactory = ({
 
     if (membership && sourceFolder) {
       await secretQueueService.replicateSecrets({
+        orgId: actorOrgId,
         secretPath: secretImportDoc.importPath,
         projectId,
         environmentSlug: secretImportDoc.importEnv.slug,

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-constants.ts

@@ -1,10 +0,0 @@
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
-
-export const AWS_PARAMETER_STORE_SYNC_LIST_OPTION: TSecretSyncListItem = {
-  name: "AWS Parameter Store",
-  destination: SecretSync.AWSParameterStore,
-  connection: AppConnection.AWS,
-  supportsImport: true
-};

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts

@@ -1,198 +0,0 @@
-import AWS, { AWSError } from "aws-sdk";
-
-import { getAwsConnectionConfig } from "@app/services/app-connection/aws/aws-connection-fns";
-import { TSecretMap, TSecretSyncWithConnection } from "@app/services/secret-sync/secret-sync-types";
-
-import { TAwsParameterStoreSyncWithConnection } from "./aws-parameter-store-sync-types";
-
-type TAWSParameterStoreRecord = Record<string, AWS.SSM.Parameter>;
-
-const MAX_RETRIES = 5;
-const BATCH_SIZE = 10;
-
-const getSSM = async (secretSync: TSecretSyncWithConnection) => {
-  const { destinationConfig, connection } = secretSync;
-
-  const config = await getAwsConnectionConfig(connection, destinationConfig.region);
-
-  const ssm = new AWS.SSM({
-    apiVersion: "2014-11-06",
-    region: destinationConfig.region
-  });
-
-  ssm.config.update(config);
-
-  return ssm;
-};
-
-const sleep = async () =>
-  new Promise((resolve) => {
-    setTimeout(resolve, 1000);
-  });
-
-const getParametersByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSParameterStoreRecord> => {
-  const awsParameterStoreSecretsRecord: TAWSParameterStoreRecord = {};
-  let hasNext = true;
-  let nextToken: string | undefined;
-  let attempt = 0;
-
-  while (hasNext) {
-    try {
-      // eslint-disable-next-line no-await-in-loop
-      const parameters = await ssm
-        .getParametersByPath({
-          Path: path,
-          Recursive: false,
-          WithDecryption: true,
-          MaxResults: BATCH_SIZE,
-          NextToken: nextToken
-        })
-        .promise();
-
-      attempt = 0;
-
-      if (parameters.Parameters) {
-        parameters.Parameters.forEach((parameter) => {
-          if (parameter.Name) {
-            const secKey = parameter.Name.substring(path.length);
-            awsParameterStoreSecretsRecord[secKey] = parameter;
-          }
-        });
-      }
-
-      hasNext = Boolean(parameters.NextToken);
-      nextToken = parameters.NextToken;
-    } catch (e) {
-      if ((e as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
-        attempt += 1;
-        // eslint-disable-next-line no-await-in-loop
-        await sleep();
-      }
-
-      throw e;
-    }
-  }
-
-  return awsParameterStoreSecretsRecord;
-};
-
-const putParameter = async (
-  ssm: AWS.SSM,
-  params: AWS.SSM.PutParameterRequest,
-  attempt = 0
-): Promise<AWS.SSM.PutParameterResult> => {
-  try {
-    return await ssm.putParameter(params).promise();
-  } catch (error) {
-    if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
-      await sleep();
-
-      // retry
-      return putParameter(ssm, params, attempt + 1);
-    }
-    throw error;
-  }
-};
-
-const deleteParametersBatch = async (
-  ssm: AWS.SSM,
-  parameters: AWS.SSM.Parameter[],
-  attempt = 0
-): Promise<AWS.SSM.DeleteParameterResult[]> => {
-  const results: AWS.SSM.DeleteParameterResult[] = [];
-  let remainingParams = [...parameters];
-
-  while (remainingParams.length > 0) {
-    const batch = remainingParams.slice(0, BATCH_SIZE);
-
-    try {
-      // eslint-disable-next-line no-await-in-loop
-      const result = await ssm.deleteParameters({ Names: batch.map((param) => param.Name!) }).promise();
-      results.push(result);
-      remainingParams = remainingParams.slice(BATCH_SIZE);
-    } catch (error) {
-      if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
-        // eslint-disable-next-line no-await-in-loop
-        await sleep();
-
-        // Retry the current batch
-        // eslint-disable-next-line no-await-in-loop
-        return [...results, ...(await deleteParametersBatch(ssm, remainingParams, attempt + 1))];
-      }
-      throw error;
-    }
-  }
-
-  return results;
-};
-
-export const AwsParameterStoreSyncFns = {
-  sync: async (secretSync: TAwsParameterStoreSyncWithConnection, secrets: TSecretMap) => {
-    const { destinationConfig } = secretSync;
-
-    const ssm = await getSSM(secretSync);
-
-    // TODO(scott): KMS Key ID, Tags
-
-    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
-
-    for await (const entry of Object.entries(secrets)) {
-      const [key, { value }] = entry;
-
-      // skip empty values (not allowed by AWS) or secrets that haven't changed
-      if (!value || (key in awsParameterStoreSecretsRecord && awsParameterStoreSecretsRecord[key].Value === value)) {
-        // eslint-disable-next-line no-continue
-        continue;
-      }
-
-      await putParameter(ssm, {
-        Name: `${destinationConfig.path}${key}`,
-        Type: "SecureString",
-        Value: value,
-        Overwrite: true
-      });
-    }
-
-    const parametersToDelete: AWS.SSM.Parameter[] = [];
-
-    for (const entry of Object.entries(awsParameterStoreSecretsRecord)) {
-      const [key, parameter] = entry;
-
-      if (!(key in secrets) || !secrets[key].value) {
-        parametersToDelete.push(parameter);
-      }
-    }
-
-    await deleteParametersBatch(ssm, parametersToDelete);
-  },
-  import: async (secretSync: TAwsParameterStoreSyncWithConnection): Promise<TSecretMap> => {
-    const { destinationConfig } = secretSync;
-
-    const ssm = await getSSM(secretSync);
-
-    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
-
-    return Object.fromEntries(
-      Object.entries(awsParameterStoreSecretsRecord).map(([key, value]) => [key, { value: value.Value ?? "" }])
-    );
-  },
-  erase: async (secretSync: TAwsParameterStoreSyncWithConnection, secrets: TSecretMap) => {
-    const { destinationConfig } = secretSync;
-
-    const ssm = await getSSM(secretSync);
-
-    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
-
-    const parametersToDelete: AWS.SSM.Parameter[] = [];
-
-    for (const entry of Object.entries(awsParameterStoreSecretsRecord)) {
-      const [key, param] = entry;
-
-      if (key in secrets) {
-        parametersToDelete.push(param);
-      }
-    }
-
-    await deleteParametersBatch(ssm, parametersToDelete);
-  }
-};

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-schemas.ts

@@ -1,59 +0,0 @@
-import { z } from "zod";
-
-import { SecretSyncs } from "@app/lib/api-docs";
-import { wrapWithSlashes } from "@app/lib/fn";
-import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-import {
-  BaseSecretSyncSchema,
-  GenericCreateSecretSyncFieldsSchema,
-  GenericUpdateSecretSyncFieldsSchema
-} from "@app/services/secret-sync/secret-sync-schemas";
-
-const AwsParameterStoreSyncDestinationConfigSchema = z.object({
-  region: z.nativeEnum(AWSRegion).describe(SecretSyncs.DESTINATION_CONFIG.AWS_PARAMETER_STORE.REGION),
-  path: z
-    .string()
-    .min(1, "Parameter Store Path Required")
-    .transform(wrapWithSlashes)
-    .superRefine((val, ctx) => {
-      if (!/^\/([\w-]+\/)*[\w-]+\/$/.test(val)) {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          message: `Invalid Parameter Store Path - must follow "/example/path/" format`
-        });
-      }
-
-      if (val.length > 2048) {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          message: `Invalid Parameter Store Path - cannot exceed 2048 characters`
-        });
-      }
-    })
-    .describe(SecretSyncs.DESTINATION_CONFIG.AWS_PARAMETER_STORE.PATH)
-});
-
-export const AwsParameterStoreSyncSchema = BaseSecretSyncSchema(AppConnection.AWS).extend({
-  destination: z.literal(SecretSync.AWSParameterStore),
-  destinationConfig: AwsParameterStoreSyncDestinationConfigSchema
-});
-
-export const CreateAwsParameterStoreSyncSchema = GenericCreateSecretSyncFieldsSchema(
-  SecretSync.AWSParameterStore
-).extend({
-  destinationConfig: AwsParameterStoreSyncDestinationConfigSchema
-});
-
-export const UpdateAwsParameterStoreSyncSchema = GenericUpdateSecretSyncFieldsSchema(
-  SecretSync.AWSParameterStore
-).extend({
-  destinationConfig: AwsParameterStoreSyncDestinationConfigSchema.optional()
-});
-
-export const AwsParameterStoreSyncListItemSchema = z.object({
-  name: z.literal("AWS Parameter Store"),
-  connection: z.literal(AppConnection.AWS),
-  destination: z.literal(SecretSync.AWSParameterStore),
-  supportsImport: z.literal(true)
-});

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-types.ts

@@ -1,19 +0,0 @@
-import { z } from "zod";
-
-import { TAwsConnection } from "@app/services/app-connection/aws";
-
-import {
-  AwsParameterStoreSyncListItemSchema,
-  AwsParameterStoreSyncSchema,
-  CreateAwsParameterStoreSyncSchema
-} from "./aws-parameter-store-sync-schemas";
-
-export type TAwsParameterStoreSync = z.infer<typeof AwsParameterStoreSyncSchema>;
-
-export type TAwsParameterStoreSyncInput = z.infer<typeof CreateAwsParameterStoreSyncSchema>;
-
-export type TAwsParameterStoreSyncListItem = z.infer<typeof AwsParameterStoreSyncListItemSchema>;
-
-export type TAwsParameterStoreSyncWithConnection = Omit<TAwsParameterStoreSync, "connection"> & {
-  connection: TAwsConnection;
-};

backend/src/services/secret-sync/aws-parameter-store/index.ts

@@ -1,4 +0,0 @@
-export * from "./aws-parameter-store-sync-constants";
-export * from "./aws-parameter-store-sync-fns";
-export * from "./aws-parameter-store-sync-schemas";
-export * from "./aws-parameter-store-sync-types";

backend/src/services/secret-sync/secret-sync-dal.ts

@@ -1,201 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { TSecretSyncs } from "@app/db/schemas/secret-syncs";
-import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, ormify, selectAllTableCols } from "@app/lib/knex";
-import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
-
-export type TSecretSyncDALFactory = ReturnType<typeof secretSyncDALFactory>;
-
-type SecretSyncFindFilter = Parameters<typeof buildFindFilter<TSecretSyncs>>[0];
-
-const baseSecretSyncQuery = ({ filter, db, tx }: { db: TDbClient; filter?: SecretSyncFindFilter; tx?: Knex }) => {
-  const query = (tx || db.replicaNode())(TableName.SecretSync)
-    .join(TableName.SecretFolder, `${TableName.SecretSync}.folderId`, `${TableName.SecretFolder}.id`)
-    .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
-    .join(TableName.AppConnection, `${TableName.SecretSync}.connectionId`, `${TableName.AppConnection}.id`)
-    .select(selectAllTableCols(TableName.SecretSync))
-    .select(
-      // evironment
-      db.ref("name").withSchema(TableName.Environment).as("envName"),
-      db.ref("id").withSchema(TableName.Environment).as("envId"),
-      db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
-      db.ref("projectId").withSchema(TableName.Environment),
-      // entire connection
-      db.ref("name").withSchema(TableName.AppConnection).as("connectionName"),
-      db.ref("method").withSchema(TableName.AppConnection).as("connectionMethod"),
-      db.ref("app").withSchema(TableName.AppConnection).as("connectionApp"),
-      db.ref("orgId").withSchema(TableName.AppConnection).as("connectionOrgId"),
-      db.ref("encryptedCredentials").withSchema(TableName.AppConnection).as("connectionEncryptedCredentials"),
-      db.ref("description").withSchema(TableName.AppConnection).as("connectionDescription"),
-      db.ref("version").withSchema(TableName.AppConnection).as("connectionVersion"),
-      db.ref("createdAt").withSchema(TableName.AppConnection).as("connectionCreatedAt"),
-      db.ref("updatedAt").withSchema(TableName.AppConnection).as("connectionUpdatedAt")
-    );
-
-  // prepends table name to filter keys to avoid ambiguous col references, skipping utility filters like $in, etc.
-  const prependTableName = (filterObj: object): SecretSyncFindFilter =>
-    Object.fromEntries(
-      Object.entries(filterObj).map(([key, value]) =>
-        key.startsWith("$") ? [key, prependTableName(value as object)] : [`${TableName.SecretSync}.${key}`, value]
-      )
-    );
-
-  if (filter) {
-    /* eslint-disable @typescript-eslint/no-misused-promises */
-    void query.where(buildFindFilter(prependTableName(filter)));
-  }
-
-  return query;
-};
-
-const expandSecretSync = (
-  secretSync: Awaited<ReturnType<typeof baseSecretSyncQuery>>[number],
-  folder: Awaited<ReturnType<TSecretFolderDALFactory["findSecretPathByFolderIds"]>>[number]
-) => {
-  const {
-    envId,
-    envName,
-    envSlug,
-    connectionApp,
-    connectionName,
-    connectionId,
-    connectionOrgId,
-    connectionEncryptedCredentials,
-    connectionMethod,
-    connectionDescription,
-    connectionCreatedAt,
-    connectionUpdatedAt,
-    connectionVersion,
-    ...el
-  } = secretSync;
-
-  return {
-    ...el,
-    connectionId,
-    environment: { id: envId, name: envName, slug: envSlug },
-    connection: {
-      app: connectionApp,
-      id: connectionId,
-      name: connectionName,
-      orgId: connectionOrgId,
-      encryptedCredentials: connectionEncryptedCredentials,
-      method: connectionMethod,
-      description: connectionDescription,
-      createdAt: connectionCreatedAt,
-      updatedAt: connectionUpdatedAt,
-      version: connectionVersion
-    },
-    folder: {
-      id: folder!.id,
-      path: folder!.path
-    }
-  };
-};
-
-export const secretSyncDALFactory = (
-  db: TDbClient,
-  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds">
-) => {
-  const secretSyncOrm = ormify(db, TableName.SecretSync);
-
-  const findById = async (id: string, tx?: Knex) => {
-    try {
-      const secretSync = await baseSecretSyncQuery({
-        filter: { id },
-        db,
-        tx
-      }).first();
-
-      if (secretSync) {
-        // TODO (scott): replace with cached folder path once implemented
-        const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId]);
-        return expandSecretSync(secretSync, folderWithPath);
-      }
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find by ID - Secret Sync" });
-    }
-  };
-
-  const create = async (data: Parameters<(typeof secretSyncOrm)["create"]>[0]) => {
-    try {
-      const secretSync = (await secretSyncOrm.transaction(async (tx) => {
-        const sync = await secretSyncOrm.create(data, tx);
-
-        return baseSecretSyncQuery({
-          filter: { id: sync.id },
-          db,
-          tx
-        }).first();
-      }))!;
-
-      // TODO (scott): replace with cached folder path once implemented
-      const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId]);
-      return expandSecretSync(secretSync, folderWithPath);
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Create - Secret Sync" });
-    }
-  };
-
-  const updateById = async (syncId: string, data: Parameters<(typeof secretSyncOrm)["updateById"]>[1]) => {
-    try {
-      const secretSync = (await secretSyncOrm.transaction(async (tx) => {
-        const sync = await secretSyncOrm.updateById(syncId, data, tx);
-
-        return baseSecretSyncQuery({
-          filter: { id: sync.id },
-          db,
-          tx
-        }).first();
-      }))!;
-
-      // TODO (scott): replace with cached folder path once implemented
-      const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId]);
-      return expandSecretSync(secretSync, folderWithPath);
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Update by ID - Secret Sync" });
-    }
-  };
-
-  const findOne = async (filter: Parameters<(typeof secretSyncOrm)["findOne"]>[0], tx?: Knex) => {
-    try {
-      const secretSync = await baseSecretSyncQuery({ filter, db, tx }).first();
-
-      if (secretSync) {
-        // TODO (scott): replace with cached folder path once implemented
-        const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId]);
-        return expandSecretSync(secretSync, folderWithPath);
-      }
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find One - Secret Sync" });
-    }
-  };
-
-  const find = async (filter: Parameters<(typeof secretSyncOrm)["find"]>[0], tx?: Knex) => {
-    try {
-      const secretSyncs = await baseSecretSyncQuery({ filter, db, tx });
-
-      if (!secretSyncs.length) return [];
-
-      const foldersWithPath = await folderDAL.findSecretPathByFolderIds(
-        secretSyncs[0].projectId,
-        secretSyncs.map((sync) => sync.folderId)
-      );
-
-      // TODO (scott): replace with cached folder path once implemented
-      const folderRecord: Record<string, (typeof foldersWithPath)[number]> = {};
-
-      foldersWithPath.forEach((folder) => {
-        if (folder) folderRecord[folder.id] = folder;
-      });
-
-      return secretSyncs.map((secretSync) => expandSecretSync(secretSync, folderRecord[secretSync.folderId]));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find - Secret Sync" });
-    }
-  };
-
-  return { ...secretSyncOrm, findById, findOne, find, create, updateById };
-};

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -1,3 +0,0 @@
-export enum SecretSync {
-  AWSParameterStore = "aws-parameter-store"
-}

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -1,70 +0,0 @@
-import { BadRequestError } from "@app/lib/errors";
-import {
-  AWS_PARAMETER_STORE_SYNC_LIST_OPTION,
-  AwsParameterStoreSyncFns
-} from "@app/services/secret-sync/aws-parameter-store";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
-import {
-  TSecretMap,
-  TSecretSyncListItem,
-  TSecretSyncWithConnection
-} from "@app/services/secret-sync/secret-sync-types";
-
-const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
-  [SecretSync.AWSParameterStore]: AWS_PARAMETER_STORE_SYNC_LIST_OPTION
-};
-
-export const listSecretSyncOptions = () => {
-  return Object.values(SECRET_SYNC_LIST_OPTIONS).sort((a, b) => a.name.localeCompare(b.name));
-};
-
-const processSyncOptions = (secretSync: TSecretSyncWithConnection, unprocessedSecretMap: TSecretMap) => {
-  let secretMap = { ...unprocessedSecretMap };
-
-  const { appendSuffix, prependPrefix } = secretSync.syncOptions;
-
-  if (appendSuffix || prependPrefix) {
-    secretMap = {};
-    Object.entries(unprocessedSecretMap).forEach(([key, value]) => {
-      secretMap[`${prependPrefix || ""}${key}${appendSuffix || ""}`] = value;
-    });
-  }
-
-  return secretMap;
-};
-
-export const SecretSyncFns = {
-  sync: (secretSync: TSecretSyncWithConnection, unprocessedSecretMap: TSecretMap): Promise<void> => {
-    const secretMap = processSyncOptions(secretSync, unprocessedSecretMap);
-
-    switch (secretSync.destination) {
-      case SecretSync.AWSParameterStore:
-        return AwsParameterStoreSyncFns.sync(secretSync, secretMap);
-      default:
-        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
-        throw new Error(`Unhandled sync destination for push secrets: ${secretSync.destination}`);
-    }
-  },
-  import: (secretSync: TSecretSyncWithConnection): Promise<TSecretMap> => {
-    switch (secretSync.destination) {
-      case SecretSync.AWSParameterStore:
-        return AwsParameterStoreSyncFns.import(secretSync);
-      default:
-        throw new BadRequestError({
-          message: `${SECRET_SYNC_NAME_MAP[secretSync.destination as SecretSync]} Syncs do not support pulling.`
-        });
-    }
-  },
-  erase: (secretSync: TSecretSyncWithConnection, unprocessedSecretMap: TSecretMap): Promise<void> => {
-    const secretMap = processSyncOptions(secretSync, unprocessedSecretMap);
-
-    switch (secretSync.destination) {
-      case SecretSync.AWSParameterStore:
-        return AwsParameterStoreSyncFns.erase(secretSync, secretMap);
-      default:
-        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
-        throw new Error(`Unhandled sync destination for purging secrets: ${secretSync.destination}`);
-    }
-  }
-};

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -1,10 +0,0 @@
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
-  [SecretSync.AWSParameterStore]: "AWS Parameter Store"
-};
-
-export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
-  [SecretSync.AWSParameterStore]: AppConnection.AWS
-};

backend/src/services/secret-sync/secret-sync-queue.ts

@@ -1,809 +0,0 @@
-import opentelemetry from "@opentelemetry/api";
-import { AxiosError } from "axios";
-
-import { ProjectMembershipRole, SecretType } from "@app/db/schemas";
-import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
-import { getConfig } from "@app/lib/config/env";
-import { InternalServerError } from "@app/lib/errors";
-import { logger } from "@app/lib/logger";
-import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
-import { decryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
-import { ActorType } from "@app/services/auth/auth-type";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
-import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
-import { TSecretDALFactory } from "@app/services/secret/secret-dal";
-import { createManySecretsRawFnFactory, updateManySecretsRawFnFactory } from "@app/services/secret/secret-fns";
-import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
-import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version-tag-dal";
-import { TSecretBlindIndexDALFactory } from "@app/services/secret-blind-index/secret-blind-index-dal";
-import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
-import { TSecretImportDALFactory } from "@app/services/secret-import/secret-import-dal";
-import { fnSecretsV2FromImports } from "@app/services/secret-import/secret-import-fns";
-import { TSecretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-import { SecretSyncFns } from "@app/services/secret-sync/secret-sync-fns";
-import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
-import {
-  SecretSyncAction,
-  SecretSyncStatus,
-  TQueueSecretSyncByIdDTO,
-  TQueueSecretSyncEraseByIdDTO,
-  TQueueSecretSyncImportByIdDTO,
-  TQueueSecretSyncsByPathDTO,
-  TQueueSendSecretSyncActionFailedNotificationsDTO,
-  TSecretMap,
-  TSecretSyncDTO,
-  TSecretSyncEraseDTO,
-  TSecretSyncImportDTO,
-  TSecretSyncRaw,
-  TSecretSyncWithConnection,
-  TSendSecretSyncFailedNotificationsJobDTO
-} from "@app/services/secret-sync/secret-sync-types";
-import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
-import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
-import { expandSecretReferencesFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-fns";
-import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
-import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
-import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
-
-export type TSecretSyncQueueFactory = ReturnType<typeof secretSyncQueueFactory>;
-
-type TSecretSyncQueueFactoryDep = {
-  queueService: Pick<TQueueServiceFactory, "queue" | "start">;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-  keyStore: Pick<TKeyStoreFactory, "acquireLock" | "setItemWithExpiry" | "getItem">;
-  folderDAL: TSecretFolderDALFactory;
-  secretV2BridgeDAL: Pick<
-    TSecretV2BridgeDALFactory,
-    | "findByFolderId"
-    | "find"
-    | "insertMany"
-    | "upsertSecretReferences"
-    | "findBySecretKeys"
-    | "bulkUpdate"
-    | "deleteMany"
-  >;
-  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
-  secretSyncDAL: Pick<TSecretSyncDALFactory, "findById" | "find" | "updateById">;
-  auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findAllProjectMembers">;
-  projectDAL: TProjectDALFactory;
-  smtpService: Pick<TSmtpService, "sendMail">;
-  projectBotDAL: TProjectBotDALFactory;
-  secretDAL: TSecretDALFactory;
-  secretVersionDAL: TSecretVersionDALFactory;
-  secretBlindIndexDAL: TSecretBlindIndexDALFactory;
-  secretTagDAL: TSecretTagDALFactory;
-  secretVersionTagDAL: TSecretVersionTagDALFactory;
-  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
-  secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
-};
-
-export const secretSyncQueueFactory = ({
-  queueService,
-  kmsService,
-  keyStore,
-  folderDAL,
-  secretV2BridgeDAL,
-  secretImportDAL,
-  secretSyncDAL,
-  auditLogService,
-  projectMembershipDAL,
-  projectDAL,
-  smtpService,
-  projectBotDAL,
-  secretDAL,
-  secretVersionDAL,
-  secretBlindIndexDAL,
-  secretTagDAL,
-  secretVersionTagDAL,
-  secretVersionV2BridgeDAL,
-  secretVersionTagV2BridgeDAL
-}: TSecretSyncQueueFactoryDep) => {
-  const appCfg = getConfig();
-
-  const integrationMeter = opentelemetry.metrics.getMeter("SecretSyncs");
-  const syncErrorHistogram = integrationMeter.createHistogram("secret_sync_errors", {
-    description: "Secret Sync - sync errors",
-    unit: "1"
-  });
-  const importErrorHistogram = integrationMeter.createHistogram("secret_sync_import_errors", {
-    description: "Secret Sync - import errors",
-    unit: "1"
-  });
-  const eraseErrorHistogram = integrationMeter.createHistogram("secret_sync_erase_errors", {
-    description: "Secret Sync - erase errors",
-    unit: "1"
-  });
-
-  const $createManySecretsRawFn = createManySecretsRawFnFactory({
-    projectDAL,
-    projectBotDAL,
-    secretDAL,
-    secretVersionDAL,
-    secretBlindIndexDAL,
-    secretTagDAL,
-    secretVersionTagDAL,
-    folderDAL,
-    kmsService,
-    secretVersionV2BridgeDAL,
-    secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL
-  });
-
-  const $updateManySecretsRawFn = updateManySecretsRawFnFactory({
-    projectDAL,
-    projectBotDAL,
-    secretDAL,
-    secretVersionDAL,
-    secretBlindIndexDAL,
-    secretTagDAL,
-    secretVersionTagDAL,
-    folderDAL,
-    kmsService,
-    secretVersionV2BridgeDAL,
-    secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL
-  });
-
-  const $getSecrets = async (secretSync: TSecretSyncRaw, includeImports = true) => {
-    const {
-      projectId,
-      folderId,
-      environment: { slug: environmentSlug },
-      folder: { path: secretPath }
-    } = secretSync;
-
-    const secretMap: TSecretMap = {};
-
-    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.SecretManager,
-      projectId
-    });
-
-    const decryptSecretValue = (value?: Buffer | undefined | null) =>
-      value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : "";
-
-    const { expandSecretReferences } = expandSecretReferencesFactory({
-      decryptSecretValue,
-      secretDAL: secretV2BridgeDAL,
-      folderDAL,
-      projectId,
-      canExpandValue: () => true
-    });
-
-    const secrets = await secretV2BridgeDAL.findByFolderId(folderId);
-
-    await Promise.allSettled(
-      secrets.map(async (secret) => {
-        const secretKey = secret.key;
-        const secretValue = decryptSecretValue(secret.encryptedValue);
-        const expandedSecretValue = await expandSecretReferences({
-          environment: environmentSlug,
-          secretPath,
-          skipMultilineEncoding: secret.skipMultilineEncoding,
-          value: secretValue
-        });
-        secretMap[secretKey] = { value: expandedSecretValue || "" };
-
-        if (secret.encryptedComment) {
-          const commentValue = decryptSecretValue(secret.encryptedComment);
-          secretMap[secretKey].comment = commentValue;
-        }
-
-        secretMap[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
-      })
-    );
-
-    if (!includeImports) return secretMap;
-
-    const secretImports = await secretImportDAL.find({ folderId, isReplication: false });
-
-    if (secretImports.length) {
-      const importedSecrets = await fnSecretsV2FromImports({
-        decryptor: decryptSecretValue,
-        folderDAL,
-        secretDAL: secretV2BridgeDAL,
-        expandSecretReferences,
-        secretImportDAL,
-        secretImports,
-        hasSecretAccess: () => true
-      });
-
-      for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {
-        for (let j = 0; j < importedSecrets[i].secrets.length; j += 1) {
-          const importedSecret = importedSecrets[i].secrets[j];
-          if (!secretMap[importedSecret.key]) {
-            secretMap[importedSecret.key] = {
-              skipMultilineEncoding: importedSecret.skipMultilineEncoding,
-              comment: importedSecret.secretComment,
-              value: importedSecret.secretValue || ""
-            };
-          }
-        }
-      }
-    }
-
-    return secretMap;
-  };
-
-  const queueSecretSyncById = async (payload: TQueueSecretSyncByIdDTO) =>
-    queueService.queue(QueueName.AppConnectionSecretSync, QueueJobs.AppConnectionSecretSync, payload, {
-      attempts: 5,
-      delay: 1000,
-      backoff: {
-        type: "exponential",
-        delay: 3000
-      },
-      removeOnComplete: true,
-      removeOnFail: true
-    });
-
-  const queueSecretSyncImportById = async (payload: TQueueSecretSyncImportByIdDTO) =>
-    queueService.queue(QueueName.AppConnectionSecretSync, QueueJobs.AppConnectionSecretSyncImport, payload, {
-      attempts: 5,
-      delay: 1000,
-      backoff: {
-        type: "exponential",
-        delay: 3000
-      },
-      removeOnComplete: true,
-      removeOnFail: true
-    });
-
-  const queueSecretSyncEraseById = async (payload: TQueueSecretSyncEraseByIdDTO) =>
-    queueService.queue(QueueName.AppConnectionSecretSync, QueueJobs.AppConnectionSecretSyncErase, payload, {
-      attempts: 5,
-      delay: 1000,
-      backoff: {
-        type: "exponential",
-        delay: 3000
-      },
-      removeOnComplete: true,
-      removeOnFail: true
-    });
-
-  const $queueSendSecretSyncFailedNotifications = async (payload: TQueueSendSecretSyncActionFailedNotificationsDTO) => {
-    if (!appCfg.isSmtpConfigured) return;
-
-    await queueService.queue(
-      QueueName.AppConnectionSecretSync,
-      QueueJobs.AppConnectionSendSecretSyncActionFailedNotifications,
-      payload,
-      {
-        jobId: `secret-sync-${payload.secretSync.id}-failed-notifications`,
-        attempts: 5,
-        delay: 1000 * 60,
-        backoff: {
-          type: "exponential",
-          delay: 3000
-        },
-        removeOnFail: true,
-        removeOnComplete: true
-      }
-    );
-  };
-
-  const $syncSecrets = async (job: TSecretSyncDTO) => {
-    const {
-      data: { syncId, auditLogInfo }
-    } = job;
-
-    const secretSync = await secretSyncDAL.findById(syncId);
-
-    if (!secretSync) throw new Error(`Cannot find secret sync with ID ${syncId}`);
-
-    logger.info(
-      `SecretSync Sync [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
-    );
-
-    let isSynced = false;
-    let syncMessage: string | null = null;
-    const isFinalAttempt = job.attemptsStarted === job.opts.attempts;
-
-    try {
-      const {
-        connection: { orgId, encryptedCredentials }
-      } = secretSync;
-
-      const credentials = await decryptAppConnectionCredentials({
-        orgId,
-        encryptedCredentials,
-        kmsService
-      });
-
-      const secretMap = await $getSecrets(secretSync);
-
-      await SecretSyncFns.sync(
-        {
-          ...secretSync,
-          connection: {
-            ...secretSync.connection,
-            credentials
-          }
-        } as TSecretSyncWithConnection,
-        secretMap
-      );
-
-      isSynced = true;
-    } catch (err) {
-      logger.error(
-        err,
-        `SecretSync Sync Error [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
-      );
-
-      if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
-        syncErrorHistogram.record(1, {
-          version: 1,
-          destination: secretSync.destination,
-          syncId: secretSync.id,
-          projectId: secretSync.projectId,
-          type: err instanceof AxiosError ? "AxiosError" : err?.constructor?.name || "UnknownError",
-          status: err instanceof AxiosError ? err.response?.status : undefined,
-          name: err instanceof Error ? err.name : undefined
-        });
-      }
-
-      syncMessage =
-        // eslint-disable-next-line no-nested-ternary
-        (err instanceof AxiosError
-          ? err?.response?.data
-            ? JSON.stringify(err?.response?.data)
-            : err?.message
-          : (err as Error)?.message) || "An unknown error occurred.";
-
-      // re-throw so job fails
-      throw err;
-    } finally {
-      const ranAt = new Date();
-      const syncStatus = isSynced ? SecretSyncStatus.Success : SecretSyncStatus.Failed;
-
-      await auditLogService.createAuditLog({
-        projectId: secretSync.projectId,
-        ...(auditLogInfo ?? {
-          actor: {
-            type: ActorType.PLATFORM,
-            metadata: {}
-          }
-        }),
-        event: {
-          type: EventType.SYNC_SECRET_SYNC,
-          metadata: {
-            syncId: secretSync.id,
-            syncOptions: secretSync.syncOptions,
-            environment: secretSync.environment,
-            destination: secretSync.destination,
-            destinationConfig: secretSync.destinationConfig,
-            folderId: secretSync.folderId,
-            connectionId: secretSync.connectionId,
-            jobRanAt: ranAt,
-            jobId: job.id!,
-            syncStatus,
-            syncMessage
-          }
-        }
-      });
-
-      if (isSynced || isFinalAttempt) {
-        const updatedSecretSync = await secretSyncDAL.updateById(secretSync.id, {
-          syncStatus,
-          lastSyncJobId: job.id,
-          lastSyncMessage: syncMessage,
-          lastSyncedAt: isSynced ? ranAt : undefined
-        });
-
-        if (!isSynced) {
-          await $queueSendSecretSyncFailedNotifications({
-            secretSync: updatedSecretSync,
-            action: SecretSyncAction.Sync
-          });
-        }
-      }
-    }
-
-    logger.info("SecretSync Sync Job with ID %s Completed", job.id);
-  };
-
-  const $importSecrets = async (job: TSecretSyncImportDTO) => {
-    const {
-      data: { syncId, auditLogInfo, shouldOverwrite }
-    } = job;
-
-    const secretSync = await secretSyncDAL.findById(syncId);
-
-    if (!secretSync) throw new Error(`Cannot find secret sync with ID ${syncId}`);
-
-    logger.info(
-      `SecretSync Import [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
-    );
-
-    let isImported = false;
-    let importMessage: string | null = null;
-    const isFinalAttempt = job.attemptsStarted === job.opts.attempts;
-
-    try {
-      const {
-        connection: { orgId, encryptedCredentials },
-        projectId,
-        environment
-      } = secretSync;
-
-      const credentials = await decryptAppConnectionCredentials({
-        orgId,
-        encryptedCredentials,
-        kmsService
-      });
-
-      const importedSecrets = await SecretSyncFns.import({
-        ...secretSync,
-        connection: {
-          ...secretSync.connection,
-          credentials
-        }
-      } as TSecretSyncWithConnection);
-
-      if (Object.keys(importedSecrets).length) {
-        const secretMap = await $getSecrets(secretSync, false);
-
-        const secretsToCreate: Parameters<typeof $createManySecretsRawFn>[0]["secrets"] = [];
-        const secretsToUpdate: Parameters<typeof $updateManySecretsRawFn>[0]["secrets"] = [];
-
-        Object.entries(importedSecrets).forEach(([key, { value }]) => {
-          const secret = {
-            secretName: key,
-            secretValue: value,
-            type: SecretType.Shared,
-            secretComment: ""
-          };
-
-          if (Object.hasOwn(secretMap, key)) {
-            secretsToUpdate.push(secret);
-          } else {
-            secretsToCreate.push(secret);
-          }
-        });
-
-        if (secretsToCreate.length) {
-          await $createManySecretsRawFn({
-            projectId,
-            path: secretSync.folder.path,
-            environment: environment.slug,
-            secrets: secretsToCreate
-          });
-        }
-
-        if (shouldOverwrite && secretsToUpdate.length) {
-          await $updateManySecretsRawFn({
-            projectId,
-            path: secretSync.folder.path,
-            environment: environment.slug,
-            secrets: secretsToUpdate
-          });
-        }
-      }
-
-      isImported = true;
-    } catch (err) {
-      logger.error(
-        err,
-        `SecretSync Import Error [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
-      );
-
-      if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
-        importErrorHistogram.record(1, {
-          version: 1,
-          destination: secretSync.destination,
-          syncId: secretSync.id,
-          projectId: secretSync.projectId,
-          type: err instanceof AxiosError ? "AxiosError" : err?.constructor?.name || "UnknownError",
-          status: err instanceof AxiosError ? err.response?.status : undefined,
-          name: err instanceof Error ? err.name : undefined
-        });
-      }
-
-      importMessage =
-        // eslint-disable-next-line no-nested-ternary
-        (err instanceof AxiosError
-          ? err?.response?.data
-            ? JSON.stringify(err?.response?.data)
-            : err?.message
-          : (err as Error)?.message) || "An unknown error occurred.";
-
-      // re-throw so job fails
-      throw err;
-    } finally {
-      const ranAt = new Date();
-      const importStatus = isImported ? SecretSyncStatus.Success : SecretSyncStatus.Failed;
-
-      await auditLogService.createAuditLog({
-        projectId: secretSync.projectId,
-        ...(auditLogInfo ?? {
-          actor: {
-            type: ActorType.PLATFORM,
-            metadata: {}
-          }
-        }),
-        event: {
-          type: EventType.IMPORT_SECRET_SYNC,
-          metadata: {
-            syncId: secretSync.id,
-            syncOptions: secretSync.syncOptions,
-            environment: secretSync.environment,
-            destination: secretSync.destination,
-            destinationConfig: secretSync.destinationConfig,
-            folderId: secretSync.folderId,
-            connectionId: secretSync.connectionId,
-            jobRanAt: ranAt,
-            jobId: job.id!,
-            importStatus,
-            importMessage
-          }
-        }
-      });
-
-      if (isImported || isFinalAttempt) {
-        const updatedSecretSync = await secretSyncDAL.updateById(secretSync.id, {
-          importStatus,
-          lastImportJobId: job.id,
-          lastImportMessage: importMessage,
-          lastImportedAt: isImported ? ranAt : undefined
-        });
-
-        if (!isImported) {
-          await $queueSendSecretSyncFailedNotifications({
-            secretSync: updatedSecretSync,
-            action: SecretSyncAction.Import
-          });
-        }
-      }
-    }
-
-    logger.info("SecretSync Import Job with ID %s Completed", job.id);
-  };
-
-  const $eraseSecrets = async (job: TSecretSyncEraseDTO) => {
-    const {
-      data: { syncId, auditLogInfo }
-    } = job;
-
-    const secretSync = await secretSyncDAL.findById(syncId);
-
-    if (!secretSync) throw new Error(`Cannot find secret sync with ID ${syncId}`);
-
-    logger.info(
-      `SecretSync Erase [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
-    );
-
-    let isErased = false;
-    let eraseMessage: string | null = null;
-    const isFinalAttempt = job.attemptsStarted === job.opts.attempts;
-
-    try {
-      const {
-        connection: { orgId, encryptedCredentials }
-      } = secretSync;
-
-      const credentials = await decryptAppConnectionCredentials({
-        orgId,
-        encryptedCredentials,
-        kmsService
-      });
-
-      const secretMap = await $getSecrets(secretSync);
-
-      await SecretSyncFns.erase(
-        {
-          ...secretSync,
-          connection: {
-            ...secretSync.connection,
-            credentials
-          }
-        } as TSecretSyncWithConnection,
-        secretMap
-      );
-
-      isErased = true;
-    } catch (err) {
-      logger.error(
-        err,
-        `SecretSync Erase Error [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
-      );
-
-      if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
-        eraseErrorHistogram.record(1, {
-          version: 1,
-          destination: secretSync.destination,
-          syncId: secretSync.id,
-          projectId: secretSync.projectId,
-          type: err instanceof AxiosError ? "AxiosError" : err?.constructor?.name || "UnknownError",
-          status: err instanceof AxiosError ? err.response?.status : undefined,
-          name: err instanceof Error ? err.name : undefined
-        });
-      }
-
-      eraseMessage =
-        // eslint-disable-next-line no-nested-ternary
-        (err instanceof AxiosError
-          ? err?.response?.data
-            ? JSON.stringify(err?.response?.data)
-            : err?.message
-          : (err as Error)?.message) || "An unknown error occurred.";
-
-      // re-throw so job fails
-      throw err;
-    } finally {
-      const ranAt = new Date();
-      const eraseStatus = isErased ? SecretSyncStatus.Success : SecretSyncStatus.Failed;
-
-      await auditLogService.createAuditLog({
-        projectId: secretSync.projectId,
-        ...(auditLogInfo ?? {
-          actor: {
-            type: ActorType.PLATFORM,
-            metadata: {}
-          }
-        }),
-        event: {
-          type: EventType.ERASE_SECRET_SYNC,
-          metadata: {
-            syncId: secretSync.id,
-            syncOptions: secretSync.syncOptions,
-            environment: secretSync.environment,
-            destination: secretSync.destination,
-            destinationConfig: secretSync.destinationConfig,
-            folderId: secretSync.folderId,
-            connectionId: secretSync.connectionId,
-            jobRanAt: ranAt,
-            jobId: job.id!,
-            eraseStatus,
-            eraseMessage
-          }
-        }
-      });
-
-      if (isErased || isFinalAttempt) {
-        const updatedSecretSync = await secretSyncDAL.updateById(secretSync.id, {
-          eraseStatus,
-          lastEraseJobId: job.id,
-          lastEraseMessage: eraseMessage,
-          lastErasedAt: isErased ? ranAt : undefined
-        });
-
-        if (!isErased) {
-          await $queueSendSecretSyncFailedNotifications({
-            secretSync: updatedSecretSync,
-            action: SecretSyncAction.Erase
-          });
-        }
-      }
-    }
-
-    logger.info("SecretSync Erase Job with ID %s Completed", job.id);
-  };
-
-  const $sendSecretSyncFailedNotifications = async (job: TSendSecretSyncFailedNotificationsJobDTO) => {
-    const {
-      data: { secretSync, auditLogInfo, action }
-    } = job;
-
-    const { projectId, destination, name, folder, lastSyncMessage, lastEraseMessage, lastImportMessage, environment } =
-      secretSync;
-
-    const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
-    const project = await projectDAL.findById(projectId);
-
-    let projectAdmins = projectMembers.filter((member) =>
-      member.roles.some((role) => role.role === ProjectMembershipRole.Admin)
-    );
-
-    const triggeredByUserId =
-      auditLogInfo && auditLogInfo.actor.type === ActorType.USER && auditLogInfo.actor.metadata.userId;
-
-    // only notify triggering user if triggered by admin
-    if (triggeredByUserId && projectAdmins.map((admin) => admin.userId).includes(triggeredByUserId)) {
-      projectAdmins = projectAdmins.filter((admin) => admin.userId === triggeredByUserId);
-    }
-
-    const syncDestination = SECRET_SYNC_NAME_MAP[destination as SecretSync];
-
-    let subject: string;
-    let failureMessage: string | null | undefined;
-    let content: string;
-
-    switch (action) {
-      case SecretSyncAction.Import:
-        subject = "Import";
-        failureMessage = lastImportMessage;
-        content = `Your ${syncDestination} Sync named "${name}" failed while attempting to import secrets.`;
-        break;
-      case SecretSyncAction.Erase:
-        subject = "Erase";
-        failureMessage = lastEraseMessage;
-        content = `Your ${syncDestination} Sync named "${name}" failed while attempting to erase secrets.`;
-        break;
-      case SecretSyncAction.Sync:
-      default:
-        subject = `Sync`;
-        failureMessage = lastSyncMessage;
-        content = `Your ${syncDestination} Sync named "${name}" failed to sync.`;
-        break;
-    }
-
-    await smtpService.sendMail({
-      recipients: projectAdmins.map((member) => member.user.email!).filter(Boolean),
-      template: SmtpTemplates.SecretSyncFailed,
-      subjectLine: `Secret Sync Failed to ${subject} Secrets`,
-      substitutions: {
-        syncName: name,
-        syncDestination,
-        content,
-        failureMessage,
-        secretPath: folder.path,
-        environment: environment.name,
-        projectName: project.name,
-        // TODO (scott): verify this is still the URL after bare react change
-        syncUrl: `${appCfg.SITE_URL}/integrations/secret-syncs/${destination}/${secretSync.id}`
-      }
-    });
-  };
-
-  const queueSecretSyncsByPath = async ({ secretPath, projectId, environmentSlug }: TQueueSecretSyncsByPathDTO) => {
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, secretPath);
-
-    if (!folder)
-      throw new Error(
-        `Could not find folder at path "${secretPath}" for environment with slug "${environmentSlug}" in project with ID "${projectId}"`
-      );
-
-    const secretSyncs = await secretSyncDAL.find({ folderId: folder.id, isEnabled: true });
-
-    await Promise.all(secretSyncs.map((secretSync) => queueSecretSyncById({ syncId: secretSync.id })));
-  };
-
-  queueService.start(QueueName.AppConnectionSecretSync, async (job) => {
-    if (job.name === QueueJobs.AppConnectionSendSecretSyncActionFailedNotifications) {
-      await $sendSecretSyncFailedNotifications(job as TSendSecretSyncFailedNotificationsJobDTO);
-      return;
-    }
-
-    const { syncId } = job.data as
-      | TQueueSecretSyncByIdDTO
-      | TQueueSecretSyncImportByIdDTO
-      | TQueueSecretSyncEraseByIdDTO;
-
-    const lock = await keyStore.acquireLock([KeyStorePrefixes.SecretSyncLock(syncId)], 5 * 60 * 1000);
-
-    try {
-      switch (job.name) {
-        case QueueJobs.AppConnectionSecretSync:
-          await $syncSecrets(job as TSecretSyncDTO);
-          break;
-        case QueueJobs.AppConnectionSecretSyncImport:
-          await $importSecrets(job as TSecretSyncImportDTO);
-          break;
-        case QueueJobs.AppConnectionSecretSyncErase:
-          await $eraseSecrets(job as TSecretSyncEraseDTO);
-          break;
-        default:
-          throw new InternalServerError({
-            // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
-            message: `Unhandled Secret Sync Job ${job.name}`
-          });
-      }
-    } finally {
-      await lock.release();
-    }
-  });
-
-  return {
-    queueSecretSyncById,
-    queueSecretSyncImportById,
-    queueSecretSyncEraseById,
-    queueSecretSyncsByPath
-  };
-};

backend/src/services/secret-sync/secret-sync-schemas.ts

@@ -1,65 +0,0 @@
-import { z } from "zod";
-
-import { SecretSyncsSchema } from "@app/db/schemas/secret-syncs";
-import { SecretSyncs } from "@app/lib/api-docs";
-import { slugSchema } from "@app/server/lib/schemas";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-const SyncOptionsSchema = z.object({
-  prependPrefix: z
-    .string()
-    .trim()
-    .transform((str) => str.toUpperCase())
-    .optional()
-    .describe(SecretSyncs.SYNC_OPTIONS.PREPEND_PREFIX),
-  appendSuffix: z
-    .string()
-    .trim()
-    .transform((str) => str.toUpperCase())
-    .optional()
-    .describe(SecretSyncs.SYNC_OPTIONS.APPEND_SUFFIX)
-});
-
-export const BaseSecretSyncSchema = (app: AppConnection) =>
-  SecretSyncsSchema.omit({
-    destination: true,
-    destinationConfig: true,
-    syncOptions: true
-  }).extend({
-    syncOptions: SyncOptionsSchema,
-    // join properties
-    projectId: z.string(),
-    connection: z.object({ app: z.literal(app), name: z.string(), id: z.string().uuid() }),
-    environment: z.object({ slug: z.string(), name: z.string(), id: z.string().uuid() }),
-    folder: z.object({ id: z.string(), path: z.string() })
-  });
-
-export const GenericCreateSecretSyncFieldsSchema = (sync: SecretSync) =>
-  z.object({
-    name: slugSchema({ field: "name" }).describe(SecretSyncs.CREATE(sync).name),
-    description: z
-      .string()
-      .trim()
-      .max(256, "Description cannot exceed 256 characters")
-      .nullish()
-      .describe(SecretSyncs.CREATE(sync).description),
-    connectionId: z.string().uuid().describe(SecretSyncs.CREATE(sync).connectionId),
-    folderId: z.string().uuid().describe(SecretSyncs.CREATE(sync).folderId),
-    isEnabled: z.boolean().default(true).describe(SecretSyncs.CREATE(sync).isEnabled),
-    syncOptions: SyncOptionsSchema.optional().default({}).describe(SecretSyncs.CREATE(sync).syncOptions)
-  });
-
-export const GenericUpdateSecretSyncFieldsSchema = (sync: SecretSync) =>
-  z.object({
-    name: slugSchema({ field: "name" }).describe(SecretSyncs.UPDATE(sync).name).optional(),
-    description: z
-      .string()
-      .trim()
-      .max(256, "Description cannot exceed 256 characters")
-      .nullish()
-      .describe(SecretSyncs.UPDATE(sync).description),
-    folderId: z.string().uuid().optional().describe(SecretSyncs.UPDATE(sync).folderId),
-    isEnabled: z.boolean().optional().describe(SecretSyncs.UPDATE(sync).isEnabled),
-    syncOptions: SyncOptionsSchema.optional().describe(SecretSyncs.UPDATE(sync).syncOptions)
-  });

backend/src/services/secret-sync/secret-sync-service.ts

@@ -1,472 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-
-import { ProjectType } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { startsWithVowel } from "@app/lib/fn";
-import { OrgServiceActor } from "@app/lib/types";
-import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
-import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
-import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
-import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
-import { listSecretSyncOptions } from "@app/services/secret-sync/secret-sync-fns";
-import {
-  TCreateSecretSyncDTO,
-  TDeleteSecretSyncDTO,
-  TFindSecretSyncByIdDTO,
-  TFindSecretSyncByNameDTO,
-  TListSecretSyncsByProjectId,
-  TSecretSync,
-  TTriggerSecretSyncByIdDTO,
-  TTriggerSecretSyncEraseByIdDTO,
-  TTriggerSecretSyncImportByIdDTO,
-  TUpdateSecretSyncDTO
-} from "@app/services/secret-sync/secret-sync-types";
-
-import { TSecretSyncDALFactory } from "./secret-sync-dal";
-import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "./secret-sync-maps";
-import { TSecretSyncQueueFactory } from "./secret-sync-queue";
-
-type TSecretSyncServiceFactoryDep = {
-  secretSyncDAL: TSecretSyncDALFactory;
-  appConnectionService: Pick<TAppConnectionServiceFactory, "connectAppConnectionById">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
-  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findByProjectId" | "findById">;
-  keyStore: Pick<TKeyStoreFactory, "getItem">;
-  secretSyncQueue: Pick<
-    TSecretSyncQueueFactory,
-    "queueSecretSyncById" | "queueSecretSyncImportById" | "queueSecretSyncEraseById"
-  >;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">; // TODO: remove once launched
-};
-
-export type TSecretSyncServiceFactory = ReturnType<typeof secretSyncServiceFactory>;
-
-export const secretSyncServiceFactory = ({
-  secretSyncDAL,
-  folderDAL,
-  licenseService,
-  permissionService,
-  appConnectionService,
-  projectBotService,
-  secretSyncQueue,
-  keyStore
-}: TSecretSyncServiceFactoryDep) => {
-  // secret syncs are disabled for public until launch
-  const checkSecretSyncAvailability = async (orgId: string) => {
-    const subscription = await licenseService.getPlan(orgId);
-
-    if (!subscription.appConnections) throw new BadRequestError({ message: "Secret Syncs are not available yet." });
-  };
-
-  const listSecretSyncsByProjectId = async (
-    { projectId, destination }: TListSecretSyncsByProjectId,
-    actor: OrgServiceActor
-  ) => {
-    await checkSecretSyncAvailability(actor.orgId);
-
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
-
-    const folders = await folderDAL.findByProjectId(projectId);
-
-    const secretSyncs = await secretSyncDAL.find({
-      ...(destination && { destination }),
-      $in: {
-        folderId: folders.map((folder) => folder.id)
-      }
-    });
-
-    return secretSyncs as TSecretSync[];
-  };
-
-  const findSecretSyncById = async ({ destination, syncId }: TFindSecretSyncByIdDTO, actor: OrgServiceActor) => {
-    await checkSecretSyncAvailability(actor.orgId);
-
-    const secretSync = await secretSyncDAL.findById(syncId);
-
-    if (!secretSync)
-      throw new NotFoundError({
-        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID "${syncId}"`
-      });
-
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      secretSync.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
-
-    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
-      throw new BadRequestError({
-        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
-      });
-
-    return secretSync as TSecretSync;
-  };
-
-  const findSecretSyncByName = async (
-    { destination, syncName, projectId }: TFindSecretSyncByNameDTO,
-    actor: OrgServiceActor
-  ) => {
-    await checkSecretSyncAvailability(actor.orgId);
-
-    const folders = await folderDAL.findByProjectId(projectId);
-
-    // we prevent conflicting names within a project so this will only return one at most
-    const [secretSync] = await secretSyncDAL.find({
-      name: syncName,
-      $in: {
-        folderId: folders.map((folder) => folder.id)
-      }
-    });
-
-    if (!secretSync)
-      throw new NotFoundError({
-        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with name "${syncName}"`
-      });
-
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      secretSync.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
-
-    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
-      throw new BadRequestError({
-        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
-      });
-
-    return secretSync as TSecretSync;
-  };
-
-  const createSecretSync = async (params: TCreateSecretSyncDTO, actor: OrgServiceActor) => {
-    await checkSecretSyncAvailability(actor.orgId);
-
-    const folder = await folderDAL.findById(params.folderId);
-
-    if (!folder) throw new BadRequestError({ message: `Could not find Folder with ID "${params.folderId}"` });
-
-    const { permission: projectPermission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      folder.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(folder.projectId);
-
-    if (!shouldUseSecretV2Bridge)
-      throw new BadRequestError({ message: "Project version does not support Secret Syncs" });
-
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
-
-    ForbiddenError.from(projectPermission).throwUnlessCan(
-      ProjectPermissionActions.Create,
-      ProjectPermissionSub.SecretSyncs
-    );
-
-    const appConnection = await appConnectionService.connectAppConnectionById(params.connectionId, actor);
-
-    const destinationApp = SECRET_SYNC_CONNECTION_MAP[params.destination];
-
-    if (appConnection.app !== destinationApp) {
-      const appName = APP_CONNECTION_NAME_MAP[appConnection.app];
-      throw new BadRequestError({
-        message: `Invalid App Connection - Cannot sync to ${SECRET_SYNC_NAME_MAP[params.destination]} using ${
-          startsWithVowel(appName) ? "an" : "a"
-        } ${appName} Connection`
-      });
-    }
-
-    const projectFolders = await folderDAL.findByProjectId(folder.projectId);
-
-    const secretSync = await secretSyncDAL.transaction(async (tx) => {
-      const isConflictingName = Boolean(
-        (
-          await secretSyncDAL.find(
-            {
-              name: params.name,
-              $in: {
-                folderId: projectFolders.map((f) => f.id)
-              }
-            },
-            tx
-          )
-        ).length
-      );
-
-      if (isConflictingName)
-        throw new BadRequestError({
-          message: `A Secret Sync with the name "${params.name}" already exists for the project with ID "${folder.projectId}"`
-        });
-
-      const sync = await secretSyncDAL.create(params);
-
-      return sync;
-    });
-
-    if (secretSync.isEnabled) await secretSyncQueue.queueSecretSyncById({ syncId: secretSync.id });
-
-    return secretSync as TSecretSync;
-  };
-
-  const updateSecretSync = async ({ destination, syncId, ...params }: TUpdateSecretSyncDTO, actor: OrgServiceActor) => {
-    await checkSecretSyncAvailability(actor.orgId);
-
-    const secretSync = await secretSyncDAL.findById(syncId);
-
-    if (!secretSync)
-      throw new NotFoundError({
-        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID ${syncId}`
-      });
-
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      secretSync.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretSyncs);
-
-    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
-      throw new BadRequestError({
-        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
-      });
-
-    const updatedSecretSync = await secretSyncDAL.transaction(async (tx) => {
-      if (params.folderId) {
-        const newFolder = await folderDAL.findById(params.folderId);
-
-        if (!newFolder) throw new BadRequestError({ message: `Could not find folder with ID "${params.folderId}"` });
-
-        // TODO (scott): I don't think there's a reason we can't allow moving syncs across projects
-        //  but not supporting this initially
-        if (newFolder.projectId !== secretSync.projectId)
-          throw new BadRequestError({
-            message: `Cannot move Secret Sync to different project`
-          });
-      }
-
-      if (params.name && secretSync.name !== params.name) {
-        const projectFolders = await folderDAL.findByProjectId(secretSync.projectId);
-
-        const isConflictingName = Boolean(
-          (
-            await secretSyncDAL.find(
-              {
-                name: params.name,
-                $in: {
-                  folderId: projectFolders.map((f) => f.id)
-                }
-              },
-              tx
-            )
-          ).length
-        );
-
-        if (isConflictingName)
-          throw new BadRequestError({
-            message: `A Secret Sync with the name "${params.name}" already exists for project with ID "${secretSync.projectId}"`
-          });
-      }
-
-      const updatedSync = await secretSyncDAL.updateById(syncId, params);
-
-      return updatedSync;
-    });
-
-    if (updatedSecretSync.isEnabled) await secretSyncQueue.queueSecretSyncById({ syncId: secretSync.id });
-
-    return updatedSecretSync as TSecretSync;
-  };
-
-  const deleteSecretSync = async ({ destination, syncId }: TDeleteSecretSyncDTO, actor: OrgServiceActor) => {
-    await checkSecretSyncAvailability(actor.orgId);
-
-    const secretSync = await secretSyncDAL.findById(syncId);
-
-    if (!secretSync)
-      throw new NotFoundError({
-        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID "${syncId}"`
-      });
-
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      secretSync.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.SecretSyncs);
-
-    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
-      throw new BadRequestError({
-        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
-      });
-
-    await secretSyncDAL.deleteById(syncId);
-
-    return secretSync as TSecretSync;
-  };
-
-  const triggerSecretSyncById = async (
-    { syncId, destination, ...params }: TTriggerSecretSyncByIdDTO,
-    actor: OrgServiceActor
-  ) => {
-    await checkSecretSyncAvailability(actor.orgId);
-
-    const secretSync = await secretSyncDAL.findById(syncId);
-
-    if (!secretSync)
-      throw new NotFoundError({
-        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID "${syncId}"`
-      });
-
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      secretSync.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
-
-    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
-      throw new BadRequestError({
-        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
-      });
-
-    await secretSyncQueue.queueSecretSyncById({ syncId, ...params });
-
-    return secretSync as TSecretSync;
-  };
-
-  const triggerSecretSyncImportById = async (
-    { syncId, destination, ...params }: TTriggerSecretSyncImportByIdDTO,
-    actor: OrgServiceActor
-  ) => {
-    await checkSecretSyncAvailability(actor.orgId);
-
-    const secretSync = await secretSyncDAL.findById(syncId);
-
-    if (!secretSync)
-      throw new NotFoundError({
-        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID "${syncId}"`
-      });
-
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      secretSync.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
-
-    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
-      throw new BadRequestError({
-        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
-      });
-
-    const isSyncJobRunning = Boolean(await keyStore.getItem(KeyStorePrefixes.SecretSyncLock(syncId)));
-
-    if (isSyncJobRunning)
-      throw new BadRequestError({ message: `A job for this sync is already in progress. Please try again shortly.` });
-
-    await secretSyncQueue.queueSecretSyncImportById({ syncId, ...params });
-
-    return secretSync as TSecretSync;
-  };
-
-  const triggerSecretSyncEraseById = async (
-    { syncId, destination, ...params }: TTriggerSecretSyncEraseByIdDTO,
-    actor: OrgServiceActor
-  ) => {
-    await checkSecretSyncAvailability(actor.orgId);
-
-    const secretSync = await secretSyncDAL.findById(syncId);
-
-    if (!secretSync)
-      throw new NotFoundError({
-        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID "${syncId}"`
-      });
-
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      secretSync.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
-
-    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
-      throw new BadRequestError({
-        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
-      });
-
-    const isSyncJobRunning = Boolean(await keyStore.getItem(KeyStorePrefixes.SecretSyncLock(syncId)));
-
-    if (isSyncJobRunning)
-      throw new BadRequestError({ message: `A job for this sync is already in progress. Please try again shortly.` });
-
-    await secretSyncQueue.queueSecretSyncEraseById({ syncId, ...params });
-
-    return secretSync as TSecretSync;
-  };
-
-  return {
-    listSecretSyncOptions,
-    listSecretSyncsByProjectId,
-    findSecretSyncById,
-    findSecretSyncByName,
-    createSecretSync,
-    updateSecretSync,
-    deleteSecretSync,
-    triggerSecretSyncById,
-    triggerSecretSyncImportById,
-    triggerSecretSyncEraseById
-  };
-};

backend/src/services/secret-sync/secret-sync-types.ts

@@ -1,131 +0,0 @@
-import { Job } from "bullmq";
-
-import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
-import { QueueJobs } from "@app/queue";
-import { TSecretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-import {
-  TAwsParameterStoreSync,
-  TAwsParameterStoreSyncInput,
-  TAwsParameterStoreSyncListItem,
-  TAwsParameterStoreSyncWithConnection
-} from "./aws-parameter-store";
-
-export type TSecretSync = TAwsParameterStoreSync;
-
-export type TSecretSyncWithConnection = TAwsParameterStoreSyncWithConnection;
-
-export type TSecretSyncInput = TAwsParameterStoreSyncInput;
-
-export type TSecretSyncListItem = TAwsParameterStoreSyncListItem;
-
-export type TListSecretSyncsByProjectId = {
-  projectId: string;
-  destination?: SecretSync;
-};
-
-export type TFindSecretSyncByIdDTO = {
-  syncId: string;
-  destination: SecretSync;
-};
-
-export type TFindSecretSyncByNameDTO = {
-  syncName: string;
-  projectId: string;
-  destination: SecretSync;
-};
-
-export type TCreateSecretSyncDTO = Pick<
-  TSecretSync,
-  "syncOptions" | "destinationConfig" | "folderId" | "name" | "connectionId"
-> & { destination: SecretSync };
-
-export type TUpdateSecretSyncDTO = Partial<Omit<TCreateSecretSyncDTO, "connectionId">> & {
-  syncId: string;
-  destination: SecretSync;
-};
-
-export type TDeleteSecretSyncDTO = {
-  destination: SecretSync;
-  syncId: string;
-};
-
-type AuditLogInfo = Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
-
-export enum SecretSyncStatus {
-  Pending = "pending",
-  Success = "success",
-  Failed = "failed"
-}
-
-export enum SecretSyncAction {
-  Sync = "sync",
-  Import = "import",
-  Erase = "erase"
-}
-
-export type TSecretSyncRaw = NonNullable<Awaited<ReturnType<TSecretSyncDALFactory["findById"]>>>;
-
-export type TQueueSecretSyncsByPathDTO = {
-  secretPath: string;
-  environmentSlug: string;
-  projectId: string;
-};
-
-export type TQueueSecretSyncByIdDTO = {
-  syncId: string;
-  auditLogInfo?: AuditLogInfo;
-};
-
-export type TTriggerSecretSyncByIdDTO = {
-  destination: SecretSync;
-} & TQueueSecretSyncByIdDTO;
-
-export type TQueueSecretSyncImportByIdDTO = {
-  syncId: string;
-  shouldOverwrite: boolean;
-  auditLogInfo?: AuditLogInfo;
-};
-
-export type TTriggerSecretSyncImportByIdDTO = {
-  destination: SecretSync;
-} & TQueueSecretSyncImportByIdDTO;
-
-export type TQueueSecretSyncEraseByIdDTO = {
-  syncId: string;
-  auditLogInfo?: AuditLogInfo;
-};
-
-export type TTriggerSecretSyncEraseByIdDTO = {
-  destination: SecretSync;
-} & TQueueSecretSyncEraseByIdDTO;
-
-export type TQueueSendSecretSyncActionFailedNotificationsDTO = {
-  secretSync: TSecretSyncRaw;
-  auditLogInfo?: AuditLogInfo;
-  action: SecretSyncAction;
-};
-
-export type TSecretSyncDTO = Job<TQueueSecretSyncByIdDTO, void, QueueJobs.AppConnectionSecretSync>;
-export type TSecretSyncImportDTO = Job<TQueueSecretSyncImportByIdDTO, void, QueueJobs.AppConnectionSecretSync>;
-export type TSecretSyncEraseDTO = Job<TQueueSecretSyncEraseByIdDTO, void, QueueJobs.AppConnectionSecretSync>;
-
-export type TSendSecretSyncFailedNotificationsJobDTO = Job<
-  TQueueSendSecretSyncActionFailedNotificationsDTO,
-  void,
-  QueueJobs.AppConnectionSendSecretSyncActionFailedNotifications
->;
-
-export type TSecretMap = Record<
-  string,
-  { value: string; comment?: string; skipMultilineEncoding?: boolean | null | undefined }
->;
-
-export type TSecretSyncGetSecrets = {
-  projectId: string;
-  folderId: string;
-  secretPath: string;
-  environmentSlug: string;
-  includeImports?: boolean;
-};

backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts

@@ -78,6 +78,12 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
           `${TableName.SecretTag}.id`
         )
+        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
+        .select(
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+        )
         .select(selectAllTableCols(TableName.SecretV2))
         .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
         .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
@@ -103,6 +109,15 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
               slug,
               name: slug
             })
+          },
+          {
+            key: "metadataId",
+            label: "secretMetadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });
@@ -221,7 +236,9 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
       const secs = await (tx || db.replicaNode())(TableName.SecretV2)
         .where({ folderId })
         .where((bd) => {
-          void bd.whereNull("userId").orWhere({ userId: userId || null });
+          void bd
+            .whereNull(`${TableName.SecretV2}.userId`)
+            .orWhere({ [`${TableName.SecretV2}.userId` as "userId"]: userId || null });
         })
         .leftJoin(
           TableName.SecretV2JnTag,
@@ -233,10 +250,16 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
           `${TableName.SecretTag}.id`
         )
+        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(selectAllTableCols(TableName.SecretV2))
         .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
         .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
         .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
+        .select(
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+        )
         .orderBy("id", "asc");
 
       const data = sqlNestRelationships({
@@ -253,6 +276,15 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
               slug,
               name: slug
             })
+          },
+          {
+            key: "metadataId",
+            label: "secretMetadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });
@@ -367,7 +399,9 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           }
         })
         .where((bd) => {
-          void bd.whereNull(`${TableName.SecretV2}.userId`).orWhere({ userId: userId || null });
+          void bd
+            .whereNull(`${TableName.SecretV2}.userId`)
+            .orWhere({ [`${TableName.SecretV2}.userId` as "userId"]: userId || null });
         })
         .leftJoin(
           TableName.SecretV2JnTag,
@@ -379,13 +413,23 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
           `${TableName.SecretTag}.id`
         )
+        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(
           selectAllTableCols(TableName.SecretV2),
-          db.raw(`DENSE_RANK() OVER (ORDER BY "key" ${filters?.orderDirection ?? OrderByDirection.ASC}) as rank`)
+          db.raw(
+            `DENSE_RANK() OVER (ORDER BY "${TableName.SecretV2}".key ${
+              filters?.orderDirection ?? OrderByDirection.ASC
+            }) as rank`
+          )
         )
         .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
         .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
         .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
+        .select(
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+        )
         .where((bd) => {
           const slugs = filters?.tagSlugs?.filter(Boolean);
           if (slugs && slugs.length > 0) {
@@ -425,6 +469,15 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
               slug,
               name: slug
             })
+          },
+          {
+            key: "metadataId",
+            label: "secretMetadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });
@@ -545,10 +598,17 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
           `${TableName.SecretTag}.id`
         )
+        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(selectAllTableCols(TableName.SecretV2))
         .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
         .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
-        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"));
+        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
+        .select(
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+        );
+
       const docs = sqlNestRelationships({
         data: rawDocs,
         key: "id",
@@ -563,6 +623,15 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
               slug,
               name: slug
             })
+          },
+          {
+            key: "metadataId",
+            label: "secretMetadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -6,6 +6,7 @@ import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import { TFnSecretBulkDelete, TFnSecretBulkInsert, TFnSecretBulkUpdate } from "./secret-v2-bridge-types";
@@ -54,9 +55,11 @@ export const getAllSecretReferences = (maybeSecretReference: string) => {
 export const fnSecretBulkInsert = async ({
   // TODO: Pick types here
   folderId,
+  orgId,
   inputSecrets,
   secretDAL,
   secretVersionDAL,
+  resourceMetadataDAL,
   secretTagDAL,
   secretVersionTagDAL,
   tx
@@ -91,6 +94,7 @@ export const fnSecretBulkInsert = async ({
     sanitizedInputSecrets.map((el) => ({ ...el, folderId })),
     tx
   );
+
   const newSecretGroupedByKeyName = groupBy(newSecrets, (item) => item.key);
   const newSecretTags = inputSecrets.flatMap(({ tagIds: secretTags = [], key }) =>
     secretTags.map((tag) => ({
@@ -106,6 +110,7 @@ export const fnSecretBulkInsert = async ({
     })),
     tx
   );
+
   await secretDAL.upsertSecretReferences(
     inputSecrets.map(({ references = [], key }) => ({
       secretId: newSecretGroupedByKeyName[key][0].id,
@@ -113,6 +118,22 @@ export const fnSecretBulkInsert = async ({
     })),
     tx
   );
+
+  await resourceMetadataDAL.insertMany(
+    inputSecrets.flatMap(({ key: secretKey, secretMetadata }) => {
+      if (secretMetadata) {
+        return secretMetadata.map(({ key, value }) => ({
+          key,
+          value,
+          secretId: newSecretGroupedByKeyName[secretKey][0].id,
+          orgId
+        }));
+      }
+      return [];
+    }),
+    tx
+  );
+
   if (newSecretTags.length) {
     const secTags = await secretTagDAL.saveTagsToSecretV2(newSecretTags, tx);
     const secVersionsGroupBySecId = groupBy(secretVersions, (i) => i.secretId);
@@ -120,6 +141,7 @@ export const fnSecretBulkInsert = async ({
       [`${TableName.SecretVersionV2}Id` as const]: secVersionsGroupBySecId[secrets_v2Id][0].id,
       [`${TableName.SecretTag}Id` as const]: secret_tagsId
     }));
+
     await secretVersionTagDAL.insertMany(newSecretVersionTags, tx);
   }
 
@@ -130,10 +152,12 @@ export const fnSecretBulkUpdate = async ({
   tx,
   inputSecrets,
   folderId,
+  orgId,
   secretDAL,
   secretVersionDAL,
   secretTagDAL,
-  secretVersionTagDAL
+  secretVersionTagDAL,
+  resourceMetadataDAL
 }: TFnSecretBulkUpdate) => {
   const sanitizedInputSecrets = inputSecrets.map(
     ({
@@ -231,6 +255,34 @@ export const fnSecretBulkUpdate = async ({
     }
   }
 
+  const inputSecretIdsWithMetadata = inputSecrets
+    .filter((sec) => Boolean(sec.data.secretMetadata))
+    .map((sec) => sec.filter.id);
+
+  await resourceMetadataDAL.delete(
+    {
+      $in: {
+        secretId: inputSecretIdsWithMetadata
+      }
+    },
+    tx
+  );
+
+  await resourceMetadataDAL.insertMany(
+    inputSecrets.flatMap(({ filter: { id }, data: { secretMetadata } }) => {
+      if (secretMetadata) {
+        return secretMetadata.map(({ key, value }) => ({
+          key,
+          value,
+          secretId: id,
+          orgId
+        }));
+      }
+      return [];
+    }),
+    tx
+  );
+
   return newSecrets.map((secret) => ({ ...secret, _id: secret.id }));
 };
 
@@ -570,6 +622,7 @@ export const reshapeBridgeSecret = (
       color?: string | null;
       name: string;
     }[];
+    secretMetadata?: ResourceMetadataDTO;
   }
 ) => ({
   secretKey: secret.key,
@@ -588,6 +641,7 @@ export const reshapeBridgeSecret = (
   secretReminderRepeatDays: secret.reminderRepeatDays,
   secretReminderNote: secret.reminderNote,
   metadata: secret.metadata,
+  secretMetadata: secret.secretMetadata,
   createdAt: secret.createdAt,
   updatedAt: secret.updatedAt
 });

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -18,6 +18,7 @@ import { ActorType } from "../auth/auth-type";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
@@ -74,6 +75,7 @@ type TSecretV2BridgeServiceFactoryDep = {
     "insertV2Bridge" | "insertApprovalSecretV2Tags"
   >;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TSecretV2BridgeServiceFactory = ReturnType<typeof secretV2BridgeServiceFactory>;
@@ -95,7 +97,8 @@ export const secretV2BridgeServiceFactory = ({
   secretApprovalPolicyService,
   secretApprovalRequestDAL,
   secretApprovalRequestSecretDAL,
-  kmsService
+  kmsService,
+  resourceMetadataDAL
 }: TSecretV2BridgeServiceFactoryDep) => {
   const $validateSecretReferences = async (
     projectId: string,
@@ -141,7 +144,7 @@ export const secretV2BridgeServiceFactory = ({
               },
               {
                 operator: "eq",
-                field: "key",
+                field: `${TableName.SecretV2}.key` as "key",
                 value: el.secretKey
               }
             ]
@@ -186,6 +189,7 @@ export const secretV2BridgeServiceFactory = ({
     actorAuthMethod,
     projectId,
     secretPath,
+    secretMetadata,
     ...inputSecret
   }: TCreateSecretDTO) => {
     const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
@@ -255,6 +259,7 @@ export const secretV2BridgeServiceFactory = ({
     const secret = await secretDAL.transaction((tx) =>
       fnSecretBulkInsert({
         folderId,
+        orgId: actorOrgId,
         inputSecrets: [
           {
             version: 1,
@@ -272,9 +277,11 @@ export const secretV2BridgeServiceFactory = ({
             key: secretName,
             userId: inputSecret.type === SecretType.Personal ? actorId : null,
             tagIds: inputSecret.tagIds,
-            references: nestedReferences
+            references: nestedReferences,
+            secretMetadata
           }
         ],
+        resourceMetadataDAL,
         secretDAL,
         secretVersionDAL,
         secretTagDAL,
@@ -287,6 +294,7 @@ export const secretV2BridgeServiceFactory = ({
       await snapshotService.performSnapshot(folderId);
       await secretQueueService.syncSecrets({
         secretPath,
+        orgId: actorOrgId,
         actorId,
         actor,
         projectId,
@@ -309,6 +317,7 @@ export const secretV2BridgeServiceFactory = ({
     actorAuthMethod,
     projectId,
     secretPath,
+    secretMetadata,
     ...inputSecret
   }: TUpdateSecretDTO) => {
     const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
@@ -435,6 +444,8 @@ export const secretV2BridgeServiceFactory = ({
     const updatedSecret = await secretDAL.transaction(async (tx) =>
       fnSecretBulkUpdate({
         folderId,
+        orgId: actorOrgId,
+        resourceMetadataDAL,
         inputSecrets: [
           {
             filter: { id: secretId },
@@ -448,6 +459,7 @@ export const secretV2BridgeServiceFactory = ({
               skipMultilineEncoding: inputSecret.skipMultilineEncoding,
               key: inputSecret.newSecretName || secretName,
               tags: inputSecret.tagIds,
+              secretMetadata,
               ...encryptedValue
             }
           }
@@ -475,6 +487,7 @@ export const secretV2BridgeServiceFactory = ({
         actorId,
         actor,
         projectId,
+        orgId: actorOrgId,
         environmentSlug: folder.environment.slug
       });
     }
@@ -562,6 +575,7 @@ export const secretV2BridgeServiceFactory = ({
         actorId,
         actor,
         projectId,
+        orgId: actorOrgId,
         environmentSlug: folder.environment.slug
       });
     }
@@ -961,8 +975,8 @@ export const secretV2BridgeServiceFactory = ({
       ? secretDAL.findOneWithTags({
           folderId,
           type: secretType,
-          key: secretName,
-          userId: secretType === SecretType.Personal ? actorId : null
+          [`${TableName.SecretV2}.key` as "key"]: secretName,
+          [`${TableName.SecretV2}.userId` as "userId"]: secretType === SecretType.Personal ? actorId : null
         })
       : secretVersionDAL
           .findOne({
@@ -1113,7 +1127,7 @@ export const secretV2BridgeServiceFactory = ({
               value: [
                 {
                   operator: "eq",
-                  field: "key",
+                  field: `${TableName.SecretV2}.key` as "key",
                   value: el.secretKey
                 },
                 {
@@ -1185,11 +1199,14 @@ export const secretV2BridgeServiceFactory = ({
             key: el.secretKey,
             tagIds: el.tagIds,
             references,
+            secretMetadata: el.secretMetadata,
             type: SecretType.Shared
           };
         }),
         folderId,
+        orgId: actorOrgId,
         secretDAL,
+        resourceMetadataDAL,
         secretVersionDAL,
         secretTagDAL,
         secretVersionTagDAL,
@@ -1203,6 +1220,7 @@ export const secretV2BridgeServiceFactory = ({
       actorId,
       secretPath,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -1254,7 +1272,7 @@ export const secretV2BridgeServiceFactory = ({
               value: [
                 {
                   operator: "eq",
-                  field: "key",
+                  field: `${TableName.SecretV2}.key` as "key",
                   value: el.secretKey
                 },
                 {
@@ -1319,7 +1337,7 @@ export const secretV2BridgeServiceFactory = ({
                 value: [
                   {
                     operator: "eq",
-                    field: "key",
+                    field: `${TableName.SecretV2}.key` as "key",
                     value: el.secretKey
                   },
                   {
@@ -1371,6 +1389,7 @@ export const secretV2BridgeServiceFactory = ({
     const secrets = await secretDAL.transaction(async (tx) =>
       fnSecretBulkUpdate({
         folderId,
+        orgId: actorOrgId,
         tx,
         inputSecrets: inputSecrets.map((el) => {
           const originalSecret = secretsToUpdateInDBGroupedByKey[el.secretKey][0];
@@ -1394,6 +1413,7 @@ export const secretV2BridgeServiceFactory = ({
               skipMultilineEncoding: el.skipMultilineEncoding,
               key: el.newSecretName || el.secretKey,
               tags: el.tagIds,
+              secretMetadata: el.secretMetadata,
               ...encryptedValue
             }
           };
@@ -1401,7 +1421,8 @@ export const secretV2BridgeServiceFactory = ({
         secretDAL,
         secretVersionDAL,
         secretTagDAL,
-        secretVersionTagDAL
+        secretVersionTagDAL,
+        resourceMetadataDAL
       })
     );
     await snapshotService.performSnapshot(folderId);
@@ -1410,6 +1431,7 @@ export const secretV2BridgeServiceFactory = ({
       actorId,
       secretPath,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -1461,7 +1483,7 @@ export const secretV2BridgeServiceFactory = ({
               value: [
                 {
                   operator: "eq",
-                  field: "key",
+                  field: `${TableName.SecretV2}.key` as "key",
                   value: el.secretKey
                 },
                 {
@@ -1512,6 +1534,7 @@ export const secretV2BridgeServiceFactory = ({
       actorId,
       secretPath,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -1815,10 +1838,12 @@ export const secretV2BridgeServiceFactory = ({
         if (locallyCreatedSecrets.length) {
           await fnSecretBulkInsert({
             folderId: destinationFolder.id,
+            orgId: actorOrgId,
             secretVersionDAL,
             secretDAL,
             tx,
             secretTagDAL,
+            resourceMetadataDAL,
             secretVersionTagDAL,
             inputSecrets: locallyCreatedSecrets.map((doc) => {
               return {
@@ -1830,6 +1855,7 @@ export const secretV2BridgeServiceFactory = ({
                 skipMultilineEncoding: doc.skipMultilineEncoding,
                 reminderNote: doc.reminderNote,
                 reminderRepeatDays: doc.reminderRepeatDays,
+                secretMetadata: doc.secretMetadata,
                 references: doc.value ? getAllSecretReferences(doc.value).nestedReferences : []
               };
             })
@@ -1838,6 +1864,8 @@ export const secretV2BridgeServiceFactory = ({
         if (locallyUpdatedSecrets.length) {
           await fnSecretBulkUpdate({
             folderId: destinationFolder.id,
+            orgId: actorOrgId,
+            resourceMetadataDAL,
             secretVersionDAL,
             secretDAL,
             tx,
@@ -1855,6 +1883,7 @@ export const secretV2BridgeServiceFactory = ({
                   encryptedComment: doc.encryptedComment,
                   skipMultilineEncoding: doc.skipMultilineEncoding,
                   reminderNote: doc.reminderNote,
+                  secretMetadata: doc.secretMetadata,
                   reminderRepeatDays: doc.reminderRepeatDays,
                   ...(doc.encryptedValue
                     ? {
@@ -1938,6 +1967,7 @@ export const secretV2BridgeServiceFactory = ({
       await snapshotService.performSnapshot(destinationFolder.id);
       await secretQueueService.syncSecrets({
         projectId,
+        orgId: actorOrgId,
         secretPath: destinationFolder.path,
         environmentSlug: destinationFolder.environment.slug,
         actorId,
@@ -1949,6 +1979,7 @@ export const secretV2BridgeServiceFactory = ({
       await snapshotService.performSnapshot(sourceFolder.id);
       await secretQueueService.syncSecrets({
         projectId,
+        orgId: actorOrgId,
         secretPath: sourceFolder.path,
         environmentSlug: sourceFolder.environment.slug,
         actorId,

backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts

@@ -7,6 +7,8 @@ import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import { TSecretVersionV2DALFactory } from "./secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "./secret-version-tag-dal";
@@ -58,6 +60,7 @@ export type TCreateSecretDTO = TProjectPermission & {
   skipMultilineEncoding?: boolean;
   secretReminderRepeatDays?: number | null;
   secretReminderNote?: string | null;
+  secretMetadata?: ResourceMetadataDTO;
 };
 
 export type TUpdateSecretDTO = TProjectPermission & {
@@ -75,6 +78,7 @@ export type TUpdateSecretDTO = TProjectPermission & {
   metadata?: {
     source?: string;
   };
+  secretMetadata?: ResourceMetadataDTO;
 };
 
 export type TDeleteSecretDTO = TProjectPermission & {
@@ -94,6 +98,7 @@ export type TCreateManySecretDTO = Omit<TProjectPermission, "projectId"> & {
     secretComment?: string;
     skipMultilineEncoding?: boolean;
     tagIds?: string[];
+    secretMetadata?: ResourceMetadataDTO;
     metadata?: {
       source?: string;
     };
@@ -113,6 +118,7 @@ export type TUpdateManySecretDTO = Omit<TProjectPermission, "projectId"> & {
     tagIds?: string[];
     secretReminderRepeatDays?: number | null;
     secretReminderNote?: string | null;
+    secretMetadata?: ResourceMetadataDTO;
   }[];
 };
 
@@ -136,8 +142,16 @@ export type TSecretReference = { environment: string; secretPath: string; secret
 
 export type TFnSecretBulkInsert = {
   folderId: string;
+  orgId: string;
   tx?: Knex;
-  inputSecrets: Array<Omit<TSecretsV2Insert, "folderId"> & { tagIds?: string[]; references: TSecretReference[] }>;
+  inputSecrets: Array<
+    Omit<TSecretsV2Insert, "folderId"> & {
+      tagIds?: string[];
+      references: TSecretReference[];
+      secretMetadata?: ResourceMetadataDTO;
+    }
+  >;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
   secretDAL: Pick<TSecretV2BridgeDALFactory, "insertMany" | "upsertSecretReferences">;
   secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2">;
@@ -156,10 +170,12 @@ type TRequireReferenceIfValue =
 
 export type TFnSecretBulkUpdate = {
   folderId: string;
+  orgId: string;
   inputSecrets: {
     filter: Partial<TSecretsV2>;
-    data: TRequireReferenceIfValue & { tags?: string[] };
+    data: TRequireReferenceIfValue & { tags?: string[]; secretMetadata?: ResourceMetadataDTO };
   }[];
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretDAL: Pick<TSecretV2BridgeDALFactory, "bulkUpdate" | "upsertSecretReferences">;
   secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "deleteTagsToSecretV2">;

backend/src/services/secret/secret-fns.ts

@@ -749,7 +749,8 @@ export const createManySecretsRawFnFactory = ({
   secretVersionV2BridgeDAL,
   secretV2BridgeDAL,
   secretVersionTagV2BridgeDAL,
-  kmsService
+  kmsService,
+  resourceMetadataDAL
 }: TCreateManySecretsRawFnFactory) => {
   const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
   const createManySecretsRawFn = async ({
@@ -760,7 +761,7 @@ export const createManySecretsRawFnFactory = ({
     userId
   }: TCreateManySecretsRawFn) => {
     const { botKey, shouldUseSecretV2Bridge } = await getBotKeyFn(projectId);
-
+    const project = await projectDAL.findById(projectId);
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
       throw new NotFoundError({
@@ -814,7 +815,9 @@ export const createManySecretsRawFnFactory = ({
             tagIds: el.tags
           })),
           folderId,
+          orgId: project.orgId,
           secretDAL: secretV2BridgeDAL,
+          resourceMetadataDAL,
           secretVersionDAL: secretVersionV2BridgeDAL,
           secretTagDAL,
           secretVersionTagDAL: secretVersionTagV2BridgeDAL,
@@ -909,6 +912,7 @@ export const updateManySecretsRawFnFactory = ({
   secretVersionTagV2BridgeDAL,
   secretVersionV2BridgeDAL,
   secretV2BridgeDAL,
+  resourceMetadataDAL,
   kmsService
 }: TUpdateManySecretsRawFnFactory) => {
   const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
@@ -920,6 +924,7 @@ export const updateManySecretsRawFnFactory = ({
     userId
   }: TUpdateManySecretsRawFn): Promise<Array<{ id: string }>> => {
     const { botKey, shouldUseSecretV2Bridge } = await getBotKeyFn(projectId);
+    const project = await projectDAL.findById(projectId);
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
@@ -988,11 +993,13 @@ export const updateManySecretsRawFnFactory = ({
       const updatedSecrets = await secretDAL.transaction(async (tx) =>
         fnSecretV2BridgeBulkUpdate({
           folderId,
+          orgId: project.orgId,
           tx,
           inputSecrets: inputSecrets.map((el) => ({
             filter: { id: secretsToUpdateInDBGroupedByKey[el.key][0].id, type: SecretType.Shared },
             data: el
           })),
+          resourceMetadataDAL,
           secretDAL: secretV2BridgeDAL,
           secretVersionDAL: secretVersionV2BridgeDAL,
           secretTagDAL,

backend/src/services/secret/secret-queue.ts

@@ -29,7 +29,6 @@ import { createManySecretsRawFnFactory, updateManySecretsRawFnFactory } from "@a
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
 import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version-tag-dal";
 import { TSecretBlindIndexDALFactory } from "@app/services/secret-blind-index/secret-blind-index-dal";
-import { TSecretSyncQueueFactory } from "@app/services/secret-sync/secret-sync-queue";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 
 import { ActorType } from "../auth/auth-type";
@@ -48,6 +47,8 @@ import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
 import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
@@ -105,7 +106,7 @@ type TSecretQueueFactoryDep = {
   auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
   orgService: Pick<TOrgServiceFactory, "addGhostUser">;
   projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create">;
-  secretSyncQueue: Pick<TSecretSyncQueueFactory, "queueSecretSyncsByPath">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TGetSecrets = {
@@ -122,7 +123,12 @@ export const uniqueSecretQueueKey = (environment: string, secretPath: string) =>
 
 type TIntegrationSecret = Record<
   string,
-  { value: string; comment?: string; skipMultilineEncoding?: boolean | null | undefined }
+  {
+    value: string;
+    comment?: string;
+    skipMultilineEncoding?: boolean | null | undefined;
+    secretMetadata?: ResourceMetadataDTO;
+  }
 >;
 
 // TODO(akhilmhdh): split this into multiple queue
@@ -160,7 +166,7 @@ export const secretQueueFactory = ({
   orgService,
   projectUserMembershipRoleDAL,
   projectKeyDAL,
-  secretSyncQueue
+  resourceMetadataDAL
 }: TSecretQueueFactoryDep) => {
   const integrationMeter = opentelemetry.metrics.getMeter("Integrations");
   const errorHistogram = integrationMeter.createHistogram("integration_secret_sync_errors", {
@@ -309,7 +315,8 @@ export const secretQueueFactory = ({
     kmsService,
     secretVersionV2BridgeDAL,
     secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL
+    secretVersionTagV2BridgeDAL,
+    resourceMetadataDAL
   });
 
   const updateManySecretsRawFn = updateManySecretsRawFnFactory({
@@ -324,7 +331,8 @@ export const secretQueueFactory = ({
     kmsService,
     secretVersionV2BridgeDAL,
     secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL
+    secretVersionTagV2BridgeDAL,
+    resourceMetadataDAL
   });
 
   /**
@@ -375,6 +383,7 @@ export const secretQueueFactory = ({
         }
 
         content[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
+        content[secretKey].secretMetadata = secret.secretMetadata;
       })
     );
 
@@ -400,7 +409,8 @@ export const secretQueueFactory = ({
           content[importedSecret.key] = {
             skipMultilineEncoding: importedSecret.skipMultilineEncoding,
             comment: importedSecret.secretComment,
-            value: importedSecret.secretValue || ""
+            value: importedSecret.secretValue || "",
+            secretMetadata: importedSecret.secretMetadata
           };
         }
       }
@@ -600,6 +610,7 @@ export const secretQueueFactory = ({
       _depth: depth,
       secretPath,
       projectId,
+      orgId,
       environmentSlug: environment,
       excludeReplication,
       actorId,
@@ -622,15 +633,13 @@ export const secretQueueFactory = ({
         }
       }
     );
-
-    await secretSyncQueue.queueSecretSyncsByPath({ projectId, environmentSlug: environment, secretPath });
-
     await syncIntegrations({ secretPath, projectId, environment, deDupeQueue, isManual: false });
     if (!excludeReplication) {
       await replicateSecrets({
         _deDupeReplicationQueue: deDupeReplicationQueue,
         _depth: depth,
         projectId,
+        orgId,
         secretPath,
         actorId,
         actor,
@@ -687,6 +696,7 @@ export const secretQueueFactory = ({
       if (!folder) {
         throw new Error("Secret path not found");
       }
+      const project = await projectDAL.findById(projectId);
 
       // find all imports made with the given environment and secret path
       const linkSourceDto = {
@@ -721,6 +731,7 @@ export const secretQueueFactory = ({
             .map(({ folderId }) =>
               syncSecrets({
                 projectId,
+                orgId: project.orgId,
                 secretPath: foldersGroupedById[folderId][0]?.path as string,
                 environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
                 _deDupeQueue: deDupeQueue,
@@ -773,6 +784,7 @@ export const secretQueueFactory = ({
             .map((folderId) =>
               syncSecrets({
                 projectId,
+                orgId: project.orgId,
                 secretPath: referencedFoldersGroupedById[folderId][0]?.path as string,
                 environmentSlug: referencedFoldersGroupedById[folderId][0]?.environmentSlug as string,
                 _deDupeQueue: deDupeQueue,

backend/src/services/secret/secret-service.ts

@@ -11,6 +11,7 @@ import {
   SecretsSchema,
   SecretType
 } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@@ -69,6 +70,7 @@ import {
   TDeleteSecretRawDTO,
   TGetASecretDTO,
   TGetASecretRawDTO,
+  TGetSecretAccessListDTO,
   TGetSecretsDTO,
   TGetSecretsRawDTO,
   TGetSecretVersionsDTO,
@@ -94,7 +96,7 @@ type TSecretServiceFactoryDep = {
   >;
   secretV2BridgeService: TSecretV2BridgeServiceFactory;
   secretBlindIndexDAL: TSecretBlindIndexDALFactory;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getProjectPermissions">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretQueueService: Pick<
     TSecretQueueFactory,
@@ -113,6 +115,7 @@ type TSecretServiceFactoryDep = {
     TSecretApprovalRequestSecretDALFactory,
     "insertMany" | "insertApprovalSecretTags"
   >;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
 
 export type TSecretServiceFactory = ReturnType<typeof secretServiceFactory>;
@@ -134,7 +137,8 @@ export const secretServiceFactory = ({
   secretApprovalRequestDAL,
   secretApprovalRequestSecretDAL,
   secretV2BridgeService,
-  secretApprovalRequestService
+  secretApprovalRequestService,
+  licenseService
 }: TSecretServiceFactoryDep) => {
   const getSecretReference = async (projectId: string) => {
     // if bot key missing means e2e still exist
@@ -288,6 +292,7 @@ export const secretServiceFactory = ({
         actorId,
         actor,
         projectId,
+        orgId: actorOrgId,
         environmentSlug: folder.environment.slug
       });
     }
@@ -429,6 +434,7 @@ export const secretServiceFactory = ({
       await snapshotService.performSnapshot(folderId);
       await secretQueueService.syncSecrets({
         secretPath: path,
+        orgId: actorOrgId,
         actorId,
         actor,
         projectId,
@@ -526,6 +532,7 @@ export const secretServiceFactory = ({
         actorId,
         actor,
         projectId,
+        orgId: actorOrgId,
         environmentSlug: folder.environment.slug
       });
     }
@@ -820,6 +827,7 @@ export const secretServiceFactory = ({
       actorId,
       secretPath: path,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -928,6 +936,7 @@ export const secretServiceFactory = ({
       actorId,
       secretPath: path,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -1014,6 +1023,7 @@ export const secretServiceFactory = ({
       actorId,
       secretPath: path,
       projectId,
+      orgId: actorOrgId,
       environmentSlug: folder.environment.slug
     });
 
@@ -1147,6 +1157,71 @@ export const secretServiceFactory = ({
     return secretV2BridgeService.getSecretReferenceTree(dto);
   };
 
+  const getSecretAccessList = async (dto: TGetSecretAccessListDTO) => {
+    const { environment, secretPath, secretName, projectId } = dto;
+    const plan = await licenseService.getPlan(dto.actorOrgId);
+    if (!plan.secretAccessInsights) {
+      throw new BadRequestError({
+        message: "Failed to fetch secret access list due to plan restriction. Upgrade your plan."
+      });
+    }
+
+    const secret = await secretV2BridgeService.getSecretByName({
+      actor: dto.actor,
+      actorId: dto.actorId,
+      actorOrgId: dto.actorOrgId,
+      actorAuthMethod: dto.actorAuthMethod,
+      projectId,
+      secretName,
+      path: secretPath,
+      environment,
+      type: "shared"
+    });
+
+    const { userPermissions, identityPermissions, groupPermissions } = await permissionService.getProjectPermissions(
+      dto.projectId
+    );
+
+    const attachAllowedActions = (
+      entityPermission:
+        | (typeof userPermissions)[number]
+        | (typeof identityPermissions)[number]
+        | (typeof groupPermissions)[number]
+    ) => {
+      const allowedActions = [
+        ProjectPermissionActions.Read,
+        ProjectPermissionActions.Delete,
+        ProjectPermissionActions.Create,
+        ProjectPermissionActions.Edit
+      ].filter((action) =>
+        entityPermission.permission.can(
+          action,
+          subject(ProjectPermissionSub.Secrets, {
+            environment,
+            secretPath,
+            secretName,
+            secretTags: secret?.tags?.map((el) => el.slug)
+          })
+        )
+      );
+
+      return {
+        ...entityPermission,
+        allowedActions
+      };
+    };
+
+    const usersWithAccess = userPermissions.map(attachAllowedActions).filter((user) => user.allowedActions.length > 0);
+    const identitiesWithAccess = identityPermissions
+      .map(attachAllowedActions)
+      .filter((identity) => identity.allowedActions.length > 0);
+    const groupsWithAccess = groupPermissions
+      .map(attachAllowedActions)
+      .filter((group) => group.allowedActions.length > 0);
+
+    return { users: usersWithAccess, identities: identitiesWithAccess, groups: groupsWithAccess };
+  };
+
   const getSecretsRaw = async ({
     projectId,
     path,
@@ -1385,7 +1460,8 @@ export const secretServiceFactory = ({
     skipMultilineEncoding,
     tagIds,
     secretReminderNote,
-    secretReminderRepeatDays
+    secretReminderRepeatDays,
+    secretMetadata
   }: TCreateSecretRawDTO) => {
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     const policy =
@@ -1412,7 +1488,8 @@ export const secretServiceFactory = ({
                 secretValue,
                 tagIds,
                 reminderNote: secretReminderNote,
-                reminderRepeatDays: secretReminderRepeatDays
+                reminderRepeatDays: secretReminderRepeatDays,
+                secretMetadata
               }
             ]
           }
@@ -1435,7 +1512,8 @@ export const secretServiceFactory = ({
         tagIds,
         secretReminderNote,
         skipMultilineEncoding,
-        secretReminderRepeatDays
+        secretReminderRepeatDays,
+        secretMetadata
       });
       return { secret, type: SecretProtectionType.Direct as const };
     }
@@ -1525,7 +1603,8 @@ export const secretServiceFactory = ({
     secretReminderRepeatDays,
     metadata,
     secretComment,
-    newSecretName
+    newSecretName,
+    secretMetadata
   }: TUpdateSecretRawDTO) => {
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     const policy =
@@ -1553,7 +1632,8 @@ export const secretServiceFactory = ({
                 secretValue,
                 tagIds,
                 reminderNote: secretReminderNote,
-                reminderRepeatDays: secretReminderRepeatDays
+                reminderRepeatDays: secretReminderRepeatDays,
+                secretMetadata
               }
             ]
           }
@@ -1577,7 +1657,8 @@ export const secretServiceFactory = ({
         secretName,
         newSecretName,
         metadata,
-        secretValue
+        secretValue,
+        secretMetadata
       });
       return { type: SecretProtectionType.Direct as const, secret };
     }
@@ -1793,7 +1874,8 @@ export const secretServiceFactory = ({
               secretComment: el.secretComment,
               metadata: el.metadata,
               skipMultilineEncoding: el.skipMultilineEncoding,
-              secretKey: el.secretKey
+              secretKey: el.secretKey,
+              secretMetadata: el.secretMetadata
             }))
           }
         });
@@ -1919,7 +2001,8 @@ export const secretServiceFactory = ({
               secretValue: el.secretValue,
               secretComment: el.secretComment,
               skipMultilineEncoding: el.skipMultilineEncoding,
-              secretKey: el.secretKey
+              secretKey: el.secretKey,
+              secretMetadata: el.secretMetadata
             }))
           }
         });
@@ -2262,6 +2345,7 @@ export const secretServiceFactory = ({
     await secretQueueService.syncSecrets({
       secretPath,
       projectId: project.id,
+      orgId: project.orgId,
       environmentSlug: environment,
       excludeReplication: true
     });
@@ -2370,6 +2454,7 @@ export const secretServiceFactory = ({
     await secretQueueService.syncSecrets({
       secretPath,
       projectId: project.id,
+      orgId: project.orgId,
       environmentSlug: environment,
       excludeReplication: true
     });
@@ -2828,6 +2913,7 @@ export const secretServiceFactory = ({
       await snapshotService.performSnapshot(destinationFolder.id);
       await secretQueueService.syncSecrets({
         projectId: project.id,
+        orgId: project.orgId,
         secretPath: destinationFolder.path,
         environmentSlug: destinationFolder.environment.slug,
         actorId,
@@ -2839,6 +2925,7 @@ export const secretServiceFactory = ({
       await snapshotService.performSnapshot(sourceFolder.id);
       await secretQueueService.syncSecrets({
         projectId: project.id,
+        orgId: project.orgId,
         secretPath: sourceFolder.path,
         environmentSlug: sourceFolder.environment.slug,
         actorId,
@@ -2928,6 +3015,7 @@ export const secretServiceFactory = ({
     getSecretsCountMultiEnv,
     getSecretsRawMultiEnv,
     getSecretReferenceTree,
-    getSecretsRawByFolderMappings
+    getSecretsRawByFolderMappings,
+    getSecretAccessList
   };
 };

backend/src/services/secret/secret-types.ts

@@ -14,6 +14,8 @@ import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 
 import { ActorType } from "../auth/auth-type";
 import { TKmsServiceFactory } from "../kms/kms-service";
+import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
+import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
 import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
@@ -188,6 +190,12 @@ export type TGetSecretsRawDTO = {
   keys?: string[];
 } & TProjectPermission;
 
+export type TGetSecretAccessListDTO = {
+  environment: string;
+  secretPath: string;
+  secretName: string;
+} & TProjectPermission;
+
 export type TGetASecretRawDTO = {
   secretName: string;
   path: string;
@@ -211,6 +219,7 @@ export type TCreateSecretRawDTO = TProjectPermission & {
   skipMultilineEncoding?: boolean;
   secretReminderRepeatDays?: number | null;
   secretReminderNote?: string | null;
+  secretMetadata?: ResourceMetadataDTO;
 };
 
 export type TUpdateSecretRawDTO = TProjectPermission & {
@@ -228,6 +237,7 @@ export type TUpdateSecretRawDTO = TProjectPermission & {
   metadata?: {
     source?: string;
   };
+  secretMetadata?: ResourceMetadataDTO;
 };
 
 export type TDeleteSecretRawDTO = TProjectPermission & {
@@ -248,6 +258,7 @@ export type TCreateManySecretRawDTO = Omit<TProjectPermission, "projectId"> & {
     secretComment?: string;
     skipMultilineEncoding?: boolean;
     tagIds?: string[];
+    secretMetadata?: ResourceMetadataDTO;
     metadata?: {
       source?: string;
     };
@@ -266,6 +277,7 @@ export type TUpdateManySecretRawDTO = Omit<TProjectPermission, "projectId"> & {
     secretComment?: string;
     skipMultilineEncoding?: boolean;
     tagIds?: string[];
+    secretMetadata?: ResourceMetadataDTO;
     secretReminderRepeatDays?: number | null;
     secretReminderNote?: string | null;
   }[];
@@ -293,7 +305,13 @@ export type TSecretReference = { environment: string; secretPath: string };
 export type TFnSecretBulkInsert = {
   folderId: string;
   tx?: Knex;
-  inputSecrets: Array<Omit<TSecretsInsert, "folderId"> & { tags?: string[]; references?: TSecretReference[] }>;
+  inputSecrets: Array<
+    Omit<TSecretsInsert, "folderId"> & {
+      tags?: string[];
+      references?: TSecretReference[];
+      secretMetadata?: ResourceMetadataDTO;
+    }
+  >;
   secretDAL: Pick<TSecretDALFactory, "insertMany" | "upsertSecretReferences">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecret">;
@@ -389,6 +407,7 @@ export type TCreateManySecretsRawFnFactory = {
   >;
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
 };
 
 export type TCreateManySecretsRawFn = {
@@ -425,6 +444,7 @@ export type TUpdateManySecretsRawFnFactory = {
   >;
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TUpdateManySecretsRawFn = {
@@ -460,6 +480,7 @@ export type TSyncSecretsDTO<T extends boolean = false> = {
   _depth?: number;
   secretPath: string;
   projectId: string;
+  orgId: string;
   environmentSlug: string;
   // cases for just doing sync integration and webhook
   excludeReplication?: T;

backend/src/services/smtp/smtp-service.ts

@@ -35,7 +35,6 @@ export enum SmtpTemplates {
   ScimUserProvisioned = "scimUserProvisioned.handlebars",
   PkiExpirationAlert = "pkiExpirationAlert.handlebars",
   IntegrationSyncFailed = "integrationSyncFailed.handlebars",
-  SecretSyncFailed = "secretSyncFailed.handlebars",
   ExternalImportSuccessful = "externalImportSuccessful.handlebars",
   ExternalImportFailed = "externalImportFailed.handlebars",
   ExternalImportStarted = "externalImportStarted.handlebars"

backend/src/services/smtp/templates/secretSyncFailed.handlebars

@@ -1,35 +0,0 @@
-<html>
-
-  <head>
-    <meta charset="utf-8" />
-    <meta http-equiv="x-ua-compatible" content="ie=edge" />
-    <title>{{syncDestination}} Sync "{{syncName}}" Failed</title>
-  </head>
-
-  <body>
-    <h2>Infisical</h2>
-
-    <div>
-      <p>{{content}}</p>
-      <a href="{{syncUrl}}">
-        View in Infisical.
-      </a>
-    </div>
-
-    <br />
-    <div>
-      <p><strong>Name</strong>: {{syncName}}</p>
-      <p><strong>Destination</strong>: {{syncDestination}}</p>
-      <p><strong>Project</strong>: {{projectName}}</p>
-      <p><strong>Environment</strong>: {{environment}}</p>
-      <p><strong>Secret Path</strong>: {{secretPath}}</p>
-    </div>
-
-    {{#if failureMessage}}
-      <p><b>Reason: </b>{{failureMessage}}</p>
-    {{/if}}
-
-    {{emailFooter}}
-  </body>
-
-</html>

cli/packages/cmd/run.go

@@ -419,22 +419,23 @@ func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInt
 
 	for {
 		<-recheckSecretsChannel
-		watchMutex.Lock()
+		func() {
+			watchMutex.Lock()
+			defer watchMutex.Unlock()
 
-		newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
-		if err != nil {
-			log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
-			continue
-		}
+			newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
+			if err != nil {
+				log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
+				return
+			}
 
-		if newEnvironmentVariables.ETag != currentETag {
-			runCommandWithWatcher(newEnvironmentVariables)
-		} else {
-			log.Debug().Msg("[HOT RELOAD] No changes detected in secrets, not reloading process")
-		}
-
-		watchMutex.Unlock()
+			if newEnvironmentVariables.ETag != currentETag {
+				runCommandWithWatcher(newEnvironmentVariables)
+			} else {
+				log.Debug().Msg("[HOT RELOAD] No changes detected in secrets, not reloading process")
+			}
 
+		}()
 	}
 }
 

docs/api-reference/endpoints/app-connections/aws/available.mdx

@@ -1,4 +0,0 @@
----
-title: "Available"
-openapi: "GET /api/v1/app-connections/aws/available"
----

docs/api-reference/endpoints/app-connections/github/available.mdx

@@ -1,4 +0,0 @@
----
-title: "Available"
-openapi: "GET /api/v1/app-connections/github/available"
----

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/create.mdx

@@ -1,4 +0,0 @@
----
-title: "Create"
-openapi: "POST /api/v1/secret-syncs/aws-parameter-store"
----

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/delete.mdx

@@ -1,4 +0,0 @@
----
-title: "Delete"
-openapi: "DELETE /api/v1/secret-syncs/aws-parameter-store/{syncId}"
----

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/erase.mdx

@@ -1,4 +0,0 @@
----
-title: "Erase Secrets"
-openapi: "POST /api/v1/secret-syncs/aws-parameter-store/{syncId}/erase"
----

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/get-by-id.mdx

@@ -1,4 +0,0 @@
----
-title: "Get by ID"
-openapi: "GET /api/v1/secret-syncs/aws-parameter-store/{syncId}"
----

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/get-by-name.mdx

@@ -1,4 +0,0 @@
----
-title: "Get by Name"
-openapi: "GET /api/v1/secret-syncs/aws-parameter-store/name/{syncName}"
----

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/import.mdx

@@ -1,4 +0,0 @@
----
-title: "Import Secrets"
-openapi: "POST /api/v1/secret-syncs/aws-parameter-store/{syncId}/import"
----

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/list.mdx

@@ -1,4 +0,0 @@
----
-title: "List"
-openapi: "GET /api/v1/secret-syncs/aws-parameter-store"
----

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/sync.mdx

@@ -1,4 +0,0 @@
----
-title: "Sync Secrets"
-openapi: "POST /api/v1/secret-syncs/aws-parameter-store/{syncId}/sync"
----

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/update.mdx

@@ -1,4 +0,0 @@
----
-title: "Update"
-openapi: "PATCH /api/v1/secret-syncs/aws-parameter-store/{syncId}"
----

docs/api-reference/endpoints/secret-syncs/list.mdx

@@ -1,4 +0,0 @@
----
-title: "List"
-openapi: "GET /api/v1/secret-syncs"
----

docs/api-reference/endpoints/secret-syncs/options.mdx

@@ -1,4 +0,0 @@
----
-title: "Options"
-openapi: "GET /api/v1/secret-syncs/options"
----

docs/changelog/overview.mdx

@@ -4,6 +4,27 @@ title: "Changelog"
 
 The changelog below reflects new product developments and updates on a monthly basis.
 
+## December 2024
+- Added [GCP KMS](https://infisical.com/docs/documentation/platform/kms/overview) integration support.
+- Added support for [K8s CSI integration](https://infisical.com/docs/integrations/platforms/kubernetes-csi) and ability to point K8s operator to specific secret versions.
+- Fixed [Java SDK](https://github.com/Infisical/java-sdk) compatibility issues with Alpine Linux.
+- Fixed SCIM group role assignment issues.
+- Added Group View Page for improved team management.
+- Added instance URL to email verification for Infisical accounts.
+- Added ability to copy full path of nested folders.
+- Added custom templating support for K8s operator, allowing flexible secret key mapping and additional fields
+- Optimized secrets versions table performance.
+
+## November 2024
+- Improved EnvKey migration functionality with support for Blocks, Inheritance, and Branches.
+- Added [Hardware Security Module (HSM) Encryption](https://infisical.com/docs/documentation/platform/kms/hsm-integration) support.
+- Updated permissions handling in [Infisical Terraform Provider](https://registry.terraform.io/providers/Infisical/infisical/latest/docs) to use lists instead of sets.
+- Enhanced [SCIM](https://infisical.com/docs/documentation/platform/scim/overview) implementation to remove SAML dependency.
+- Enhanced [OIDC Authentication](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general) implementation and added Default Org Slug support.
+- Added support for multiple authentication methods per identity.
+- Added AWS Parameter Store integration sync improvements.
+- Added new screen and API for managing additional privileges.
+- Added Dynamic Secrets support for SQL Server.
 
 ## October 2024
 - Significantly improved performance of audit log operations in UI.