fix: update sync job status

Add Support for Auth0 SAML

.github/workflows/check-fe-ts-and-lint.yml

@@ -18,18 +18,18 @@ jobs:
     steps:
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
-      - name: 🔧 Setup Node 16
+      - name: 🔧 Setup Node 20
         uses: actions/setup-node@v3
         with:
-          node-version: "16"
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: frontend/package-lock.json
       - name: 📦 Install dependencies
         run: npm install
         working-directory: frontend
       - name: 🏗️ Run Type check
-        run: npm run type:check 
+        run: npm run type:check
         working-directory: frontend
       - name: 🏗️ Run Link check
-        run: npm run lint:fix 
+        run: npm run lint:fix
         working-directory: frontend

Dockerfile.fips.standalone-infisical

@@ -8,7 +8,7 @@ FROM node:20-slim AS base
 FROM base AS frontend-dependencies
 WORKDIR /app
 
-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+COPY frontend/package.json frontend/package-lock.json  ./
 
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@@ -23,17 +23,16 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 
 ENV NODE_ENV production
-ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ENV VITE_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -44,20 +43,10 @@ WORKDIR /app
 
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
 
-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
-VOLUME /app/.next/cache/images
-
-COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
-COPY --from=frontend-builder /app/public ./public
-RUN chown non-root-user:nodejs ./public/data
-
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 
 USER non-root-user
 
-ENV NEXT_TELEMETRY_DISABLED 1
-
 ##
 ## BACKEND
 ##
@@ -137,7 +126,7 @@ RUN apt-get update && apt-get install -y \
     freetds-dev \
     freetds-bin \
     tdsodbc \
-    openssh \
+    openssh-client \
     && rm -rf /var/lib/apt/lists/*
 
 # Configure ODBC in production
@@ -160,14 +149,11 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
-    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
-    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
 WORKDIR / 
 
@@ -192,4 +178,4 @@ EXPOSE 443
 
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -12,7 +12,7 @@ RUN apk add --no-cache libc6-compat
 
 WORKDIR /app
 
-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+COPY frontend/package.json frontend/package-lock.json  ./
 
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@@ -27,17 +27,16 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 
 ENV NODE_ENV production
-ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ENV VITE_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -49,20 +48,10 @@ WORKDIR /app
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 non-root-user
 
-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
-VOLUME /app/.next/cache/images
-
-COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
-COPY --from=frontend-builder /app/public ./public
-RUN chown non-root-user:nodejs ./public/data
-
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 
 USER non-root-user
 
-ENV NEXT_TELEMETRY_DISABLED 1
-
 ##
 ## BACKEND
 ##
@@ -159,14 +148,11 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
-  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
-  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
 
 COPY --from=backend-runner /app /backend
@@ -189,4 +175,4 @@ EXPOSE 443
 
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

backend/package-lock.json

@@ -26,6 +26,7 @@
         "@fastify/rate-limit": "^9.0.0",
         "@fastify/request-context": "^5.1.0",
         "@fastify/session": "^10.7.0",
+        "@fastify/static": "^7.0.4",
         "@fastify/swagger": "^8.14.0",
         "@fastify/swagger-ui": "^2.1.0",
         "@google-cloud/kms": "^4.5.0",
@@ -5406,6 +5407,7 @@
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/@fastify/accept-negotiator/-/accept-negotiator-1.1.0.tgz",
       "integrity": "sha512-OIHZrb2ImZ7XG85HXOONLcJWGosv7sIvM2ifAPQVhg9Lv7qdmMBNVaai4QTdyuaqbKM5eO6sLSQOYI7wEQeCJQ==",
+      "license": "MIT",
       "engines": {
         "node": ">=14"
       }
@@ -5545,6 +5547,7 @@
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/@fastify/send/-/send-2.1.0.tgz",
       "integrity": "sha512-yNYiY6sDkexoJR0D8IDy3aRP3+L4wdqCpvx5WP+VtEU58sn7USmKynBzDQex5X42Zzvw2gNzzYgP90UfWShLFA==",
+      "license": "MIT",
       "dependencies": {
         "@lukeed/ms": "^2.0.1",
         "escape-html": "~1.0.3",
@@ -5563,16 +5566,85 @@
       }
     },
     "node_modules/@fastify/static": {
-      "version": "6.12.0",
-      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
-      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-7.0.4.tgz",
+      "integrity": "sha512-p2uKtaf8BMOZWLs6wu+Ihg7bWNBdjNgCwDza4MJtTqg+5ovKmcbgbR9Xs5/smZ1YISfzKOCNYmZV8LaCj+eJ1Q==",
+      "license": "MIT",
       "dependencies": {
         "@fastify/accept-negotiator": "^1.0.0",
         "@fastify/send": "^2.0.0",
         "content-disposition": "^0.5.3",
         "fastify-plugin": "^4.0.0",
-        "glob": "^8.0.1",
-        "p-limit": "^3.1.0"
+        "fastq": "^1.17.0",
+        "glob": "^10.3.4"
+      }
+    },
+    "node_modules/@fastify/static/node_modules/brace-expansion": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0"
+      }
+    },
+    "node_modules/@fastify/static/node_modules/glob": {
+      "version": "10.4.5",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
+      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
+      "license": "ISC",
+      "dependencies": {
+        "foreground-child": "^3.1.0",
+        "jackspeak": "^3.1.2",
+        "minimatch": "^9.0.4",
+        "minipass": "^7.1.2",
+        "package-json-from-dist": "^1.0.0",
+        "path-scurry": "^1.11.1"
+      },
+      "bin": {
+        "glob": "dist/esm/bin.mjs"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/@fastify/static/node_modules/jackspeak": {
+      "version": "3.4.3",
+      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
+      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
+      "license": "BlueOak-1.0.0",
+      "dependencies": {
+        "@isaacs/cliui": "^8.0.2"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      },
+      "optionalDependencies": {
+        "@pkgjs/parseargs": "^0.11.0"
+      }
+    },
+    "node_modules/@fastify/static/node_modules/minimatch": {
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/@fastify/static/node_modules/minipass": {
+      "version": "7.1.2",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
+      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
+      "license": "ISC",
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
       }
     },
     "node_modules/@fastify/swagger": {
@@ -5599,6 +5671,20 @@
         "yaml": "^2.2.2"
       }
     },
+    "node_modules/@fastify/swagger-ui/node_modules/@fastify/static": {
+      "version": "6.12.0",
+      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
+      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@fastify/accept-negotiator": "^1.0.0",
+        "@fastify/send": "^2.0.0",
+        "content-disposition": "^0.5.3",
+        "fastify-plugin": "^4.0.0",
+        "glob": "^8.0.1",
+        "p-limit": "^3.1.0"
+      }
+    },
     "node_modules/@google-cloud/kms": {
       "version": "4.5.0",
       "resolved": "https://registry.npmjs.org/@google-cloud/kms/-/kms-4.5.0.tgz",
@@ -6062,9 +6148,10 @@
       "integrity": "sha512-O89xFDLW2gBoZWNXuXpBSM32/KealKCTb3JGtJdtUQc7RjAk8XzrRgyz02cPAwGKwKPxy0ivuC7UP9bmN87egQ=="
     },
     "node_modules/@lukeed/ms": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.1.tgz",
-      "integrity": "sha512-Xs/4RZltsAL7pkvaNStUQt7netTkyxrS0K+RILcVr3TRMS/ToOg4I6uNfhB9SlGsnWBym4U+EaXq0f0cEMNkHA==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.2.tgz",
+      "integrity": "sha512-9I2Zn6+NJLfaGoz9jN3lpwDgAYvfGeNYdbAIjJOqzs4Tpc+VU3Jqq4IofSUBKajiDS8k9fZIg18/z13mpk1bsA==",
+      "license": "MIT",
       "engines": {
         "node": ">=8"
       }
@@ -13879,9 +13966,9 @@
       }
     },
     "node_modules/express": {
-      "version": "4.21.1",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz",
-      "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==",
+      "version": "4.21.2",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz",
+      "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==",
       "license": "MIT",
       "dependencies": {
         "accepts": "~1.3.8",
@@ -13903,7 +13990,7 @@
         "methods": "~1.1.2",
         "on-finished": "2.4.1",
         "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.10",
+        "path-to-regexp": "0.1.12",
         "proxy-addr": "~2.0.7",
         "qs": "6.13.0",
         "range-parser": "~1.2.1",
@@ -13918,6 +14005,10 @@
       },
       "engines": {
         "node": ">= 0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
       }
     },
     "node_modules/express-session": {
@@ -17388,15 +17479,16 @@
       }
     },
     "node_modules/nanoid": {
-      "version": "3.3.7",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz",
-      "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==",
+      "version": "3.3.8",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz",
+      "integrity": "sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==",
       "funding": [
         {
           "type": "github",
           "url": "https://github.com/sponsors/ai"
         }
       ],
+      "license": "MIT",
       "bin": {
         "nanoid": "bin/nanoid.cjs"
       },
@@ -18383,9 +18475,9 @@
       "license": "ISC"
     },
     "node_modules/path-to-regexp": {
-      "version": "0.1.10",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz",
-      "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==",
+      "version": "0.1.12",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz",
+      "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==",
       "license": "MIT"
     },
     "node_modules/path-type": {

backend/package.json

@@ -134,6 +134,7 @@
     "@fastify/rate-limit": "^9.0.0",
     "@fastify/request-context": "^5.1.0",
     "@fastify/session": "^10.7.0",
+    "@fastify/static": "^7.0.4",
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@google-cloud/kms": "^4.5.0",

backend/src/@types/fastify.d.ts

@@ -80,6 +80,7 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
+import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
@@ -210,6 +211,7 @@ declare module "fastify" {
       projectTemplate: TProjectTemplateServiceFactory;
       totp: TTotpServiceFactory;
       appConnection: TAppConnectionServiceFactory;
+      secretSync: TSecretSyncServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -369,6 +369,7 @@ import {
   TExternalGroupOrgRoleMappingsInsert,
   TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
+import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
 import {
   TSecretV2TagJunction,
   TSecretV2TagJunctionInsert,
@@ -892,5 +893,6 @@ declare module "knex/types/tables" {
       TAppConnectionsInsert,
       TAppConnectionsUpdate
     >;
+    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
   }
 }

backend/src/db/migrations/20241219210911_secret-sync.ts

@@ -0,0 +1,46 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
+    await knex.schema.createTable(TableName.SecretSync, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name", 32).notNullable();
+      t.string("description");
+      t.string("destination").notNullable();
+      t.boolean("isEnabled").notNullable().defaultTo(true);
+      t.integer("version").defaultTo(1).notNullable();
+      t.jsonb("destinationConfig").notNullable();
+      t.jsonb("syncOptions").notNullable();
+      t.uuid("folderId").notNullable();
+      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
+      t.uuid("connectionId").notNullable();
+      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
+      t.timestamps(true, true, true);
+      // sync
+      t.string("syncStatus");
+      t.string("lastSyncJobId");
+      t.string("lastSyncMessage");
+      t.datetime("lastSyncedAt");
+      // import
+      t.string("importStatus");
+      t.string("lastImportJobId");
+      t.string("lastImportMessage");
+      t.datetime("lastImportedAt");
+      // erase
+      t.string("eraseStatus");
+      t.string("lastEraseJobId");
+      t.string("lastEraseMessage");
+      t.datetime("lastErasedAt");
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretSync);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretSync);
+  await dropOnUpdateTrigger(knex, TableName.SecretSync);
+}

backend/src/db/schemas/models.ts

@@ -130,7 +130,8 @@ export enum TableName {
   WorkflowIntegrations = "workflow_integrations",
   SlackIntegrations = "slack_integrations",
   ProjectSlackConfigs = "project_slack_configs",
-  AppConnection = "app_connections"
+  AppConnection = "app_connections",
+  SecretSync = "secret_syncs"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";

backend/src/db/schemas/secret-syncs.ts

@@ -0,0 +1,39 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretSyncsSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  description: z.string().nullable().optional(),
+  destination: z.string(),
+  isEnabled: z.boolean().default(true),
+  version: z.number().default(1),
+  destinationConfig: z.unknown(),
+  syncOptions: z.unknown(),
+  folderId: z.string().uuid(),
+  connectionId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  syncStatus: z.string().nullable().optional(),
+  lastSyncJobId: z.string().nullable().optional(),
+  lastSyncMessage: z.string().nullable().optional(),
+  lastSyncedAt: z.date().nullable().optional(),
+  importStatus: z.string().nullable().optional(),
+  lastImportJobId: z.string().nullable().optional(),
+  lastImportMessage: z.string().nullable().optional(),
+  lastImportedAt: z.date().nullable().optional(),
+  eraseStatus: z.string().nullable().optional(),
+  lastEraseJobId: z.string().nullable().optional(),
+  lastEraseMessage: z.string().nullable().optional(),
+  lastErasedAt: z.date().nullable().optional()
+});
+
+export type TSecretSyncs = z.infer<typeof SecretSyncsSchema>;
+export type TSecretSyncsInsert = Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>;
+export type TSecretSyncsUpdate = Partial<Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>>;

backend/src/ee/routes/v1/org-role-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { OrgPermissionSchema } from "@app/ee/services/permission/org-permission";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -24,7 +25,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         ),
         name: z.string().trim(),
         description: z.string().trim().nullish(),
-        permissions: z.any().array()
+        permissions: OrgPermissionSchema.array()
       }),
       response: {
         200: z.object({
@@ -96,7 +97,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           .optional(),
         name: z.string().trim().optional(),
         description: z.string().trim().nullish(),
-        permissions: z.any().array().optional()
+        permissions: OrgPermissionSchema.array().optional()
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/saml-router.ts

@@ -84,7 +84,10 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                 samlConfig.audience = `spn:${ssoConfig.issuer}`;
               }
             }
-            if (ssoConfig.authProvider === SamlProviders.GOOGLE_SAML) {
+            if (
+              ssoConfig.authProvider === SamlProviders.GOOGLE_SAML ||
+              ssoConfig.authProvider === SamlProviders.AUTH0_SAML
+            ) {
               samlConfig.wantAssertionsSigned = false;
             }
 
@@ -123,7 +126,10 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
               `email: ${email} firstName: ${profile.firstName as string}`
             );
 
-            throw new Error("Invalid saml request. Missing email or first name");
+            throw new BadRequestError({
+              message:
+                "Missing email or first name. Please double check your SAML attribute mapping for the selected provider."
+            });
           }
 
           const userMetadata = Object.keys(profile.attributes || {})

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -213,7 +213,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/project/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/secret-manager/${project.id}/approval`;
 
       await triggerSlackNotification({
         projectId: project.id,

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -79,7 +79,8 @@ export const auditLogServiceFactory = ({
     }
     // add all cases in which project id or org id cannot be added
     if (data.event.type !== EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH) {
-      if (!data.projectId && !data.orgId) throw new BadRequestError({ message: "Must either project id or org id" });
+      if (!data.projectId && !data.orgId)
+        throw new BadRequestError({ message: "Must specify either project id or org id" });
     }
 
     return auditLogQueue.pushToLog(data);

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -13,6 +13,13 @@ import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  TCreateSecretSyncDTO,
+  TDeleteSecretSyncDTO,
+  TSecretSyncRaw,
+  TUpdateSecretSyncDTO
+} from "@app/services/secret-sync/secret-sync-types";
 
 export type TListProjectAuditLogDTO = {
   filter: {
@@ -226,10 +233,19 @@ export enum EventType {
   DELETE_PROJECT_TEMPLATE = "delete-project-template",
   APPLY_PROJECT_TEMPLATE = "apply-project-template",
   GET_APP_CONNECTIONS = "get-app-connections",
+  GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
   GET_APP_CONNECTION = "get-app-connection",
   CREATE_APP_CONNECTION = "create-app-connection",
   UPDATE_APP_CONNECTION = "update-app-connection",
-  DELETE_APP_CONNECTION = "delete-app-connection"
+  DELETE_APP_CONNECTION = "delete-app-connection",
+  GET_SECRET_SYNCS = "get-secret-syncs",
+  GET_SECRET_SYNC = "get-secret-sync",
+  CREATE_SECRET_SYNC = "create-secret-sync",
+  UPDATE_SECRET_SYNC = "update-secret-sync",
+  DELETE_SECRET_SYNC = "delete-secret-sync",
+  SYNC_SECRET_SYNC = "sync-secret-sync",
+  IMPORT_SECRET_SYNC = "import-secret-sync",
+  ERASE_SECRET_SYNC = "erase-secret-sync"
 }
 
 interface UserActorMetadata {
@@ -1883,6 +1899,15 @@ interface GetAppConnectionsEvent {
   };
 }
 
+interface GetAvailableAppConnectionsDetailsEvent {
+  type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS;
+  metadata: {
+    app?: AppConnection;
+    count: number;
+    connectionIds: string[];
+  };
+}
+
 interface GetAppConnectionEvent {
   type: EventType.GET_APP_CONNECTION;
   metadata: {
@@ -1907,6 +1932,77 @@ interface DeleteAppConnectionEvent {
   };
 }
 
+interface GetSecretSyncsEvent {
+  type: EventType.GET_SECRET_SYNCS;
+  metadata: {
+    destination?: SecretSync;
+    count: number;
+    syncIds: string[];
+  };
+}
+
+interface GetSecretSyncEvent {
+  type: EventType.GET_SECRET_SYNC;
+  metadata: {
+    destination: SecretSync;
+    syncId: string;
+  };
+}
+
+interface CreateSecretSyncEvent {
+  type: EventType.CREATE_SECRET_SYNC;
+  metadata: TCreateSecretSyncDTO & { syncId: string };
+}
+
+interface UpdateSecretSyncEvent {
+  type: EventType.UPDATE_SECRET_SYNC;
+  metadata: TUpdateSecretSyncDTO;
+}
+
+interface DeleteSecretSyncEvent {
+  type: EventType.DELETE_SECRET_SYNC;
+  metadata: TDeleteSecretSyncDTO;
+}
+
+interface SyncSecretSyncEvent {
+  type: EventType.SYNC_SECRET_SYNC;
+  metadata: Pick<
+    TSecretSyncRaw,
+    "syncOptions" | "destinationConfig" | "destination" | "syncStatus" | "environment" | "connectionId" | "folderId"
+  > & {
+    syncId: string;
+    syncMessage: string | null;
+    jobId: string;
+    jobRanAt: Date;
+  };
+}
+
+interface ImportSecretSyncEvent {
+  type: EventType.IMPORT_SECRET_SYNC;
+  metadata: Pick<
+    TSecretSyncRaw,
+    "syncOptions" | "destinationConfig" | "destination" | "importStatus" | "environment" | "connectionId" | "folderId"
+  > & {
+    syncId: string;
+    importMessage: string | null;
+    jobId: string;
+    jobRanAt: Date;
+  };
+}
+
+interface EraseSecretSyncEvent {
+  type: EventType.ERASE_SECRET_SYNC;
+  metadata: Pick<
+    TSecretSyncRaw,
+    "syncOptions" | "destinationConfig" | "destination" | "eraseStatus" | "environment" | "connectionId" | "folderId"
+  > & {
+    syncId: string;
+    eraseMessage: string | null;
+    jobId: string;
+    jobRanAt: Date;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2080,7 +2176,16 @@ export type Event =
   | DeleteProjectTemplateEvent
   | ApplyProjectTemplateEvent
   | GetAppConnectionsEvent
+  | GetAvailableAppConnectionsDetailsEvent
   | GetAppConnectionEvent
   | CreateAppConnectionEvent
   | UpdateAppConnectionEvent
-  | DeleteAppConnectionEvent;
+  | DeleteAppConnectionEvent
+  | GetSecretSyncsEvent
+  | GetSecretSyncEvent
+  | CreateSecretSyncEvent
+  | UpdateSecretSyncEvent
+  | DeleteSecretSyncEvent
+  | SyncSecretSyncEvent
+  | ImportSecretSyncEvent
+  | EraseSecretSyncEvent;

backend/src/ee/services/license/license-service.ts

@@ -246,8 +246,7 @@ export const licenseServiceFactory = ({
   };
 
   const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     const plan = await getPlan(orgId, projectId);
     return plan;
   };

backend/src/ee/services/permission/org-permission.ts

@@ -1,4 +1,12 @@
-import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";
+import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
+import { z } from "zod";
+
+import {
+  CASL_ACTION_SCHEMA_ENUM,
+  CASL_ACTION_SCHEMA_NATIVE_ENUM
+} from "@app/ee/services/permission/permission-schemas";
+import { PermissionConditionSchema } from "@app/ee/services/permission/permission-types";
+import { PermissionConditionOperators } from "@app/lib/casl";
 
 export enum OrgPermissionActions {
   Read = "read",
@@ -7,6 +15,14 @@ export enum OrgPermissionActions {
   Delete = "delete"
 }
 
+export enum OrgPermissionAppConnectionActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  Connect = "connect"
+}
+
 export enum OrgPermissionAdminConsoleAction {
   AccessAllProjects = "access-all-projects"
 }
@@ -31,6 +47,10 @@ export enum OrgPermissionSubjects {
   AppConnections = "app-connections"
 }
 
+export type AppConnectionSubjectFields = {
+  connectionId: string;
+};
+
 export type OrgPermissionSet =
   | [OrgPermissionActions.Create, OrgPermissionSubjects.Workspace]
   | [OrgPermissionActions, OrgPermissionSubjects.Role]
@@ -47,9 +67,109 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
   | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
-  | [OrgPermissionActions, OrgPermissionSubjects.AppConnections]
+  | [
+      OrgPermissionAppConnectionActions,
+      (
+        | OrgPermissionSubjects.AppConnections
+        | (ForcedSubject<OrgPermissionSubjects.AppConnections> & AppConnectionSubjectFields)
+      )
+    ]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 
+const AppConnectionConditionSchema = z
+  .object({
+    connectionId: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+        })
+        .partial()
+    ])
+  })
+  .partial();
+
+export const OrgPermissionSchema = z.discriminatedUnion("subject", [
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Workspace).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_ENUM([OrgPermissionActions.Create]).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Role).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Member).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Settings).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.IncidentAccount).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Sso).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Scim).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Ldap).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Groups).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.SecretScanning).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Billing).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Identity).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Kms).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.AuditLogs).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.ProjectTemplates).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.AppConnections).describe("The entity this permission pertains to."),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAppConnectionActions).describe(
+      "Describe what action an entity can take."
+    ),
+    conditions: AppConnectionConditionSchema.describe(
+      "When specified, only matching conditions will be allowed to access given resource."
+    ).optional()
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.AdminConsole).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAdminConsoleAction).describe(
+      "Describe what action an entity can take."
+    )
+  })
+]);
+
 const buildAdminPermission = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
   // ws permissions
@@ -125,10 +245,16 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);
 
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AppConnections);
+  can(
+    [
+      OrgPermissionAppConnectionActions.Create,
+      OrgPermissionAppConnectionActions.Edit,
+      OrgPermissionAppConnectionActions.Delete,
+      OrgPermissionAppConnectionActions.Read,
+      OrgPermissionAppConnectionActions.Connect
+    ],
+    OrgPermissionSubjects.AppConnections
+  );
 
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
@@ -160,7 +286,7 @@ const buildMemberPermission = () => {
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
 
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
 
   return rules;
 };

backend/src/ee/services/permission/permission-schemas.ts

@@ -0,0 +1,9 @@
+import { z } from "zod";
+
+export const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
+  z
+    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
+    .transform((el) => (typeof el === "string" ? [el] : el));
+
+export const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
+  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));

backend/src/ee/services/permission/project-permission.ts

@@ -1,6 +1,10 @@
 import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";
 
+import {
+  CASL_ACTION_SCHEMA_ENUM,
+  CASL_ACTION_SCHEMA_NATIVE_ENUM
+} from "@app/ee/services/permission/permission-schemas";
 import { conditionsMatcher, PermissionConditionOperators } from "@app/lib/casl";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
 
@@ -60,7 +64,8 @@ export enum ProjectPermissionSub {
   PkiAlerts = "pki-alerts",
   PkiCollections = "pki-collections",
   Kms = "kms",
-  Cmek = "cmek"
+  Cmek = "cmek",
+  SecretSyncs = "secret-syncs"
 }
 
 export type SecretSubjectFields = {
@@ -140,6 +145,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
+  | [ProjectPermissionActions, ProjectPermissionSub.SecretSyncs]
   | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
@@ -147,14 +153,6 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
 
-const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
-  z
-    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
-    .transform((el) => (typeof el === "string" ? [el] : el));
-
-const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
-  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
-
 // akhilmhdh: don't modify this for v2
 // if you want to update create a new schema
 const SecretConditionV1Schema = z
@@ -392,10 +390,15 @@ const GeneralPermissionSchema = [
   }),
   z.object({
     subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
       "Describe what action an entity can take."
     )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.SecretSyncs).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+      "Describe what action an entity can take."
+    )
   })
 ];
 
@@ -511,7 +514,8 @@ const buildAdminPermissionRules = () => {
     ProjectPermissionSub.PkiCollections,
     ProjectPermissionSub.SshCertificateAuthorities,
     ProjectPermissionSub.SshCertificates,
-    ProjectPermissionSub.SshCertificateTemplates
+    ProjectPermissionSub.SshCertificateTemplates,
+    ProjectPermissionSub.SecretSyncs
   ].forEach((el) => {
     can(
       [
@@ -713,6 +717,16 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.Cmek
   );
 
+  can(
+    [
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.SecretSyncs
+  );
+
   return rules;
 };
 
@@ -746,6 +760,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateAuthorities);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
 
   return rules;
 };

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -6,7 +6,8 @@ export enum SamlProviders {
   AZURE_SAML = "azure-saml",
   JUMPCLOUD_SAML = "jumpcloud-saml",
   GOOGLE_SAML = "google-saml",
-  KEYCLOAK_SAML = "keycloak-saml"
+  KEYCLOAK_SAML = "keycloak-saml",
+  AUTH0_SAML = "auth0-saml"
 }
 
 export type TCreateSamlCfgDTO = {

backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts

@@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
         firstName: reviewerUser.firstName,
         projectName: project.name,
         organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval?requestId=${secretApprovalRequest.id}`
       },
       template: SmtpTemplates.SecretApprovalRequestNeedsReview
     });

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -852,7 +852,7 @@ export const secretApprovalRequestServiceFactory = ({
           bypassReason,
           secretPath: policy.secretPath,
           environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
+          approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`
         },
         template: SmtpTemplates.AccessSecretRequestBypassed
       });

backend/src/keystore/keystore.ts

@@ -23,6 +23,8 @@ export const KeyStorePrefixes = {
     `sync-integration-mutex-${projectId}-${environmentSlug}-${secretPath}` as const,
   SyncSecretIntegrationLastRunTimestamp: (projectId: string, environmentSlug: string, secretPath: string) =>
     `sync-integration-last-run-${projectId}-${environmentSlug}-${secretPath}` as const,
+  SecretSyncLock: (syncId: string) => `secret-sync-mutex-${syncId}` as const,
+  SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
   IdentityAccessTokenStatusUpdate: (identityAccessTokenId: string) =>
     `identity-access-token-status:${identityAccessTokenId}`,
   ServiceTokenStatusUpdate: (serviceTokenId: string) => `service-token-status:${serviceTokenId}`
@@ -30,6 +32,7 @@ export const KeyStorePrefixes = {
 
 export const KeyStoreTtls = {
   SetSyncSecretIntegrationLastRunTimestampInSeconds: 60,
+  SetSecretSyncLastRunTimestampInSeconds: 60,
   AccessTokenStatusUpdateInSeconds: 120
 };
 

backend/src/lib/api-docs/constants.ts

@@ -1,5 +1,7 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 
 export const GROUPS = {
   CREATE: {
@@ -1636,6 +1638,66 @@ export const AppConnections = {
     };
   },
   DELETE: (app: AppConnection) => ({
-    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} connection to be deleted.`
+    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to be deleted.`
   })
 };
+
+export const SecretSyncs = {
+  LIST: (destination?: SecretSync) => ({
+    projectId: `The ID of the project to list ${destination ? SECRET_SYNC_NAME_MAP[destination] : "Secret"} Syncs from.`
+  }),
+  GET_BY_ID: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`
+  }),
+  GET_BY_NAME: (destination: SecretSync) => ({
+    syncName: `The name of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`,
+    projectId: `The ID of the project the ${SECRET_SYNC_NAME_MAP[destination]} Sync is associated with.`
+  }),
+  CREATE: (destination: SecretSync) => {
+    const destinationName = SECRET_SYNC_NAME_MAP[destination];
+    return {
+      name: `The name of the ${destinationName} Sync to create. Must be slug-friendly.`,
+      description: `An optional description for the ${destinationName} Sync.`,
+      folderId: `The ID of the project folder to sync secrets from.`,
+      connectionId: `The ID of the ${
+        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
+      } Connection to use for syncing.`,
+      isEnabled: `Whether secrets should be synced automatically or not.`,
+      syncOptions: "Optional parameters to modify how secrets are synced."
+    };
+  },
+  UPDATE: (destination: SecretSync) => {
+    const destinationName = SECRET_SYNC_NAME_MAP[destination];
+    return {
+      syncId: `The ID of the ${destinationName} Sync to be updated.`,
+      name: `The updated name of the ${destinationName} Sync. Must be slug-friendly.`,
+      folderId: `The updated project folder ID to sync secrets from.`,
+      description: `The updated description of the ${destinationName} Sync.`,
+      isEnabled: `Whether secrets should be synced automatically or not.`,
+      syncOptions: "Optional parameters to modify how secrets are synced."
+    };
+  },
+  DELETE: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to be deleted.`
+  }),
+  SYNC: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger a sync for.`
+  }),
+  IMPORT: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger an import for.`,
+    shouldOverwrite: `Specify whether newly imported secrets should override existing secrets with matching names in Infisical.`
+  }),
+  ERASE: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger an erase for.`
+  }),
+  SYNC_OPTIONS: {
+    PREPEND_PREFIX: "Optionally prepend a prefix to your secrets' keys when syncing.",
+    APPEND_SUFFIX: "Optionally append a suffix to your secrets' keys when syncing."
+  },
+  DESTINATION_CONFIG: {
+    AWS_PARAMETER_STORE: {
+      REGION: "The AWS region to sync secrets to.",
+      PATH: "The Parameter Store path to sync secrets to."
+    }
+  }
+};

backend/src/lib/config/env.ts

@@ -157,6 +157,8 @@ const envSchema = z
     INFISICAL_CLOUD: zodStrBool.default("false"),
     MAINTENANCE_MODE: zodStrBool.default("false"),
     CAPTCHA_SECRET: zpStr(z.string().optional()),
+    CAPTCHA_SITE_KEY: zpStr(z.string().optional()),
+    INTERCOM_ID: zpStr(z.string().optional()),
 
     // TELEMETRY
     OTEL_TELEMETRY_COLLECTION_ENABLED: zodStrBool.default("false"),

backend/src/lib/fn/string.ts

@@ -16,3 +16,7 @@ export const prefixWithSlash = (str: string) => {
 };
 
 export const startsWithVowel = (str: string) => /^[aeiou]/i.test(str);
+
+export const wrapWithSlashes = (str: string) => {
+  return `${str.startsWith("/") ? "" : "/"}${str}${str.endsWith("/") ? "" : `/`}`;
+};

backend/src/queue/queue-service.ts

@@ -15,6 +15,12 @@ import {
   TIntegrationSyncPayload,
   TSyncSecretsDTO
 } from "@app/services/secret/secret-types";
+import {
+  TQueueSecretSyncByIdDTO,
+  TQueueSecretSyncEraseByIdDTO,
+  TQueueSecretSyncImportByIdDTO,
+  TQueueSendSecretSyncActionFailedNotificationsDTO
+} from "@app/services/secret-sync/secret-sync-types";
 
 export enum QueueName {
   SecretRotation = "secret-rotation",
@@ -36,7 +42,8 @@ export enum QueueName {
   SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
   ProjectV3Migration = "project-v3-migration",
   AccessTokenStatusUpdate = "access-token-status-update",
-  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
+  AppConnectionSecretSync = "app-connection-secret-sync"
 }
 
 export enum QueueJobs {
@@ -61,7 +68,11 @@ export enum QueueJobs {
   ProjectV3Migration = "project-v3-migration",
   IdentityAccessTokenStatusUpdate = "identity-access-token-status-update",
   ServiceTokenStatusUpdate = "service-token-status-update",
-  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
+  AppConnectionSecretSync = "app-connection-secret-sync",
+  AppConnectionSecretSyncImport = "app-connection-secret-sync-import",
+  AppConnectionSecretSyncErase = "app-connection-secret-sync-erase",
+  AppConnectionSendSecretSyncActionFailedNotifications = "app-connection-send-secret-sync-action-failed-notifications"
 }
 
 export type TQueueJobTypes = {
@@ -184,6 +195,23 @@ export type TQueueJobTypes = {
       };
     };
   };
+  [QueueName.AppConnectionSecretSync]:
+    | {
+        name: QueueJobs.AppConnectionSecretSync;
+        payload: TQueueSecretSyncByIdDTO;
+      }
+    | {
+        name: QueueJobs.AppConnectionSecretSyncImport;
+        payload: TQueueSecretSyncImportByIdDTO;
+      }
+    | {
+        name: QueueJobs.AppConnectionSecretSyncErase;
+        payload: TQueueSecretSyncEraseByIdDTO;
+      }
+    | {
+        name: QueueJobs.AppConnectionSendSecretSyncActionFailedNotifications;
+        payload: TQueueSendSecretSyncActionFailedNotificationsDTO;
+      };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;

backend/src/server/app.ts

@@ -27,10 +27,10 @@ import { globalRateLimiterCfg } from "./config/rateLimiter";
 import { addErrorsToResponseSchemas } from "./plugins/add-errors-to-response-schemas";
 import { apiMetrics } from "./plugins/api-metrics";
 import { fastifyErrHandler } from "./plugins/error-handler";
-import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
 import { fastifyIp } from "./plugins/ip";
 import { maintenanceMode } from "./plugins/maintenanceMode";
+import { registerServeUI } from "./plugins/serve-ui";
 import { fastifySwagger } from "./plugins/swagger";
 import { registerRoutes } from "./routes";
 
@@ -120,13 +120,10 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 
     await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore, hsmModule });
 
-    if (appCfg.isProductionMode) {
-      await server.register(registerExternalNextjs, {
-        standaloneMode: appCfg.STANDALONE_MODE || IS_PACKAGED,
-        dir: path.join(__dirname, IS_PACKAGED ? "../../../" : "../../"),
-        port: appCfg.PORT
-      });
-    }
+    await server.register(registerServeUI, {
+      standaloneMode: appCfg.STANDALONE_MODE || IS_PACKAGED,
+      dir: path.join(__dirname, IS_PACKAGED ? "../../../" : "../../")
+    });
 
     await server.ready();
     server.swagger();

backend/src/server/plugins/external-nextjs.ts

@@ -1,76 +0,0 @@
-// this plugins allows to run infisical in standalone mode
-// standalone mode = infisical backend and nextjs frontend in one server
-// this way users don't need to deploy two things
-import path from "node:path";
-
-import { IS_PACKAGED } from "@app/lib/config/env";
-
-// to enabled this u need to set standalone mode to true
-export const registerExternalNextjs = async (
-  server: FastifyZodProvider,
-  {
-    standaloneMode,
-    dir,
-    port
-  }: {
-    standaloneMode?: boolean;
-    dir: string;
-    port: number;
-  }
-) => {
-  if (standaloneMode) {
-    const frontendName = IS_PACKAGED ? "frontend" : "frontend-build";
-    const nextJsBuildPath = path.join(dir, frontendName);
-
-    const { default: conf } = (await import(
-      path.join(dir, `${frontendName}/.next/required-server-files.json`),
-      // @ts-expect-error type
-      {
-        assert: { type: "json" }
-      }
-    )) as { default: { config: string } };
-
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    let NextServer: any;
-
-    if (!IS_PACKAGED) {
-      /* eslint-disable */
-      const { default: nextServer } = (
-        await import(path.join(dir, `${frontendName}/node_modules/next/dist/server/next-server.js`))
-      ).default;
-
-      NextServer = nextServer;
-    } else {
-      /* eslint-disable */
-      const nextServer = await import(path.join(dir, `${frontendName}/node_modules/next/dist/server/next-server.js`));
-
-      NextServer = nextServer.default;
-    }
-
-    const nextApp = new NextServer({
-      dev: false,
-      dir: nextJsBuildPath,
-      port,
-      conf: conf.config,
-      hostname: "local",
-      customServer: false
-    });
-
-    server.route({
-      method: ["GET", "PUT", "PATCH", "POST", "DELETE"],
-      url: "/*",
-      schema: {
-        hide: true
-      },
-      handler: (req, res) =>
-        nextApp
-          .getRequestHandler()(req.raw, res.raw)
-          .then(() => {
-            res.hijack();
-          })
-    });
-    server.addHook("onClose", () => nextApp.close());
-    await nextApp.prepare();
-    /* eslint-enable */
-  }
-};

backend/src/server/plugins/serve-ui.ts

@@ -0,0 +1,64 @@
+import path from "node:path";
+
+import staticServe from "@fastify/static";
+
+import { getConfig, IS_PACKAGED } from "@app/lib/config/env";
+
+// to enabled this u need to set standalone mode to true
+export const registerServeUI = async (
+  server: FastifyZodProvider,
+  {
+    standaloneMode,
+    dir
+  }: {
+    standaloneMode?: boolean;
+    dir: string;
+  }
+) => {
+  // use this only for frontend runtime static non-sensitive configuration in standalone mode
+  // that app needs before loading like posthog dsn key
+  // for most of the other usecase use server config
+  server.route({
+    method: "GET",
+    url: "/runtime-ui-env.js",
+    schema: {
+      hide: true
+    },
+    handler: (_req, res) => {
+      const appCfg = getConfig();
+      void res.type("application/javascript");
+      const config = {
+        CAPTCHA_SITE_KEY: appCfg.CAPTCHA_SITE_KEY,
+        POSTHOG_API_KEY: appCfg.POSTHOG_PROJECT_API_KEY,
+        INTERCOM_ID: appCfg.INTERCOM_ID,
+        TELEMETRY_CAPTURING_ENABLED: appCfg.TELEMETRY_ENABLED
+      };
+      const js = `window.__INFISICAL_RUNTIME_ENV__ = Object.freeze(${JSON.stringify(config)});`;
+      void res.send(js);
+    }
+  });
+
+  if (standaloneMode) {
+    const frontendName = IS_PACKAGED ? "frontend" : "frontend-build";
+    const frontendPath = path.join(dir, frontendName);
+    await server.register(staticServe, {
+      root: frontendPath,
+      wildcard: false
+    });
+
+    server.route({
+      method: "GET",
+      url: "/*",
+      schema: {
+        hide: true
+      },
+      handler: (request, reply) => {
+        if (request.url.startsWith("/api")) {
+          reply.callNotFound();
+          return;
+        }
+        void reply.sendFile("index.html");
+      }
+    });
+  }
+};

backend/src/server/routes/index.ts

@@ -195,6 +195,9 @@ import { secretImportDALFactory } from "@app/services/secret-import/secret-impor
 import { secretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { secretSharingDALFactory } from "@app/services/secret-sharing/secret-sharing-dal";
 import { secretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
+import { secretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
+import { secretSyncQueueFactory } from "@app/services/secret-sync/secret-sync-queue";
+import { secretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { secretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 import { secretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { secretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
@@ -317,6 +320,7 @@ export const registerRoutes = async (
   const trustedIpDAL = trustedIpDALFactory(db);
   const telemetryDAL = telemetryDALFactory(db);
   const appConnectionDAL = appConnectionDALFactory(db);
+  const secretSyncDAL = secretSyncDALFactory(db, folderDAL);
 
   // ee db layer ops
   const permissionDAL = permissionDALFactory(db);
@@ -821,6 +825,28 @@ export const registerRoutes = async (
     kmsService
   });
 
+  const secretSyncQueue = secretSyncQueueFactory({
+    queueService,
+    secretSyncDAL,
+    folderDAL,
+    secretImportDAL,
+    secretV2BridgeDAL,
+    kmsService,
+    keyStore,
+    auditLogService,
+    smtpService,
+    projectDAL,
+    projectMembershipDAL,
+    projectBotDAL,
+    secretDAL,
+    secretBlindIndexDAL,
+    secretVersionDAL,
+    secretTagDAL,
+    secretVersionTagDAL,
+    secretVersionV2BridgeDAL,
+    secretVersionTagV2BridgeDAL
+  });
+
   const secretQueueService = secretQueueFactory({
     keyStore,
     queueService,
@@ -854,7 +880,8 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     projectKeyDAL,
     projectUserMembershipRoleDAL,
-    orgService
+    orgService,
+    secretSyncQueue
   });
 
   const projectService = projectServiceFactory({
@@ -1362,6 +1389,17 @@ export const registerRoutes = async (
     licenseService
   });
 
+  const secretSyncService = secretSyncServiceFactory({
+    secretSyncDAL,
+    permissionService,
+    appConnectionService,
+    licenseService,
+    folderDAL,
+    secretSyncQueue,
+    projectBotService,
+    keyStore
+  });
+
   await superAdminService.initServerCfg();
 
   // setup the communication with license key server
@@ -1459,7 +1497,8 @@ export const registerRoutes = async (
     externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService,
     projectTemplate: projectTemplateService,
     totp: totpService,
-    appConnection: appConnectionService
+    appConnection: appConnectionService,
+    secretSync: secretSyncService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/v1/app-connection-routers/app-connection-endpoints.ts

@@ -15,7 +15,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
   app,
   createSchema,
   updateSchema,
-  responseSchema
+  sanitizedResponseSchema
 }: {
   app: AppConnection;
   server: FastifyZodProvider;
@@ -26,7 +26,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     description?: string | null;
   }>;
   updateSchema: z.ZodType<{ name?: string; credentials?: I["credentials"]; description?: string | null }>;
-  responseSchema: z.ZodTypeAny;
+  sanitizedResponseSchema: z.ZodTypeAny;
 }) => {
   const appName = APP_CONNECTION_NAME_MAP[app];
 
@@ -39,7 +39,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     schema: {
       description: `List the ${appName} Connections for the current organization.`,
       response: {
-        200: z.object({ appConnections: responseSchema.array() })
+        200: z.object({ appConnections: sanitizedResponseSchema.array() })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -63,6 +63,44 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/available",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `List the ${appName} Connections the current user has permission to establish connections with.`,
+      response: {
+        200: z.object({
+          appConnections: z.object({ app: z.literal(app), name: z.string(), id: z.string().uuid() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const appConnections = await server.services.appConnection.listAvailableAppConnectionsForUser(
+        app,
+        req.permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS,
+          metadata: {
+            app,
+            count: appConnections.length,
+            connectionIds: appConnections.map((connection) => connection.id)
+          }
+        }
+      });
+
+      return { appConnections };
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/:connectionId",
@@ -75,7 +113,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
         connectionId: z.string().uuid().describe(AppConnections.GET_BY_ID(app).connectionId)
       }),
       response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -114,11 +152,12 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       params: z.object({
         connectionName: z
           .string()
-          .min(0, "Connection name required")
+          .trim()
+          .min(1, "Connection name required")
           .describe(AppConnections.GET_BY_NAME(app).connectionName)
       }),
       response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -158,7 +197,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       } ${appName} Connection for the current organization.`,
       body: createSchema,
       response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -168,7 +207,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       const appConnection = (await server.services.appConnection.createAppConnection(
         { name, method, app, credentials, description },
         req.permission
-      )) as TAppConnection;
+      )) as T;
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -201,7 +240,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       }),
       body: updateSchema,
       response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -244,7 +283,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
         connectionId: z.string().uuid().describe(AppConnections.DELETE(app).connectionId)
       }),
       response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),

backend/src/server/routes/v1/app-connection-routers/apps/index.ts

@@ -1,8 +0,0 @@
-import { registerAwsConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/aws-connection-router";
-import { registerGitHubConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/github-connection-router";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const APP_CONNECTION_REGISTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> = {
-  [AppConnection.AWS]: registerAwsConnectionRouter,
-  [AppConnection.GitHub]: registerGitHubConnectionRouter
-};

backend/src/server/routes/v1/app-connection-routers/aws-connection-router.ts

@@ -11,7 +11,7 @@ export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
   registerAppConnectionEndpoints({
     app: AppConnection.AWS,
     server,
-    responseSchema: SanitizedAwsConnectionSchema,
+    sanitizedResponseSchema: SanitizedAwsConnectionSchema,
     createSchema: CreateAwsConnectionSchema,
     updateSchema: UpdateAwsConnectionSchema
   });

backend/src/server/routes/v1/app-connection-routers/github-connection-router.ts

@@ -11,7 +11,7 @@ export const registerGitHubConnectionRouter = async (server: FastifyZodProvider)
   registerAppConnectionEndpoints({
     app: AppConnection.GitHub,
     server,
-    responseSchema: SanitizedGitHubConnectionSchema,
+    sanitizedResponseSchema: SanitizedGitHubConnectionSchema,
     createSchema: CreateGitHubConnectionSchema,
     updateSchema: UpdateGitHubConnectionSchema
   });

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -1,2 +1,12 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { registerAwsConnectionRouter } from "./aws-connection-router";
+import { registerGitHubConnectionRouter } from "./github-connection-router";
+
 export * from "./app-connection-router";
-export * from "./apps";
+
+export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> =
+  {
+    [AppConnection.AWS]: registerAwsConnectionRouter,
+    [AppConnection.GitHub]: registerGitHubConnectionRouter
+  };

backend/src/server/routes/v1/auth-router.ts

@@ -63,7 +63,8 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          token: z.string()
+          token: z.string(),
+          organizationId: z.string().optional()
         })
       }
     },
@@ -115,7 +116,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
         { expiresIn: appCfg.JWT_AUTH_LIFETIME }
       );
 
-      return { token };
+      return { token, organizationId: decodedToken.organizationId };
     }
   });
 };

backend/src/server/routes/v1/index.ts

@@ -1,6 +1,10 @@
-import { APP_CONNECTION_REGISTER_MAP, registerAppConnectionRouter } from "@app/server/routes/v1/app-connection-routers";
+import {
+  APP_CONNECTION_REGISTER_ROUTER_MAP,
+  registerAppConnectionRouter
+} from "@app/server/routes/v1/app-connection-routers";
 import { registerCmekRouter } from "@app/server/routes/v1/cmek-router";
 import { registerDashboardRouter } from "@app/server/routes/v1/dashboard-router";
+import { registerSecretSyncRouter, SECRET_SYNC_REGISTER_ROUTER_MAP } from "@app/server/routes/v1/secret-sync-routers";
 
 import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
@@ -113,12 +117,28 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerExternalGroupOrgRoleMappingRouter, { prefix: "/external-group-mappings" });
 
   await server.register(
-    async (appConnectionsRouter) => {
-      await appConnectionsRouter.register(registerAppConnectionRouter);
-      for await (const [app, router] of Object.entries(APP_CONNECTION_REGISTER_MAP)) {
-        await appConnectionsRouter.register(router, { prefix: `/${app}` });
+    async (appConnectionRouter) => {
+      // register generic app connection endpoints
+      await appConnectionRouter.register(registerAppConnectionRouter);
+
+      // register service specific endpoints (app-connections/aws, app-connections/github, etc.)
+      for await (const [app, router] of Object.entries(APP_CONNECTION_REGISTER_ROUTER_MAP)) {
+        await appConnectionRouter.register(router, { prefix: `/${app}` });
       }
     },
     { prefix: "/app-connections" }
   );
+
+  await server.register(
+    async (secretSyncRouter) => {
+      // register generic secret sync endpoints
+      await secretSyncRouter.register(registerSecretSyncRouter);
+
+      // register service specific secret sync endpoints (secret-syncs/aws-parameter-store, secret-syncs/github, etc.)
+      for await (const [destination, router] of Object.entries(SECRET_SYNC_REGISTER_ROUTER_MAP)) {
+        await secretSyncRouter.register(router, { prefix: `/${destination}` });
+      }
+    },
+    { prefix: "/secret-syncs" }
+  );
 };

backend/src/server/routes/v1/secret-sync-routers/aws-parameter-store-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  AwsParameterStoreSyncSchema,
+  CreateAwsParameterStoreSyncSchema,
+  UpdateAwsParameterStoreSyncSchema
+} from "@app/services/secret-sync/aws-parameter-store";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerAwsParameterStoreSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.AWSParameterStore,
+    server,
+    responseSchema: AwsParameterStoreSyncSchema,
+    createSchema: CreateAwsParameterStoreSyncSchema,
+    updateSchema: UpdateAwsParameterStoreSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -0,0 +1,9 @@
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerAwsParameterStoreSyncRouter } from "./aws-parameter-store-sync-router";
+
+export * from "./secret-sync-router";
+
+export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: FastifyZodProvider) => Promise<void>> = {
+  [SecretSync.AWSParameterStore]: registerAwsParameterStoreSyncRouter
+};

backend/src/server/routes/v1/secret-sync-routers/secret-sync-endpoints.ts

@@ -0,0 +1,398 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SecretSyncs } from "@app/lib/api-docs";
+import { startsWithVowel } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
+import { TSecretSync, TSecretSyncInput } from "@app/services/secret-sync/secret-sync-types";
+
+export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TSecretSyncInput>({
+  server,
+  destination,
+  createSchema,
+  updateSchema,
+  responseSchema
+}: {
+  destination: SecretSync;
+  server: FastifyZodProvider;
+  createSchema: z.ZodType<{
+    name: string;
+    folderId: string;
+    connectionId: string;
+    destinationConfig: I["destinationConfig"];
+    syncOptions?: I["syncOptions"];
+    description?: string | null;
+  }>;
+  updateSchema: z.ZodType<{
+    name?: string;
+    folderId?: string;
+    destinationConfig?: I["destinationConfig"];
+    syncOptions?: I["syncOptions"];
+    description?: string | null;
+  }>;
+  responseSchema: z.ZodTypeAny;
+}) => {
+  const destinationName = SECRET_SYNC_NAME_MAP[destination];
+
+  server.route({
+    method: "GET",
+    url: `/`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `List the ${destinationName} Syncs for the specified project.`,
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required").describe(SecretSyncs.LIST(destination).projectId)
+      }),
+      response: {
+        200: z.object({ secretSyncs: responseSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId }
+      } = req;
+
+      const secretSyncs = (await server.services.secretSync.listSecretSyncsByProjectId(
+        { projectId, destination },
+        req.permission
+      )) as T[];
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.GET_SECRET_SYNCS,
+          metadata: {
+            destination,
+            count: secretSyncs.length,
+            syncIds: secretSyncs.map((connection) => connection.id)
+          }
+        }
+      });
+
+      return { secretSyncs };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:syncId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `Get the specified ${destinationName} Sync by ID.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.GET_BY_ID(destination).syncId)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+
+      const secretSync = (await server.services.secretSync.findSecretSyncById(
+        { syncId, destination },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: secretSync.projectId,
+        event: {
+          type: EventType.GET_SECRET_SYNC,
+          metadata: {
+            syncId,
+            destination
+          }
+        }
+      });
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: `/name/:syncName`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `Get the specified ${destinationName} Sync by name and project ID.`,
+      params: z.object({
+        syncName: z.string().trim().min(1, "Sync name required").describe(SecretSyncs.GET_BY_NAME(destination).syncName)
+      }),
+      querystring: z.object({
+        projectId: z
+          .string()
+          .trim()
+          .min(1, "Project ID required")
+          .describe(SecretSyncs.GET_BY_NAME(destination).projectId)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncName } = req.params;
+      const { projectId } = req.query;
+
+      const secretSync = (await server.services.secretSync.findSecretSyncByName(
+        { syncName, projectId, destination },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.GET_SECRET_SYNC,
+          metadata: {
+            syncId: secretSync.id,
+            destination
+          }
+        }
+      });
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Create ${
+        startsWithVowel(destinationName) ? "an" : "a"
+      } ${destinationName} Sync for the specified project environment.`,
+      body: createSchema,
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const syncOptions = req.body.syncOptions ?? {};
+
+      const secretSync = (await server.services.secretSync.createSecretSync(
+        { ...req.body, destination, syncOptions },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: secretSync.projectId,
+        event: {
+          type: EventType.CREATE_SECRET_SYNC,
+          metadata: {
+            syncId: secretSync.id,
+            destination,
+            ...req.body,
+            syncOptions
+          }
+        }
+      });
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:syncId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Update the specified ${destinationName} Connection.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.UPDATE(destination).syncId)
+      }),
+      body: updateSchema,
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+
+      const secretSync = (await server.services.secretSync.updateSecretSync(
+        { ...req.body, syncId, destination },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: secretSync.projectId,
+        event: {
+          type: EventType.UPDATE_SECRET_SYNC,
+          metadata: {
+            syncId,
+            destination,
+            ...req.body
+          }
+        }
+      });
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: `/:syncId`,
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Delete the specified ${destinationName} Connection.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.DELETE(destination).syncId)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+
+      const secretSync = (await server.services.secretSync.deleteSecretSync(
+        { destination, syncId },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.DELETE_SECRET_SYNC,
+          metadata: {
+            destination,
+            syncId
+          }
+        }
+      });
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:syncId/sync",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Trigger a sync for the specified ${destinationName} Sync.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.SYNC(destination).syncId)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+
+      const secretSync = (await server.services.secretSync.triggerSecretSyncById(
+        {
+          syncId,
+          destination,
+          auditLogInfo: req.auditLogInfo
+        },
+        req.permission
+      )) as T;
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:syncId/import",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Import secrets from the specified ${destinationName} Sync destination.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.IMPORT(destination).syncId)
+      }),
+      querystring: z.object({
+        shouldOverwrite: z
+          .enum(["true", "false"])
+          .optional()
+          .transform((val) => val === "true")
+          .describe(SecretSyncs.IMPORT(destination).shouldOverwrite)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+      const { shouldOverwrite } = req.query;
+
+      const secretSync = (await server.services.secretSync.triggerSecretSyncImportById(
+        {
+          syncId,
+          destination,
+          shouldOverwrite
+        },
+        req.permission
+      )) as T;
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:syncId/erase",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Erase synced secrets from the specified ${destinationName} Sync destination.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.ERASE(destination).syncId)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+
+      const secretSync = (await server.services.secretSync.triggerSecretSyncEraseById(
+        {
+          syncId,
+          destination
+        },
+        req.permission
+      )) as T;
+
+      return { secretSync };
+    }
+  });
+};

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -0,0 +1,80 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SecretSyncs } from "@app/lib/api-docs";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import {
+  AwsParameterStoreSyncListItemSchema,
+  AwsParameterStoreSyncSchema
+} from "@app/services/secret-sync/aws-parameter-store";
+
+// union once more available
+const SecretSyncSchema = AwsParameterStoreSyncSchema;
+
+// union once more available
+const SecretSyncOptionsSchema = AwsParameterStoreSyncListItemSchema;
+
+export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/options",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List the available Secret Sync Options.",
+      response: {
+        200: z.object({
+          secretSyncOptions: SecretSyncOptionsSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: () => {
+      const secretSyncOptions = server.services.secretSync.listSecretSyncOptions();
+      return { secretSyncOptions };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List all the Secret Syncs for the specified project.",
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required").describe(SecretSyncs.LIST().projectId)
+      }),
+      response: {
+        200: z.object({ secretSyncs: SecretSyncSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId },
+        permission
+      } = req;
+
+      const secretSyncs = await server.services.secretSync.listSecretSyncsByProjectId({ projectId }, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.GET_SECRET_SYNCS,
+          metadata: {
+            syncIds: secretSyncs.map((sync) => sync.id),
+            count: secretSyncs.length
+          }
+        }
+      });
+
+      return { secretSyncs };
+    }
+  });
+};

backend/src/server/routes/v1/slack-router.ts

@@ -331,12 +331,8 @@ export const registerSlackRouter = async (server: FastifyZodProvider) => {
         failureAsync: async () => {
           return res.redirect(appCfg.SITE_URL as string);
         },
-        successAsync: async (installation) => {
-          const metadata = JSON.parse(installation.metadata || "") as {
-            orgId: string;
-          };
-
-          return res.redirect(`${appCfg.SITE_URL}/org/${metadata.orgId}/settings?selectedTab=workflow-integrations`);
+        successAsync: async () => {
+          return res.redirect(`${appCfg.SITE_URL}/organization/settings?selectedTab=workflow-integrations`);
         }
       });
     }

backend/src/services/app-connection/app-connection-enums.ts

@@ -2,3 +2,50 @@ export enum AppConnection {
   GitHub = "github",
   AWS = "aws"
 }
+
+export enum AWSRegion {
+  // US
+  US_EAST_1 = "us-east-1", // N. Virginia
+  US_EAST_2 = "us-east-2", // Ohio
+  US_WEST_1 = "us-west-1", // N. California
+  US_WEST_2 = "us-west-2", // Oregon
+
+  // GovCloud
+  US_GOV_EAST_1 = "us-gov-east-1", // US-East
+  US_GOV_WEST_1 = "us-gov-west-1", // US-West
+
+  // Africa
+  AF_SOUTH_1 = "af-south-1", // Cape Town
+
+  // Asia Pacific
+  AP_EAST_1 = "ap-east-1", // Hong Kong
+  AP_SOUTH_1 = "ap-south-1", // Mumbai
+  AP_SOUTH_2 = "ap-south-2", // Hyderabad
+  AP_NORTHEAST_1 = "ap-northeast-1", // Tokyo
+  AP_NORTHEAST_2 = "ap-northeast-2", // Seoul
+  AP_NORTHEAST_3 = "ap-northeast-3", // Osaka
+  AP_SOUTHEAST_1 = "ap-southeast-1", // Singapore
+  AP_SOUTHEAST_2 = "ap-southeast-2", // Sydney
+  AP_SOUTHEAST_3 = "ap-southeast-3", // Jakarta
+  AP_SOUTHEAST_4 = "ap-southeast-4", // Melbourne
+
+  // Canada
+  CA_CENTRAL_1 = "ca-central-1", // Central
+
+  // Europe
+  EU_CENTRAL_1 = "eu-central-1", // Frankfurt
+  EU_CENTRAL_2 = "eu-central-2", // Zurich
+  EU_WEST_1 = "eu-west-1", // Ireland
+  EU_WEST_2 = "eu-west-2", // London
+  EU_WEST_3 = "eu-west-3", // Paris
+  EU_SOUTH_1 = "eu-south-1", // Milan
+  EU_SOUTH_2 = "eu-south-2", // Spain
+  EU_NORTH_1 = "eu-north-1", // Stockholm
+
+  // Middle East
+  ME_SOUTH_1 = "me-south-1", // Bahrain
+  ME_CENTRAL_1 = "me-central-1", // UAE
+
+  // South America
+  SA_EAST_1 = "sa-east-1" // Sao Paulo
+}

backend/src/services/app-connection/app-connection-fns.ts

@@ -1,3 +1,4 @@
+import { TAppConnections } from "@app/db/schemas/app-connections";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TAppConnectionServiceFactoryDep } from "@app/services/app-connection/app-connection-service";
 import { TAppConnection, TAppConnectionConfig } from "@app/services/app-connection/app-connection-types";
@@ -64,9 +65,8 @@ export const validateAppConnectionCredentials = async (
 ): Promise<TAppConnection["credentials"]> => {
   const { app } = appConnection;
   switch (app) {
-    case AppConnection.AWS: {
+    case AppConnection.AWS:
       return validateAwsConnectionCredentials(appConnection);
-    }
     case AppConnection.GitHub:
       return validateGitHubConnectionCredentials(appConnection);
     default:
@@ -90,3 +90,17 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
       throw new Error(`Unhandled App Connection Method: ${method}`);
   }
 };
+
+export const decryptAppConnection = async (
+  appConnection: TAppConnections,
+  kmsService: TAppConnectionServiceFactoryDep["kmsService"]
+) => {
+  return {
+    ...appConnection,
+    credentials: await decryptAppConnectionCredentials({
+      encryptedCredentials: appConnection.encryptedCredentials,
+      orgId: appConnection.orgId,
+      kmsService
+    })
+  } as TAppConnection;
+};

backend/src/services/app-connection/app-connection-service.ts

@@ -1,13 +1,13 @@
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";
 
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { OrgPermissionAppConnectionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
 import { DiscriminativePick, OrgServiceActor } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
-  decryptAppConnectionCredentials,
+  decryptAppConnection,
   encryptAppConnectionCredentials,
   getAppConnectionMethodName,
   listAppConnectionOptions,
@@ -65,7 +65,10 @@ export const appConnectionServiceFactory = ({
       actor.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Read,
+      OrgPermissionSubjects.AppConnections
+    );
 
     const appConnections = await appConnectionDAL.find(
       app
@@ -78,18 +81,7 @@ export const appConnectionServiceFactory = ({
     return Promise.all(
       appConnections
         .sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()))
-        .map(async ({ encryptedCredentials, ...connection }) => {
-          const credentials = await decryptAppConnectionCredentials({
-            encryptedCredentials,
-            kmsService,
-            orgId: connection.orgId
-          });
-
-          return {
-            ...connection,
-            credentials
-          } as TAppConnection;
-        })
+        .map((appConnection) => decryptAppConnection(appConnection, kmsService))
     );
   };
 
@@ -108,19 +100,15 @@ export const appConnectionServiceFactory = ({
       appConnection.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Read,
+      OrgPermissionSubjects.AppConnections
+    );
 
     if (appConnection.app !== app)
       throw new BadRequestError({ message: `App Connection with ID ${connectionId} is not for App "${app}"` });
 
-    return {
-      ...appConnection,
-      credentials: await decryptAppConnectionCredentials({
-        encryptedCredentials: appConnection.encryptedCredentials,
-        orgId: appConnection.orgId,
-        kmsService
-      })
-    } as TAppConnection;
+    return decryptAppConnection(appConnection, kmsService);
   };
 
   const findAppConnectionByName = async (app: AppConnection, connectionName: string, actor: OrgServiceActor) => {
@@ -139,19 +127,15 @@ export const appConnectionServiceFactory = ({
       appConnection.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Read,
+      OrgPermissionSubjects.AppConnections
+    );
 
     if (appConnection.app !== app)
       throw new BadRequestError({ message: `App Connection with name ${connectionName} is not for App "${app}"` });
 
-    return {
-      ...appConnection,
-      credentials: await decryptAppConnectionCredentials({
-        encryptedCredentials: appConnection.encryptedCredentials,
-        orgId: appConnection.orgId,
-        kmsService
-      })
-    } as TAppConnection;
+    return decryptAppConnection(appConnection, kmsService);
   };
 
   const createAppConnection = async (
@@ -168,7 +152,10 @@ export const appConnectionServiceFactory = ({
       actor.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Create,
+      OrgPermissionSubjects.AppConnections
+    );
 
     const appConnection = await appConnectionDAL.transaction(async (tx) => {
       const isConflictingName = Boolean(
@@ -216,7 +203,7 @@ export const appConnectionServiceFactory = ({
       };
     });
 
-    return appConnection;
+    return appConnection as TAppConnection;
   };
 
   const updateAppConnection = async (
@@ -237,7 +224,10 @@ export const appConnectionServiceFactory = ({
       appConnection.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Edit,
+      OrgPermissionSubjects.AppConnections
+    );
 
     const updatedAppConnection = await appConnectionDAL.transaction(async (tx) => {
       if (params.name && appConnection.name !== params.name) {
@@ -304,14 +294,7 @@ export const appConnectionServiceFactory = ({
       return updatedConnection;
     });
 
-    return {
-      ...updatedAppConnection,
-      credentials: await decryptAppConnectionCredentials({
-        encryptedCredentials: updatedAppConnection.encryptedCredentials,
-        orgId: updatedAppConnection.orgId,
-        kmsService
-      })
-    } as TAppConnection;
+    return decryptAppConnection(updatedAppConnection, kmsService);
   };
 
   const deleteAppConnection = async (app: AppConnection, connectionId: string, actor: OrgServiceActor) => {
@@ -329,23 +312,74 @@ export const appConnectionServiceFactory = ({
       appConnection.orgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Delete,
+      OrgPermissionSubjects.AppConnections
+    );
 
     if (appConnection.app !== app)
       throw new BadRequestError({ message: `App Connection with ID ${connectionId} is not for App "${app}"` });
 
-    // TODO: specify delete error message if due to existing dependencies
+    // TODO (scott): add option to delete all dependencies
 
-    const deletedAppConnection = await appConnectionDAL.deleteById(connectionId);
+    try {
+      const deletedAppConnection = await appConnectionDAL.deleteById(connectionId);
 
-    return {
-      ...deletedAppConnection,
-      credentials: await decryptAppConnectionCredentials({
-        encryptedCredentials: deletedAppConnection.encryptedCredentials,
-        orgId: deletedAppConnection.orgId,
-        kmsService
-      })
-    } as TAppConnection;
+      return await decryptAppConnection(deletedAppConnection, kmsService);
+    } catch (err) {
+      if (err instanceof DatabaseError && (err.error as { code: string })?.code === "23503") {
+        throw new BadRequestError({
+          message:
+            "Cannot delete App Connection with existing connections. Remove all existing connections and try again."
+        });
+      }
+
+      throw err;
+    }
+  };
+
+  const connectAppConnectionById = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await appConnectionDAL.findById(connectionId);
+
+    if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
+
+    const { permission: orgPermission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      appConnection.orgId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(orgPermission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Connect,
+      subject(OrgPermissionSubjects.AppConnections, { connectionId: appConnection.id })
+    );
+
+    return decryptAppConnection(appConnection, kmsService);
+  };
+
+  const listAvailableAppConnectionsForUser = async (app: AppConnection, actor: OrgServiceActor) => {
+    await checkAppServicesAvailability(actor.orgId);
+
+    const { permission: orgPermission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      actor.orgId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    const appConnections = await appConnectionDAL.find({ app, orgId: actor.orgId });
+
+    const availableConnections = appConnections.filter((connection) =>
+      orgPermission.can(
+        OrgPermissionAppConnectionActions.Connect,
+        subject(OrgPermissionSubjects.AppConnections, { connectionId: connection.id })
+      )
+    );
+
+    return availableConnections as Omit<TAppConnection, "credentials">[];
   };
 
   return {
@@ -355,6 +389,8 @@ export const appConnectionServiceFactory = ({
     findAppConnectionByName,
     createAppConnection,
     updateAppConnection,
-    deleteAppConnection
+    deleteAppConnection,
+    connectAppConnectionById,
+    listAvailableAppConnectionsForUser
   };
 };

backend/src/services/app-connection/aws/aws-connection-fns.ts

@@ -4,7 +4,7 @@ import { randomUUID } from "crypto";
 
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
 
 import { AwsConnectionMethod } from "./aws-connection-enums";
 import { TAwsConnectionConfig } from "./aws-connection-types";
@@ -20,7 +20,7 @@ export const getAwsAppConnectionListItem = () => {
   };
 };
 
-export const getAwsConnectionConfig = async (appConnection: TAwsConnectionConfig, region = "us-east-1") => {
+export const getAwsConnectionConfig = async (appConnection: TAwsConnectionConfig, region = AWSRegion.US_EAST_1) => {
   const appCfg = getConfig();
 
   let accessKeyId: string;

backend/src/services/app-connection/aws/aws-connection-schemas.ts

@@ -75,7 +75,7 @@ export const UpdateAwsConnectionSchema = z
 export const AwsConnectionListItemSchema = z.object({
   name: z.literal("AWS"),
   app: z.literal(AppConnection.AWS),
-  // the below is preferable but currently breaks mintlify
+  // the below is preferable but currently breaks with our zod to json schema parser
   // methods: z.tuple([z.literal(AwsConnectionMethod.AssumeRole), z.literal(AwsConnectionMethod.AccessKey)]),
   methods: z.nativeEnum(AwsConnectionMethod).array(),
   accessKeyId: z.string().optional()

backend/src/services/app-connection/github/github-connection-schemas.ts

@@ -57,7 +57,7 @@ export const UpdateGitHubConnectionSchema = z
 
 const BaseGitHubConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.GitHub) });
 
-export const GitHubAppConnectionSchema = z.intersection(
+export const GitHubConnectionSchema = z.intersection(
   BaseGitHubConnectionSchema,
   z.discriminatedUnion("method", [
     z.object({
@@ -85,8 +85,8 @@ export const SanitizedGitHubConnectionSchema = z.discriminatedUnion("method", [
 export const GitHubConnectionListItemSchema = z.object({
   name: z.literal("GitHub"),
   app: z.literal(AppConnection.GitHub),
-  // the below is preferable but currently breaks mintlify
-  // methods: z.tuple([z.literal(GitHubConnectionMethod.GitHubApp), z.literal(GitHubConnectionMethod.OAuth)]),
+  // the below is preferable but currently breaks with our zod to json schema parser
+  // methods: z.tuple([z.literal(GitHubConnectionMethod.App), z.literal(GitHubConnectionMethod.OAuth)]),
   methods: z.nativeEnum(GitHubConnectionMethod).array(),
   oauthClientId: z.string().optional(),
   appClientSlug: z.string().optional()

backend/src/services/app-connection/github/github-connection-types.ts

@@ -5,11 +5,11 @@ import { DiscriminativePick } from "@app/lib/types";
 import { AppConnection } from "../app-connection-enums";
 import {
   CreateGitHubConnectionSchema,
-  GitHubAppConnectionSchema,
+  GitHubConnectionSchema,
   ValidateGitHubConnectionCredentialsSchema
 } from "./github-connection-schemas";
 
-export type TGitHubConnection = z.infer<typeof GitHubAppConnectionSchema>;
+export type TGitHubConnection = z.infer<typeof GitHubConnectionSchema>;
 
 export type TGitHubConnectionInput = z.infer<typeof CreateGitHubConnectionSchema> & {
   app: AppConnection.GitHub;

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -305,10 +305,16 @@ const syncSecretsAzureAppConfig = async ({
     value: string;
   }
 
-  const getCompleteAzureAppConfigValues = async (url: string) => {
+  if (!integration.app || !integration.app.endsWith(".azconfig.io"))
+    throw new BadRequestError({
+      message: "Invalid Azure App Configuration URL provided."
+    });
+
+  const getCompleteAzureAppConfigValues = async (baseURL: string, url: string) => {
     let result: AzureAppConfigKeyValue[] = [];
     while (url) {
       const res = await request.get(url, {
+        baseURL,
         headers: {
           Authorization: `Bearer ${accessToken}`
         },
@@ -319,7 +325,7 @@ const syncSecretsAzureAppConfig = async ({
       });
 
       result = result.concat(res.data.items);
-      url = res.data.nextLink;
+      url = res.data?.["@nextLink"];
     }
 
     return result;
@@ -327,11 +333,13 @@ const syncSecretsAzureAppConfig = async ({
 
   const metadata = IntegrationMetadataSchema.parse(integration.metadata);
 
-  const azureAppConfigValuesUrl = `${integration.app}/kv?api-version=2023-11-01&key=${metadata.secretPrefix}*${
-    metadata.azureLabel ? `&label=${metadata.azureLabel}` : ""
+  const azureAppConfigValuesUrl = `/kv?api-version=2023-11-01&key=${metadata.secretPrefix}*${
+    metadata.azureLabel ? `&label=${metadata.azureLabel}` : "&label=%00"
   }`;
 
-  const azureAppConfigSecrets = (await getCompleteAzureAppConfigValues(azureAppConfigValuesUrl)).reduce(
+  const azureAppConfigSecrets = (
+    await getCompleteAzureAppConfigValues(integration.app, azureAppConfigValuesUrl)
+  ).reduce(
     (accum, entry) => {
       accum[entry.key] = entry.value;
 
@@ -1159,7 +1167,8 @@ const syncSecretsAWSSecretManager = async ({
         } else {
           await secretsManager.send(
             new DeleteSecretCommand({
-              SecretId: secretId
+              SecretId: secretId,
+              ForceDeleteWithoutRecovery: true
             })
           );
         }

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const AWS_PARAMETER_STORE_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "AWS Parameter Store",
+  destination: SecretSync.AWSParameterStore,
+  connection: AppConnection.AWS,
+  supportsImport: true
+};

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts

@@ -0,0 +1,198 @@
+import AWS, { AWSError } from "aws-sdk";
+
+import { getAwsConnectionConfig } from "@app/services/app-connection/aws/aws-connection-fns";
+import { TSecretMap, TSecretSyncWithConnection } from "@app/services/secret-sync/secret-sync-types";
+
+import { TAwsParameterStoreSyncWithConnection } from "./aws-parameter-store-sync-types";
+
+type TAWSParameterStoreRecord = Record<string, AWS.SSM.Parameter>;
+
+const MAX_RETRIES = 5;
+const BATCH_SIZE = 10;
+
+const getSSM = async (secretSync: TSecretSyncWithConnection) => {
+  const { destinationConfig, connection } = secretSync;
+
+  const config = await getAwsConnectionConfig(connection, destinationConfig.region);
+
+  const ssm = new AWS.SSM({
+    apiVersion: "2014-11-06",
+    region: destinationConfig.region
+  });
+
+  ssm.config.update(config);
+
+  return ssm;
+};
+
+const sleep = async () =>
+  new Promise((resolve) => {
+    setTimeout(resolve, 1000);
+  });
+
+const getParametersByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSParameterStoreRecord> => {
+  const awsParameterStoreSecretsRecord: TAWSParameterStoreRecord = {};
+  let hasNext = true;
+  let nextToken: string | undefined;
+  let attempt = 0;
+
+  while (hasNext) {
+    try {
+      // eslint-disable-next-line no-await-in-loop
+      const parameters = await ssm
+        .getParametersByPath({
+          Path: path,
+          Recursive: false,
+          WithDecryption: true,
+          MaxResults: BATCH_SIZE,
+          NextToken: nextToken
+        })
+        .promise();
+
+      attempt = 0;
+
+      if (parameters.Parameters) {
+        parameters.Parameters.forEach((parameter) => {
+          if (parameter.Name) {
+            const secKey = parameter.Name.substring(path.length);
+            awsParameterStoreSecretsRecord[secKey] = parameter;
+          }
+        });
+      }
+
+      hasNext = Boolean(parameters.NextToken);
+      nextToken = parameters.NextToken;
+    } catch (e) {
+      if ((e as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
+        attempt += 1;
+        // eslint-disable-next-line no-await-in-loop
+        await sleep();
+      }
+
+      throw e;
+    }
+  }
+
+  return awsParameterStoreSecretsRecord;
+};
+
+const putParameter = async (
+  ssm: AWS.SSM,
+  params: AWS.SSM.PutParameterRequest,
+  attempt = 0
+): Promise<AWS.SSM.PutParameterResult> => {
+  try {
+    return await ssm.putParameter(params).promise();
+  } catch (error) {
+    if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
+      await sleep();
+
+      // retry
+      return putParameter(ssm, params, attempt + 1);
+    }
+    throw error;
+  }
+};
+
+const deleteParametersBatch = async (
+  ssm: AWS.SSM,
+  parameters: AWS.SSM.Parameter[],
+  attempt = 0
+): Promise<AWS.SSM.DeleteParameterResult[]> => {
+  const results: AWS.SSM.DeleteParameterResult[] = [];
+  let remainingParams = [...parameters];
+
+  while (remainingParams.length > 0) {
+    const batch = remainingParams.slice(0, BATCH_SIZE);
+
+    try {
+      // eslint-disable-next-line no-await-in-loop
+      const result = await ssm.deleteParameters({ Names: batch.map((param) => param.Name!) }).promise();
+      results.push(result);
+      remainingParams = remainingParams.slice(BATCH_SIZE);
+    } catch (error) {
+      if ((error as AWSError).code === "ThrottlingException" && attempt < MAX_RETRIES) {
+        // eslint-disable-next-line no-await-in-loop
+        await sleep();
+
+        // Retry the current batch
+        // eslint-disable-next-line no-await-in-loop
+        return [...results, ...(await deleteParametersBatch(ssm, remainingParams, attempt + 1))];
+      }
+      throw error;
+    }
+  }
+
+  return results;
+};
+
+export const AwsParameterStoreSyncFns = {
+  sync: async (secretSync: TAwsParameterStoreSyncWithConnection, secrets: TSecretMap) => {
+    const { destinationConfig } = secretSync;
+
+    const ssm = await getSSM(secretSync);
+
+    // TODO(scott): KMS Key ID, Tags
+
+    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
+
+    for await (const entry of Object.entries(secrets)) {
+      const [key, { value }] = entry;
+
+      // skip empty values (not allowed by AWS) or secrets that haven't changed
+      if (!value || (key in awsParameterStoreSecretsRecord && awsParameterStoreSecretsRecord[key].Value === value)) {
+        // eslint-disable-next-line no-continue
+        continue;
+      }
+
+      await putParameter(ssm, {
+        Name: `${destinationConfig.path}${key}`,
+        Type: "SecureString",
+        Value: value,
+        Overwrite: true
+      });
+    }
+
+    const parametersToDelete: AWS.SSM.Parameter[] = [];
+
+    for (const entry of Object.entries(awsParameterStoreSecretsRecord)) {
+      const [key, parameter] = entry;
+
+      if (!(key in secrets) || !secrets[key].value) {
+        parametersToDelete.push(parameter);
+      }
+    }
+
+    await deleteParametersBatch(ssm, parametersToDelete);
+  },
+  import: async (secretSync: TAwsParameterStoreSyncWithConnection): Promise<TSecretMap> => {
+    const { destinationConfig } = secretSync;
+
+    const ssm = await getSSM(secretSync);
+
+    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
+
+    return Object.fromEntries(
+      Object.entries(awsParameterStoreSecretsRecord).map(([key, value]) => [key, { value: value.Value ?? "" }])
+    );
+  },
+  erase: async (secretSync: TAwsParameterStoreSyncWithConnection, secrets: TSecretMap) => {
+    const { destinationConfig } = secretSync;
+
+    const ssm = await getSSM(secretSync);
+
+    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
+
+    const parametersToDelete: AWS.SSM.Parameter[] = [];
+
+    for (const entry of Object.entries(awsParameterStoreSecretsRecord)) {
+      const [key, param] = entry;
+
+      if (key in secrets) {
+        parametersToDelete.push(param);
+      }
+    }
+
+    await deleteParametersBatch(ssm, parametersToDelete);
+  }
+};

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-schemas.ts

@@ -0,0 +1,59 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { wrapWithSlashes } from "@app/lib/fn";
+import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+
+const AwsParameterStoreSyncDestinationConfigSchema = z.object({
+  region: z.nativeEnum(AWSRegion).describe(SecretSyncs.DESTINATION_CONFIG.AWS_PARAMETER_STORE.REGION),
+  path: z
+    .string()
+    .min(1, "Parameter Store Path Required")
+    .transform(wrapWithSlashes)
+    .superRefine((val, ctx) => {
+      if (!/^\/([\w-]+\/)*[\w-]+\/$/.test(val)) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: `Invalid Parameter Store Path - must follow "/example/path/" format`
+        });
+      }
+
+      if (val.length > 2048) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: `Invalid Parameter Store Path - cannot exceed 2048 characters`
+        });
+      }
+    })
+    .describe(SecretSyncs.DESTINATION_CONFIG.AWS_PARAMETER_STORE.PATH)
+});
+
+export const AwsParameterStoreSyncSchema = BaseSecretSyncSchema(AppConnection.AWS).extend({
+  destination: z.literal(SecretSync.AWSParameterStore),
+  destinationConfig: AwsParameterStoreSyncDestinationConfigSchema
+});
+
+export const CreateAwsParameterStoreSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.AWSParameterStore
+).extend({
+  destinationConfig: AwsParameterStoreSyncDestinationConfigSchema
+});
+
+export const UpdateAwsParameterStoreSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.AWSParameterStore
+).extend({
+  destinationConfig: AwsParameterStoreSyncDestinationConfigSchema.optional()
+});
+
+export const AwsParameterStoreSyncListItemSchema = z.object({
+  name: z.literal("AWS Parameter Store"),
+  connection: z.literal(AppConnection.AWS),
+  destination: z.literal(SecretSync.AWSParameterStore),
+  supportsImport: z.literal(true)
+});

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-types.ts

@@ -0,0 +1,19 @@
+import { z } from "zod";
+
+import { TAwsConnection } from "@app/services/app-connection/aws";
+
+import {
+  AwsParameterStoreSyncListItemSchema,
+  AwsParameterStoreSyncSchema,
+  CreateAwsParameterStoreSyncSchema
+} from "./aws-parameter-store-sync-schemas";
+
+export type TAwsParameterStoreSync = z.infer<typeof AwsParameterStoreSyncSchema>;
+
+export type TAwsParameterStoreSyncInput = z.infer<typeof CreateAwsParameterStoreSyncSchema>;
+
+export type TAwsParameterStoreSyncListItem = z.infer<typeof AwsParameterStoreSyncListItemSchema>;
+
+export type TAwsParameterStoreSyncWithConnection = Omit<TAwsParameterStoreSync, "connection"> & {
+  connection: TAwsConnection;
+};

backend/src/services/secret-sync/aws-parameter-store/index.ts

@@ -0,0 +1,4 @@
+export * from "./aws-parameter-store-sync-constants";
+export * from "./aws-parameter-store-sync-fns";
+export * from "./aws-parameter-store-sync-schemas";
+export * from "./aws-parameter-store-sync-types";

backend/src/services/secret-sync/secret-sync-dal.ts

@@ -0,0 +1,201 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { TSecretSyncs } from "@app/db/schemas/secret-syncs";
+import { DatabaseError } from "@app/lib/errors";
+import { buildFindFilter, ormify, selectAllTableCols } from "@app/lib/knex";
+import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+
+export type TSecretSyncDALFactory = ReturnType<typeof secretSyncDALFactory>;
+
+type SecretSyncFindFilter = Parameters<typeof buildFindFilter<TSecretSyncs>>[0];
+
+const baseSecretSyncQuery = ({ filter, db, tx }: { db: TDbClient; filter?: SecretSyncFindFilter; tx?: Knex }) => {
+  const query = (tx || db.replicaNode())(TableName.SecretSync)
+    .join(TableName.SecretFolder, `${TableName.SecretSync}.folderId`, `${TableName.SecretFolder}.id`)
+    .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+    .join(TableName.AppConnection, `${TableName.SecretSync}.connectionId`, `${TableName.AppConnection}.id`)
+    .select(selectAllTableCols(TableName.SecretSync))
+    .select(
+      // evironment
+      db.ref("name").withSchema(TableName.Environment).as("envName"),
+      db.ref("id").withSchema(TableName.Environment).as("envId"),
+      db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
+      db.ref("projectId").withSchema(TableName.Environment),
+      // entire connection
+      db.ref("name").withSchema(TableName.AppConnection).as("connectionName"),
+      db.ref("method").withSchema(TableName.AppConnection).as("connectionMethod"),
+      db.ref("app").withSchema(TableName.AppConnection).as("connectionApp"),
+      db.ref("orgId").withSchema(TableName.AppConnection).as("connectionOrgId"),
+      db.ref("encryptedCredentials").withSchema(TableName.AppConnection).as("connectionEncryptedCredentials"),
+      db.ref("description").withSchema(TableName.AppConnection).as("connectionDescription"),
+      db.ref("version").withSchema(TableName.AppConnection).as("connectionVersion"),
+      db.ref("createdAt").withSchema(TableName.AppConnection).as("connectionCreatedAt"),
+      db.ref("updatedAt").withSchema(TableName.AppConnection).as("connectionUpdatedAt")
+    );
+
+  // prepends table name to filter keys to avoid ambiguous col references, skipping utility filters like $in, etc.
+  const prependTableName = (filterObj: object): SecretSyncFindFilter =>
+    Object.fromEntries(
+      Object.entries(filterObj).map(([key, value]) =>
+        key.startsWith("$") ? [key, prependTableName(value as object)] : [`${TableName.SecretSync}.${key}`, value]
+      )
+    );
+
+  if (filter) {
+    /* eslint-disable @typescript-eslint/no-misused-promises */
+    void query.where(buildFindFilter(prependTableName(filter)));
+  }
+
+  return query;
+};
+
+const expandSecretSync = (
+  secretSync: Awaited<ReturnType<typeof baseSecretSyncQuery>>[number],
+  folder: Awaited<ReturnType<TSecretFolderDALFactory["findSecretPathByFolderIds"]>>[number]
+) => {
+  const {
+    envId,
+    envName,
+    envSlug,
+    connectionApp,
+    connectionName,
+    connectionId,
+    connectionOrgId,
+    connectionEncryptedCredentials,
+    connectionMethod,
+    connectionDescription,
+    connectionCreatedAt,
+    connectionUpdatedAt,
+    connectionVersion,
+    ...el
+  } = secretSync;
+
+  return {
+    ...el,
+    connectionId,
+    environment: { id: envId, name: envName, slug: envSlug },
+    connection: {
+      app: connectionApp,
+      id: connectionId,
+      name: connectionName,
+      orgId: connectionOrgId,
+      encryptedCredentials: connectionEncryptedCredentials,
+      method: connectionMethod,
+      description: connectionDescription,
+      createdAt: connectionCreatedAt,
+      updatedAt: connectionUpdatedAt,
+      version: connectionVersion
+    },
+    folder: {
+      id: folder!.id,
+      path: folder!.path
+    }
+  };
+};
+
+export const secretSyncDALFactory = (
+  db: TDbClient,
+  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds">
+) => {
+  const secretSyncOrm = ormify(db, TableName.SecretSync);
+
+  const findById = async (id: string, tx?: Knex) => {
+    try {
+      const secretSync = await baseSecretSyncQuery({
+        filter: { id },
+        db,
+        tx
+      }).first();
+
+      if (secretSync) {
+        // TODO (scott): replace with cached folder path once implemented
+        const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId]);
+        return expandSecretSync(secretSync, folderWithPath);
+      }
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find by ID - Secret Sync" });
+    }
+  };
+
+  const create = async (data: Parameters<(typeof secretSyncOrm)["create"]>[0]) => {
+    try {
+      const secretSync = (await secretSyncOrm.transaction(async (tx) => {
+        const sync = await secretSyncOrm.create(data, tx);
+
+        return baseSecretSyncQuery({
+          filter: { id: sync.id },
+          db,
+          tx
+        }).first();
+      }))!;
+
+      // TODO (scott): replace with cached folder path once implemented
+      const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId]);
+      return expandSecretSync(secretSync, folderWithPath);
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Create - Secret Sync" });
+    }
+  };
+
+  const updateById = async (syncId: string, data: Parameters<(typeof secretSyncOrm)["updateById"]>[1]) => {
+    try {
+      const secretSync = (await secretSyncOrm.transaction(async (tx) => {
+        const sync = await secretSyncOrm.updateById(syncId, data, tx);
+
+        return baseSecretSyncQuery({
+          filter: { id: sync.id },
+          db,
+          tx
+        }).first();
+      }))!;
+
+      // TODO (scott): replace with cached folder path once implemented
+      const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId]);
+      return expandSecretSync(secretSync, folderWithPath);
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Update by ID - Secret Sync" });
+    }
+  };
+
+  const findOne = async (filter: Parameters<(typeof secretSyncOrm)["findOne"]>[0], tx?: Knex) => {
+    try {
+      const secretSync = await baseSecretSyncQuery({ filter, db, tx }).first();
+
+      if (secretSync) {
+        // TODO (scott): replace with cached folder path once implemented
+        const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId]);
+        return expandSecretSync(secretSync, folderWithPath);
+      }
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find One - Secret Sync" });
+    }
+  };
+
+  const find = async (filter: Parameters<(typeof secretSyncOrm)["find"]>[0], tx?: Knex) => {
+    try {
+      const secretSyncs = await baseSecretSyncQuery({ filter, db, tx });
+
+      if (!secretSyncs.length) return [];
+
+      const foldersWithPath = await folderDAL.findSecretPathByFolderIds(
+        secretSyncs[0].projectId,
+        secretSyncs.map((sync) => sync.folderId)
+      );
+
+      // TODO (scott): replace with cached folder path once implemented
+      const folderRecord: Record<string, (typeof foldersWithPath)[number]> = {};
+
+      foldersWithPath.forEach((folder) => {
+        if (folder) folderRecord[folder.id] = folder;
+      });
+
+      return secretSyncs.map((secretSync) => expandSecretSync(secretSync, folderRecord[secretSync.folderId]));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find - Secret Sync" });
+    }
+  };
+
+  return { ...secretSyncOrm, findById, findOne, find, create, updateById };
+};

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -0,0 +1,3 @@
+export enum SecretSync {
+  AWSParameterStore = "aws-parameter-store"
+}

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -0,0 +1,70 @@
+import { BadRequestError } from "@app/lib/errors";
+import {
+  AWS_PARAMETER_STORE_SYNC_LIST_OPTION,
+  AwsParameterStoreSyncFns
+} from "@app/services/secret-sync/aws-parameter-store";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
+import {
+  TSecretMap,
+  TSecretSyncListItem,
+  TSecretSyncWithConnection
+} from "@app/services/secret-sync/secret-sync-types";
+
+const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
+  [SecretSync.AWSParameterStore]: AWS_PARAMETER_STORE_SYNC_LIST_OPTION
+};
+
+export const listSecretSyncOptions = () => {
+  return Object.values(SECRET_SYNC_LIST_OPTIONS).sort((a, b) => a.name.localeCompare(b.name));
+};
+
+const processSyncOptions = (secretSync: TSecretSyncWithConnection, unprocessedSecretMap: TSecretMap) => {
+  let secretMap = { ...unprocessedSecretMap };
+
+  const { appendSuffix, prependPrefix } = secretSync.syncOptions;
+
+  if (appendSuffix || prependPrefix) {
+    secretMap = {};
+    Object.entries(unprocessedSecretMap).forEach(([key, value]) => {
+      secretMap[`${prependPrefix || ""}${key}${appendSuffix || ""}`] = value;
+    });
+  }
+
+  return secretMap;
+};
+
+export const SecretSyncFns = {
+  sync: (secretSync: TSecretSyncWithConnection, unprocessedSecretMap: TSecretMap): Promise<void> => {
+    const secretMap = processSyncOptions(secretSync, unprocessedSecretMap);
+
+    switch (secretSync.destination) {
+      case SecretSync.AWSParameterStore:
+        return AwsParameterStoreSyncFns.sync(secretSync, secretMap);
+      default:
+        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+        throw new Error(`Unhandled sync destination for push secrets: ${secretSync.destination}`);
+    }
+  },
+  import: (secretSync: TSecretSyncWithConnection): Promise<TSecretMap> => {
+    switch (secretSync.destination) {
+      case SecretSync.AWSParameterStore:
+        return AwsParameterStoreSyncFns.import(secretSync);
+      default:
+        throw new BadRequestError({
+          message: `${SECRET_SYNC_NAME_MAP[secretSync.destination as SecretSync]} Syncs do not support pulling.`
+        });
+    }
+  },
+  erase: (secretSync: TSecretSyncWithConnection, unprocessedSecretMap: TSecretMap): Promise<void> => {
+    const secretMap = processSyncOptions(secretSync, unprocessedSecretMap);
+
+    switch (secretSync.destination) {
+      case SecretSync.AWSParameterStore:
+        return AwsParameterStoreSyncFns.erase(secretSync, secretMap);
+      default:
+        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+        throw new Error(`Unhandled sync destination for purging secrets: ${secretSync.destination}`);
+    }
+  }
+};

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
+  [SecretSync.AWSParameterStore]: "AWS Parameter Store"
+};
+
+export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
+  [SecretSync.AWSParameterStore]: AppConnection.AWS
+};

backend/src/services/secret-sync/secret-sync-queue.ts

@@ -0,0 +1,821 @@
+import opentelemetry from "@opentelemetry/api";
+import { AxiosError } from "axios";
+
+import { ProjectMembershipRole, SecretType } from "@app/db/schemas";
+import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
+import { getConfig } from "@app/lib/config/env";
+import { InternalServerError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+import { decryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
+import { ActorType } from "@app/services/auth/auth-type";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
+import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+import { TSecretDALFactory } from "@app/services/secret/secret-dal";
+import { createManySecretsRawFnFactory, updateManySecretsRawFnFactory } from "@app/services/secret/secret-fns";
+import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
+import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version-tag-dal";
+import { TSecretBlindIndexDALFactory } from "@app/services/secret-blind-index/secret-blind-index-dal";
+import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+import { TSecretImportDALFactory } from "@app/services/secret-import/secret-import-dal";
+import { fnSecretsV2FromImports } from "@app/services/secret-import/secret-import-fns";
+import { TSecretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { SecretSyncFns } from "@app/services/secret-sync/secret-sync-fns";
+import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
+import {
+  SecretSyncAction,
+  SecretSyncStatus,
+  TQueueSecretSyncByIdDTO,
+  TQueueSecretSyncEraseByIdDTO,
+  TQueueSecretSyncImportByIdDTO,
+  TQueueSecretSyncsByPathDTO,
+  TQueueSendSecretSyncActionFailedNotificationsDTO,
+  TSecretMap,
+  TSecretSyncDTO,
+  TSecretSyncEraseDTO,
+  TSecretSyncImportDTO,
+  TSecretSyncRaw,
+  TSecretSyncWithConnection,
+  TSendSecretSyncFailedNotificationsJobDTO
+} from "@app/services/secret-sync/secret-sync-types";
+import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
+import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
+import { expandSecretReferencesFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-fns";
+import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
+import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
+
+export type TSecretSyncQueueFactory = ReturnType<typeof secretSyncQueueFactory>;
+
+type TSecretSyncQueueFactoryDep = {
+  queueService: Pick<TQueueServiceFactory, "queue" | "start">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  keyStore: Pick<TKeyStoreFactory, "acquireLock" | "setItemWithExpiry" | "getItem">;
+  folderDAL: TSecretFolderDALFactory;
+  secretV2BridgeDAL: Pick<
+    TSecretV2BridgeDALFactory,
+    | "findByFolderId"
+    | "find"
+    | "insertMany"
+    | "upsertSecretReferences"
+    | "findBySecretKeys"
+    | "bulkUpdate"
+    | "deleteMany"
+  >;
+  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
+  secretSyncDAL: Pick<TSecretSyncDALFactory, "findById" | "find" | "updateById">;
+  auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findAllProjectMembers">;
+  projectDAL: TProjectDALFactory;
+  smtpService: Pick<TSmtpService, "sendMail">;
+  projectBotDAL: TProjectBotDALFactory;
+  secretDAL: TSecretDALFactory;
+  secretVersionDAL: TSecretVersionDALFactory;
+  secretBlindIndexDAL: TSecretBlindIndexDALFactory;
+  secretTagDAL: TSecretTagDALFactory;
+  secretVersionTagDAL: TSecretVersionTagDALFactory;
+  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
+  secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
+};
+
+export const secretSyncQueueFactory = ({
+  queueService,
+  kmsService,
+  keyStore,
+  folderDAL,
+  secretV2BridgeDAL,
+  secretImportDAL,
+  secretSyncDAL,
+  auditLogService,
+  projectMembershipDAL,
+  projectDAL,
+  smtpService,
+  projectBotDAL,
+  secretDAL,
+  secretVersionDAL,
+  secretBlindIndexDAL,
+  secretTagDAL,
+  secretVersionTagDAL,
+  secretVersionV2BridgeDAL,
+  secretVersionTagV2BridgeDAL
+}: TSecretSyncQueueFactoryDep) => {
+  const appCfg = getConfig();
+
+  const integrationMeter = opentelemetry.metrics.getMeter("SecretSyncs");
+  const syncErrorHistogram = integrationMeter.createHistogram("secret_sync_errors", {
+    description: "Secret Sync - sync errors",
+    unit: "1"
+  });
+  const importErrorHistogram = integrationMeter.createHistogram("secret_sync_import_errors", {
+    description: "Secret Sync - import errors",
+    unit: "1"
+  });
+  const eraseErrorHistogram = integrationMeter.createHistogram("secret_sync_erase_errors", {
+    description: "Secret Sync - erase errors",
+    unit: "1"
+  });
+
+  const $createManySecretsRawFn = createManySecretsRawFnFactory({
+    projectDAL,
+    projectBotDAL,
+    secretDAL,
+    secretVersionDAL,
+    secretBlindIndexDAL,
+    secretTagDAL,
+    secretVersionTagDAL,
+    folderDAL,
+    kmsService,
+    secretVersionV2BridgeDAL,
+    secretV2BridgeDAL,
+    secretVersionTagV2BridgeDAL
+  });
+
+  const $updateManySecretsRawFn = updateManySecretsRawFnFactory({
+    projectDAL,
+    projectBotDAL,
+    secretDAL,
+    secretVersionDAL,
+    secretBlindIndexDAL,
+    secretTagDAL,
+    secretVersionTagDAL,
+    folderDAL,
+    kmsService,
+    secretVersionV2BridgeDAL,
+    secretV2BridgeDAL,
+    secretVersionTagV2BridgeDAL
+  });
+
+  const $getSecrets = async (secretSync: TSecretSyncRaw, includeImports = true) => {
+    const {
+      projectId,
+      folderId,
+      environment: { slug: environmentSlug },
+      folder: { path: secretPath }
+    } = secretSync;
+
+    const secretMap: TSecretMap = {};
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId
+    });
+
+    const decryptSecretValue = (value?: Buffer | undefined | null) =>
+      value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : "";
+
+    const { expandSecretReferences } = expandSecretReferencesFactory({
+      decryptSecretValue,
+      secretDAL: secretV2BridgeDAL,
+      folderDAL,
+      projectId,
+      canExpandValue: () => true
+    });
+
+    const secrets = await secretV2BridgeDAL.findByFolderId(folderId);
+
+    await Promise.allSettled(
+      secrets.map(async (secret) => {
+        const secretKey = secret.key;
+        const secretValue = decryptSecretValue(secret.encryptedValue);
+        const expandedSecretValue = await expandSecretReferences({
+          environment: environmentSlug,
+          secretPath,
+          skipMultilineEncoding: secret.skipMultilineEncoding,
+          value: secretValue
+        });
+        secretMap[secretKey] = { value: expandedSecretValue || "" };
+
+        if (secret.encryptedComment) {
+          const commentValue = decryptSecretValue(secret.encryptedComment);
+          secretMap[secretKey].comment = commentValue;
+        }
+
+        secretMap[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
+      })
+    );
+
+    if (!includeImports) return secretMap;
+
+    const secretImports = await secretImportDAL.find({ folderId, isReplication: false });
+
+    if (secretImports.length) {
+      const importedSecrets = await fnSecretsV2FromImports({
+        decryptor: decryptSecretValue,
+        folderDAL,
+        secretDAL: secretV2BridgeDAL,
+        expandSecretReferences,
+        secretImportDAL,
+        secretImports,
+        hasSecretAccess: () => true
+      });
+
+      for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {
+        for (let j = 0; j < importedSecrets[i].secrets.length; j += 1) {
+          const importedSecret = importedSecrets[i].secrets[j];
+          if (!secretMap[importedSecret.key]) {
+            secretMap[importedSecret.key] = {
+              skipMultilineEncoding: importedSecret.skipMultilineEncoding,
+              comment: importedSecret.secretComment,
+              value: importedSecret.secretValue || ""
+            };
+          }
+        }
+      }
+    }
+
+    return secretMap;
+  };
+
+  const queueSecretSyncById = async (payload: TQueueSecretSyncByIdDTO) =>
+    queueService.queue(QueueName.AppConnectionSecretSync, QueueJobs.AppConnectionSecretSync, payload, {
+      attempts: 5,
+      delay: 1000,
+      backoff: {
+        type: "exponential",
+        delay: 3000
+      },
+      removeOnComplete: true,
+      removeOnFail: true
+    });
+
+  const queueSecretSyncImportById = async (payload: TQueueSecretSyncImportByIdDTO) =>
+    queueService.queue(QueueName.AppConnectionSecretSync, QueueJobs.AppConnectionSecretSyncImport, payload, {
+      attempts: 5,
+      delay: 1000,
+      backoff: {
+        type: "exponential",
+        delay: 3000
+      },
+      removeOnComplete: true,
+      removeOnFail: true
+    });
+
+  const queueSecretSyncEraseById = async (payload: TQueueSecretSyncEraseByIdDTO) =>
+    queueService.queue(QueueName.AppConnectionSecretSync, QueueJobs.AppConnectionSecretSyncErase, payload, {
+      attempts: 5,
+      delay: 1000,
+      backoff: {
+        type: "exponential",
+        delay: 3000
+      },
+      removeOnComplete: true,
+      removeOnFail: true
+    });
+
+  const $queueSendSecretSyncFailedNotifications = async (payload: TQueueSendSecretSyncActionFailedNotificationsDTO) => {
+    if (!appCfg.isSmtpConfigured) return;
+
+    await queueService.queue(
+      QueueName.AppConnectionSecretSync,
+      QueueJobs.AppConnectionSendSecretSyncActionFailedNotifications,
+      payload,
+      {
+        jobId: `secret-sync-${payload.secretSync.id}-failed-notifications`,
+        attempts: 5,
+        delay: 1000 * 60,
+        backoff: {
+          type: "exponential",
+          delay: 3000
+        },
+        removeOnFail: true,
+        removeOnComplete: true
+      }
+    );
+  };
+
+  const $syncSecrets = async (job: TSecretSyncDTO) => {
+    const {
+      data: { syncId, auditLogInfo }
+    } = job;
+
+    const secretSync = await secretSyncDAL.findById(syncId);
+
+    if (!secretSync) throw new Error(`Cannot find secret sync with ID ${syncId}`);
+
+    await secretSyncDAL.updateById(syncId, {
+      syncStatus: SecretSyncStatus.Pending
+    });
+
+    logger.info(
+      `SecretSync Sync [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
+    );
+
+    let isSynced = false;
+    let syncMessage: string | null = null;
+    const isFinalAttempt = job.attemptsStarted === job.opts.attempts;
+
+    try {
+      const {
+        connection: { orgId, encryptedCredentials }
+      } = secretSync;
+
+      const credentials = await decryptAppConnectionCredentials({
+        orgId,
+        encryptedCredentials,
+        kmsService
+      });
+
+      const secretMap = await $getSecrets(secretSync);
+
+      await SecretSyncFns.sync(
+        {
+          ...secretSync,
+          connection: {
+            ...secretSync.connection,
+            credentials
+          }
+        } as TSecretSyncWithConnection,
+        secretMap
+      );
+
+      isSynced = true;
+    } catch (err) {
+      logger.error(
+        err,
+        `SecretSync Sync Error [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
+      );
+
+      if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
+        syncErrorHistogram.record(1, {
+          version: 1,
+          destination: secretSync.destination,
+          syncId: secretSync.id,
+          projectId: secretSync.projectId,
+          type: err instanceof AxiosError ? "AxiosError" : err?.constructor?.name || "UnknownError",
+          status: err instanceof AxiosError ? err.response?.status : undefined,
+          name: err instanceof Error ? err.name : undefined
+        });
+      }
+
+      syncMessage =
+        // eslint-disable-next-line no-nested-ternary
+        (err instanceof AxiosError
+          ? err?.response?.data
+            ? JSON.stringify(err?.response?.data)
+            : err?.message
+          : (err as Error)?.message) || "An unknown error occurred.";
+
+      // re-throw so job fails
+      throw err;
+    } finally {
+      const ranAt = new Date();
+      const syncStatus = isSynced ? SecretSyncStatus.Success : SecretSyncStatus.Failed;
+
+      await auditLogService.createAuditLog({
+        projectId: secretSync.projectId,
+        ...(auditLogInfo ?? {
+          actor: {
+            type: ActorType.PLATFORM,
+            metadata: {}
+          }
+        }),
+        event: {
+          type: EventType.SYNC_SECRET_SYNC,
+          metadata: {
+            syncId: secretSync.id,
+            syncOptions: secretSync.syncOptions,
+            environment: secretSync.environment,
+            destination: secretSync.destination,
+            destinationConfig: secretSync.destinationConfig,
+            folderId: secretSync.folderId,
+            connectionId: secretSync.connectionId,
+            jobRanAt: ranAt,
+            jobId: job.id!,
+            syncStatus,
+            syncMessage
+          }
+        }
+      });
+
+      if (isSynced || isFinalAttempt) {
+        const updatedSecretSync = await secretSyncDAL.updateById(secretSync.id, {
+          syncStatus,
+          lastSyncJobId: job.id,
+          lastSyncMessage: syncMessage,
+          lastSyncedAt: isSynced ? ranAt : undefined
+        });
+
+        if (!isSynced) {
+          await $queueSendSecretSyncFailedNotifications({
+            secretSync: updatedSecretSync,
+            action: SecretSyncAction.Sync
+          });
+        }
+      }
+    }
+
+    logger.info("SecretSync Sync Job with ID %s Completed", job.id);
+  };
+
+  const $importSecrets = async (job: TSecretSyncImportDTO) => {
+    const {
+      data: { syncId, auditLogInfo, shouldOverwrite }
+    } = job;
+
+    const secretSync = await secretSyncDAL.findById(syncId);
+
+    if (!secretSync) throw new Error(`Cannot find secret sync with ID ${syncId}`);
+
+    await secretSyncDAL.updateById(syncId, {
+      importStatus: SecretSyncStatus.Pending
+    });
+
+    logger.info(
+      `SecretSync Import [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
+    );
+
+    let isImported = false;
+    let importMessage: string | null = null;
+    const isFinalAttempt = job.attemptsStarted === job.opts.attempts;
+
+    try {
+      const {
+        connection: { orgId, encryptedCredentials },
+        projectId,
+        environment
+      } = secretSync;
+
+      const credentials = await decryptAppConnectionCredentials({
+        orgId,
+        encryptedCredentials,
+        kmsService
+      });
+
+      const importedSecrets = await SecretSyncFns.import({
+        ...secretSync,
+        connection: {
+          ...secretSync.connection,
+          credentials
+        }
+      } as TSecretSyncWithConnection);
+
+      if (Object.keys(importedSecrets).length) {
+        const secretMap = await $getSecrets(secretSync, false);
+
+        const secretsToCreate: Parameters<typeof $createManySecretsRawFn>[0]["secrets"] = [];
+        const secretsToUpdate: Parameters<typeof $updateManySecretsRawFn>[0]["secrets"] = [];
+
+        Object.entries(importedSecrets).forEach(([key, { value }]) => {
+          const secret = {
+            secretName: key,
+            secretValue: value,
+            type: SecretType.Shared,
+            secretComment: ""
+          };
+
+          if (Object.hasOwn(secretMap, key)) {
+            secretsToUpdate.push(secret);
+          } else {
+            secretsToCreate.push(secret);
+          }
+        });
+
+        if (secretsToCreate.length) {
+          await $createManySecretsRawFn({
+            projectId,
+            path: secretSync.folder.path,
+            environment: environment.slug,
+            secrets: secretsToCreate
+          });
+        }
+
+        if (shouldOverwrite && secretsToUpdate.length) {
+          await $updateManySecretsRawFn({
+            projectId,
+            path: secretSync.folder.path,
+            environment: environment.slug,
+            secrets: secretsToUpdate
+          });
+        }
+      }
+
+      isImported = true;
+    } catch (err) {
+      logger.error(
+        err,
+        `SecretSync Import Error [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
+      );
+
+      if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
+        importErrorHistogram.record(1, {
+          version: 1,
+          destination: secretSync.destination,
+          syncId: secretSync.id,
+          projectId: secretSync.projectId,
+          type: err instanceof AxiosError ? "AxiosError" : err?.constructor?.name || "UnknownError",
+          status: err instanceof AxiosError ? err.response?.status : undefined,
+          name: err instanceof Error ? err.name : undefined
+        });
+      }
+
+      importMessage =
+        // eslint-disable-next-line no-nested-ternary
+        (err instanceof AxiosError
+          ? err?.response?.data
+            ? JSON.stringify(err?.response?.data)
+            : err?.message
+          : (err as Error)?.message) || "An unknown error occurred.";
+
+      // re-throw so job fails
+      throw err;
+    } finally {
+      const ranAt = new Date();
+      const importStatus = isImported ? SecretSyncStatus.Success : SecretSyncStatus.Failed;
+
+      await auditLogService.createAuditLog({
+        projectId: secretSync.projectId,
+        ...(auditLogInfo ?? {
+          actor: {
+            type: ActorType.PLATFORM,
+            metadata: {}
+          }
+        }),
+        event: {
+          type: EventType.IMPORT_SECRET_SYNC,
+          metadata: {
+            syncId: secretSync.id,
+            syncOptions: secretSync.syncOptions,
+            environment: secretSync.environment,
+            destination: secretSync.destination,
+            destinationConfig: secretSync.destinationConfig,
+            folderId: secretSync.folderId,
+            connectionId: secretSync.connectionId,
+            jobRanAt: ranAt,
+            jobId: job.id!,
+            importStatus,
+            importMessage
+          }
+        }
+      });
+
+      if (isImported || isFinalAttempt) {
+        const updatedSecretSync = await secretSyncDAL.updateById(secretSync.id, {
+          importStatus,
+          lastImportJobId: job.id,
+          lastImportMessage: importMessage,
+          lastImportedAt: isImported ? ranAt : undefined
+        });
+
+        if (!isImported) {
+          await $queueSendSecretSyncFailedNotifications({
+            secretSync: updatedSecretSync,
+            action: SecretSyncAction.Import
+          });
+        }
+      }
+    }
+
+    logger.info("SecretSync Import Job with ID %s Completed", job.id);
+  };
+
+  const $eraseSecrets = async (job: TSecretSyncEraseDTO) => {
+    const {
+      data: { syncId, auditLogInfo }
+    } = job;
+
+    const secretSync = await secretSyncDAL.findById(syncId);
+
+    if (!secretSync) throw new Error(`Cannot find secret sync with ID ${syncId}`);
+
+    await secretSyncDAL.updateById(syncId, {
+      eraseStatus: SecretSyncStatus.Pending
+    });
+
+    logger.info(
+      `SecretSync Erase [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
+    );
+
+    let isErased = false;
+    let eraseMessage: string | null = null;
+    const isFinalAttempt = job.attemptsStarted === job.opts.attempts;
+
+    try {
+      const {
+        connection: { orgId, encryptedCredentials }
+      } = secretSync;
+
+      const credentials = await decryptAppConnectionCredentials({
+        orgId,
+        encryptedCredentials,
+        kmsService
+      });
+
+      const secretMap = await $getSecrets(secretSync);
+
+      await SecretSyncFns.erase(
+        {
+          ...secretSync,
+          connection: {
+            ...secretSync.connection,
+            credentials
+          }
+        } as TSecretSyncWithConnection,
+        secretMap
+      );
+
+      isErased = true;
+    } catch (err) {
+      logger.error(
+        err,
+        `SecretSync Erase Error [syncId=${secretSync.id}] [destination=${secretSync.destination}] [projectId=${secretSync.projectId}] [folderId=${secretSync.folderId}] [connectionId=${secretSync.connectionId}]`
+      );
+
+      if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
+        eraseErrorHistogram.record(1, {
+          version: 1,
+          destination: secretSync.destination,
+          syncId: secretSync.id,
+          projectId: secretSync.projectId,
+          type: err instanceof AxiosError ? "AxiosError" : err?.constructor?.name || "UnknownError",
+          status: err instanceof AxiosError ? err.response?.status : undefined,
+          name: err instanceof Error ? err.name : undefined
+        });
+      }
+
+      eraseMessage =
+        // eslint-disable-next-line no-nested-ternary
+        (err instanceof AxiosError
+          ? err?.response?.data
+            ? JSON.stringify(err?.response?.data)
+            : err?.message
+          : (err as Error)?.message) || "An unknown error occurred.";
+
+      // re-throw so job fails
+      throw err;
+    } finally {
+      const ranAt = new Date();
+      const eraseStatus = isErased ? SecretSyncStatus.Success : SecretSyncStatus.Failed;
+
+      await auditLogService.createAuditLog({
+        projectId: secretSync.projectId,
+        ...(auditLogInfo ?? {
+          actor: {
+            type: ActorType.PLATFORM,
+            metadata: {}
+          }
+        }),
+        event: {
+          type: EventType.ERASE_SECRET_SYNC,
+          metadata: {
+            syncId: secretSync.id,
+            syncOptions: secretSync.syncOptions,
+            environment: secretSync.environment,
+            destination: secretSync.destination,
+            destinationConfig: secretSync.destinationConfig,
+            folderId: secretSync.folderId,
+            connectionId: secretSync.connectionId,
+            jobRanAt: ranAt,
+            jobId: job.id!,
+            eraseStatus,
+            eraseMessage
+          }
+        }
+      });
+
+      if (isErased || isFinalAttempt) {
+        const updatedSecretSync = await secretSyncDAL.updateById(secretSync.id, {
+          eraseStatus,
+          lastEraseJobId: job.id,
+          lastEraseMessage: eraseMessage,
+          lastErasedAt: isErased ? ranAt : undefined
+        });
+
+        if (!isErased) {
+          await $queueSendSecretSyncFailedNotifications({
+            secretSync: updatedSecretSync,
+            action: SecretSyncAction.Erase
+          });
+        }
+      }
+    }
+
+    logger.info("SecretSync Erase Job with ID %s Completed", job.id);
+  };
+
+  const $sendSecretSyncFailedNotifications = async (job: TSendSecretSyncFailedNotificationsJobDTO) => {
+    const {
+      data: { secretSync, auditLogInfo, action }
+    } = job;
+
+    const { projectId, destination, name, folder, lastSyncMessage, lastEraseMessage, lastImportMessage, environment } =
+      secretSync;
+
+    const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
+    const project = await projectDAL.findById(projectId);
+
+    let projectAdmins = projectMembers.filter((member) =>
+      member.roles.some((role) => role.role === ProjectMembershipRole.Admin)
+    );
+
+    const triggeredByUserId =
+      auditLogInfo && auditLogInfo.actor.type === ActorType.USER && auditLogInfo.actor.metadata.userId;
+
+    // only notify triggering user if triggered by admin
+    if (triggeredByUserId && projectAdmins.map((admin) => admin.userId).includes(triggeredByUserId)) {
+      projectAdmins = projectAdmins.filter((admin) => admin.userId === triggeredByUserId);
+    }
+
+    const syncDestination = SECRET_SYNC_NAME_MAP[destination as SecretSync];
+
+    let subject: string;
+    let failureMessage: string | null | undefined;
+    let content: string;
+
+    switch (action) {
+      case SecretSyncAction.Import:
+        subject = "Import";
+        failureMessage = lastImportMessage;
+        content = `Your ${syncDestination} Sync named "${name}" failed while attempting to import secrets.`;
+        break;
+      case SecretSyncAction.Erase:
+        subject = "Erase";
+        failureMessage = lastEraseMessage;
+        content = `Your ${syncDestination} Sync named "${name}" failed while attempting to erase secrets.`;
+        break;
+      case SecretSyncAction.Sync:
+      default:
+        subject = `Sync`;
+        failureMessage = lastSyncMessage;
+        content = `Your ${syncDestination} Sync named "${name}" failed to sync.`;
+        break;
+    }
+
+    await smtpService.sendMail({
+      recipients: projectAdmins.map((member) => member.user.email!).filter(Boolean),
+      template: SmtpTemplates.SecretSyncFailed,
+      subjectLine: `Secret Sync Failed to ${subject} Secrets`,
+      substitutions: {
+        syncName: name,
+        syncDestination,
+        content,
+        failureMessage,
+        secretPath: folder.path,
+        environment: environment.name,
+        projectName: project.name,
+        // TODO (scott): verify this is still the URL after bare react change
+        syncUrl: `${appCfg.SITE_URL}/integrations/secret-syncs/${destination}/${secretSync.id}`
+      }
+    });
+  };
+
+  const queueSecretSyncsByPath = async ({ secretPath, projectId, environmentSlug }: TQueueSecretSyncsByPathDTO) => {
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, secretPath);
+
+    if (!folder)
+      throw new Error(
+        `Could not find folder at path "${secretPath}" for environment with slug "${environmentSlug}" in project with ID "${projectId}"`
+      );
+
+    const secretSyncs = await secretSyncDAL.find({ folderId: folder.id, isEnabled: true });
+
+    await Promise.all(secretSyncs.map((secretSync) => queueSecretSyncById({ syncId: secretSync.id })));
+  };
+
+  queueService.start(QueueName.AppConnectionSecretSync, async (job) => {
+    if (job.name === QueueJobs.AppConnectionSendSecretSyncActionFailedNotifications) {
+      await $sendSecretSyncFailedNotifications(job as TSendSecretSyncFailedNotificationsJobDTO);
+      return;
+    }
+
+    const { syncId } = job.data as
+      | TQueueSecretSyncByIdDTO
+      | TQueueSecretSyncImportByIdDTO
+      | TQueueSecretSyncEraseByIdDTO;
+
+    const lock = await keyStore.acquireLock([KeyStorePrefixes.SecretSyncLock(syncId)], 5 * 60 * 1000);
+
+    try {
+      switch (job.name) {
+        case QueueJobs.AppConnectionSecretSync:
+          await $syncSecrets(job as TSecretSyncDTO);
+          break;
+        case QueueJobs.AppConnectionSecretSyncImport:
+          await $importSecrets(job as TSecretSyncImportDTO);
+          break;
+        case QueueJobs.AppConnectionSecretSyncErase:
+          await $eraseSecrets(job as TSecretSyncEraseDTO);
+          break;
+        default:
+          throw new InternalServerError({
+            // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+            message: `Unhandled Secret Sync Job ${job.name}`
+          });
+      }
+    } finally {
+      await lock.release();
+    }
+  });
+
+  return {
+    queueSecretSyncById,
+    queueSecretSyncImportById,
+    queueSecretSyncEraseById,
+    queueSecretSyncsByPath
+  };
+};

backend/src/services/secret-sync/secret-sync-schemas.ts

@@ -0,0 +1,65 @@
+import { z } from "zod";
+
+import { SecretSyncsSchema } from "@app/db/schemas/secret-syncs";
+import { SecretSyncs } from "@app/lib/api-docs";
+import { slugSchema } from "@app/server/lib/schemas";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+const SyncOptionsSchema = z.object({
+  prependPrefix: z
+    .string()
+    .trim()
+    .transform((str) => str.toUpperCase())
+    .optional()
+    .describe(SecretSyncs.SYNC_OPTIONS.PREPEND_PREFIX),
+  appendSuffix: z
+    .string()
+    .trim()
+    .transform((str) => str.toUpperCase())
+    .optional()
+    .describe(SecretSyncs.SYNC_OPTIONS.APPEND_SUFFIX)
+});
+
+export const BaseSecretSyncSchema = (app: AppConnection) =>
+  SecretSyncsSchema.omit({
+    destination: true,
+    destinationConfig: true,
+    syncOptions: true
+  }).extend({
+    syncOptions: SyncOptionsSchema,
+    // join properties
+    projectId: z.string(),
+    connection: z.object({ app: z.literal(app), name: z.string(), id: z.string().uuid() }),
+    environment: z.object({ slug: z.string(), name: z.string(), id: z.string().uuid() }),
+    folder: z.object({ id: z.string(), path: z.string() })
+  });
+
+export const GenericCreateSecretSyncFieldsSchema = (sync: SecretSync) =>
+  z.object({
+    name: slugSchema({ field: "name" }).describe(SecretSyncs.CREATE(sync).name),
+    description: z
+      .string()
+      .trim()
+      .max(256, "Description cannot exceed 256 characters")
+      .nullish()
+      .describe(SecretSyncs.CREATE(sync).description),
+    connectionId: z.string().uuid().describe(SecretSyncs.CREATE(sync).connectionId),
+    folderId: z.string().uuid().describe(SecretSyncs.CREATE(sync).folderId),
+    isEnabled: z.boolean().default(true).describe(SecretSyncs.CREATE(sync).isEnabled),
+    syncOptions: SyncOptionsSchema.optional().default({}).describe(SecretSyncs.CREATE(sync).syncOptions)
+  });
+
+export const GenericUpdateSecretSyncFieldsSchema = (sync: SecretSync) =>
+  z.object({
+    name: slugSchema({ field: "name" }).describe(SecretSyncs.UPDATE(sync).name).optional(),
+    description: z
+      .string()
+      .trim()
+      .max(256, "Description cannot exceed 256 characters")
+      .nullish()
+      .describe(SecretSyncs.UPDATE(sync).description),
+    folderId: z.string().uuid().optional().describe(SecretSyncs.UPDATE(sync).folderId),
+    isEnabled: z.boolean().optional().describe(SecretSyncs.UPDATE(sync).isEnabled),
+    syncOptions: SyncOptionsSchema.optional().describe(SecretSyncs.UPDATE(sync).syncOptions)
+  });

backend/src/services/secret-sync/secret-sync-service.ts

@@ -0,0 +1,472 @@
+import { ForbiddenError } from "@casl/ability";
+
+import { ProjectType } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { startsWithVowel } from "@app/lib/fn";
+import { OrgServiceActor } from "@app/lib/types";
+import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
+import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
+import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
+import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+import { listSecretSyncOptions } from "@app/services/secret-sync/secret-sync-fns";
+import {
+  TCreateSecretSyncDTO,
+  TDeleteSecretSyncDTO,
+  TFindSecretSyncByIdDTO,
+  TFindSecretSyncByNameDTO,
+  TListSecretSyncsByProjectId,
+  TSecretSync,
+  TTriggerSecretSyncByIdDTO,
+  TTriggerSecretSyncEraseByIdDTO,
+  TTriggerSecretSyncImportByIdDTO,
+  TUpdateSecretSyncDTO
+} from "@app/services/secret-sync/secret-sync-types";
+
+import { TSecretSyncDALFactory } from "./secret-sync-dal";
+import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "./secret-sync-maps";
+import { TSecretSyncQueueFactory } from "./secret-sync-queue";
+
+type TSecretSyncServiceFactoryDep = {
+  secretSyncDAL: TSecretSyncDALFactory;
+  appConnectionService: Pick<TAppConnectionServiceFactory, "connectAppConnectionById">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
+  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findByProjectId" | "findById">;
+  keyStore: Pick<TKeyStoreFactory, "getItem">;
+  secretSyncQueue: Pick<
+    TSecretSyncQueueFactory,
+    "queueSecretSyncById" | "queueSecretSyncImportById" | "queueSecretSyncEraseById"
+  >;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">; // TODO: remove once launched
+};
+
+export type TSecretSyncServiceFactory = ReturnType<typeof secretSyncServiceFactory>;
+
+export const secretSyncServiceFactory = ({
+  secretSyncDAL,
+  folderDAL,
+  licenseService,
+  permissionService,
+  appConnectionService,
+  projectBotService,
+  secretSyncQueue,
+  keyStore
+}: TSecretSyncServiceFactoryDep) => {
+  // secret syncs are disabled for public until launch
+  const checkSecretSyncAvailability = async (orgId: string) => {
+    const subscription = await licenseService.getPlan(orgId);
+
+    if (!subscription.appConnections) throw new BadRequestError({ message: "Secret Syncs are not available yet." });
+  };
+
+  const listSecretSyncsByProjectId = async (
+    { projectId, destination }: TListSecretSyncsByProjectId,
+    actor: OrgServiceActor
+  ) => {
+    await checkSecretSyncAvailability(actor.orgId);
+
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
+
+    const folders = await folderDAL.findByProjectId(projectId);
+
+    const secretSyncs = await secretSyncDAL.find({
+      ...(destination && { destination }),
+      $in: {
+        folderId: folders.map((folder) => folder.id)
+      }
+    });
+
+    return secretSyncs as TSecretSync[];
+  };
+
+  const findSecretSyncById = async ({ destination, syncId }: TFindSecretSyncByIdDTO, actor: OrgServiceActor) => {
+    await checkSecretSyncAvailability(actor.orgId);
+
+    const secretSync = await secretSyncDAL.findById(syncId);
+
+    if (!secretSync)
+      throw new NotFoundError({
+        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID "${syncId}"`
+      });
+
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      secretSync.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
+
+    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
+      throw new BadRequestError({
+        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
+      });
+
+    return secretSync as TSecretSync;
+  };
+
+  const findSecretSyncByName = async (
+    { destination, syncName, projectId }: TFindSecretSyncByNameDTO,
+    actor: OrgServiceActor
+  ) => {
+    await checkSecretSyncAvailability(actor.orgId);
+
+    const folders = await folderDAL.findByProjectId(projectId);
+
+    // we prevent conflicting names within a project so this will only return one at most
+    const [secretSync] = await secretSyncDAL.find({
+      name: syncName,
+      $in: {
+        folderId: folders.map((folder) => folder.id)
+      }
+    });
+
+    if (!secretSync)
+      throw new NotFoundError({
+        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with name "${syncName}"`
+      });
+
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      secretSync.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
+
+    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
+      throw new BadRequestError({
+        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
+      });
+
+    return secretSync as TSecretSync;
+  };
+
+  const createSecretSync = async (params: TCreateSecretSyncDTO, actor: OrgServiceActor) => {
+    await checkSecretSyncAvailability(actor.orgId);
+
+    const folder = await folderDAL.findById(params.folderId);
+
+    if (!folder) throw new BadRequestError({ message: `Could not find Folder with ID "${params.folderId}"` });
+
+    const { permission: projectPermission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      folder.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(folder.projectId);
+
+    if (!shouldUseSecretV2Bridge)
+      throw new BadRequestError({ message: "Project version does not support Secret Syncs" });
+
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+
+    ForbiddenError.from(projectPermission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      ProjectPermissionSub.SecretSyncs
+    );
+
+    const appConnection = await appConnectionService.connectAppConnectionById(params.connectionId, actor);
+
+    const destinationApp = SECRET_SYNC_CONNECTION_MAP[params.destination];
+
+    if (appConnection.app !== destinationApp) {
+      const appName = APP_CONNECTION_NAME_MAP[appConnection.app];
+      throw new BadRequestError({
+        message: `Invalid App Connection - Cannot sync to ${SECRET_SYNC_NAME_MAP[params.destination]} using ${
+          startsWithVowel(appName) ? "an" : "a"
+        } ${appName} Connection`
+      });
+    }
+
+    const projectFolders = await folderDAL.findByProjectId(folder.projectId);
+
+    const secretSync = await secretSyncDAL.transaction(async (tx) => {
+      const isConflictingName = Boolean(
+        (
+          await secretSyncDAL.find(
+            {
+              name: params.name,
+              $in: {
+                folderId: projectFolders.map((f) => f.id)
+              }
+            },
+            tx
+          )
+        ).length
+      );
+
+      if (isConflictingName)
+        throw new BadRequestError({
+          message: `A Secret Sync with the name "${params.name}" already exists for the project with ID "${folder.projectId}"`
+        });
+
+      const sync = await secretSyncDAL.create(params);
+
+      return sync;
+    });
+
+    if (secretSync.isEnabled) await secretSyncQueue.queueSecretSyncById({ syncId: secretSync.id });
+
+    return secretSync as TSecretSync;
+  };
+
+  const updateSecretSync = async ({ destination, syncId, ...params }: TUpdateSecretSyncDTO, actor: OrgServiceActor) => {
+    await checkSecretSyncAvailability(actor.orgId);
+
+    const secretSync = await secretSyncDAL.findById(syncId);
+
+    if (!secretSync)
+      throw new NotFoundError({
+        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID ${syncId}`
+      });
+
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      secretSync.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretSyncs);
+
+    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
+      throw new BadRequestError({
+        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
+      });
+
+    const updatedSecretSync = await secretSyncDAL.transaction(async (tx) => {
+      if (params.folderId) {
+        const newFolder = await folderDAL.findById(params.folderId);
+
+        if (!newFolder) throw new BadRequestError({ message: `Could not find folder with ID "${params.folderId}"` });
+
+        // TODO (scott): I don't think there's a reason we can't allow moving syncs across projects
+        //  but not supporting this initially
+        if (newFolder.projectId !== secretSync.projectId)
+          throw new BadRequestError({
+            message: `Cannot move Secret Sync to different project`
+          });
+      }
+
+      if (params.name && secretSync.name !== params.name) {
+        const projectFolders = await folderDAL.findByProjectId(secretSync.projectId);
+
+        const isConflictingName = Boolean(
+          (
+            await secretSyncDAL.find(
+              {
+                name: params.name,
+                $in: {
+                  folderId: projectFolders.map((f) => f.id)
+                }
+              },
+              tx
+            )
+          ).length
+        );
+
+        if (isConflictingName)
+          throw new BadRequestError({
+            message: `A Secret Sync with the name "${params.name}" already exists for project with ID "${secretSync.projectId}"`
+          });
+      }
+
+      const updatedSync = await secretSyncDAL.updateById(syncId, params);
+
+      return updatedSync;
+    });
+
+    if (updatedSecretSync.isEnabled) await secretSyncQueue.queueSecretSyncById({ syncId: secretSync.id });
+
+    return updatedSecretSync as TSecretSync;
+  };
+
+  const deleteSecretSync = async ({ destination, syncId }: TDeleteSecretSyncDTO, actor: OrgServiceActor) => {
+    await checkSecretSyncAvailability(actor.orgId);
+
+    const secretSync = await secretSyncDAL.findById(syncId);
+
+    if (!secretSync)
+      throw new NotFoundError({
+        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID "${syncId}"`
+      });
+
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      secretSync.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.SecretSyncs);
+
+    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
+      throw new BadRequestError({
+        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
+      });
+
+    await secretSyncDAL.deleteById(syncId);
+
+    return secretSync as TSecretSync;
+  };
+
+  const triggerSecretSyncById = async (
+    { syncId, destination, ...params }: TTriggerSecretSyncByIdDTO,
+    actor: OrgServiceActor
+  ) => {
+    await checkSecretSyncAvailability(actor.orgId);
+
+    const secretSync = await secretSyncDAL.findById(syncId);
+
+    if (!secretSync)
+      throw new NotFoundError({
+        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID "${syncId}"`
+      });
+
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      secretSync.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
+
+    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
+      throw new BadRequestError({
+        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
+      });
+
+    await secretSyncQueue.queueSecretSyncById({ syncId, ...params });
+
+    return secretSync as TSecretSync;
+  };
+
+  const triggerSecretSyncImportById = async (
+    { syncId, destination, ...params }: TTriggerSecretSyncImportByIdDTO,
+    actor: OrgServiceActor
+  ) => {
+    await checkSecretSyncAvailability(actor.orgId);
+
+    const secretSync = await secretSyncDAL.findById(syncId);
+
+    if (!secretSync)
+      throw new NotFoundError({
+        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID "${syncId}"`
+      });
+
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      secretSync.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
+
+    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
+      throw new BadRequestError({
+        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
+      });
+
+    const isSyncJobRunning = Boolean(await keyStore.getItem(KeyStorePrefixes.SecretSyncLock(syncId)));
+
+    if (isSyncJobRunning)
+      throw new BadRequestError({ message: `A job for this sync is already in progress. Please try again shortly.` });
+
+    await secretSyncQueue.queueSecretSyncImportById({ syncId, ...params });
+
+    return secretSync as TSecretSync;
+  };
+
+  const triggerSecretSyncEraseById = async (
+    { syncId, destination, ...params }: TTriggerSecretSyncEraseByIdDTO,
+    actor: OrgServiceActor
+  ) => {
+    await checkSecretSyncAvailability(actor.orgId);
+
+    const secretSync = await secretSyncDAL.findById(syncId);
+
+    if (!secretSync)
+      throw new NotFoundError({
+        message: `Could not find ${SECRET_SYNC_NAME_MAP[destination]} Sync with ID "${syncId}"`
+      });
+
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      secretSync.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
+
+    if (secretSync.connection.app !== SECRET_SYNC_CONNECTION_MAP[destination])
+      throw new BadRequestError({
+        message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
+      });
+
+    const isSyncJobRunning = Boolean(await keyStore.getItem(KeyStorePrefixes.SecretSyncLock(syncId)));
+
+    if (isSyncJobRunning)
+      throw new BadRequestError({ message: `A job for this sync is already in progress. Please try again shortly.` });
+
+    await secretSyncQueue.queueSecretSyncEraseById({ syncId, ...params });
+
+    return secretSync as TSecretSync;
+  };
+
+  return {
+    listSecretSyncOptions,
+    listSecretSyncsByProjectId,
+    findSecretSyncById,
+    findSecretSyncByName,
+    createSecretSync,
+    updateSecretSync,
+    deleteSecretSync,
+    triggerSecretSyncById,
+    triggerSecretSyncImportById,
+    triggerSecretSyncEraseById
+  };
+};

backend/src/services/secret-sync/secret-sync-types.ts

@@ -0,0 +1,131 @@
+import { Job } from "bullmq";
+
+import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
+import { QueueJobs } from "@app/queue";
+import { TSecretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import {
+  TAwsParameterStoreSync,
+  TAwsParameterStoreSyncInput,
+  TAwsParameterStoreSyncListItem,
+  TAwsParameterStoreSyncWithConnection
+} from "./aws-parameter-store";
+
+export type TSecretSync = TAwsParameterStoreSync;
+
+export type TSecretSyncWithConnection = TAwsParameterStoreSyncWithConnection;
+
+export type TSecretSyncInput = TAwsParameterStoreSyncInput;
+
+export type TSecretSyncListItem = TAwsParameterStoreSyncListItem;
+
+export type TListSecretSyncsByProjectId = {
+  projectId: string;
+  destination?: SecretSync;
+};
+
+export type TFindSecretSyncByIdDTO = {
+  syncId: string;
+  destination: SecretSync;
+};
+
+export type TFindSecretSyncByNameDTO = {
+  syncName: string;
+  projectId: string;
+  destination: SecretSync;
+};
+
+export type TCreateSecretSyncDTO = Pick<
+  TSecretSync,
+  "syncOptions" | "destinationConfig" | "folderId" | "name" | "connectionId"
+> & { destination: SecretSync };
+
+export type TUpdateSecretSyncDTO = Partial<Omit<TCreateSecretSyncDTO, "connectionId">> & {
+  syncId: string;
+  destination: SecretSync;
+};
+
+export type TDeleteSecretSyncDTO = {
+  destination: SecretSync;
+  syncId: string;
+};
+
+type AuditLogInfo = Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
+
+export enum SecretSyncStatus {
+  Pending = "pending",
+  Success = "success",
+  Failed = "failed"
+}
+
+export enum SecretSyncAction {
+  Sync = "sync",
+  Import = "import",
+  Erase = "erase"
+}
+
+export type TSecretSyncRaw = NonNullable<Awaited<ReturnType<TSecretSyncDALFactory["findById"]>>>;
+
+export type TQueueSecretSyncsByPathDTO = {
+  secretPath: string;
+  environmentSlug: string;
+  projectId: string;
+};
+
+export type TQueueSecretSyncByIdDTO = {
+  syncId: string;
+  auditLogInfo?: AuditLogInfo;
+};
+
+export type TTriggerSecretSyncByIdDTO = {
+  destination: SecretSync;
+} & TQueueSecretSyncByIdDTO;
+
+export type TQueueSecretSyncImportByIdDTO = {
+  syncId: string;
+  shouldOverwrite: boolean;
+  auditLogInfo?: AuditLogInfo;
+};
+
+export type TTriggerSecretSyncImportByIdDTO = {
+  destination: SecretSync;
+} & TQueueSecretSyncImportByIdDTO;
+
+export type TQueueSecretSyncEraseByIdDTO = {
+  syncId: string;
+  auditLogInfo?: AuditLogInfo;
+};
+
+export type TTriggerSecretSyncEraseByIdDTO = {
+  destination: SecretSync;
+} & TQueueSecretSyncEraseByIdDTO;
+
+export type TQueueSendSecretSyncActionFailedNotificationsDTO = {
+  secretSync: TSecretSyncRaw;
+  auditLogInfo?: AuditLogInfo;
+  action: SecretSyncAction;
+};
+
+export type TSecretSyncDTO = Job<TQueueSecretSyncByIdDTO, void, QueueJobs.AppConnectionSecretSync>;
+export type TSecretSyncImportDTO = Job<TQueueSecretSyncImportByIdDTO, void, QueueJobs.AppConnectionSecretSync>;
+export type TSecretSyncEraseDTO = Job<TQueueSecretSyncEraseByIdDTO, void, QueueJobs.AppConnectionSecretSync>;
+
+export type TSendSecretSyncFailedNotificationsJobDTO = Job<
+  TQueueSendSecretSyncActionFailedNotificationsDTO,
+  void,
+  QueueJobs.AppConnectionSendSecretSyncActionFailedNotifications
+>;
+
+export type TSecretMap = Record<
+  string,
+  { value: string; comment?: string; skipMultilineEncoding?: boolean | null | undefined }
+>;
+
+export type TSecretSyncGetSecrets = {
+  projectId: string;
+  folderId: string;
+  secretPath: string;
+  environmentSlug: string;
+  includeImports?: boolean;
+};

backend/src/services/secret/secret-queue.ts

@@ -29,6 +29,7 @@ import { createManySecretsRawFnFactory, updateManySecretsRawFnFactory } from "@a
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
 import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version-tag-dal";
 import { TSecretBlindIndexDALFactory } from "@app/services/secret-blind-index/secret-blind-index-dal";
+import { TSecretSyncQueueFactory } from "@app/services/secret-sync/secret-sync-queue";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 
 import { ActorType } from "../auth/auth-type";
@@ -104,6 +105,7 @@ type TSecretQueueFactoryDep = {
   auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
   orgService: Pick<TOrgServiceFactory, "addGhostUser">;
   projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create">;
+  secretSyncQueue: Pick<TSecretSyncQueueFactory, "queueSecretSyncsByPath">;
 };
 
 export type TGetSecrets = {
@@ -157,7 +159,8 @@ export const secretQueueFactory = ({
   auditLogService,
   orgService,
   projectUserMembershipRoleDAL,
-  projectKeyDAL
+  projectKeyDAL,
+  secretSyncQueue
 }: TSecretQueueFactoryDep) => {
   const integrationMeter = opentelemetry.metrics.getMeter("Integrations");
   const errorHistogram = integrationMeter.createHistogram("integration_secret_sync_errors", {
@@ -619,6 +622,9 @@ export const secretQueueFactory = ({
         }
       }
     );
+
+    await secretSyncQueue.queueSecretSyncsByPath({ projectId, environmentSlug: environment, secretPath });
+
     await syncIntegrations({ secretPath, projectId, environment, deDupeQueue, isManual: false });
     if (!excludeReplication) {
       await replicateSecrets({

backend/src/services/slack/slack-fns.ts

@@ -51,7 +51,7 @@ const buildSlackPayload = (notification: TSlackNotification) => {
 *Environment*: ${payload.environment}
 *Secret path*: ${payload.secretPath || "/"}
 
-View the complete details <${appCfg.SITE_URL}/project/${payload.projectId}/approval?requestId=${
+View the complete details <${appCfg.SITE_URL}/secret-manager/${payload.projectId}/approval?requestId=${
         payload.requestId
       }|here>.`;
 

backend/src/services/smtp/smtp-service.ts

@@ -35,6 +35,7 @@ export enum SmtpTemplates {
   ScimUserProvisioned = "scimUserProvisioned.handlebars",
   PkiExpirationAlert = "pkiExpirationAlert.handlebars",
   IntegrationSyncFailed = "integrationSyncFailed.handlebars",
+  SecretSyncFailed = "secretSyncFailed.handlebars",
   ExternalImportSuccessful = "externalImportSuccessful.handlebars",
   ExternalImportFailed = "externalImportFailed.handlebars",
   ExternalImportStarted = "externalImportStarted.handlebars"

backend/src/services/smtp/templates/secretSyncFailed.handlebars

@@ -0,0 +1,35 @@
+<html>
+
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>{{syncDestination}} Sync "{{syncName}}" Failed</title>
+  </head>
+
+  <body>
+    <h2>Infisical</h2>
+
+    <div>
+      <p>{{content}}</p>
+      <a href="{{syncUrl}}">
+        View in Infisical.
+      </a>
+    </div>
+
+    <br />
+    <div>
+      <p><strong>Name</strong>: {{syncName}}</p>
+      <p><strong>Destination</strong>: {{syncDestination}}</p>
+      <p><strong>Project</strong>: {{projectName}}</p>
+      <p><strong>Environment</strong>: {{environment}}</p>
+      <p><strong>Secret Path</strong>: {{secretPath}}</p>
+    </div>
+
+    {{#if failureMessage}}
+      <p><b>Reason: </b>{{failureMessage}}</p>
+    {{/if}}
+
+    {{emailFooter}}
+  </body>
+
+</html>

company/handbook/onboarding.mdx

@@ -19,7 +19,7 @@ Every new joiner has an onboarding buddy who should ideally be in the the same t
 1. Join the weekly all-hands meeting. It typically happens on Monday's at 8:30am PT.
 2. Ship something together on day one – even if tiny! It feels great to hit the ground running, with a development environment all ready to go.
 3. Check out the [Areas of Responsibility (AoR) Table](https://docs.google.com/spreadsheets/d/1RnXlGFg83Sgu0dh7ycuydsSobmFfI3A0XkGw7vrVxEI/edit?usp=sharing). This is helpful to know who you can ask about particular areas of Infisical. Feel free to add yourself to the areas you'd be most interesting to dive into.
-4. Read the [Infisical Strategy Doc](https://docs.google.com/document/d/1RaJd3RoS2QpWLFHlgfHaXnHqCCwRt6mCGZkbJ75J_D0/edit?usp=sharing).
+4. Read the [Infisical Strategy Doc](https://docs.google.com/document/d/1uV9IaahYwbZ5OuzDTFdQMSa1P0mpMOnetGB-xqf4G40).
 5. Update your LinkedIn profile with one of [Infisical's official banners](https://drive.google.com/drive/u/0/folders/1oSNWjbpRl9oNYwxM_98IqzKs9fAskrb2) (if you want to). You can also coordinate your social posts in the #marketing Slack channel, so that we can boost it from Infisical's official social media accounts.
 6. Over the first few weeks, feel free to schedule 1:1s with folks on the team to get to know them a bit better.
 7. Change your Slack username in the users channel to `[NAME] (Infisical)`.

docker-compose.dev.yml

@@ -144,9 +144,6 @@ services:
       - ./frontend/src:/app/src/ # mounted whole src to avoid missing reload on new files
       - ./frontend/public:/app/public
     env_file: .env
-    environment:
-      - NEXT_PUBLIC_ENV=development
-      - INFISICAL_TELEMETRY_ENABLED=false
 
   pgadmin:
     image: dpage/pgadmin4

docs/api-reference/endpoints/app-connections/aws/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/aws/available"
+---

docs/api-reference/endpoints/app-connections/github/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/github/available"
+---

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/aws-parameter-store"
+---

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/aws-parameter-store/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/erase.mdx

@@ -0,0 +1,4 @@
+---
+title: "Erase Secrets"
+openapi: "POST /api/v1/secret-syncs/aws-parameter-store/{syncId}/erase"
+---

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/aws-parameter-store/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/aws-parameter-store/name/{syncName}"
+---

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/import.mdx

@@ -0,0 +1,4 @@
+---
+title: "Import Secrets"
+openapi: "POST /api/v1/secret-syncs/aws-parameter-store/{syncId}/import"
+---

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/aws-parameter-store"
+---

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/sync.mdx

@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/aws-parameter-store/{syncId}/sync"
+---

docs/api-reference/endpoints/secret-syncs/aws-parameter-store/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/aws-parameter-store/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs"
+---

docs/api-reference/endpoints/secret-syncs/options.mdx

@@ -0,0 +1,4 @@
+---
+title: "Options"
+openapi: "GET /api/v1/secret-syncs/options"
+---

docs/cli/commands/ssh.mdx

@@ -0,0 +1,116 @@
+---
+title: "infisical ssh"
+description: "Generate SSH credentials with the CLI"
+---
+
+## Description
+
+[Infisical SSH](/documentation/platform/ssh) lets you issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure.
+
+This command enables you to obtain SSH credentials used to access a remote host; we recommend using the `issue-credentials` sub-command to generate dynamic SSH credentials for each SSH session.
+
+### Sub-commands
+
+<Accordion title="infisical ssh issue-credentials">
+    This command is used to issue SSH credentials (SSH certificate, public key, and private key) against a certificate template.
+    
+    We recommend using the `--addToAgent` flag to automatically load issued SSH credentials to the SSH agent.
+    
+    ```bash
+    $ infisical ssh issue-credentials --certificateTemplateId=<certificate-template-id> --principals=<principals> --addToAgent
+    ```
+
+    ### Flags
+    <Accordion title="--certificateTemplateId">
+        The ID of the SSH certificate template to issue SSH credentials for.
+    </Accordion>
+    <Accordion title="--principals">
+        A comma-separated list of principals (i.e. usernames like `ec2-user` or hostnames) to issue SSH credentials for.
+    </Accordion>
+    <Accordion title="--addToAgent">
+        Whether to add issued SSH credentials to the SSH agent.
+        
+        Default value: `false`
+        
+        Note that either the `--outFilePath` or `--addToAgent` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--outFilePath">
+        The path to write the SSH credentials to such as `~/.ssh`, `./some_folder`, `./some_folder/id_rsa-cert.pub`. If not provided, the credentials will be saved to the current working directory where the command is run.
+        
+        Note that either the `--outFilePath` or `--addToAgent` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--keyAlgorithm">
+        The key algorithm to issue SSH credentials for.
+        
+        Default value: `RSA_2048`
+        
+        Available options: `RSA_2048`, `RSA_4096`, `EC_prime256v1`, `EC_secp384r1`.
+    </Accordion>
+    <Accordion title="--certType">
+        The certificate type to issue SSH credentials for.
+        
+        Default value: `user`
+        
+        Available options: `user` or `host`
+    </Accordion>
+    <Accordion title="--ttl">
+        The time-to-live (TTL) for the issued SSH certificate (e.g. `2 days`, `1d`, `2h`, `1y`).
+        
+        Defaults to the Default TTL value set in the certificate template.
+    </Accordion>
+    <Accordion title="--keyId">
+        A custom Key ID to issue SSH credentials for.
+        
+        Defaults to the autogenerated Key ID by Infisical.
+    </Accordion>
+    <Accordion title="--token">
+        An authenticated token to use to issue SSH credentials.
+    </Accordion>
+</Accordion>
+
+<Accordion title="infisical ssh sign-key">
+    This command is used to sign an existing SSH public key against a certificate template; the command outputs the corresponding signed SSH certificate.
+    
+    ```bash
+    $ infisical ssh sign-key --certificateTemplateId=<certificate-template-id> --publicKey=<public-key> --principals=<principals> --outFilePath=<out-file-path>
+    ```
+    <Accordion title="--certificateTemplateId">
+        The ID of the SSH certificate template to issue the SSH certificate for.
+    </Accordion>
+    <Accordion title="--publicKey">
+        The public key to sign.
+
+        Note that either the `--publicKey` or `--publicKeyFilePath` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--publicKeyFilePath">
+        The path to the public key file to sign.
+
+        Note that either the `--publicKey` or `--publicKeyFilePath` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--principals">
+        A comma-separated list of principals (i.e. usernames like `ec2-user` or hostnames) to issue SSH credentials for.
+    </Accordion>
+    <Accordion title="--outFilePath">
+        The path to write the SSH certificate to such as `~/.ssh/id_rsa-cert.pub`; the specified file must have the `.pub` extension. If not provided, the credentials will be saved to the directory of the specified `--publicKeyFilePath` or the current working directory where the command is run.
+    </Accordion>
+    <Accordion title="--certType">
+        The certificate type to issue SSH credentials for.
+        
+        Default value: `user`
+        
+        Available options: `user` or `host`
+    </Accordion>
+    <Accordion title="--ttl">
+        The time-to-live (TTL) for the issued SSH certificate (e.g. `2 days`, `1d`, `2h`, `1y`).
+        
+        Defaults to the Default TTL value set in the certificate template.
+    </Accordion>
+    <Accordion title="--keyId">
+        A custom Key ID to issue SSH credentials for.
+        
+        Defaults to the autogenerated Key ID by Infisical.
+    </Accordion>
+    <Accordion title="--token">
+        An authenticated token to use to issue SSH credentials.
+    </Accordion>
+</Accordion>

docs/documentation/platform/dynamic-secrets/overview.mdx

@@ -4,6 +4,13 @@ sidebarTitle: "Overview"
 description: "Learn how to generate secrets dynamically on-demand."
 ---
 
+<Info>
+    Note that Dynamic Secrets is a paid feature.
+
+    If you're using Infisical Cloud, then it is available under the **Enterprise Tier** 
+    If you're self-hosting Infisical, then you should contact sales@infisical.com to purchase an enterprise license to use it.
+</Info>
+
 ## Introduction
 
 Contrary to static key-value secrets, which require manual input of data into the secure Infisical storage, **dynamic secrets are generated on-demand upon access**. 

docs/documentation/platform/pr-workflows.mdx

@@ -3,6 +3,13 @@ title: "Approval Workflows"
 description: "Learn how to enable a set of policies to manage changes to sensitive secrets and environments."
 ---
 
+<Info>
+    Approval Workflows is a paid feature.
+   
+    If you're using Infisical Cloud, then it is available under the **Pro Tier** and **Enterprise Tire**. 
+    If you're self-hosting Infisical, then you should contact sales@infisical.com to purchase an enterprise license to use it.
+</Info>
+
 ## Problem at hand
 
 Updating secrets in high-stakes environments (e.g., production) can have a number of problematic issues: 
@@ -40,4 +47,4 @@ When a user submits a change to an enviropnment that is under a particular polic
 
 Approvers are notified by email and/or Slack as soon as the request is initiated. In the Infisical Dashboard, they will be able to `approve` and `merge` (or `deny`) a request for a change in a particular environment. After that, depending on the workflows setup, the change will be automatically propagated to the right applications (e.g., using [Infisical Kubernetes Operator](https://infisical.com/docs/integrations/platforms/kubernetes)).
 
-![secrets update pull request](../../images/platform/pr-workflows/secret-update-pr.png)
+![secrets update pull request](../../images/platform/pr-workflows/secret-update-pr.png)

docs/documentation/platform/scim/azure.mdx

@@ -15,7 +15,7 @@ Prerequisites:
 
 <Steps>
     <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
         press the **Enable SCIM provisioning** toggle to allow Azure to provision/deprovision users for your organization.
         
         ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)

docs/documentation/platform/scim/jumpcloud.mdx

@@ -15,7 +15,7 @@ Prerequisites:
 
 <Steps>
     <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
         press the **Enable SCIM provisioning** toggle to allow JumpCloud to provision/deprovision users and user groups for your organization.
         
         ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)

docs/documentation/platform/scim/okta.mdx

@@ -15,7 +15,7 @@ Prerequisites:
 
 <Steps>
     <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
         press the **Enable SCIM provisioning** toggle to allow Okta to provision/deprovision users and user groups for your organization.
         
         ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)

docs/documentation/platform/ssh.mdx

@@ -6,7 +6,7 @@ description: "Learn how to generate SSH credentials to provide secure and centra
 
 ## Concept
 
-Infisical can be used to issue SSH certificates to clients to provide short-lived, secure SSH access to infrastructure;
+Infisical can be used to issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure;
 this improves on many limitations of traditional SSH key-based authentication via mitigation of private key compromise, static key management,
 unauthorized access, and SSH key sprawl.
 
@@ -191,7 +191,9 @@ infisical login
 
     - `certificateTemplateId`: The ID of the certificate template to use for issuing the SSH certificate.
     - `principals`: The comma-delimited username(s) or hostname(s) to include in the SSH certificate.
-
+    
+    For fuller documentation on commands and flags supported by the Infisical CLI for SSH, refer to the docs [here](/cli/commands/ssh).
+ 
   </Step>
   <Step title="SSH into the host">
     Finally, SSH into the desired host; the SSH operation will be performed using the SSH certificate loaded into the SSH agent.
@@ -199,11 +201,10 @@ infisical login
     ```bash
     ssh username@hostname
     ```
-
   </Step>
 </Steps>
 
 <Note>
   Note that the above workflow can be executed via API or other client methods
   such as SDK.
-</Note>
+</Note>

docs/documentation/platform/sso/auth0-saml.mdx

@@ -0,0 +1,93 @@
+---
+title: "Auth0 SAML"
+description: "Learn how to configure Auth0 SAML for Infisical SSO."
+---
+
+<Info>
+  Auth0 SAML SSO feature is a paid feature. If you're using Infisical Cloud,
+  then it is available under the **Pro Tier**. If you're self-hosting Infisical,
+  then you should contact sales@infisical.com to purchase an enterprise license
+  to use it.
+</Info>
+
+<Steps>
+   <Step title="Prepare the SAML SSO configuration in Infisical">
+        In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Auth0, then click **Connect** again.
+
+        Next, note the **Application Callback URL** and **Audience** to use when configuring the Auth0 SAML application.
+
+        ![Auth0 SAML initial configuration](../../../images/sso/auth0-saml/init-config.png)
+
+   </Step>
+   <Step title="Create a SAML application in Auth0">
+        2.1. In your Auth0 account, head to Applications and create an application.
+        
+        ![Auth0 SAML app creation](../../../images/sso/auth0-saml/create-application.png)
+        
+        Select **Regular Web Application** and press **Create**.
+        
+        ![Auth0 SAML app creation](../../../images/sso/auth0-saml/create-application-2.png)
+        
+        2.2. In the Application head to Settings > Application URIs and add the **Application Callback URL** from step 1 into the **Allowed Callback URLs** field.
+        
+        ![Auth0 SAML allowed callback URLs](../../../images/sso/auth0-saml/auth0-config.png)
+        
+        2.3. In the Application head to Addons > SAML2 Web App and copy the **Issuer**, **Identity Provider Login URL**, and **Identity Provider Certificate** from the **Usage** tab.
+        
+        ![Auth0 SAML config](../../../images/sso/auth0-saml/auth0-config-2.png)
+        
+        2.4. Back in Infisical, set **Issuer**, **Identity Provider Login URL**, and **Certificate** to the corresponding items from step 2.3.
+        
+        ![Auth0 SAML Infisical config](../../../images/sso/auth0-saml/infisical-config.png)
+        
+        2.5. Back in Auth0, in the **Settings** tab, set the **Application Callback URL** to the **Application Callback URL** from step 1
+        and update the **Settings** field with the JSON under the picture below (replacing `<audience-from-infisical>` with the **Audience** from step 1).
+        
+        ![Auth0 SAML config](../../../images/sso/auth0-saml/auth0-config-3.png)
+        
+        ```json
+        {
+        "audience": "<audience-from-infisical>",
+        "mappings": {
+            "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email",
+            "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName",
+            "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastName"
+        },
+        "signatureAlgorithm": "rsa-sha256",
+        "digestAlgorithm": "sha256",
+        "signResponse": true
+        }
+        ```
+
+        Click **Save**.
+    </Step>
+    <Step title="Enable SAML SSO in Infisical">
+        Enabling SAML SSO allows members in your organization to log into Infisical via Auth0.
+
+        ![Auth0 SAML enable](../../../images/sso/auth0-saml/enable-saml.png)
+    </Step>
+    <Step title="Enforce SAML SSO in Infisical">
+        Enforcing SAML SSO ensures that members in your organization can only access Infisical
+        by logging into the organization via Auth0.
+
+        To enforce SAML SSO, you're required to test out the SAML connection by successfully authenticating at least one Auth0 user with Infisical;
+        Once you've completed this requirement, you can toggle the **Enforce SAML SSO** button to enforce SAML SSO.
+    </Step>
+
+</Steps>
+
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite SAML login.
+</Tip>
+
+<Note>
+    If you're configuring SAML SSO on a self-hosted instance of Infisical, make
+    sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
+    work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+    can be a random 32-byte base64 string generated with `openssl rand -base64
+    32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
+</Note>

docs/documentation/platform/sso/azure.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Microsoft Entra ID for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Azure / Entra, then click **Connect** again.
 
       Next, copy the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** to use when configuring the Azure SAML application.
 

docs/documentation/platform/sso/google-saml.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Google SAML for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+        In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Google, then click **Connect** again.
 
         Next, note the **ACS URL** and **SP Entity ID** to use when configuring the Google SAML application.
 

docs/documentation/platform/sso/jumpcloud.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure JumpCloud SAML for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select JumpCloud, then click **Connect** again.
 
       Next, copy the **ACS URL** and **SP Entity ID** to use when configuring the JumpCloud SAML application.
 

docs/documentation/platform/sso/keycloak-saml.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Keycloak SAML for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Manage**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Keycloak, then click **Connect** again.
       
       ![Keycloak SAML organization security section](../../../images/sso/keycloak/org-security-section.png)
       

docs/documentation/platform/sso/okta.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Okta SAML 2.0 for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Okta, then click **Connect** again.
       
       Next, copy the **Single sign-on URL** and **Audience URI (SP Entity ID)** to use when configuring the Okta SAML 2.0 application.
       ![Okta SAML initial configuration](../../../images/sso/okta/init-config.png)

docs/documentation/platform/sso/overview.mdx

@@ -28,6 +28,7 @@ Infisical supports these and many other identity providers:
 - [JumpCloud SAML](/documentation/platform/sso/jumpcloud)
 - [Keycloak SAML](/documentation/platform/sso/keycloak-saml)
 - [Google SAML](/documentation/platform/sso/google-saml)
+- [Auth0 SAML](/documentation/platform/sso/auth0-saml)
 - [Keycloak OIDC](/documentation/platform/sso/keycloak-oidc)
 - [Auth0 OIDC](/documentation/platform/sso/auth0-oidc)
 - [General OIDC](/documentation/platform/sso/general-oidc)