Merge pull request #1117 from akhilmhdh/feat/secret-rotation

Secret rotation

backend/package.json

@@ -11,6 +11,7 @@
     "@types/crypto-js": "^4.1.1",
     "@types/libsodium-wrappers": "^0.7.10",
     "@ucast/mongo2js": "^1.3.4",
+    "ajv": "^8.12.0",
     "argon2": "^0.30.3",
     "aws-sdk": "^2.1364.0",
     "axios": "^1.3.5",
@@ -29,12 +30,14 @@
     "helmet": "^5.1.1",
     "infisical-node": "^1.2.1",
     "ioredis": "^5.3.2",
+    "jmespath": "^0.16.0",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",
     "mongoose": "^7.4.1",
+    "mysql2": "^3.6.2",
     "nanoid": "^3.3.6",
     "node-cache": "^5.1.2",
     "nodemailer": "^6.8.0",
@@ -44,6 +47,7 @@
     "passport-google-oauth20": "^2.0.0",
     "pino": "^8.16.1",
     "pino-http": "^8.5.1",
+    "pg": "^8.11.3",
     "posthog-node": "^2.6.0",
     "probot": "^12.3.1",
     "query-string": "^7.1.3",
@@ -98,11 +102,13 @@
     "@types/cors": "^2.8.12",
     "@types/express": "^4.17.14",
     "@types/jest": "^29.5.0",
+    "@types/jmespath": "^0.15.1",
     "@types/jsonwebtoken": "^8.5.9",
     "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
     "@types/passport": "^1.0.12",
+    "@types/pg": "^8.10.7",
     "@types/picomatch": "^2.3.0",
     "@types/pino": "^7.0.5",
     "@types/supertest": "^2.0.12",

backend/src/controllers/v3/secretsController.ts

@@ -140,7 +140,7 @@ export const getSecretsRaw = async (req: Request, res: Response) => {
     query: { secretPath, environment, workspaceId }
   } = validatedData;
   const {
-    query: { folderId, include_imports: includeImports }
+    query: { include_imports: includeImports }
   } = validatedData;
 
   // if the service token has single scope, it will get all secrets for that scope by default
@@ -156,13 +156,6 @@ export const getSecretsRaw = async (req: Request, res: Response) => {
     workspaceId = serviceTokenDetails.workspace.toString();
   }
 
-  if (folderId && folderId !== "root") {
-    const folder = await Folder.findOne({ workspace: workspaceId, environment });
-    if (!folder) throw BadRequestError({ message: "Folder not found" });
-
-    secretPath = getFolderWithPathFromId(folder.nodes, folderId).folderPath;
-  }
-
   if (!environment || !workspaceId)
     throw BadRequestError({ message: "Missing environment or workspace id" });
 
@@ -177,7 +170,6 @@ export const getSecretsRaw = async (req: Request, res: Response) => {
   const secrets = await SecretService.getSecrets({
     workspaceId: new Types.ObjectId(workspaceId),
     environment,
-    folderId,
     secretPath,
     authData: req.authData
   });
@@ -467,20 +459,13 @@ export const deleteSecretByNameRaw = async (req: Request, res: Response) => {
 export const getSecrets = async (req: Request, res: Response) => {
   const validatedData = await validateRequest(reqValidator.GetSecretsV3, req);
   const {
-    query: { environment, workspaceId, include_imports: includeImports, folderId }
+    query: { environment, workspaceId, include_imports: includeImports }
   } = validatedData;
 
   let {
     query: { secretPath }
   } = validatedData;
 
-  if (folderId && folderId !== "root") {
-    const folder = await Folder.findOne({ workspace: workspaceId, environment });
-    if (!folder) return res.send({ secrets: [] });
-
-    secretPath = getFolderWithPathFromId(folder.nodes, folderId).folderPath;
-  }
-
   const { authVerifier: permissionCheckFn } = await checkSecretsPermission({
     authData: req.authData,
     workspaceId,
@@ -492,7 +477,6 @@ export const getSecrets = async (req: Request, res: Response) => {
   const secrets = await SecretService.getSecrets({
     workspaceId: new Types.ObjectId(workspaceId),
     environment,
-    folderId,
     secretPath,
     authData: req.authData
   });
@@ -875,6 +859,14 @@ export const createSecretByNameBatch = async (req: Request, res: Response) => {
     authData: req.authData
   });
 
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
   return res.status(200).send({
     secrets: createdSecrets
   });
@@ -919,6 +911,14 @@ export const updateSecretByNameBatch = async (req: Request, res: Response) => {
     authData: req.authData
   });
 
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
   return res.status(200).send({
     secrets: updatedSecrets
   });

backend/src/ee/controllers/v1/index.ts

@@ -10,6 +10,8 @@ import * as cloudProductsController from "./cloudProductsController";
 import * as roleController from "./roleController";
 import * as secretApprovalPolicyController from "./secretApprovalPolicyController";
 import * as secretApprovalRequestController from "./secretApprovalRequestsController";
+import * as secretRotationProviderController from "./secretRotationProviderController";
+import * as secretRotationController from "./secretRotationController";
 
 export {
   secretController,
@@ -23,5 +25,7 @@ export {
   cloudProductsController,
   roleController,
   secretApprovalPolicyController,
-  secretApprovalRequestController
+  secretApprovalRequestController,
+  secretRotationProviderController,
+  secretRotationController
 };

backend/src/ee/controllers/v1/secretRotationController.ts

@@ -0,0 +1,91 @@
+import { Request, Response } from "express";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../validation/secretRotation";
+import * as secretRotationService from "../../secretRotation/service";
+import {
+  getUserProjectPermissions,
+  ProjectPermissionActions,
+  ProjectPermissionSub
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+
+export const createSecretRotation = async (req: Request, res: Response) => {
+  const {
+    body: {
+      provider,
+      customProvider,
+      interval,
+      outputs,
+      secretPath,
+      environment,
+      workspaceId,
+      inputs
+    }
+  } = await validateRequest(reqValidator.createSecretRotationV1, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotation = await secretRotationService.createSecretRotation({
+    workspaceId,
+    inputs,
+    environment,
+    secretPath,
+    outputs,
+    interval,
+    customProvider,
+    provider
+  });
+
+  return res.send({ secretRotation });
+};
+
+export const restartSecretRotations = async (req: Request, res: Response) => {
+  const {
+    body: { id }
+  } = await validateRequest(reqValidator.restartSecretRotationV1, req);
+
+  const doc = await secretRotationService.getSecretRotationById({ id });
+  const { permission } = await getUserProjectPermissions(req.user._id, doc.workspace.toString());
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotation = await secretRotationService.restartSecretRotation({ id });
+  return res.send({ secretRotation });
+};
+
+export const deleteSecretRotations = async (req: Request, res: Response) => {
+  const {
+    params: { id }
+  } = await validateRequest(reqValidator.removeSecretRotationV1, req);
+
+  const doc = await secretRotationService.getSecretRotationById({ id });
+  const { permission } = await getUserProjectPermissions(req.user._id, doc.workspace.toString());
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotations = await secretRotationService.deleteSecretRotation({ id });
+  return res.send({ secretRotations });
+};
+
+export const getSecretRotations = async (req: Request, res: Response) => {
+  const {
+    query: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretRotationV1, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotations = await secretRotationService.getSecretRotationOfWorkspace(workspaceId);
+  return res.send({ secretRotations });
+};

backend/src/ee/controllers/v1/secretRotationProviderController.ts

@@ -0,0 +1,28 @@
+import { Request, Response } from "express";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../validation/secretRotationProvider";
+import * as secretRotationProviderService from "../../secretRotation/service";
+import {
+  getUserProjectPermissions,
+  ProjectPermissionActions,
+  ProjectPermissionSub
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+
+export const getProviderTemplates = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretRotationProvidersV1, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const rotationProviderList = await secretRotationProviderService.getProviderTemplate({
+    workspaceId
+  });
+
+  return res.send(rotationProviderList);
+};

backend/src/ee/models/auditLog/enums.ts

@@ -1,7 +1,8 @@
 export enum ActorType {
-    USER = "user",
-    SERVICE = "service",
-    SERVICE_V3 = "service-v3"
+  USER = "user",
+  SERVICE = "service",
+  SERVICE_V3 = "service-v3",
+  Machine = "machine"
 }
 
 export enum UserAgentType {

backend/src/ee/models/auditLog/types.ts

@@ -1,11 +1,5 @@
-import {
-    ActorType,
-    EventType
-} from "./enums";
-import {
-  IServiceTokenV3Scope,
-  IServiceTokenV3TrustedIp
-} from "../../../models/serviceTokenDataV3";
+import { ActorType, EventType } from "./enums";
+import { IServiceTokenV3Scope, IServiceTokenV3TrustedIp } from "../../../models/serviceTokenDataV3";
 
 interface UserActorMetadata {
   userId: string;
@@ -28,14 +22,15 @@ export interface ServiceActor {
 }
 
 export interface ServiceActorV3 {
-    type: ActorType.SERVICE_V3;
-    metadata: ServiceActorMetadata;
+  type: ActorType.SERVICE_V3;
+  metadata: ServiceActorMetadata;
+}
+
+export interface MachineActor {
+  type: ActorType.Machine;
 }
 
-export type Actor = 
-    | UserActor
-    | ServiceActor
-    | ServiceActorV3;
+export type Actor = UserActor | ServiceActor | ServiceActorV3 | MachineActor;
 
 interface GetSecretsEvent {
   type: EventType.GET_SECRETS;
@@ -226,36 +221,36 @@ interface DeleteServiceTokenEvent {
 }
 
 interface CreateServiceTokenV3Event {
-    type: EventType.CREATE_SERVICE_TOKEN_V3;
-    metadata: {
-        name: string;
-        isActive: boolean;
-        scopes: Array<IServiceTokenV3Scope>;
-        trustedIps: Array<IServiceTokenV3TrustedIp>;
-        expiresAt?: Date;
-    }
+  type: EventType.CREATE_SERVICE_TOKEN_V3;
+  metadata: {
+    name: string;
+    isActive: boolean;
+    scopes: Array<IServiceTokenV3Scope>;
+    trustedIps: Array<IServiceTokenV3TrustedIp>;
+    expiresAt?: Date;
+  };
 }
 
 interface UpdateServiceTokenV3Event {
-    type: EventType.UPDATE_SERVICE_TOKEN_V3;
-    metadata: {
-        name?: string;
-        isActive?: boolean;
-        scopes?: Array<IServiceTokenV3Scope>;
-        trustedIps?: Array<IServiceTokenV3TrustedIp>;
-        expiresAt?: Date;
-    }
+  type: EventType.UPDATE_SERVICE_TOKEN_V3;
+  metadata: {
+    name?: string;
+    isActive?: boolean;
+    scopes?: Array<IServiceTokenV3Scope>;
+    trustedIps?: Array<IServiceTokenV3TrustedIp>;
+    expiresAt?: Date;
+  };
 }
 
 interface DeleteServiceTokenV3Event {
-    type: EventType.DELETE_SERVICE_TOKEN_V3;
-    metadata: {
-        name: string;
-        isActive: boolean;
-        scopes: Array<IServiceTokenV3Scope>;
-        expiresAt?: Date;
-        trustedIps: Array<IServiceTokenV3TrustedIp>;
-    }
+  type: EventType.DELETE_SERVICE_TOKEN_V3;
+  metadata: {
+    name: string;
+    isActive: boolean;
+    scopes: Array<IServiceTokenV3Scope>;
+    expiresAt?: Date;
+    trustedIps: Array<IServiceTokenV3TrustedIp>;
+  };
 }
 
 interface CreateEnvironmentEvent {
@@ -427,15 +422,15 @@ interface UpdateUserRole {
 }
 
 interface UpdateUserDeniedPermissions {
-    type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS,
-    metadata: {
-        userId: string;
-        email: string;
-        deniedPermissions: {
-            environmentSlug: string;
-            ability: string;
-        }[]
-    }
+  type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS;
+  metadata: {
+    userId: string;
+    email: string;
+    deniedPermissions: {
+      environmentSlug: string;
+      ability: string;
+    }[];
+  };
 }
 interface SecretApprovalMerge {
   type: EventType.SECRET_APPROVAL_MERGED;

backend/src/ee/routes/v1/index.ts

@@ -10,6 +10,8 @@ import secretScanning from "./secretScanning";
 import roles from "./role";
 import secretApprovalPolicy from "./secretApprovalPolicy";
 import secretApprovalRequest from "./secretApprovalRequest";
+import secretRotationProvider from "./secretRotationProvider";
+import secretRotation from "./secretRotation";
 
 export {
   secret,
@@ -23,5 +25,7 @@ export {
   secretScanning,
   roles,
   secretApprovalPolicy,
-  secretApprovalRequest
+  secretApprovalRequest,
+  secretRotationProvider,
+  secretRotation
 };

backend/src/ee/routes/v1/secretRotation.ts

@@ -0,0 +1,41 @@
+import express from "express";
+
+import { AuthMode } from "../../../variables";
+import { requireAuth } from "../../../middleware";
+import { secretRotationController } from "../../controllers/v1";
+
+const router = express.Router();
+
+router.post(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.createSecretRotation
+);
+
+router.post(
+  "/restart",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.restartSecretRotations
+);
+
+router.get(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.getSecretRotations
+);
+
+router.delete(
+  "/:id",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.deleteSecretRotations
+);
+
+export default router;

backend/src/ee/routes/v1/secretRotationProvider.ts

@@ -0,0 +1,17 @@
+import express from "express";
+
+import { AuthMode } from "../../../variables";
+import { requireAuth } from "../../../middleware";
+import { secretRotationProviderController } from "../../controllers/v1";
+
+const router = express.Router();
+
+router.get(
+  "/:workspaceId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationProviderController.getProviderTemplates
+);
+
+export default router;

backend/src/ee/secretRotation/models.ts

@@ -0,0 +1,91 @@
+import { Schema, model } from "mongoose";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
+import { ISecretRotation } from "./types";
+
+const secretRotationSchema = new Schema(
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace"
+    },
+    provider: {
+      type: String,
+      required: true
+    },
+    customProvider: {
+      type: Schema.Types.ObjectId,
+      ref: "SecretRotationProvider"
+    },
+    environment: {
+      type: String,
+      required: true
+    },
+    secretPath: {
+      type: String,
+      required: true
+    },
+    interval: {
+      type: Number,
+      required: true
+    },
+    lastRotatedAt: {
+      type: String
+    },
+    status: {
+      type: String,
+      enum: ["success", "failed"]
+    },
+    statusMessage: {
+      type: String
+    },
+    // encrypted data on input keys and secrets got
+    encryptedData: {
+      type: String,
+      select: false
+    },
+    encryptedDataIV: {
+      type: String,
+      select: false
+    },
+    encryptedDataTag: {
+      type: String,
+      select: false
+    },
+    algorithm: {
+      // the encryption algorithm used
+      type: String,
+      enum: [ALGORITHM_AES_256_GCM],
+      required: true,
+      select: false,
+      default: ALGORITHM_AES_256_GCM
+    },
+    keyEncoding: {
+      type: String,
+      enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
+      required: true,
+      select: false,
+      default: ENCODING_SCHEME_UTF8
+    },
+    outputs: [
+      {
+        key: {
+          type: String,
+          required: true
+        },
+        secret: {
+          type: Schema.Types.ObjectId,
+          ref: "Secret"
+        }
+      }
+    ]
+  },
+  {
+    timestamps: true
+  }
+);
+
+export const SecretRotation = model<ISecretRotation>("SecretRotation", secretRotationSchema);

backend/src/ee/secretRotation/queue/queue.ts

@@ -0,0 +1,287 @@
+import Queue, { Job } from "bull";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../../config";
+import { BotService, EventService, TelemetryService } from "../../../services";
+import { SecretRotation } from "../models";
+import { rotationTemplates } from "../templates";
+import {
+  ISecretRotationData,
+  ISecretRotationEncData,
+  ISecretRotationProviderTemplate,
+  TProviderFunctionTypes
+} from "../types";
+import {
+  decryptSymmetric128BitHexKeyUTF8,
+  encryptSymmetric128BitHexKeyUTF8
+} from "../../../utils/crypto";
+import { ISecret, Secret } from "../../../models";
+import { ENCODING_SCHEME_BASE64, ENCODING_SCHEME_UTF8, SECRET_SHARED } from "../../../variables";
+import { EESecretService } from "../../services";
+import { SecretVersion } from "../../models";
+import { eventPushSecrets } from "../../../events";
+import { logger } from "../../../utils/logging";
+
+import {
+  secretRotationPreSetFn,
+  secretRotationRemoveFn,
+  secretRotationSetFn,
+  secretRotationTestFn
+} from "./queue.utils";
+
+const secretRotationQueue = new Queue("secret-rotation-service", process.env.REDIS_URL as string);
+
+secretRotationQueue.process(async (job: Job) => {
+  const rotationStratDocId = job.data.rotationDocId;
+  const secretRotation = await SecretRotation.findById(rotationStratDocId)
+    .select("+encryptedData +encryptedDataTag +encryptedDataIV +keyEncoding")
+    .populate<{
+      outputs: [
+        {
+          key: string;
+          secret: ISecret;
+        }
+      ];
+    }>("outputs.secret");
+
+  const infisicalRotationProvider = rotationTemplates.find(
+    ({ name }) => name === secretRotation?.provider
+  );
+
+  try {
+    if (!infisicalRotationProvider || !secretRotation)
+      throw new Error("Failed to find rotation strategy");
+
+    if (secretRotation.outputs.some(({ secret }) => !secret))
+      throw new Error("Secrets not found in dashboard");
+
+    const workspaceId = secretRotation.workspace;
+
+    // deep copy
+    const provider = JSON.parse(
+      JSON.stringify(infisicalRotationProvider)
+    ) as ISecretRotationProviderTemplate;
+
+    // decrypt user  provided inputs for secret rotation
+    const encryptionKey = await getEncryptionKey();
+    const rootEncryptionKey = await getRootEncryptionKey();
+    let decryptedData = "";
+    if (rootEncryptionKey && secretRotation.keyEncoding === ENCODING_SCHEME_BASE64) {
+      // case: encoding scheme is base64
+      decryptedData = client.decryptSymmetric(
+        secretRotation.encryptedData,
+        rootEncryptionKey,
+        secretRotation.encryptedDataIV,
+        secretRotation.encryptedDataTag
+      );
+    } else if (encryptionKey && secretRotation.keyEncoding === ENCODING_SCHEME_UTF8) {
+      // case: encoding scheme is utf8
+      decryptedData = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secretRotation.encryptedData,
+        iv: secretRotation.encryptedDataIV,
+        tag: secretRotation.encryptedDataTag,
+        key: encryptionKey
+      });
+    }
+
+    const variables = JSON.parse(decryptedData) as ISecretRotationEncData;
+
+    // rotation set cycle
+    const newCredential: ISecretRotationData = {
+      inputs: variables.inputs,
+      outputs: {},
+      internal: {}
+    };
+    // special glue code for database
+    if (provider.template.functions.set.type === TProviderFunctionTypes.DB) {
+      const lastCred = variables.creds.at(-1);
+      if (lastCred && variables.creds.length === 1) {
+        newCredential.internal.username =
+          lastCred.internal.username === variables.inputs.username1
+            ? variables.inputs.username2
+            : variables.inputs.username1;
+      } else {
+        newCredential.internal.username = lastCred
+          ? lastCred.internal.username
+          : variables.inputs.username1;
+      }
+    }
+    if (provider.template.functions.set?.pre) {
+      secretRotationPreSetFn(provider.template.functions.set.pre, newCredential);
+    }
+    await secretRotationSetFn(provider.template.functions.set, newCredential);
+    await secretRotationTestFn(provider.template.functions.test, newCredential);
+
+    if (variables.creds.length === 2) {
+      const deleteCycleCred = variables.creds.pop();
+      if (deleteCycleCred && provider.template.functions.remove) {
+        const deleteCycleVar = { inputs: variables.inputs, ...deleteCycleCred };
+        await secretRotationRemoveFn(provider.template.functions.remove, deleteCycleVar);
+      }
+    }
+    variables.creds.unshift({ outputs: newCredential.outputs, internal: newCredential.internal });
+    const { ciphertext, iv, tag } = client.encryptSymmetric(
+      JSON.stringify(variables),
+      rootEncryptionKey
+    );
+
+    // save the rotation state
+    await SecretRotation.findByIdAndUpdate(rotationStratDocId, {
+      encryptedData: ciphertext,
+      encryptedDataIV: iv,
+      encryptedDataTag: tag,
+      status: "success",
+      statusMessage: "Rotated successfully",
+      lastRotatedAt: new Date().toUTCString()
+    });
+
+    const key = await BotService.getWorkspaceKeyWithBot({
+      workspaceId: secretRotation.workspace
+    });
+
+    const encryptedSecrets = secretRotation.outputs.map(({ key: outputKey, secret }) => ({
+      secret,
+      value: encryptSymmetric128BitHexKeyUTF8({
+        plaintext:
+          typeof newCredential.outputs[outputKey] === "object"
+            ? JSON.stringify(newCredential.outputs[outputKey])
+            : String(newCredential.outputs[outputKey]),
+        key
+      })
+    }));
+
+    // now save the secret do a bulk update
+    // can't use the updateSecret function due to various parameter required issue
+    // REFACTOR(akhilmhdh): secret module should be lot more flexible. Ability to update bulk or individually by blindIndex, by id etc
+    await Secret.bulkWrite(
+      encryptedSecrets.map(({ secret, value }) => ({
+        updateOne: {
+          filter: {
+            workspace: workspaceId,
+            environment: secretRotation.environment,
+            _id: secret._id,
+            type: SECRET_SHARED
+          },
+          update: {
+            $inc: {
+              version: 1
+            },
+            secretValueCiphertext: value.ciphertext,
+            secretValueIV: value.iv,
+            secretValueTag: value.tag
+          }
+        }
+      }))
+    );
+
+    await EESecretService.addSecretVersions({
+      secretVersions: encryptedSecrets.map(({ secret, value }) => {
+        const {
+          _id,
+          version,
+          workspace,
+          type,
+          folder,
+          secretBlindIndex,
+          secretKeyIV,
+          secretKeyTag,
+          secretKeyCiphertext,
+          skipMultilineEncoding,
+          environment,
+          algorithm,
+          keyEncoding
+        } = secret;
+
+        return new SecretVersion({
+          secret: _id,
+          version: version + 1,
+          workspace: workspace,
+          type,
+          folder,
+          environment,
+          isDeleted: false,
+          secretBlindIndex: secretBlindIndex,
+          secretKeyCiphertext: secretKeyCiphertext,
+          secretKeyIV: secretKeyIV,
+          secretKeyTag: secretKeyTag,
+          secretValueCiphertext: value.ciphertext,
+          secretValueIV: value.iv,
+          secretValueTag: value.tag,
+          algorithm,
+          keyEncoding,
+          skipMultilineEncoding
+        });
+      })
+    });
+
+    // akhilmhdh: @tony need to do something about this as its depend on authData which is not possibile in here
+    // await EEAuditLogService.createAuditLog(
+    //   {actor:ActorType.Machine},
+    //   {
+    //     type: EventType.UPDATE_SECRETS,
+    //     metadata: {
+    //       environment,
+    //       secretPath,
+    //       secrets: secretsToBeUpdated.map(({ _id, version, secretBlindIndex }) => ({
+    //         secretId: _id.toString(),
+    //         secretKey: secretBlindIndexToKey[secretBlindIndex || ""],
+    //         secretVersion: version + 1
+    //       }))
+    //     }
+    //   },
+    //   {
+    //     workspaceId
+    //   }
+    // );
+
+    const folderId = encryptedSecrets?.[0]?.secret?.folder;
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+      workspaceId,
+      environment: secretRotation.environment,
+      folderId
+    });
+
+    await EventService.handleEvent({
+      event: eventPushSecrets({
+        workspaceId: secretRotation.workspace,
+        environment: secretRotation.environment,
+        secretPath: secretRotation.secretPath
+      })
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+    if (postHogClient) {
+      postHogClient.capture({
+        event: "secrets rotated",
+        properties: {
+          numberOfSecrets: encryptedSecrets.length,
+          environment: secretRotation.environment,
+          workspaceId,
+          folderId
+        }
+      });
+    }
+  } catch (err) {
+    logger.error(err);
+    await SecretRotation.findByIdAndUpdate(rotationStratDocId, {
+      status: "failed",
+      statusMessage: (err as Error).message,
+      lastRotatedAt: new Date().toUTCString()
+    });
+  }
+
+  return Promise.resolve();
+});
+
+const daysToMillisecond = (days: number) => days * 24 * 60 * 60 * 1000;
+export const startSecretRotationQueue = async (rotationDocId: string, interval: number) => {
+  // when migration to bull mq just use the option immedite to trigger repeatable immediately
+  secretRotationQueue.add({ rotationDocId }, { jobId: rotationDocId, removeOnComplete: true });
+  return secretRotationQueue.add(
+    { rotationDocId },
+    { repeat: { every: daysToMillisecond(interval) }, jobId: rotationDocId }
+  );
+};
+
+export const removeSecretRotationQueue = async (rotationDocId: string, interval: number) => {
+  return secretRotationQueue.removeRepeatable({ every: interval * 1000, jobId: rotationDocId });
+};

backend/src/ee/secretRotation/queue/queue.utils.ts

@@ -0,0 +1,179 @@
+import axios from "axios";
+import jmespath from "jmespath";
+import { customAlphabet } from "nanoid";
+import { Client as PgClient } from "pg";
+import mysql from "mysql2";
+import {
+  ISecretRotationData,
+  TAssignOp,
+  TDbProviderClients,
+  TDbProviderFunction,
+  TDirectAssignOp,
+  THttpProviderFunction,
+  TProviderFunction,
+  TProviderFunctionTypes
+} from "../types";
+const REGEX = /\${([^}]+)}/g;
+const SLUG_ALPHABETS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+const nanoId = customAlphabet(SLUG_ALPHABETS, 10);
+
+export const interpolate = (data: any, getValue: (key: string) => unknown) => {
+  if (!data) return;
+
+  if (typeof data === "number") return data;
+
+  if (typeof data === "string") {
+    return data.replace(REGEX, (_a, b) => getValue(b) as string);
+  }
+
+  if (typeof data === "object" && Array.isArray(data)) {
+    data.forEach((el, index) => {
+      data[index] = interpolate(el, getValue);
+    });
+  }
+
+  if (typeof data === "object") {
+    if ((data as { ref: string })?.ref) return getValue((data as { ref: string }).ref);
+    const temp = data as Record<string, unknown>; // for converting ts object to record type
+    Object.keys(temp).forEach((key) => {
+      temp[key as keyof typeof temp] = interpolate(data[key as keyof typeof temp], getValue);
+    });
+  }
+  return data;
+};
+
+const getInterpolationValue = (variables: ISecretRotationData) => (key: string) => {
+  if (key.includes("|")) {
+    const [keyword, ...arg] = key.split("|").map((el) => el.trim());
+    switch (keyword) {
+      case "random": {
+        return nanoId(parseInt(arg[0], 10));
+      }
+      default: {
+        throw Error(`Interpolation key not found - ${key}`);
+      }
+    }
+  }
+  const [type, keyName] = key.split(".").map((el) => el.trim());
+  return variables[type as keyof ISecretRotationData][keyName];
+};
+
+export const secretRotationHttpFn = async (
+  func: THttpProviderFunction,
+  variables: ISecretRotationData
+) => {
+  // string interpolation
+  const headers = interpolate(func.header, getInterpolationValue(variables));
+  const url = interpolate(func.url, getInterpolationValue(variables));
+  const body = interpolate(func.body, getInterpolationValue(variables));
+  // axios will automatically throw error if req status is not between 2xx range
+  return axios({ method: func.method, url, headers, data: body });
+};
+
+export const secretRotationDbFn = async (
+  func: TDbProviderFunction,
+  variables: ISecretRotationData
+) => {
+  const { type, client, pre, ...dbConnection } = func;
+  const { username, password, host, database, port, query, ca } = interpolate(
+    dbConnection,
+    getInterpolationValue(variables)
+  );
+  const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
+  if (host === "localhost" || host === "127.0.0.1") throw new Error("Invalid db host");
+  if (client === TDbProviderClients.Pg) {
+    const pgClient = new PgClient({ user: username, password, host, database, port, ssl });
+    await pgClient.connect();
+    const res = await pgClient.query(query);
+    await pgClient.end();
+    return res.rows[0];
+  } else if (client === TDbProviderClients.Sql) {
+    const sqlClient = mysql.createPool({
+      user: username,
+      password,
+      host,
+      database,
+      port,
+      connectionLimit: 1,
+      ssl
+    });
+    const res = await new Promise((resolve, reject) => {
+      sqlClient.query(query, (err, data) => {
+        if (err) return reject(err);
+        resolve(data);
+      });
+    });
+    await new Promise((resolve, reject) => {
+      sqlClient.end(function (err) {
+        if (err) return reject(err);
+        return resolve({});
+      });
+    });
+    return (res as any)?.[0];
+  }
+};
+
+export const secretRotationPreSetFn = (
+  op: Record<string, TDirectAssignOp>,
+  variables: ISecretRotationData
+) => {
+  const getValFn = getInterpolationValue(variables);
+  Object.entries(op || {}).forEach(([key, assignFn]) => {
+    const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+    variables[type][keyName] = interpolate(assignFn.value, getValFn);
+  });
+};
+
+export const secretRotationSetFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  const getValFn = getInterpolationValue(variables);
+  // http setter
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    const res = await secretRotationHttpFn(func, variables);
+    Object.entries(func.setter || {}).forEach(([key, assignFn]) => {
+      const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+      if (assignFn.assign === TAssignOp.JmesPath) {
+        variables[type][keyName] = jmespath.search(res.data, assignFn.path);
+      } else if (assignFn.value) {
+        variables[type][keyName] = interpolate(assignFn.value, getValFn);
+      }
+    });
+    // db setter
+  } else if (func.type === TProviderFunctionTypes.DB) {
+    const data = await secretRotationDbFn(func, variables);
+    Object.entries(func.setter || {}).forEach(([key, assignFn]) => {
+      const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+      if (assignFn.assign === TAssignOp.JmesPath) {
+        if (typeof data === "object") {
+          variables[type][keyName] = jmespath.search(data, assignFn.path);
+        }
+      } else if (assignFn.value) {
+        variables[type][keyName] = interpolate(assignFn.value, getValFn);
+      }
+    });
+  }
+};
+
+export const secretRotationTestFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    await secretRotationHttpFn(func, variables);
+  } else if (func.type === TProviderFunctionTypes.DB) {
+    await secretRotationDbFn(func, variables);
+  }
+};
+
+export const secretRotationRemoveFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  if (!func) return;
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    // string interpolation
+    return await secretRotationHttpFn(func, variables);
+  }
+};

backend/src/ee/secretRotation/service.ts

@@ -0,0 +1,130 @@
+import { ISecretRotationEncData, TCreateSecretRotation, TGetProviderTemplates } from "./types";
+import { rotationTemplates } from "./templates";
+import { SecretRotation } from "./models";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
+import { BadRequestError } from "../../utils/errors";
+import Ajv from "ajv";
+import { removeSecretRotationQueue, startSecretRotationQueue } from "./queue/queue";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
+
+const ajv = new Ajv({ strict: false });
+
+export const getProviderTemplate = async ({ workspaceId }: TGetProviderTemplates) => {
+  return {
+    custom: [],
+    providers: rotationTemplates
+  };
+};
+
+export const createSecretRotation = async ({
+  workspaceId,
+  secretPath,
+  environment,
+  provider,
+  interval,
+  inputs,
+  outputs
+}: TCreateSecretRotation) => {
+  const rotationTemplate = rotationTemplates.find(({ name }) => name === provider);
+  if (!rotationTemplate) throw BadRequestError({ message: "Provider not found" });
+
+  const formattedInputs: Record<string, unknown> = {};
+  Object.entries(inputs).forEach(([key, value]) => {
+    const type = rotationTemplate.template.inputs.properties[key].type;
+    if (type === "string") {
+      formattedInputs[key] = value;
+      return;
+    }
+    if (type === "integer") {
+      formattedInputs[key] = parseInt(value as string, 10);
+      return;
+    }
+    formattedInputs[key] = JSON.parse(value as string);
+  });
+  // ensure input one follows the correct schema
+  const valid = ajv.validate(rotationTemplate.template.inputs, formattedInputs);
+  if (!valid) {
+    throw BadRequestError({ message: ajv.errors?.[0].message });
+  }
+
+  const encData: Partial<ISecretRotationEncData> = {
+    inputs: formattedInputs,
+    creds: []
+  };
+
+  const secretRotation = new SecretRotation({
+    workspace: workspaceId,
+    provider,
+    environment,
+    secretPath,
+    interval,
+    outputs: Object.entries(outputs).map(([key, secret]) => ({ key, secret }))
+  });
+
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+
+  if (rootEncryptionKey) {
+    const { ciphertext, iv, tag } = client.encryptSymmetric(
+      JSON.stringify(encData),
+      rootEncryptionKey
+    );
+    secretRotation.encryptedDataIV = iv;
+    secretRotation.encryptedDataTag = tag;
+    secretRotation.encryptedData = ciphertext;
+    secretRotation.algorithm = ALGORITHM_AES_256_GCM;
+    secretRotation.keyEncoding = ENCODING_SCHEME_BASE64;
+  } else if (encryptionKey) {
+    const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+      plaintext: JSON.stringify(encData),
+      key: encryptionKey
+    });
+    secretRotation.encryptedDataIV = iv;
+    secretRotation.encryptedDataTag = tag;
+    secretRotation.encryptedData = ciphertext;
+    secretRotation.algorithm = ALGORITHM_AES_256_GCM;
+    secretRotation.keyEncoding = ENCODING_SCHEME_UTF8;
+  }
+
+  await secretRotation.save();
+  await startSecretRotationQueue(secretRotation._id.toString(), interval);
+
+  return secretRotation;
+};
+
+export const deleteSecretRotation = async ({ id }: { id: string }) => {
+  const doc = await SecretRotation.findByIdAndRemove(id);
+  if (!doc) throw BadRequestError({ message: "Rotation not found" });
+
+  await removeSecretRotationQueue(doc._id.toString(), doc.interval);
+  return doc;
+};
+
+export const restartSecretRotation = async ({ id }: { id: string }) => {
+  const secretRotation = await SecretRotation.findById(id);
+  if (!secretRotation) throw BadRequestError({ message: "Rotation not found" });
+
+  await removeSecretRotationQueue(secretRotation._id.toString(), secretRotation.interval);
+  await startSecretRotationQueue(secretRotation._id.toString(), secretRotation.interval);
+
+  return secretRotation;
+};
+
+export const getSecretRotationById = async ({ id }: { id: string }) => {
+  const doc = await SecretRotation.findById(id);
+  if (!doc) throw BadRequestError({ message: "Rotation not found" });
+  return doc;
+};
+
+export const getSecretRotationOfWorkspace = async (workspaceId: string) => {
+  const secretRotations = await SecretRotation.find({
+    workspace: workspaceId
+  }).populate("outputs.secret");
+
+  return secretRotations;
+};

backend/src/ee/secretRotation/templates/index.ts

@@ -0,0 +1,28 @@
+import { ISecretRotationProviderTemplate } from "../types";
+import { MYSQL_TEMPLATE } from "./mysql";
+import { POSTGRES_TEMPLATE } from "./postgres";
+import { SENDGRID_TEMPLATE } from "./sendgrid";
+
+export const rotationTemplates: ISecretRotationProviderTemplate[] = [
+  {
+    name: "sendgrid",
+    title: "Twilio Sendgrid",
+    image: "sendgrid.png",
+    description: "Rotate Twilio Sendgrid API keys",
+    template: SENDGRID_TEMPLATE
+  },
+  {
+    name: "postgres",
+    title: "PostgreSQL",
+    image: "postgres.png",
+    description: "Rotate PostgreSQL/CockroachDB user credentials",
+    template: POSTGRES_TEMPLATE
+  },
+  {
+    name: "mysql",
+    title: "MySQL",
+    image: "mysql.png",
+    description: "Rotate MySQL@7/MariaDB user credentials",
+    template: MYSQL_TEMPLATE
+  }
+];

backend/src/ee/secretRotation/templates/mysql.ts

@@ -0,0 +1,83 @@
+import { TAssignOp, TDbProviderClients, TProviderFunctionTypes } from "../types";
+
+export const MYSQL_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_username: { type: "string" as const },
+      admin_password: { type: "string" as const },
+      host: { type: "string" as const },
+      database: { type: "string" as const },
+      port: { type: "integer" as const, default: "3306" },
+      username1: {
+        type: "string",
+        default: "infisical-sql-user1",
+        desc: "This user must be created in your database"
+      },
+      username2: {
+        type: "string",
+        default: "infisical-sql-user2",
+        desc: "This user must be created in your database"
+      },
+      ca: { type: "string", desc: "SSL certificate for db auth(string)" }
+    },
+    required: [
+      "admin_username",
+      "admin_password",
+      "host",
+      "database",
+      "username1",
+      "username2",
+      "port"
+    ],
+    additionalProperties: false
+  },
+  outputs: {
+    db_username: { type: "string" },
+    db_password: { type: "string" }
+  },
+  internal: {
+    rotated_password: { type: "string" },
+    username: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Sql,
+      username: "${inputs.admin_username}",
+      password: "${inputs.admin_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "ALTER USER ${internal.username} IDENTIFIED BY '${internal.rotated_password}'",
+      setter: {
+        "outputs.db_username": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.username}"
+        },
+        "outputs.db_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.rotated_password}"
+        }
+      },
+      pre: {
+        "internal.rotated_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${random | 32}"
+        }
+      }
+    },
+    test: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Sql,
+      username: "${internal.username}",
+      password: "${internal.rotated_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "SELECT NOW()"
+    }
+  }
+};

backend/src/ee/secretRotation/templates/postgres.ts

@@ -0,0 +1,83 @@
+import { TAssignOp, TDbProviderClients, TProviderFunctionTypes } from "../types";
+
+export const POSTGRES_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_username: { type: "string" as const },
+      admin_password: { type: "string" as const },
+      host: { type: "string" as const },
+      database: { type: "string" as const },
+      port: { type: "integer" as const, default: "5432" },
+      username1: {
+        type: "string",
+        default: "infisical-pg-user1",
+        desc: "This user must be created in your database"
+      },
+      username2: {
+        type: "string",
+        default: "infisical-pg-user2",
+        desc: "This user must be created in your database"
+      },
+      ca: { type: "string", desc: "SSL certificate for db auth(string)" }
+    },
+    required: [
+      "admin_username",
+      "admin_password",
+      "host",
+      "database",
+      "username1",
+      "username2",
+      "port"
+    ],
+    additionalProperties: false
+  },
+  outputs: {
+    db_username: { type: "string" },
+    db_password: { type: "string" }
+  },
+  internal: {
+    rotated_password: { type: "string" },
+    username: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Pg,
+      username: "${inputs.admin_username}",
+      password: "${inputs.admin_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "ALTER USER ${internal.username} WITH PASSWORD '${internal.rotated_password}'",
+      setter: {
+        "outputs.db_username": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.username}"
+        },
+        "outputs.db_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.rotated_password}"
+        }
+      },
+      pre: {
+        "internal.rotated_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${random | 32}"
+        }
+      }
+    },
+    test: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Pg,
+      username: "${internal.username}",
+      password: "${internal.rotated_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "SELECT NOW()"
+    }
+  }
+};

backend/src/ee/secretRotation/templates/sendgrid.ts

@@ -0,0 +1,63 @@
+import { TAssignOp, TProviderFunctionTypes } from "../types";
+
+export const SENDGRID_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_api_key: { type: "string" as const, desc: "Sendgrid admin api key to create new keys" },
+      api_key_scopes: {
+        type: "array",
+        items: { type: "string" as const },
+        desc: "Scopes for created tokens by rotation(Array)"
+      }
+    },
+    required: ["admin_api_key", "api_key_scopes"],
+    additionalProperties: false
+  },
+  outputs: {
+    api_key: { type: "string" }
+  },
+  internal: {
+    api_key_id: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys",
+      method: "POST",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      body: {
+        name: "infisical-${random | 16}",
+        scopes: { ref: "inputs.api_key_scopes" }
+      },
+      setter: {
+        "outputs.api_key": {
+          assign: TAssignOp.JmesPath as const,
+          path: "api_key"
+        },
+        "internal.api_key_id": {
+          assign: TAssignOp.JmesPath as const,
+          path: "api_key_id"
+        }
+      }
+    },
+    remove: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys/${internal.api_key_id}",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      method: "DELETE"
+    },
+    test: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys/${internal.api_key_id}",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      method: "GET"
+    }
+  }
+};

backend/src/ee/secretRotation/types.ts

@@ -0,0 +1,131 @@
+import { Document, Types } from "mongoose";
+
+export interface ISecretRotation extends Document {
+  _id: Types.ObjectId;
+  name: string;
+  interval: number;
+  provider: string;
+  customProvider: Types.ObjectId;
+  workspace: Types.ObjectId;
+  environment: string;
+  secretPath: string;
+  outputs: Array<{
+    key: string;
+    secret: Types.ObjectId;
+  }>;
+  status?: "success" | "failed";
+  lastRotatedAt?: string;
+  statusMessage?: string;
+  encryptedData: string;
+  encryptedDataIV: string;
+  encryptedDataTag: string;
+  algorithm: string;
+  keyEncoding: string;
+}
+
+export type ISecretRotationEncData = {
+  inputs: Record<string, unknown>;
+  creds: Array<{
+    outputs: Record<string, unknown>;
+    internal: Record<string, unknown>;
+  }>;
+};
+
+export type ISecretRotationData = {
+  inputs: Record<string, unknown>;
+  outputs: Record<string, unknown>;
+  internal: Record<string, unknown>;
+};
+
+export type ISecretRotationProviderTemplate = {
+  name: string;
+  title: string;
+  image?: string;
+  description?: string;
+  template: TProviderTemplate;
+};
+
+export enum TProviderFunctionTypes {
+  HTTP = "http",
+  DB = "database"
+}
+
+export enum TDbProviderClients {
+  // postgres, cockroack db, amazon red shift
+  Pg = "pg",
+  // mysql and maria db
+  Sql = "sql"
+}
+
+export enum TAssignOp {
+  Direct = "direct",
+  JmesPath = "jmesopath"
+}
+
+export type TJmesPathAssignOp = {
+  assign: TAssignOp.JmesPath;
+  path: string;
+};
+
+export type TDirectAssignOp = {
+  assign: TAssignOp.Direct;
+  value: string;
+};
+
+export type TAssignFunction = TJmesPathAssignOp | TDirectAssignOp;
+
+export type THttpProviderFunction = {
+  type: TProviderFunctionTypes.HTTP;
+  url: string;
+  method: string;
+  header?: Record<string, string>;
+  query?: Record<string, string>;
+  body?: Record<string, unknown>;
+  setter?: Record<string, TAssignFunction>;
+  pre?: Record<string, TDirectAssignOp>;
+};
+
+export type TDbProviderFunction = {
+  type: TProviderFunctionTypes.DB;
+  client: TDbProviderClients;
+  username: string;
+  password: string;
+  host: string;
+  database: string;
+  port: string;
+  query: string;
+  setter?: Record<string, TAssignFunction>;
+  pre?: Record<string, TDirectAssignOp>;
+};
+
+export type TProviderFunction = THttpProviderFunction | TDbProviderFunction;
+
+export type TProviderTemplate = {
+  inputs: {
+    type: "object";
+    properties: Record<string, { type: string; [x: string]: unknown; desc?: string }>;
+    required?: string[];
+  };
+  outputs: Record<string, unknown>;
+  functions: {
+    set: TProviderFunction;
+    remove?: TProviderFunction;
+    test: TProviderFunction;
+  };
+};
+
+// function type args
+export type TGetProviderTemplates = {
+  workspaceId: string;
+};
+
+export type TCreateSecretRotation = {
+  provider: string;
+  customProvider?: string;
+  workspaceId: string;
+  secretPath: string;
+  environment: string;
+  interval: number;
+  inputs: Record<string, unknown>;
+  outputs: Record<string, string>;
+};

backend/src/ee/services/EELicenseService.ts

@@ -38,6 +38,7 @@ interface FeatureSet {
     trial_end: number | null;
     has_used_trial: boolean;
     secretApproval: boolean;
+    secretRotation: boolean;
 }
 
 /**
@@ -74,7 +75,8 @@ class EELicenseService {
         status: null,
         trial_end: null,
         has_used_trial: true,
-        secretApproval: false
+        secretApproval: false,
+        secretRotation: true,
     }
 
     public localFeatureSet: NodeCache;

backend/src/ee/services/ProjectRoleService.ts

@@ -50,7 +50,8 @@ export enum ProjectPermissionSub {
   Workspace = "workspace",
   Secrets = "secrets",
   SecretRollback = "secret-rollback",
-  SecretApproval = "secret-approval"
+  SecretApproval = "secret-approval",
+  SecretRotation = "secret-rotation"
 }
 
 type SubjectFields = {
@@ -74,6 +75,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.Settings]
   | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
   | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Workspace]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Workspace]
   | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
@@ -92,6 +94,11 @@ const buildAdminPermission = () => {
   can(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Delete, ProjectPermissionSub.SecretApproval);
 
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Delete, ProjectPermissionSub.SecretRotation);
+
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback);
 
@@ -162,6 +169,7 @@ const buildMemberPermission = () => {
   can(ProjectPermissionActions.Delete, ProjectPermissionSub.Secrets);
 
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
 
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback);
@@ -214,6 +222,7 @@ const buildViewerPermission = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);

backend/src/ee/validation/secretRotation.ts

@@ -0,0 +1,32 @@
+import { z } from "zod";
+
+export const createSecretRotationV1 = z.object({
+  body: z.object({
+    workspaceId: z.string().trim(),
+    secretPath: z.string().trim(),
+    environment: z.string().trim(),
+    interval: z.number().min(1),
+    provider: z.string().trim(),
+    customProvider: z.string().trim().optional(),
+    inputs: z.record(z.unknown()),
+    outputs: z.record(z.string())
+  })
+});
+
+export const restartSecretRotationV1 = z.object({
+  body: z.object({
+    id: z.string().trim()
+  })
+});
+
+export const getSecretRotationV1 = z.object({
+  query: z.object({
+    workspaceId: z.string().trim()
+  })
+});
+
+export const removeSecretRotationV1 = z.object({
+  params: z.object({
+    id: z.string().trim()
+  })
+});

backend/src/ee/validation/secretRotationProvider.ts

@@ -0,0 +1,7 @@
+import { z } from "zod";
+
+export const getSecretRotationProvidersV1 = z.object({
+  params: z.object({
+    workspaceId: z.string()
+  })
+});

backend/src/helpers/secrets.ts

@@ -553,14 +553,22 @@ export const getSecretsHelper = async ({
   workspaceId,
   environment,
   authData,
-  folderId,
   secretPath = "/"
 }: GetSecretsParams) => {
   let secrets: ISecret[] = [];
   // if using service token filter towards the folderId by secretpath
 
-  if (!folderId) {
-    folderId = await getFolderIdFromServiceToken(workspaceId, environment, secretPath);
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment
+  });
+  let folderId = "root";
+  if (!folders && folderId !== "root") return [];
+  // get folder from folder tree
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) return [];
+    folderId = folder?.id;
   }
 
   // get personal secrets first

backend/src/index.ts

@@ -27,8 +27,10 @@ import {
   users as eeUsersRouter,
   workspace as eeWorkspaceRouter,
   roles as v1RoleRouter,
-  secretApprovalPolicy as v1SecretApprovalPolicy,
-  secretApprovalRequest as v1SecretApprovalRequest,
+  secretApprovalPolicy as v1SecretApprovalPolicyRouter,
+  secretApprovalRequest as v1SecretApprovalRequestRouter,
+  secretRotation as v1SecretRotation,
+  secretRotationProvider as v1SecretRotationProviderRouter,
   secretScanning as v1SecretScanningRouter
 } from "./ee/routes/v1";
 import { apiKeyData as v3apiKeyDataRouter } from "./ee/routes/v3";
@@ -194,6 +196,8 @@ const main = async () => {
   app.use("/api/v1/cloud-products", eeCloudProductsRouter);
   app.use("/api/v3/api-key", v3apiKeyDataRouter); // new
   app.use("/api/v3/service-token", v3ServiceTokenDataRouter); // new
+  app.use("/api/v1/secret-rotation-providers", v1SecretRotationProviderRouter);
+  app.use("/api/v1/secret-rotations", v1SecretRotation);
 
   // v1 routes
   app.use("/api/v1/signup", v1SignupRouter);
@@ -217,9 +221,9 @@ const main = async () => {
   app.use("/api/v1/webhooks", v1WebhooksRouter);
   app.use("/api/v1/secret-imports", v1SecretImpsRouter);
   app.use("/api/v1/roles", v1RoleRouter);
-  app.use("/api/v1/secret-approvals", v1SecretApprovalPolicy);
+  app.use("/api/v1/secret-approvals", v1SecretApprovalPolicyRouter);
   app.use("/api/v1/sso", v1SSORouter);
-  app.use("/api/v1/secret-approval-requests", v1SecretApprovalRequest);
+  app.use("/api/v1/secret-approval-requests", v1SecretApprovalRequestRouter);
 
   // v2 routes (improvements)
   app.use("/api/v2/signup", v2SignupRouter);

backend/src/interfaces/middleware/index.ts

@@ -1,39 +1,27 @@
 import { Types } from "mongoose";
-import {
-    IServiceTokenData,
-    IServiceTokenDataV3,
-    IUser,
-} from "../../models";
-import { 
-    ServiceActor,
-    ServiceActorV3,
-    UserActor,
-    UserAgentType
-} from "../../ee/models";
+import { IServiceTokenData, IServiceTokenDataV3, IUser } from "../../models";
+import { ServiceActor, ServiceActorV3, UserActor, UserAgentType } from "../../ee/models";
 
 interface BaseAuthData {
-    ipAddress: string;
-    userAgent: string;
-    userAgentType: UserAgentType;
-    tokenVersionId?: Types.ObjectId;
+  ipAddress: string;
+  userAgent: string;
+  userAgentType: UserAgentType;
+  tokenVersionId?: Types.ObjectId;
 }
 
 export interface UserAuthData extends BaseAuthData {
-    actor: UserActor;
-    authPayload: IUser;
+  actor: UserActor;
+  authPayload: IUser;
 }
 
 export interface ServiceTokenV3AuthData extends BaseAuthData {
-    actor: ServiceActorV3;
-    authPayload: IServiceTokenDataV3;
+  actor: ServiceActorV3;
+  authPayload: IServiceTokenDataV3;
 }
 
 export interface ServiceTokenAuthData extends BaseAuthData {
-    actor: ServiceActor;
-    authPayload: IServiceTokenData;
+  actor: ServiceActor;
+  authPayload: IServiceTokenData;
 }
 
-export type AuthData =
-    | UserAuthData
-    | ServiceTokenV3AuthData
-    | ServiceTokenAuthData;
+export type AuthData = UserAuthData | ServiceTokenV3AuthData | ServiceTokenAuthData;

backend/src/interfaces/services/SecretService/index.ts

@@ -26,7 +26,6 @@ export interface CreateSecretParams {
 export interface GetSecretsParams {
   workspaceId: Types.ObjectId;
   environment: string;
-  folderId?: string;
   secretPath: string;
   authData: AuthData;
 }

backend/src/validation/secrets.ts

@@ -228,7 +228,6 @@ export const GetSecretsRawV3 = z.object({
     workspaceId: z.string().trim().optional(),
     environment: z.string().trim().optional(),
     secretPath: z.string().trim().default("/"),
-    folderId: z.string().trim().optional(),
     include_imports: z
       .enum(["true", "false"])
       .default("false")
@@ -302,7 +301,6 @@ export const GetSecretsV3 = z.object({
     workspaceId: z.string().trim(),
     environment: z.string().trim(),
     secretPath: z.string().trim().default("/"),
-    folderId: z.string().trim().optional(),
     include_imports: z
       .enum(["true", "false"])
       .default("false")

docs/documentation/platform/secret-rotation/mysql.mdx

@@ -0,0 +1,37 @@
+---
+title: "MySQL/MariaDB"
+description: "Rotated database user password of a MySQL or MariaDB"
+---
+
+Infisical will update periodically the provided database user's password.
+
+<Warning>
+	At present Infisical do require access to your database. We will soon be released Infisical agent based rotation which would help you rotate without direct database access from Infisical cloud.
+</Warning>
+
+## Working
+
+1. User's has to create the two user's for Infisical to rotate and provide them required database access
+2. Infisical will connect with your database with admin access
+3. If last rotated one was username1, then username2 is chosen to be rotated
+5. Update it's password with random value
+6. After testing it gets saved to the provided secret mapping
+
+## Rotation Configuration
+
+1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
+2. Click on `MySQL`
+3. Provide the inputs
+	- Admin Username: DB admin username
+	- Admin Password: DB admin password
+	- Host: DB host
+	- Port: DB port(number)
+	- Username1: The first username in two to rotate
+	- Username2: The second username in two to rotate
+	- CA: Certificate to connect with database(string)
+4. Final step
+	- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
+	- Finally select the secrets in your provided board to replace with new secret after each rotation
+	- Your done and good to go.
+
+Congrats. You have 10x your MySQL/MariaDB access security. 

docs/documentation/platform/secret-rotation/overview.mdx

@@ -0,0 +1,37 @@
+---
+title: "Secret Rotation Overview"
+description: "Keep your credentials safe by rotation"
+---
+
+Secret rotation is the process of periodically changing the values of secrets. This is done to reduce the risk of secrets being compromised and used to gain unauthorized access to systems or data.
+
+Rotated secrets can be
+1. API key for an external service
+2. Database credentials
+
+## How does the rotation happen?
+
+There are four phases in secret rotation and its triggered periodically in an internval.
+
+1. Creation
+
+System will create secret by calling an external service like an API call, or randomly generate a value. 
+Now there exist three valid secrets.
+
+2. Test
+
+Test the new secret key by some check to ensure its working one. Thus only two will be considered active and the other is considered inactive.
+
+3. Deletion
+
+System will remove the inactive secret and now there exist two valid secrets
+
+4. Finish
+
+System will switch the secret value from the rotated ones and trigger side effects like webhooks and events.
+
+## Infisical Secret Rotation Strategies
+
+1. [SendGrid](./sendgrid)
+2. [PostgreSQL/CockroachDB](./postgres)
+3. [MySQL/MariaDB](./mysql)

docs/documentation/platform/secret-rotation/postgres.mdx

@@ -0,0 +1,37 @@
+---
+title: "PostgreSQL/CockroachDB"
+description: "Rotated database user password of a postgreSQL or cochroach db"
+---
+
+Infisical will update periodically the provided database user's password.
+
+<Warning>
+	At present Infisical do require access to your database. We will soon be released Infisical agent based rotation which would help you rotate without direct database access from Infisical cloud.
+</Warning>
+
+## Working
+
+1. User's has to create the two user's for Infisical to rotate and provide them required database access
+2. Infisical will connect with your database with admin access
+3. If last rotated one was username1, then username2 is chosen to be rotated
+5. Update it's password with random value
+6. After testing it gets saved to the provided secret mapping
+
+## Rotation Configuration
+
+1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
+2. Click on `PostgreSQL`
+3. Provide the inputs
+	- Admin Username: DB admin username
+	- Admin Password: DB admin password
+	- Host: DB host
+	- Port: DB port(number)
+	- Username1: The first username in two to rotate
+	- Username2: The second username in two to rotate
+	- CA: Certificate to connect with database(string)
+4. Final step
+	- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
+	- Finally select the secrets in your provided board to replace with new secret after each rotation
+	- Your done and good to go.
+
+Congrats. You have 10x your PostgreSQL/CockroachDB access security. 

docs/documentation/platform/secret-rotation/sendgrid.mdx

@@ -0,0 +1,31 @@
+---
+title: "Twilio SendGrid"
+description: "Rotate Twilio SendGrid API keys"
+---
+
+Twilio SendGrid is a cloud-based email delivery platform that helps businesses send transactional and marketing emails.
+It uses an API key to do various operations. Using Infisical you can easily dynamically change the keys.
+
+## Working
+
+1. Infisical will need an admin token of SendGrid to create API keys dynamically.
+2. Using the given admin token and scope by user Infisical will create and rotate API keys periodically
+3. Under the hood infisical uses [SendGrid API](https://docs.sendgrid.com/api-reference/api-keys/create-api-keys)
+
+## Rotation Configuration
+
+1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
+2. Click on `Twilio SendGrid Card`
+3. Provide the inputs
+	- Admin API Key: 
+		SendGrid admin key to create lower scoped API keys.
+	- API Key Scopes
+		SendGrid generated API Key's scopes. For more info refer [this doc](https://docs.sendgrid.com/api-reference/api-key-permissions/api-key-permissions)
+
+4. Final step
+	- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
+	- Finally select the secrets in your provided board to replace with new secret after each rotation
+	- Your done and good to go.
+
+Now your output mapped secret value will be replaced periodically by SendGrid.
+		

docs/mint.json

@@ -34,7 +34,10 @@
     }
   },
   "topbarLinks": [
-    { "name": "Log In", "url": "https://app.infisical.com/login" }
+    {
+      "name": "Log In",
+      "url": "https://app.infisical.com/login"
+    }
   ],
   "topbarCtaButton": {
     "name": "Start for Free",
@@ -120,6 +123,15 @@
         "documentation/platform/audit-logs",
         "documentation/platform/token",
         "documentation/platform/mfa",
+        {
+          "group": "Secret Rotation",
+          "pages": [
+            "documentation/platform/secret-rotation/overview",
+            "documentation/platform/secret-rotation/sendgrid",
+            "documentation/platform/secret-rotation/postgres",
+            "documentation/platform/secret-rotation/mysql"
+          ]
+        },
         {
           "group": "SSO",
           "pages": [

frontend/src/components/v2/FormControl/FormControl.tsx

@@ -9,16 +9,24 @@ export type FormLabelProps = {
   isRequired?: boolean;
   label?: ReactNode;
   icon?: ReactNode;
+  className?: string;
 };
 
-export const FormLabel = ({ id, label, isRequired, icon }: FormLabelProps) => (
+export const FormLabel = ({ id, label, isRequired, icon, className }: FormLabelProps) => (
   <Label.Root
-    className="mb-0.5 ml-1 block flex items-center text-sm font-normal text-mineshaft-400"
+    className={twMerge(
+      "mb-0.5 ml-1 block flex items-center text-sm font-normal text-mineshaft-400",
+      className
+    )}
     htmlFor={id}
   >
     {label}
     {isRequired && <span className="ml-1 text-red">*</span>}
-    {icon && <span className="ml-2 text-mineshaft-300 hover:text-mineshaft-200 cursor-default">{icon}</span>}
+    {icon && (
+      <span className="ml-2 text-mineshaft-300 hover:text-mineshaft-200 cursor-default">
+        {icon}
+      </span>
+    )}
   </Label.Root>
 );
 

frontend/src/components/v2/Stepper/Stepper.tsx

@@ -0,0 +1,78 @@
+import { Children, cloneElement, ReactElement, ReactNode } from "react";
+import { faCheck } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { twMerge } from "tailwind-merge";
+
+export type StepperProps = {
+  activeStep: number;
+  children: ReactNode;
+  direction: "vertical" | "horizontal";
+  className?: string;
+};
+
+export const Stepper = ({ activeStep, children, direction, className }: StepperProps) => {
+  return (
+    <div
+      className={twMerge(
+        "flex items-center w-full space-x-3 p-2 border border-bunker-300/30 rounded-md",
+        className
+      )}
+    >
+      {Children.map(children as ReactNode, (child: ReactNode, index) => {
+        const isCompleted = activeStep > index;
+        const isActive = index === activeStep;
+        const isNotLast = index + 1 !== (children as Array<ReactNode>).length;
+        return (
+          <div
+            className={twMerge(
+              "flex items-center space-x-3 flex-shrink-0",
+              isNotLast && "flex-grow"
+            )}
+          >
+            <div className="flex items-center space-x-2 flex-shrink-0">
+              <div
+                className={twMerge(
+                  "w-7 h-7 flex items-center justify-center font-medium text-mineshaft-800 text-sm rounded-full transition-all",
+                  isCompleted ? "bg-primary" : "border text-bunker-300 border-primary/30",
+                  isActive && "bg-primary text-mineshaft-800"
+                )}
+              >
+                {isCompleted ? <FontAwesomeIcon icon={faCheck} /> : index + 1}
+              </div>
+              {cloneElement(child as ReactElement, {
+                direction,
+                activeStep,
+                isCompleted,
+                isActive
+              })}
+            </div>
+            {isNotLast && (
+              <div
+                style={{ height: "1px" }}
+                className={twMerge("flex-grow bg-bunker-300/30", isCompleted && "bg-primary")}
+              />
+            )}
+          </div>
+        );
+      })}
+    </div>
+  );
+};
+
+export type StepProps = {
+  title: string;
+  description?: ReactNode;
+  // isActive?: boolean;
+  // isCompleted?: boolean;
+  // activeStep?: number;
+  // direction?: "vertical" | "horizontal";
+};
+
+export const Step = ({ title, description }: StepProps) => {
+  return (
+    <div className="flex flex-col text-gray-300">
+      <div className="font-medium text-sm">{title}</div>
+      {description && <div className="text-xs">{description}</div>}
+    </div>
+  );
+};

frontend/src/components/v2/Stepper/index.tsx

@@ -0,0 +1,2 @@
+export type { StepperProps,StepProps } from "./Stepper";
+export { Step,Stepper } from "./Stepper";

frontend/src/components/v2/index.tsx

@@ -22,6 +22,7 @@ export * from "./SecretInput";
 export * from "./Select";
 export * from "./Skeleton";
 export * from "./Spinner";
+export * from "./Stepper";
 export * from "./Switch";
 export * from "./Table";
 export * from "./Tabs";

frontend/src/context/ProjectPermissionContext/types.ts

@@ -21,7 +21,8 @@ export enum ProjectPermissionSub {
   Workspace = "workspace",
   Secrets = "secrets",
   SecretRollback = "secret-rollback",
-  SecretApproval = "secret-approval"
+  SecretApproval = "secret-approval",
+  SecretRotation = "secret-rotation"
 }
 
 type SubjectFields = {
@@ -45,6 +46,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.Settings]
   | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
   | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Workspace]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Workspace]
   | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]

frontend/src/hooks/api/index.tsx

@@ -12,6 +12,7 @@ export * from "./secretApproval";
 export * from "./secretApprovalRequest";
 export * from "./secretFolders";
 export * from "./secretImports";
+export * from "./secretRotation";
 export * from "./secrets";
 export * from "./secretSnapshots";
 export * from "./serviceAccounts";

frontend/src/hooks/api/secretRotation/index.ts

@@ -0,0 +1,6 @@
+export {
+  useCreateSecretRotation,
+  useDeleteSecretRotation,
+  useRestartSecretRotation
+} from "./mutation";
+export { useGetSecretRotationProviders, useGetSecretRotations } from "./queries";

frontend/src/hooks/api/secretRotation/mutation.tsx

@@ -0,0 +1,52 @@
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { secretRotationKeys } from "./queries";
+import {
+  TCreateSecretRotationDTO,
+  TDeleteSecretRotationDTO,
+  TRestartSecretRotationDTO
+} from "./types";
+
+export const useCreateSecretRotation = () => {
+  const queryClient = useQueryClient();
+
+  return useMutation<{}, {}, TCreateSecretRotationDTO>({
+    mutationFn: async (dto) => {
+      const { data } = await apiRequest.post("/api/v1/secret-rotations", dto);
+      return data;
+    },
+    onSuccess: (_, { workspaceId }) => {
+      queryClient.invalidateQueries(secretRotationKeys.list({ workspaceId }));
+    }
+  });
+};
+
+export const useDeleteSecretRotation = () => {
+  const queryClient = useQueryClient();
+
+  return useMutation<{}, {}, TDeleteSecretRotationDTO>({
+    mutationFn: async (dto) => {
+      const { data } = await apiRequest.delete(`/api/v1/secret-rotations/${dto.id}`);
+      return data;
+    },
+    onSuccess: (_, { workspaceId }) => {
+      queryClient.invalidateQueries(secretRotationKeys.list({ workspaceId }));
+    }
+  });
+};
+
+export const useRestartSecretRotation = () => {
+  const queryClient = useQueryClient();
+
+  return useMutation<{}, {}, TRestartSecretRotationDTO>({
+    mutationFn: async (dto) => {
+      const { data } = await apiRequest.post("/api/v1/secret-rotations/restart", { id: dto.id });
+      return data;
+    },
+    onSuccess: (_, { workspaceId }) => {
+      queryClient.invalidateQueries(secretRotationKeys.list({ workspaceId }));
+    }
+  });
+};

frontend/src/hooks/api/secretRotation/queries.tsx

@@ -0,0 +1,110 @@
+import { useCallback } from "react";
+import { useQuery, UseQueryOptions } from "@tanstack/react-query";
+
+import {
+  decryptAssymmetric,
+  decryptSymmetric
+} from "@app/components/utilities/cryptography/crypto";
+import { apiRequest } from "@app/config/request";
+
+import {
+  TGetSecretRotationList,
+  TGetSecretRotationProviders,
+  TSecretRotation,
+  TSecretRotationProviderList
+} from "./types";
+
+export const secretRotationKeys = {
+  listProviders: ({ workspaceId }: TGetSecretRotationProviders) => [
+    { workspaceId },
+    "secret-rotation-providers"
+  ],
+  list: ({ workspaceId }: Omit<TGetSecretRotationList, "decryptFileKey">) =>
+    [{ workspaceId }, "secret-rotations"] as const
+};
+
+const fetchSecretRotationProviders = async ({ workspaceId }: TGetSecretRotationProviders) => {
+  const { data } = await apiRequest.get<TSecretRotationProviderList>(
+    `/api/v1/secret-rotation-providers/${workspaceId}`
+  );
+  return data;
+};
+
+export const useGetSecretRotationProviders = ({
+  workspaceId,
+  options = {}
+}: TGetSecretRotationProviders & {
+  options?: Omit<
+    UseQueryOptions<
+      TSecretRotationProviderList,
+      unknown,
+      TSecretRotationProviderList,
+      ReturnType<typeof secretRotationKeys.listProviders>
+    >,
+    "queryKey" | "queryFn"
+  >;
+}) =>
+  useQuery({
+    ...options,
+    queryKey: secretRotationKeys.listProviders({ workspaceId }),
+    enabled: Boolean(workspaceId) && (options?.enabled ?? true),
+    queryFn: async () => fetchSecretRotationProviders({ workspaceId })
+  });
+
+const fetchSecretRotations = async ({
+  workspaceId
+}: Omit<TGetSecretRotationList, "decryptFileKey">) => {
+  const { data } = await apiRequest.get<{ secretRotations: TSecretRotation[] }>(
+    "/api/v1/secret-rotations",
+    { params: { workspaceId } }
+  );
+  return data.secretRotations;
+};
+
+export const useGetSecretRotations = ({
+  workspaceId,
+  decryptFileKey,
+  options = {}
+}: TGetSecretRotationList & {
+  options?: Omit<
+    UseQueryOptions<
+      TSecretRotation[],
+      unknown,
+      TSecretRotation<{ key: string }>[],
+      ReturnType<typeof secretRotationKeys.list>
+    >,
+    "queryKey" | "queryFn"
+  >;
+}) =>
+  useQuery({
+    ...options,
+    queryKey: secretRotationKeys.list({ workspaceId }),
+    enabled: Boolean(workspaceId) && (options?.enabled ?? true),
+    queryFn: async () => fetchSecretRotations({ workspaceId }),
+    select: useCallback(
+      (data: TSecretRotation[]) => {
+        const PRIVATE_KEY = localStorage.getItem("PRIVATE_KEY") as string;
+        const decryptKey = decryptAssymmetric({
+          ciphertext: decryptFileKey.encryptedKey,
+          nonce: decryptFileKey.nonce,
+          publicKey: decryptFileKey.sender.publicKey,
+          privateKey: PRIVATE_KEY
+        });
+        return data.map((el) => ({
+          ...el,
+          outputs: el.outputs.map(({ key, secret }) => ({
+            key,
+            secret: {
+              key: decryptSymmetric({
+                ciphertext: secret.secretValueCiphertext,
+                iv: secret.secretValueIV,
+                tag: secret.secretValueTag,
+                key: decryptKey
+              })
+            }
+          }))
+        }));
+      },
+      [decryptFileKey]
+    )
+  });

frontend/src/hooks/api/secretRotation/types.ts

@@ -0,0 +1,133 @@
+import { UserWsKeyPair } from "../keys/types";
+import { EncryptedSecret } from "../secrets/types";
+
+export enum TProviderFunctionTypes {
+  HTTP = "http",
+  DB = "database"
+}
+
+export enum TDbProviderClients {
+  // postgres, cockroack db, amazon red shift
+  Pg = "pg",
+  // mysql and maria db
+  Sql = "sql"
+}
+
+export enum TAssignOp {
+  Direct = "direct",
+  JmesPath = "jmesopath"
+}
+
+export type TJmesPathAssignOp = {
+  assign: TAssignOp.JmesPath;
+  path: string;
+};
+
+export type TDirectAssignOp = {
+  assign: TAssignOp.Direct;
+  value: string;
+};
+
+export type TAssignFunction = TJmesPathAssignOp | TDirectAssignOp;
+
+export type THttpProviderFunction = {
+  type: TProviderFunctionTypes.HTTP;
+  url: string;
+  method: string;
+  header?: Record<string, string>;
+  query?: Record<string, string>;
+  body?: Record<string, unknown>;
+  setter?: Record<string, TAssignFunction>;
+  pre?: Record<string, TDirectAssignOp>;
+};
+
+export type TDbProviderFunction = {
+  type: TProviderFunctionTypes.DB;
+  client: TDbProviderClients;
+  username: string;
+  password: string;
+  host: string;
+  database: string;
+  port: string;
+  query: string;
+  setter?: Record<string, TAssignFunction>;
+  pre?: Record<string, TDirectAssignOp>;
+};
+
+export type TProviderFunction = THttpProviderFunction | TDbProviderFunction;
+
+export type TProviderTemplate = {
+  inputs: {
+    properties: Record<string, { type: string; helperText?: string; defaultValue?: string }>;
+    type: "object";
+    required: string[];
+  };
+  outputs: Record<string, unknown>;
+  functions: {
+    set: TProviderFunction;
+    remove?: TProviderFunction;
+    test: TProviderFunction;
+  };
+};
+
+export type TSecretRotation<T extends unknown = EncryptedSecret> = {
+  _id: string;
+  interval: number;
+  provider: string;
+  customProvider: string;
+  workspace: string;
+  environment: string;
+  secretPath: string;
+  outputs: Array<{
+    key: string;
+    secret: T;
+  }>;
+  status?: "success" | "failed";
+  lastRotatedAt?: string;
+  statusMessage?: string;
+  algorithm: string;
+  keyEncoding: string;
+};
+
+export type TSecretRotationProvider = {
+  name: string;
+  image: string;
+  title: string;
+  description: string;
+  template: TProviderTemplate;
+};
+
+export type TSecretRotationProviderList = {
+  custom: TSecretRotationProvider[];
+  providers: TSecretRotationProvider[];
+};
+
+export type TGetSecretRotationProviders = {
+  workspaceId: string;
+};
+
+export type TGetSecretRotationList = {
+  workspaceId: string;
+  decryptFileKey: UserWsKeyPair;
+};
+
+export type TCreateSecretRotationDTO = {
+  workspaceId: string;
+  secretPath: string;
+  environment: string;
+  interval: number;
+  provider: string;
+  customProvider?: string;
+  inputs: Record<string, unknown>;
+  outputs: Record<string, string>;
+};
+
+export type TDeleteSecretRotationDTO = {
+  id: string;
+  workspaceId: string;
+};
+
+export type TRestartSecretRotationDTO = {
+  id: string;
+  workspaceId: string;
+};

frontend/src/hooks/api/subscriptions/types.ts

@@ -12,6 +12,7 @@ export type SubscriptionPlan = {
   secretVersioning: boolean;
   slug: string;
   secretApproval: string;
+  secretRotation: string;
   tier: number;
   workspaceLimit: number;
   workspacesUsed: number;

frontend/src/hooks/api/types.ts

@@ -13,6 +13,12 @@ export type {
 export { ApprovalStatus, CommitType } from "./secretApprovalRequest/types";
 export type { TSecretFolder } from "./secretFolders/types";
 export type { TImportedSecrets, TSecretImports } from "./secretImports/types";
+export type {
+  TGetSecretRotationProviders,
+  TProviderTemplate,
+  TSecretRotationProvider,
+  TSecretRotationProviderList
+} from "./secretRotation/types";
 export * from "./secrets/types";
 export type { CreateServiceTokenDTO, ServiceToken } from "./serviceTokens/types";
 export type { SubscriptionPlan } from "./subscriptions/types";

frontend/src/layouts/AppLayout/AppLayout.tsx

@@ -497,6 +497,18 @@ export const AppLayout = ({ children }: LayoutProps) => {
                           </MenuItem>
                         </a>
                       </Link>
+                      <Link href={`/project/${currentWorkspace?._id}/secret-rotation`} passHref>
+                        <a className="relative">
+                          <MenuItem
+                            isSelected={
+                              router.asPath === `/project/${currentWorkspace?._id}/secret-rotation`
+                            }
+                            icon="rotation"
+                          >
+                            Secret Rotation
+                          </MenuItem>
+                        </a>
+                      </Link>
                       <Link href={`/project/${currentWorkspace?._id}/approval`} passHref>
                         <a className="relative">
                           <MenuItem
@@ -505,7 +517,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
                             }
                             icon="system-outline-189-domain-verification"
                           >
-                            Secret approvals
+                            Secret Approvals
                             {Boolean(secretApprovalReqCount?.open) && (
                               <span className="ml-2 rounded border border-primary-400 bg-primary-600 py-0.5 px-1 text-xs font-semibold text-black">
                                 {secretApprovalReqCount?.open}

frontend/src/pages/project/[id]/secret-rotation/index.tsx

@@ -0,0 +1,23 @@
+import { useTranslation } from "react-i18next";
+import Head from "next/head";
+
+import { SecretRotationPage } from "@app/views/SecretRotationPage";
+
+const SecretRotation = () => {
+  const { t } = useTranslation();
+
+  return (
+    <div className="h-full bg-bunker-800">
+      <Head>
+        <title>{t("common.head-title", { title: t("settings.project.title") })}</title>
+        <link rel="icon" href="/infisical.ico" />
+        <meta property="og:image" content="/images/message.png" />
+      </Head>
+      <SecretRotationPage />
+    </div>
+  );
+};
+
+export default SecretRotation;
+
+SecretRotation.requireAuth = true;

frontend/src/views/SecretRotationPage/SecretRotationPage.tsx

@@ -0,0 +1,407 @@
+import { useTranslation } from "react-i18next";
+import {
+  faArrowsSpin,
+  faExclamationTriangle,
+  faFolder,
+  faInfoCircle,
+  faRotate,
+  faTrash
+} from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { formatDistance } from "date-fns";
+
+import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
+import { ProjectPermissionCan } from "@app/components/permissions";
+import {
+  Button,
+  DeleteActionModal,
+  EmptyState,
+  IconButton,
+  Modal,
+  ModalContent,
+  Skeleton,
+  Spinner,
+  Table,
+  TableContainer,
+  TableSkeleton,
+  TBody,
+  Td,
+  Th,
+  THead,
+  Tooltip,
+  Tr,
+  UpgradePlanModal
+} from "@app/components/v2";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  useProjectPermission,
+  useSubscription,
+  useWorkspace
+} from "@app/context";
+import { withProjectPermission } from "@app/hoc";
+import { usePopUp } from "@app/hooks";
+import {
+  useDeleteSecretRotation,
+  useGetSecretRotationProviders,
+  useGetSecretRotations,
+  useGetUserWsKey,
+  useGetWorkspaceBot,
+  useRestartSecretRotation,
+  useUpdateBotActiveStatus
+} from "@app/hooks/api";
+import { TSecretRotationProvider } from "@app/hooks/api/types";
+
+import { CreateRotationForm } from "./components/CreateRotationForm";
+import { generateBotKey } from "./SecretRotationPage.utils";
+
+export const SecretRotationPage = withProjectPermission(
+  () => {
+    const { currentWorkspace } = useWorkspace();
+    const { t } = useTranslation();
+    const permission = useProjectPermission();
+    const { createNotification } = useNotificationContext();
+    const { popUp, handlePopUpOpen, handlePopUpToggle, handlePopUpClose } = usePopUp([
+      "createRotation",
+      "activeBot",
+      "deleteRotation",
+      "upgradePlan"
+    ] as const);
+    const workspaceId = currentWorkspace?._id || "";
+    const canCreateRotation = permission.can(
+      ProjectPermissionActions.Create,
+      ProjectPermissionSub.SecretRotation
+    );
+    const { subscription } = useSubscription();
+
+    const { data: userWsKey } = useGetUserWsKey(workspaceId);
+
+    const { data: secretRotationProviders, isLoading: isRotationProviderLoading } =
+      useGetSecretRotationProviders({ workspaceId });
+    const { data: secretRotations, isLoading: isRotationLoading } = useGetSecretRotations({
+      workspaceId,
+      decryptFileKey: userWsKey!
+    });
+
+    const {
+      mutateAsync: deleteSecretRotation,
+      variables: deleteSecretRotationVars,
+      isLoading: isDeletingRotation
+    } = useDeleteSecretRotation();
+    const {
+      mutateAsync: restartSecretRotation,
+      variables: restartSecretRotationVar,
+      isLoading: isRestartingRotation
+    } = useRestartSecretRotation();
+
+    const { data: bot } = useGetWorkspaceBot(workspaceId);
+    const { mutateAsync: updateBotActiveStatus } = useUpdateBotActiveStatus();
+
+    const isBotActive = Boolean(bot?.isActive);
+
+    const handleDeleteRotation = async () => {
+      const { id } = popUp.deleteRotation.data as { id: string };
+      try {
+        await deleteSecretRotation({
+          id,
+          workspaceId
+        });
+        handlePopUpClose("deleteRotation");
+        createNotification({
+          type: "success",
+          text: "Successfully removed rotation"
+        });
+      } catch (error) {
+        console.log(error);
+        createNotification({
+          type: "error",
+          text: "Failed to remove rotation"
+        });
+      }
+    };
+
+    const handleRestartRotation = async (id: string) => {
+      try {
+        await restartSecretRotation({
+          id,
+          workspaceId
+        });
+        createNotification({
+          type: "success",
+          text: "Secret rotation  initiated"
+        });
+      } catch (error) {
+        console.log(error);
+        createNotification({
+          type: "error",
+          text: "Failed to restart rotation"
+        });
+      }
+    };
+
+    const handleUserAcceptBotCondition = async () => {
+      const provider = popUp.activeBot?.data as TSecretRotationProvider;
+      try {
+        if (bot?._id) {
+          const botKey = generateBotKey(bot.publicKey, userWsKey!);
+          await updateBotActiveStatus({
+            isActive: true,
+            botId: bot._id,
+            workspaceId,
+            botKey
+          });
+        }
+        handlePopUpOpen("createRotation", provider);
+        handlePopUpClose("activeBot");
+      } catch (error) {
+        console.log(error);
+        createNotification({
+          type: "error",
+          text: "Failed to create bot"
+        });
+      }
+    };
+
+    const handleCreateRotation = async (provider: TSecretRotationProvider) => {
+      if (subscription && !subscription?.secretRotation) {
+        handlePopUpOpen("upgradePlan");
+        return;
+      }
+      if (!canCreateRotation) {
+        createNotification({ type: "error", text: "Access permission denied!!" });
+        return;
+      }
+      if (isBotActive) {
+        handlePopUpOpen("createRotation", provider);
+      } else {
+        handlePopUpOpen("activeBot", provider);
+      }
+    };
+
+    return (
+      <div className="container mx-auto bg-bunker-800 text-white w-full h-full max-w-7xl px-6">
+        <div className="my-6">
+          <h2 className="text-3xl font-semibold text-gray-200">Secret Rotation</h2>
+          <p className="text-bunker-300">Auto rotate secrets for better security</p>
+        </div>
+        <div className="mb-6">
+          <div className="text-xl font-semibold text-gray-200 mb-2">Rotated Secrets</div>
+          <div className="flex flex-col space-y-2">
+            <TableContainer>
+              <Table>
+                <THead>
+                  <Tr>
+                    <Th>Secret Name</Th>
+                    <Th>Environment</Th>
+                    <Th>Provider</Th>
+                    <Th>Status</Th>
+                    <Th>Last Rotation</Th>
+                    <Th className="text-right">Action</Th>
+                  </Tr>
+                </THead>
+                <TBody>
+                  {isRotationLoading && (
+                    <TableSkeleton
+                      innerKey="secret-rotation-loading"
+                      columns={6}
+                      className="bg-mineshaft-700"
+                    />
+                  )}
+                  {!isRotationLoading && secretRotations?.length === 0 && (
+                    <Tr>
+                      <Td colSpan={6}>
+                        <EmptyState title="No rotation strategy found" icon={faArrowsSpin} />
+                      </Td>
+                    </Tr>
+                  )}
+                  {secretRotations?.map(
+                    ({
+                      environment,
+                      secretPath,
+                      outputs,
+                      provider,
+                      _id,
+                      lastRotatedAt,
+                      status,
+                      statusMessage
+                    }) => {
+                      const isDeleting = deleteSecretRotationVars?.id === _id && isDeletingRotation;
+                      const isRestarting =
+                        restartSecretRotationVar?.id === _id && isRestartingRotation;
+                      return (
+                        <Tr key={_id}>
+                          <Td>
+                            {outputs
+                              .map(({ key }) => key)
+                              .join(",")
+                              .toUpperCase()}
+                          </Td>
+                          <Td>
+                            <div className="flex items-center border border-bunker-400 rounded p-1 px-2 w-min">
+                              <div>{environment}</div>
+                              <div className="flex items-center border-l border-bunker-400 pl-1 ml-1 text-xs">
+                                <FontAwesomeIcon icon={faFolder} className="mr-1" />
+                                {secretPath}
+                              </div>
+                            </div>
+                          </Td>
+                          <Td>{provider}</Td>
+                          <Td>
+                            <div className="flex items-center">
+                              {status}
+                              {status === "failed" && (
+                                <Tooltip content={statusMessage}>
+                                  <FontAwesomeIcon
+                                    icon={faExclamationTriangle}
+                                    size="sm"
+                                    className="ml-2 text-red"
+                                  />
+                                </Tooltip>
+                              )}
+                            </div>
+                          </Td>
+                          <Td>
+                            {lastRotatedAt
+                              ? formatDistance(new Date(lastRotatedAt), new Date())
+                              : "-"}
+                          </Td>
+                          <Td>
+                            <div className="flex space-x-2 justify-end">
+                              <ProjectPermissionCan
+                                I={ProjectPermissionActions.Edit}
+                                a={ProjectPermissionSub.SecretRotation}
+                                allowedLabel="Rotate now"
+                                renderTooltip
+                              >
+                                {(isAllowed) => (
+                                  <IconButton
+                                    variant="plain"
+                                    colorSchema="danger"
+                                    ariaLabel="delete-rotation"
+                                    isDisabled={isDeleting || !isAllowed}
+                                    onClick={() => handleRestartRotation(_id)}
+                                  >
+                                    {isRestarting ? (
+                                      <Spinner size="xs" />
+                                    ) : (
+                                      <FontAwesomeIcon icon={faRotate} />
+                                    )}
+                                  </IconButton>
+                                )}
+                              </ProjectPermissionCan>
+                              <ProjectPermissionCan
+                                I={ProjectPermissionActions.Delete}
+                                a={ProjectPermissionSub.SecretRotation}
+                                allowedLabel="Rotate now"
+                                renderTooltip
+                              >
+                                {(isAllowed) => (
+                                  <IconButton
+                                    variant="plain"
+                                    colorSchema="danger"
+                                    ariaLabel="delete-rotation"
+                                    isDisabled={isDeleting || !isAllowed}
+                                    onClick={() => handlePopUpOpen("deleteRotation", { id: _id })}
+                                  >
+                                    {isDeleting ? (
+                                      <Spinner size="xs" />
+                                    ) : (
+                                      <FontAwesomeIcon icon={faTrash} />
+                                    )}
+                                  </IconButton>
+                                )}
+                              </ProjectPermissionCan>
+                            </div>
+                          </Td>
+                        </Tr>
+                      );
+                    }
+                  )}
+                </TBody>
+              </Table>
+            </TableContainer>
+          </div>
+        </div>
+        <div className="text-xl font-semibold text-gray-200 mb-2">Infisical Rotation Providers</div>
+        <div className="grid grid-cols-2 lg:grid-cols-3 2xl:grid-cols-4 gap-4">
+          {isRotationProviderLoading &&
+            Array.from({ length: 12 }).map((_, index) => (
+              <Skeleton className="h-32" key={`rotation-provider-skeleton-${index + 1}`} />
+            ))}
+          {!isRotationProviderLoading &&
+            secretRotationProviders?.providers.map((provider) => (
+              <div
+                className="group relative cursor-pointer h-32 flex flex-row items-center rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
+                key={`infisical-rotation-provider-${provider.name}`}
+                tabIndex={0}
+                role="button"
+                onKeyDown={(evt) => {
+                  if (evt.key === "Enter") handlePopUpOpen("createRotation", provider);
+                }}
+                onClick={() => handleCreateRotation(provider)}
+              >
+                <img
+                  src={`/images/secretRotation/${provider.image}`}
+                  height={70}
+                  width={70}
+                  alt="rotation provider logo"
+                />
+                <div className="ml-4 max-w-xs text-xl font-semibold text-gray-300 duration-200 group-hover:text-gray-200">
+                  {provider.title}
+                </div>
+                <div className="group-hover:opacity-100 transition-all opacity-0 absolute top-1 right-1">
+                  <Tooltip content={provider.description} sideOffset={10}>
+                    <FontAwesomeIcon icon={faInfoCircle} className="text-bunker-300" />
+                  </Tooltip>
+                </div>
+              </div>
+            ))}
+        </div>
+        <CreateRotationForm
+          isOpen={popUp.createRotation.isOpen}
+          workspaceId={workspaceId}
+          onToggle={(isOpen) => handlePopUpToggle("createRotation", isOpen)}
+          provider={(popUp.createRotation.data as TSecretRotationProvider) || {}}
+        />
+        <Modal
+          isOpen={popUp.activeBot?.isOpen}
+          onOpenChange={(isOpen) => handlePopUpToggle("activeBot", isOpen)}
+        >
+          <ModalContent
+            title={t("integrations.grant-access-to-secrets") as string}
+            footerContent={
+              <div className="flex items-center space-x-2">
+                <Button onClick={() => handleUserAcceptBotCondition()}>
+                  {t("integrations.grant-access-button") as string}
+                </Button>
+                <Button
+                  onClick={() => handlePopUpClose("activeBot")}
+                  variant="outline_bg"
+                  colorSchema="secondary"
+                >
+                  Cancel
+                </Button>
+              </div>
+            }
+          >
+            {t("integrations.why-infisical-needs-access")}
+          </ModalContent>
+        </Modal>
+        <DeleteActionModal
+          isOpen={popUp.deleteRotation.isOpen}
+          title="Are you sure want to delete this rotation?"
+          subTitle="This will stop the rotation from dynamically changing. Secret won't be deleted"
+          onChange={(isOpen) => handlePopUpToggle("deleteRotation", isOpen)}
+          deleteKey="delete"
+          onDeleteApproved={handleDeleteRotation}
+        />
+        <UpgradePlanModal
+          isOpen={popUp.upgradePlan.isOpen}
+          onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
+          text="You can add secret rotation if you switch to Infisical's Team plan."
+        />
+      </div>
+    );
+  },
+  { action: ProjectPermissionActions.Read, subject: ProjectPermissionSub.SecretRotation }
+);

frontend/src/views/SecretRotationPage/SecretRotationPage.utils.ts

@@ -0,0 +1,30 @@
+import { UserWsKeyPair } from "@app/hooks/api/types";
+
+import {
+  decryptAssymmetric,
+  encryptAssymmetric
+} from "../../components/utilities/cryptography/crypto";
+
+// refactor these to common function in frontend
+export const generateBotKey = (botPublicKey: string, latestKey: UserWsKeyPair) => {
+  const PRIVATE_KEY = localStorage.getItem("PRIVATE_KEY");
+
+  if (!PRIVATE_KEY) {
+    throw new Error("Private Key missing");
+  }
+
+  const WORKSPACE_KEY = decryptAssymmetric({
+    ciphertext: latestKey.encryptedKey,
+    nonce: latestKey.nonce,
+    publicKey: latestKey.sender.publicKey,
+    privateKey: PRIVATE_KEY
+  });
+
+  const { ciphertext, nonce } = encryptAssymmetric({
+    plaintext: WORKSPACE_KEY,
+    publicKey: botPublicKey,
+    privateKey: PRIVATE_KEY
+  });
+
+  return { encryptedKey: ciphertext, nonce };
+};

frontend/src/views/SecretRotationPage/components/CreateRotationForm/CreateRotationForm.tsx

@@ -0,0 +1,146 @@
+import { useRef, useState } from "react";
+import { AnimatePresence, motion } from "framer-motion";
+
+import { Modal, ModalContent, Step, Stepper } from "@app/components/v2";
+import { useCreateSecretRotation } from "@app/hooks/api";
+import { TSecretRotationProvider } from "@app/hooks/api/types";
+
+import { useNotificationContext } from "~/components/context/Notifications/NotificationProvider";
+
+import { RotationInputForm } from "./steps/RotationInputForm";
+import {
+  RotationOutputForm,
+  TFormSchema as TRotationOutputSchema
+} from "./steps/RotationOutputForm";
+
+const WIZARD_STEPS = [
+  {
+    title: "Inputs",
+    description: "Provider secrets"
+  },
+  {
+    title: "Outputs",
+    description: "Map rotated secrets to keys"
+  }
+];
+
+type Props = {
+  isOpen?: boolean;
+  onToggle: (isOpen: boolean) => void;
+  customProvider?: string;
+  workspaceId: string;
+  provider: TSecretRotationProvider;
+};
+
+export const CreateRotationForm = ({
+  isOpen,
+  onToggle,
+  provider,
+  workspaceId,
+  customProvider
+}: Props) => {
+  const [wizardStep, setWizardStep] = useState(0);
+  const wizardData = useRef<{
+    input?: Record<string, string>;
+    output?: TRotationOutputSchema;
+  }>({});
+  const { createNotification } = useNotificationContext();
+
+  const { mutateAsync: createSecretRotation } = useCreateSecretRotation();
+
+  const handleFormCancel = () => {
+    onToggle(false);
+    setWizardStep(0);
+    wizardData.current = {};
+  };
+
+  const handleFormSubmit = async () => {
+    if (!wizardData.current.input || !wizardData.current.output) return;
+    try {
+      await createSecretRotation({
+        workspaceId,
+        provider: provider.name,
+        customProvider,
+        secretPath: wizardData.current.output.secretPath,
+        environment: wizardData.current.output.environment,
+        interval: wizardData.current.output.interval,
+        inputs: wizardData.current.input,
+        outputs: wizardData.current.output.secrets
+      });
+      setWizardStep(0);
+      onToggle(false);
+      wizardData.current = {};
+    } catch (error) {
+      console.log(error);
+      createNotification({
+        type: "error",
+        text: "Failed to create secret rotation"
+      });
+    }
+  };
+
+  return (
+    <Modal
+      isOpen={isOpen}
+      onOpenChange={(state) => {
+        onToggle(state);
+        setWizardStep(0);
+        wizardData.current = {};
+      }}
+    >
+      <ModalContent
+        title={`Secret rotation for ${provider.name}`}
+        subTitle="Provide the required inputs needed for the rotation"
+        className="max-w-2xl"
+      >
+        <Stepper activeStep={wizardStep} direction="horizontal" className="mb-4">
+          {WIZARD_STEPS.map(({ title, description }, index) => (
+            <Step
+              title={title}
+              description={description}
+              key={`wizard-stepper-rotation-${index + 1}`}
+            />
+          ))}
+        </Stepper>
+        <AnimatePresence exitBeforeEnter>
+          {wizardStep === 0 && (
+            <motion.div
+              key="input-step"
+              transition={{ duration: 0.1 }}
+              initial={{ opacity: 0, translateX: 30 }}
+              animate={{ opacity: 1, translateX: 0 }}
+              exit={{ opacity: 0, translateX: -30 }}
+            >
+              <RotationInputForm
+                onCancel={handleFormCancel}
+                onSubmit={(data) => {
+                  wizardData.current.input = data;
+                  setWizardStep((state) => state + 1);
+                }}
+                inputSchema={provider.template?.inputs || {}}
+              />
+            </motion.div>
+          )}
+          {wizardStep === 1 && (
+            <motion.div
+              key="output-step"
+              transition={{ duration: 0.1 }}
+              initial={{ opacity: 0, translateX: 30 }}
+              animate={{ opacity: 1, translateX: 0 }}
+              exit={{ opacity: 0, translateX: -30 }}
+            >
+              <RotationOutputForm
+                outputSchema={provider.template?.outputs || {}}
+                onCancel={handleFormCancel}
+                onSubmit={async (data) => {
+                  wizardData.current.output = data;
+                  await handleFormSubmit();
+                }}
+              />
+            </motion.div>
+          )}
+        </AnimatePresence>
+      </ModalContent>
+    </Modal>
+  );
+};

frontend/src/views/SecretRotationPage/components/CreateRotationForm/index.tsx

@@ -0,0 +1 @@
+export { CreateRotationForm } from "./CreateRotationForm";

frontend/src/views/SecretRotationPage/components/CreateRotationForm/steps/RotationInputForm.tsx

@@ -0,0 +1,78 @@
+import { Controller, useForm } from "react-hook-form";
+import { faQuestionCircle } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { Button, FormControl, FormLabel, SecretInput, Tooltip } from "@app/components/v2";
+
+type Props = {
+  onSubmit: (data: Record<string, string>) => void;
+  onCancel: () => void;
+  inputSchema: {
+    properties: Record<string, { type: string; desc?: string; default?: string }>;
+    required: string[];
+  };
+};
+
+const formSchema = z.record(z.string().trim().optional());
+
+export const RotationInputForm = ({ onSubmit, onCancel, inputSchema }: Props) => {
+  const {
+    control,
+    handleSubmit,
+    formState: { isSubmitting }
+  } = useForm<Record<string, string>>({
+    resolver: zodResolver(formSchema)
+  });
+
+  return (
+    <form onSubmit={handleSubmit(onSubmit)}>
+      {Object.keys(inputSchema.properties || {}).map((inputName) => (
+        <Controller
+          control={control}
+          name={inputName}
+          key={`provider-input-${inputName}`}
+          defaultValue={inputSchema.properties[inputName]?.default}
+          render={({ field }) => (
+            <FormControl
+              key={`provider-input-${inputName}`}
+              label={
+                <div className="flex items-center space-x-2">
+                  <FormLabel className="uppercase mb-0" label={inputName.replaceAll("_", " ")} />
+                  {Boolean(inputSchema.properties[inputName]?.desc) && (
+                    <Tooltip
+                      className="max-w-xs"
+                      content={inputSchema.properties[inputName]?.desc}
+                      position="right"
+                    >
+                      <FontAwesomeIcon
+                        icon={faQuestionCircle}
+                        size="xs"
+                        className="text-bunker-300"
+                      />
+                    </Tooltip>
+                  )}
+                </div>
+              }
+            >
+              <SecretInput
+                {...field}
+                containerClassName="normal-case text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-bunker-800  px-2 py-1.5"
+                required={inputSchema.required.includes(inputName)}
+              />
+            </FormControl>
+          )}
+        />
+      ))}
+      <div className="mt-8 flex items-center space-x-4">
+        <Button type="submit" isLoading={isSubmitting} isDisabled={isSubmitting}>
+          Next
+        </Button>
+        <Button onClick={onCancel} colorSchema="secondary" variant="plain">
+          Cancel
+        </Button>
+      </div>
+    </form>
+  );
+};

frontend/src/views/SecretRotationPage/components/CreateRotationForm/steps/RotationOutputForm.tsx

@@ -0,0 +1,153 @@
+import { Controller, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { Button, FormControl, Input, Select, SelectItem, Spinner } from "@app/components/v2";
+import { useWorkspace } from "@app/context";
+import { useGetProjectSecrets, useGetUserWsKey } from "@app/hooks/api";
+
+const formSchema = z.object({
+  environment: z.string().trim(),
+  secretPath: z.string().trim().default("/"),
+  interval: z.number().min(1),
+  secrets: z.record(z.string())
+});
+
+export type TFormSchema = z.infer<typeof formSchema>;
+type Props = {
+  outputSchema: Record<string, unknown>;
+  onSubmit: (data: TFormSchema) => void;
+  onCancel: () => void;
+};
+
+export const RotationOutputForm = ({ onSubmit, onCancel, outputSchema = {} }: Props) => {
+  const { currentWorkspace } = useWorkspace();
+  const environments = currentWorkspace?.environments || [];
+  const workspaceId = currentWorkspace?._id || "";
+  const {
+    control,
+    handleSubmit,
+    watch,
+    formState: { isSubmitting }
+  } = useForm<TFormSchema>({
+    resolver: zodResolver(formSchema)
+  });
+
+  const environment = watch("environment", environments?.[0]?.slug);
+  const secretPath = watch("secretPath");
+  const selectedSecrets = watch("secrets");
+
+  const { data: userWsKey } = useGetUserWsKey(workspaceId);
+  const { data: secrets, isLoading: isSecretsLoading } = useGetProjectSecrets({
+    workspaceId,
+    environment,
+    secretPath,
+    decryptFileKey: userWsKey!
+  });
+
+  return (
+    <form onSubmit={handleSubmit(onSubmit)}>
+      <Controller
+        control={control}
+        name="environment"
+        defaultValue={environments?.[0]?.slug}
+        render={({ field: { value, onChange } }) => (
+          <FormControl label="Environment">
+            <Select
+              value={value}
+              onValueChange={(val) => onChange(val)}
+              className="w-full border border-mineshaft-500"
+              defaultValue={environments?.[0]?.slug}
+              position="popper"
+            >
+              {environments.map((sourceEnvironment) => (
+                <SelectItem
+                  value={sourceEnvironment.slug}
+                  key={`source-environment-${sourceEnvironment.slug}`}
+                >
+                  {sourceEnvironment.name}
+                </SelectItem>
+              ))}
+            </Select>
+          </FormControl>
+        )}
+      />
+      <Controller
+        control={control}
+        name="secretPath"
+        defaultValue="/"
+        render={({ field }) => (
+          <FormControl className="capitalize" label="Secret path">
+            <Input {...field} />
+          </FormControl>
+        )}
+      />
+      <Controller
+        control={control}
+        name="interval"
+        defaultValue={15}
+        render={({ field }) => (
+          <FormControl className="capitalize" label="Rotation Interval (Days)">
+            <Input
+              {...field}
+              min={1}
+              type="number"
+              onChange={(evt) => field.onChange(parseInt(evt.target.value, 10))}
+            />
+          </FormControl>
+        )}
+      />
+      <div className="flex flex-col mt-4 pt-4 mb-2 border-t border-bunker-300/30">
+        <div>Mapping</div>
+        <div className="text-bunker-300 text-sm">Select keys for rotated value to get saved</div>
+      </div>
+      {Object.keys(outputSchema).map((outputName) => (
+        <Controller
+          key={`provider-output-${outputName}`}
+          control={control}
+          name={`secrets.${outputName}`}
+          render={({ field: { value, onChange } }) => (
+            <FormControl className="uppercase" label={outputName.replaceAll("_", " ")} isRequired>
+              <Select
+                value={value}
+                onValueChange={(val) => onChange(val)}
+                className="w-full border border-mineshaft-500"
+                position="popper"
+              >
+                {!isSecretsLoading &&
+                  secrets
+                    ?.filter(
+                      ({ _id }) =>
+                        value === _id || !Object.values(selectedSecrets || {}).includes(_id)
+                    )
+                    ?.map(({ key, _id }) => (
+                      <SelectItem value={_id} key={_id}>
+                        {key}
+                      </SelectItem>
+                    ))}
+                {isSecretsLoading && (
+                  <SelectItem value="Loading" isDisabled>
+                    <Spinner size="xs" />
+                  </SelectItem>
+                )}
+                {!isSecretsLoading && secrets?.length === 0 && (
+                  <SelectItem value="Empty" isDisabled>
+                    No secrets found
+                  </SelectItem>
+                )}
+              </Select>
+            </FormControl>
+          )}
+        />
+      ))}
+      <div className="mt-8 flex items-center space-x-4">
+        <Button type="submit" isLoading={isSubmitting} isDisabled={isSubmitting}>
+          Submit
+        </Button>
+        <Button onClick={onCancel} colorSchema="secondary" variant="plain">
+          Cancel
+        </Button>
+      </div>
+    </form>
+  );
+};

frontend/src/views/SecretRotationPage/index.tsx

@@ -0,0 +1 @@
+export { SecretRotationPage } from "./SecretRotationPage";