
feat(api): add audit log visibility for created/updated/deleted secrets in AWS sync #5718

Merged
IgorHorta merged 5 commits into main from igor/secrets-151-audit-log-aws-sync-details
Mar 18, 2026

Conversation

@IgorHorta IgorHorta (Contributor) commented Mar 16, 2026

Context

Resolves SECRETS-151

When secrets are synced to AWS (Secrets Manager or Parameter Store), the audit log previously only recorded that a sync happened with a success/failure status. There was no visibility into which specific secrets were created, updated, or deleted at the destination.

This PR modifies the AWS sync functions to track and return the secret keys affected during each sync, then surfaces them in the existing SECRET_SYNC_SYNC_SECRETS audit log event metadata.

Example flow: Secret is deleted from Infisical → secret sync runs → secret is deleted from AWS SM/PS → audit log now includes the deleted secret key for visibility.

Changes

  • Added TSyncSecretsResult type with createdSecretKeys, updatedSecretKeys, and deletedSecretKeys arrays
  • AWS Secrets Manager syncSecrets now returns which keys were created, updated, or deleted (both OneToOne and ManyToOne mapping behaviors)
  • AWS Parameter Store syncSecrets now returns which keys were created, updated, or deleted
  • SecretSyncFns.syncSecrets dispatcher return type updated to Promise<TSyncSecretsResult | void> (non-breaking for the other 28+ destinations)
  • Queue handler captures the sync result and includes all three key arrays in audit log metadata
  • Audit log SecretSyncSyncSecretsEvent type extended with three optional fields

No frontend changes needed — the existing audit log JSON renderer automatically surfaces the new fields.

Steps to verify the change

  1. Set up an AWS App Connection with an IAM user that can assume a role
  2. Create a secret sync to AWS Secrets Manager (OneToOne mapping)
  3. Create a few secrets in Infisical → trigger sync → check audit log for createdSecretKeys
  4. Update a secret value → trigger sync → check audit log for updatedSecretKeys
  5. Delete a secret → trigger sync → check audit log for deletedSecretKeys
  6. Repeat steps 2-5 with AWS Parameter Store
  7. Test ManyToOne mapping behavior on AWS Secrets Manager
  8. Test with disableSecretDeletion enabled — deletedSecretKeys should be []
  9. Verify non-AWS syncs still work (fields should be absent from audit log)

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

…ts in AWS sync

Track which secrets are created, updated, and deleted at the destination
during AWS Secrets Manager and AWS Parameter Store sync operations. The
sync functions now return a TSyncSecretsResult containing the three key
arrays, which are included in the SECRET_SYNC_SYNC_SECRETS audit log
metadata for full visibility into what changed at the destination.

Made-with: Cursor
@linear

linear bot commented Mar 16, 2026

@maidul98 maidul98 (Collaborator) commented Mar 16, 2026

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues


@IgorHorta IgorHorta marked this pull request as ready for review March 16, 2026 20:03
@greptile-apps greptile-apps bot (Contributor) commented Mar 16, 2026

Greptile Summary

This PR adds granular audit log visibility for AWS secret sync operations by tracking which specific secret keys were created, updated, or deleted during each sync cycle. A new TSyncSecretsResult type is introduced and returned by the AWS Parameter Store and AWS Secrets Manager syncSecrets functions, which is then passed through to the existing SECRET_SYNC_SYNC_SECRETS audit log event metadata. The change is non-breaking — the dispatcher return type is TSyncSecretsResult | void, so the other 28+ sync destinations continue to work unchanged.

  • New type: TSyncSecretsResult with createdSecretKeys, updatedSecretKeys, and deletedSecretKeys arrays
  • AWS Secrets Manager ManyToOne optimization: The ManyToOne path now skips no-op updates when neither the value nor KMS key has changed (previously always called updateSecret)
  • Audit log extension: Three optional fields added to SecretSyncSyncSecretsEvent metadata — backward-compatible, auto-rendered by the existing frontend JSON viewer
  • Minor concern: In the Parameter Store path, deletedSecretKeys is populated before the batch delete call executes — benign in practice since syncResult is discarded on failure, but inconsistent with the Secrets Manager approach

Confidence Score: 4/5

  • This PR is safe to merge — it extends audit log metadata with optional fields and introduces no breaking changes.
  • Score of 4 reflects clean, well-structured changes with only a minor style concern around deletion tracking order in the Parameter Store path. No breaking API changes, no security issues, and the existing 28+ sync destinations are unaffected.
  • Pay attention to aws-parameter-store-sync-fns.ts where deletedSecretKeys is populated before the actual batch delete call.

Important Files Changed

Filename / Overview

  • backend/src/ee/services/audit-log/audit-log-types.ts: Adds three optional string array fields (createdSecretKeys, updatedSecretKeys, deletedSecretKeys) to SecretSyncSyncSecretsEvent metadata; clean, backward-compatible extension.
  • backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts: Tracks created/updated/deleted keys during Parameter Store sync. Minor ordering concern: deletedSecretKeys is populated before the batch delete call actually executes.
  • backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-fns.ts: Tracks created/updated/deleted keys for both OneToOne and ManyToOne behaviors. Also adds a beneficial optimization in ManyToOne to skip no-op updates.
  • backend/src/services/secret-sync/secret-sync-fns.ts: Return type of syncSecrets dispatcher changed to `Promise<TSyncSecretsResult | void>`.
  • backend/src/services/secret-sync/secret-sync-queue.ts: Captures sync result and includes the three key arrays in audit log metadata. Correctly handles the void case with result ?? undefined.
  • backend/src/services/secret-sync/secret-sync-types.ts: New TSyncSecretsResult type with three string arrays; clean type definition.

Last reviewed commit: ed11a8b

…in AWS PS sync

Moves deletedSecretKeys population to after deleteParametersBatch returns,
ensuring consistency with the AWS SM path and preventing inaccurate key
tracking if the batch call fails mid-execution.

Made-with: Cursor
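An added example (not Infisical's code) sketching the OneToOne tracking this PR describes, with the deletion ordering the Parameter Store follow-up commit settles on and the disableSecretDeletion case from the verification steps. TSyncSecretsResult and disableSecretDeletion come from the PR; the DestinationClient interface, planSync and auditMetadata are assumed names for illustration.

```typescript
// Added example, not Infisical's code. TSyncSecretsResult and
// disableSecretDeletion are from the PR; the client interface and
// helper names below are assumptions made for illustration.
export type TSyncSecretsResult = {
  createdSecretKeys: string[];
  updatedSecretKeys: string[];
  deletedSecretKeys: string[];
};

// Hypothetical stand-in for the AWS Secrets Manager / Parameter Store client.
export interface DestinationClient {
  list(): Promise<Record<string, string>>;
  put(key: string, value: string): Promise<void>;
  deleteBatch(keys: string[]): Promise<void>;
}

// Pure diff between what exists at the destination and what Infisical holds.
export function planSync(existing: Record<string, string>, desired: Record<string, string>) {
  const created = Object.keys(desired).filter((k) => !(k in existing));
  const updated = Object.keys(desired).filter((k) => k in existing && existing[k] !== desired[k]);
  const stale = Object.keys(existing).filter((k) => !(k in desired));
  return { created, updated, stale };
}

export async function syncSecrets(
  client: DestinationClient,
  desired: Record<string, string>,
  opts: { disableSecretDeletion: boolean },
): Promise<TSyncSecretsResult> {
  const { created, updated, stale } = planSync(await client.list(), desired);
  const result: TSyncSecretsResult = { createdSecretKeys: [], updatedSecretKeys: [], deletedSecretKeys: [] };
  for (const key of created) { await client.put(key, desired[key]); result.createdSecretKeys.push(key); }
  for (const key of updated) { await client.put(key, desired[key]); result.updatedSecretKeys.push(key); }
  // Unchanged keys cause no write and no audit entry.
  if (!opts.disableSecretDeletion && stale.length > 0) {
    await client.deleteBatch(stale);
    // Recorded only after the batch call returns, so a failed delete is never logged as done.
    result.deletedSecretKeys.push(...stale);
  }
  return result;
}

// Queue-handler side: a void result from a non-AWS destination leaves the fields undefined,
// so they are simply absent from the audit log metadata.
export function auditMetadata(syncId: string, result: TSyncSecretsResult | void) {
  const r = result ? result : undefined;
  return { syncId, createdSecretKeys: r?.createdSecretKeys, updatedSecretKeys: r?.updatedSecretKeys, deletedSecretKeys: r?.deletedSecretKeys };
}
```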
@IgorHorta IgorHorta requested a review from varonix0 March 17, 2026 22:51
@IgorHorta IgorHorta merged commit 10f7f36 into main Mar 18, 2026
10 checks passed