docs: azure connection & syncs

.env.example

@@ -92,20 +92,24 @@ ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
 
 # App Connections
 
-# aws assume-role
+# aws assume-role connection
 INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
 INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
 
-# github oauth
+# github oauth connection
 INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
 
-#github app
+#github app connection
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
 INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
 INF_APP_CONNECTION_GITHUB_APP_ID=
 
-#gcp app
+#gcp app connection
 INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
+
+# azure app connection
+INF_APP_CONNECTION_AZURE_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRET=

backend/src/lib/config/env.ts

@@ -204,6 +204,10 @@ const envSchema = z
     // gcp app
     INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL: zpStr(z.string().optional()),
 
+    // azure app
+    INF_APP_CONNECTION_AZURE_CLIENT_ID: zpStr(z.string().optional()),
+    INF_APP_CONNECTION_AZURE_CLIENT_SECRET: zpStr(z.string().optional()),
+
     /* CORS ----------------------------------------------------------------------------- */
 
     CORS_ALLOWED_ORIGINS: zpStr(

backend/src/services/app-connection/azure/azure-connection-fns.ts

@@ -14,7 +14,11 @@ import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TAppConnectionDALFactory } from "../app-connection-dal";
 import { AppConnection } from "../app-connection-enums";
 import { AzureConnectionMethod, AzureResources } from "./azure-connection-enums";
-import { TAzureConnectionConfig, TAzureConnectionCredentials } from "./azure-connection-types";
+import {
+  ExchangeCodeAzureResponse,
+  TAzureConnectionConfig,
+  TAzureConnectionCredentials
+} from "./azure-connection-types";
 
 const resourceScopes: Record<AzureResources, string> = {
   [AzureResources.AppConfiguration]: "https://azconfig.io/.default",
@@ -49,8 +53,8 @@ export const getAzureConnectionAccessToken = async (
     new URLSearchParams({
       grant_type: "refresh_token",
       scope: `openid offline_access`,
-      client_id: appCfg.CLIENT_ID_AZURE!,
+      client_id: appCfg.INF_APP_CONNECTION_AZURE_CLIENT_ID!,
-      client_secret: appCfg.CLIENT_SECRET_AZURE!,
+      client_secret: appCfg.INF_APP_CONNECTION_AZURE_CLIENT_SECRET!,
       refresh_token: credentials.refreshToken
     })
   );
@@ -84,32 +88,22 @@ export const getAzureConnectionAccessToken = async (
 };
 
 export const getAzureConnectionListItem = () => {
-  const { CLIENT_ID_AZURE } = getConfig();
+  const { INF_APP_CONNECTION_AZURE_CLIENT_ID } = getConfig();
 
   return {
     name: "Azure" as const,
     app: AppConnection.Azure as const,
     methods: Object.values(AzureConnectionMethod) as [AzureConnectionMethod.OAuth],
-    oauthClientId: CLIENT_ID_AZURE
+    oauthClientId: INF_APP_CONNECTION_AZURE_CLIENT_ID
   };
 };
 
-type ExchangeCodeAzureResponse = {
-  token_type: string;
-  scope: string;
-  expires_in: number;
-  ext_expires_in: number;
-  access_token: string;
-  refresh_token: string;
-  id_token: string;
-};
-
 export const validateAzureConnectionCredentials = async (config: TAzureConnectionConfig) => {
   const { credentials: inputCredentials, method } = config;
 
-  const { CLIENT_ID_AZURE, CLIENT_SECRET_AZURE } = getConfig();
+  const { INF_APP_CONNECTION_AZURE_CLIENT_ID, INF_APP_CONNECTION_AZURE_CLIENT_SECRET, SITE_URL } = getConfig();
 
-  if (!CLIENT_ID_AZURE || !CLIENT_SECRET_AZURE) {
+  if (!INF_APP_CONNECTION_AZURE_CLIENT_ID || !INF_APP_CONNECTION_AZURE_CLIENT_SECRET) {
     throw new InternalServerError({
       message: `Azure ${getAppConnectionMethodName(method)} environment variables have not been configured`
     });
@@ -119,23 +113,17 @@ export const validateAzureConnectionCredentials = async (config: TAzureConnectio
   let tokenError: AxiosError | null = null;
 
   try {
-    const appCfg = getConfig();
-    if (!appCfg.CLIENT_ID_AZURE || !appCfg.CLIENT_SECRET_AZURE) {
-      throw new BadRequestError({ message: "Missing client id and client secret" });
-    }
-
     tokenResp = await request.post<ExchangeCodeAzureResponse>(
       IntegrationUrls.AZURE_TOKEN_URL.replace("common", inputCredentials.tenantId || "common"),
       new URLSearchParams({
         grant_type: "authorization_code",
         code: inputCredentials.code,
         scope: `openid offline_access ${resourceScopes[inputCredentials.resource]}`,
-        client_id: appCfg.CLIENT_ID_AZURE,
+        client_id: INF_APP_CONNECTION_AZURE_CLIENT_ID,
-        client_secret: appCfg.CLIENT_SECRET_AZURE,
+        client_secret: INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
-        redirect_uri: `${appCfg.SITE_URL}/organization/app-connections/azure/oauth/callback`
+        redirect_uri: `${SITE_URL}/organization/app-connections/azure/oauth/callback`
       })
     );
-    // TODO(daniel): handle token refreshing
   } catch (e: unknown) {
     if (e instanceof AxiosError) {
       tokenError = e;

docs/integrations/app-connections/azure.mdx

@@ -0,0 +1,96 @@
+---
+title: "Azure Connection"
+description: "Learn how to configure a Azure Connection for Infisical."
+---
+
+Infisical currently only supports one method for connecting to Azure, which is OAuth.
+
+<Accordion title="Self-Hosted Instance">
+  Using the Azure App Configuration integration on a self-hosted instance of Infisical requires configuring an application in Azure
+  and registering your instance with it.
+
+  **Prerequisites:**
+
+  - Set up Azure and have an existing App Configuration instance.
+
+  <Steps>
+    <Step title="Create an application in Azure">
+      Navigate to Azure Active Directory > App registrations to create a new application.
+
+      <Info>
+        Azure Active Directory is now Microsoft Entra ID.
+      </Info>
+      ![integrations Azure app config](../../images/integrations/azure-app-configuration/config-aad.png)
+      ![integrations Azure app config](../../images/integrations/azure-app-configuration/config-new-app.png)
+
+      Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/integrations/azure-app-configuration/oauth2/callback`.
+      <Tip>
+        The domain you defined in the Redirect URI should be equivalent to the `SITE_URL` configured in your Infisical instance.
+      </Tip>
+
+      ![integrations Azure app config](../../images/integrations/azure-app-configuration/app-registration-redirect.png)
+    </Step>
+    <Step title="Assign API permissions to the application">
+
+      For the Azure Connection to work with both Key Vault and App Configuration, you need to assign multiple permissions to the application.
+
+      #### Azure App Configuration permissions
+
+      Set the API permissions of the Azure application to include the following Azure App Configuration permissions: `KeyValue.Delete`, `KeyValue.Read`, and `KeyValue.Write`.
+      ![integrations Azure app config](../../images/integrations/azure-app-configuration/app-api-permissions.png)
+
+      #### Azure Key Vault permissions
+
+      Set the API permissions of the Azure application to include `user.impersonation` for the Key Vault API.
+      ![integrations Azure keyvault](/images/app-connections/azure/keyvault-azure-permissions.png)
+
+    </Step>
+    <Step title="Add your application credentials to Infisical">
+      Obtain the **Application (Client) ID** in Overview and generate a **Client Secret** in Certificate & secrets for your Azure application.
+
+      ![integrations Azure app config](../../images/integrations/azure-app-configuration/config-credentials-1.png)
+      ![integrations Azure app config](../../images/integrations/azure-app-configuration/config-credentials-2.png)
+      ![integrations Azure app config](../../images/integrations/azure-app-configuration/config-credentials-3.png)
+
+      Back in your Infisical instance, add two new environment variables for the credentials of your Azure application.
+
+      - `INF_APP_CONNECTION_AZURE_CLIENT_ID`: The **Application (Client) ID** of your Azure application.
+      - `INF_APP_CONNECTION_AZURE_CLIENT_SECRET`: The **Client Secret** of your Azure application.
+
+      Once added, restart your Infisical instance and use the Azure App Configuration integration.
+    </Step>
+    </Steps>    
+
+</Accordion>
+
+## Setup Azure Connection in Infisical
+
+<Steps>
+	<Step title="Navigate to the App Connections">
+		Navigate to the **App Connections** tab on the **Organization Settings** page. ![App Connections
+		Tab](/images/app-connections/general/add-connection.png)
+	</Step>
+	<Step title="Add Connection">
+		Select the **Azure Connection** option from the connection options modal. ![Select Azure Connection](/images/app-connections/azure/select-connection.png)
+	</Step>
+	<Step title="Authorize Connection">
+		You must select the resource that you intend to use this connection for _(Azure Key Vault or Azure App Configuration)_.
+
+    You can optionally authenticate against a specific tenant by providing the Azure Tenant or Directory ID.
+
+    Now select the **OAuth** method and click **Connect to Azure**. 
+
+    ![Connect via Azure OAUth](/images/app-connections/azure/create-oauth-method.png)
+
+    
+
+	</Step>
+	<Step title="Grant Access">
+		You will then be redirected to the GitHub to grant Infisical access to your GitHub account (organization and repo privileges). Once granted,
+		you will redirect you back to Infisical's App Connections page. ![GitHub
+		Authorization](/images/app-connections/azure/grant-access.png)
+	</Step>
+	<Step title="Connection Created">
+		Your **GitHub Connection** is now available for use. ![Assume Role AWS Connection](/images/app-connections/azure/oauth-connection.png)
+	</Step>
+</Steps>

docs/integrations/secret-syncs/azure-app-configuration.mdx

@@ -0,0 +1,139 @@
+---
+title: "Azure App Configuration Sync"
+description: "Learn how to configure an Azure App Configuration Sync for Infisical."
+---
+
+**Prerequisites:**
+
+        - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
+        - Create a [Azure Connection](/integrations/app-connections/azure), configured for Azure App Configuration.
+
+<Tabs>
+    <Tab title="Infisical UI">
+        1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
+        ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
+
+        2. Select the **Azure App Configuration** option.
+        ![Select Azure App Configuration](/images/secret-syncs/azure-app-configuration/select-app-config.png)
+
+        3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
+        ![Configure Source](/images/secret-syncs/azure-app-configuration/app-config-source.png)
+
+            - **Environment**: The project environment to retrieve secrets from.
+            - **Secret Path**: The folder path to retrieve secrets from.
+
+        <Tip>
+            If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
+        </Tip>
+
+        4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
+        ![Configure Destination](/images/secret-syncs/azure-app-configuration/app-config-destination.png)
+
+            - **Azure Connection**: The Azure Connection to authenticate with.
+            - **Configuration URL**: The URL of your Azure App Configuration.
+            - **Label**: An optional label to attach to all secrets created by Infisical inside your Azure App Configuration.
+
+        5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
+        ![Configure Options](/images/secret-syncs/azure-app-configuration/app-config-options.png)
+
+            - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
+                - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
+                <Note>
+                    Azure App Configuration does not support importing secrets.
+                </Note>
+            - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
+
+        6. Configure the **Details** of your Azure App Configuration Sync, then click **Next**.
+        ![Configure Details](/images/secret-syncs/azure-app-configuration/app-config-details.png)
+
+            - **Name**: The name of your sync. Must be slug-friendly.
+            - **Description**: An optional description for your sync.
+
+        7. Review your Azure App Configuration Sync configuration, then click **Create Sync**.
+        ![Confirm Configuration](/images/secret-syncs/azure-app-configuration/app-config-review.png)
+
+        8. If enabled, your Azure App Configuration Sync will begin syncing your secrets to the destination endpoint.
+        ![Sync Secrets](/images/secret-syncs/azure-app-configuration/app-config-synced.png)
+
+    </Tab>
+    <Tab title="API">
+        To create an **Azure App Configuration Sync**, make an API request to the [Create Azure App Configuration Sync](/api-reference/endpoints/secret-syncs/azure-app-configuration/create) API endpoint.
+
+        ### Sample request
+
+        ```bash Request
+        curl    --request POST \
+        --url https://app.infisical.com/api/v1/secret-syncs/azure-app-configuration \
+        --header 'Content-Type: application/json' \
+        --data '{
+            "name": "my-azure-app-configuration-sync",
+            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "description": "an example sync",
+            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "environment": "dev",
+            "secretPath": "/my-secrets",
+            "isEnabled": true,
+            "syncOptions": {
+                "initialSyncBehavior": "overwrite-destination"
+            },
+            "destinationConfig": {
+              "configurationUrl": "https://my-azure-app-configuration.azconfig.io",
+              "label": "my-label"
+            }
+        }'
+        ```
+
+        ### Sample response
+
+        ```json Response
+        {
+            "secretSync": {
+                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "name": "my-azure-app-configuration-sync",
+                "description": "an example sync",
+                "isEnabled": true,
+                "version": 1,
+                "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "createdAt": "2023-11-07T05:31:56Z",
+                "updatedAt": "2023-11-07T05:31:56Z",
+                "syncStatus": "succeeded",
+                "lastSyncJobId": "123",
+                "lastSyncMessage": null,
+                "lastSyncedAt": "2023-11-07T05:31:56Z",
+                "importStatus": null,
+                "lastImportJobId": null,
+                "lastImportMessage": null,
+                "lastImportedAt": null,
+                "removeStatus": null,
+                "lastRemoveJobId": null,
+                "lastRemoveMessage": null,
+                "lastRemovedAt": null,
+                "syncOptions": {
+                    "initialSyncBehavior": "overwrite-destination"
+                },
+                "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connection": {
+                    "app": "azure",
+                    "name": "my-azure-connection",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "environment": {
+                    "slug": "dev",
+                    "name": "Development",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "folder": {
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "path": "/my-secrets"
+                },
+                "destination": "azure-app-configuration",
+                "destinationConfig": {
+                    "configurationUrl": "https://my-azure-app-configuration.azconfig.io",
+                    "label": "my-label"
+                }
+            }
+        }
+        ```
+    </Tab>
+</Tabs>

docs/integrations/secret-syncs/azure-key-vault.mdx

@@ -0,0 +1,137 @@
+---
+title: "Azure Key Vault Sync"
+description: "Learn how to configure a Azure Key Vault Sync for Infisical."
+---
+
+**Prerequisites:**
+
+        - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
+        - Create a [Azure Connection](/integrations/app-connections/azure), configured for Azure Key Vault.
+
+<Tabs>
+    <Tab title="Infisical UI">
+        1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
+        ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
+
+        2. Select the **Azure Key Vault** option.
+        ![Select Key Vault](/images/secret-syncs/azure-key-vault/select-key-vault-option.png)
+
+        3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
+        ![Configure Source](/images/secret-syncs/azure-key-vault/vault-source.png)
+
+            - **Environment**: The project environment to retrieve secrets from.
+            - **Secret Path**: The folder path to retrieve secrets from.
+
+        <Tip>
+            If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
+        </Tip>
+
+        4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
+        ![Configure Destination](/images/secret-syncs/azure-key-vault/vault-destination.png)
+
+            - **Azure Connection**: The Azure Connection to authenticate with.
+            - **Vault Base URL**: The URL of your Azure Key Vault.
+            <p class="height:1px"  />
+
+        5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
+        ![Configure Options](/images/secret-syncs/azure-key-vault/vault-options.png)
+
+            - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
+                - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
+                <Note>
+                    Azure Key Vault does not support importing secrets.
+                </Note>
+            - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
+
+        6. Configure the **Details** of your Azure Key Vault Sync, then click **Next**.
+        ![Configure Details](/images/secret-syncs/azure-key-vault/vault-details.png)
+
+            - **Name**: The name of your sync. Must be slug-friendly.
+            - **Description**: An optional description for your sync.
+
+        7. Review your Azure Key Vault Sync configuration, then click **Create Sync**.
+        ![Confirm Configuration](/images/secret-syncs/azure-key-vault/vault-review.png)
+
+        8. If enabled, your Azure Key Vault Sync will begin syncing your secrets to the destination endpoint.
+        ![Sync Secrets](/images/secret-syncs/azure-key-vault/vault-synced.png)
+
+    </Tab>
+    <Tab title="API">
+        To create a **Azure Key Vault Sync**, make an API request to the [Create Key Vault Sync](/api-reference/endpoints/secret-syncs/azure-key-vault/create) API endpoint.
+
+        ### Sample request
+
+        ```bash Request
+        curl --request POST \
+        --url https://app.infisical.com/api/v1/secret-syncs/azure-key-vault \
+        --header 'Content-Type: application/json' \
+        --data '{
+            "name": "my-key-vault-sync",
+            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "description": "an example sync",
+            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "environment": "dev",
+            "secretPath": "/my-secrets",
+            "isEnabled": true,
+            "syncOptions": {
+                "initialSyncBehavior": "overwrite-destination"
+            },
+            "destinationConfig": {
+                "vaultBaseUrl: "https://my-key-vault.vault.azure.net"
+            }
+        }'
+        ```
+
+        ### Sample response
+
+        ```json Response
+        {
+            "secretSync": {
+                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "name": "my-key-vault-sync",
+                "description": "an example sync",
+                "isEnabled": true,
+                "version": 1,
+                "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "createdAt": "2023-11-07T05:31:56Z",
+                "updatedAt": "2023-11-07T05:31:56Z",
+                "syncStatus": "succeeded",
+                "lastSyncJobId": "123",
+                "lastSyncMessage": null,
+                "lastSyncedAt": "2023-11-07T05:31:56Z",
+                "importStatus": null,
+                "lastImportJobId": null,
+                "lastImportMessage": null,
+                "lastImportedAt": null,
+                "removeStatus": null,
+                "lastRemoveJobId": null,
+                "lastRemoveMessage": null,
+                "lastRemovedAt": null,
+                "syncOptions": {
+                    "initialSyncBehavior": "overwrite-destination"
+                },
+                "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connection": {
+                    "app": "azure",
+                    "name": "my-azure-key-vault-connection",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "environment": {
+                    "slug": "dev",
+                    "name": "Development",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "folder": {
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "path": "/my-secrets"
+                },
+                "destination": "azure-key-vault",
+                "destinationConfig": {
+                  "vaultBaseUrl": "https://my-key-vault.vault.azure.net"
+                }
+            }
+        }
+        ```
+    </Tab>
+</Tabs>

docs/integrations/secret-syncs/github.mdx

@@ -13,7 +13,7 @@ description: "Learn how to configure a GitHub Sync for Infisical."
         1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
         ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
 
-        2. Select the **GitHub Store** option.
+        2. Select the **GitHub** option.
         ![Select GitHub](/images/secret-syncs/github/select-github-option.png)
 
         3. Configure the **Source** from where secrets should be retrieved, then click **Next**.

docs/mint.json

@@ -393,7 +393,8 @@
           "pages": [
             "integrations/app-connections/aws",
             "integrations/app-connections/github",
-            "integrations/app-connections/gcp"
+            "integrations/app-connections/gcp",
+            "integrations/app-connections/azure"
           ]
         }
       ]
@@ -408,7 +409,9 @@
             "integrations/secret-syncs/aws-parameter-store",
             "integrations/secret-syncs/aws-secrets-manager",
             "integrations/secret-syncs/github",
-            "integrations/secret-syncs/gcp-secret-manager"
+            "integrations/secret-syncs/gcp-secret-manager",
+            "integrations/secret-syncs/azure-key-vault",
+            "integrations/secret-syncs/azure-app-configuration"
           ]
         }
       ]