
Backend: Secret Rotation API Implementation (Database & Endpoints)

Summary

This issue focuses on implementing the initial phase of the secret rotation functionality by building the API endpoints to accept rotation input and creating the necessary database structure to store rotation information. This implementation is based on ADR 010: Using Rails ActiveRecord for Secret Rotation Metadata.

Proposal

We will implement the database structure and API endpoints required to support secret rotation scheduling, following the design outlined in ADR 010. This includes:

  1. Creating a new rotation_infos table to store metadata about secret rotation schedules
  2. Updating GraphQL mutations to accept rotation configuration
  3. Supporting both standard intervals (30/60/90 days) and a custom number of days.
    • We are setting a minimum value of 7 days.

Database Schema

CREATE TABLE rotation_infos (
  id SERIAL PRIMARY KEY,
  project_id INTEGER NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
  secret_name VARCHAR NOT NULL,

  -- Rotation scheduling
  rotation_interval_days INTEGER NOT NULL,
  next_reminder_at TIMESTAMP NOT NULL,

  -- Notification tracking
  last_reminder_sent_at TIMESTAMP,

  created_at TIMESTAMP NOT NULL,
  updated_at TIMESTAMP NOT NULL
);

-- Indexes for performance
CREATE UNIQUE INDEX idx_rotation_infos_project_secret ON rotation_infos(project_id, secret_name);
CREATE INDEX idx_rotation_infos_reminder_at ON rotation_infos(next_reminder_at);

Notes on the schema:

  • The combination of project_id and secret_name must be unique
  • We're indexing next_reminder_at to support efficient querying by future background jobs

GraphQL Changes

We'll update the following GraphQL mutations:

  • ProjectSecretCreate in mutations/secrets_management/project_secrets/create.rb
  • ProjectSecretUpdate in mutations/secrets_management/project_secrets/update.rb

Adding the following argument to both mutations:

argument :rotation_interval_days, GraphQL::Types::Int,
  required: false,
  description: 'Number of days between rotation reminders (minimum 7 days).'

And updating the respective service classes:

  • SecretsManagement::ProjectSecrets::CreateService
  • SecretsManagement::ProjectSecrets::UpdateService

to handle the rotation configuration and create/update records in the rotation_infos table.
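As an added illustration (not GitLab's code, and not the actual service classes), the following plain-Ruby sketch shows the rotation handling a Create/Update service would perform against the rotation_infos schema above: the optional rotation_interval_days argument is validated against the 7-day minimum, next_reminder_at is computed from the interval, and one row is kept per (project_id, secret_name) as the unique index requires. The in-memory RotationInfoStore stands in for the ActiveRecord model and is an assumption made so the example runs stand-alone.

```ruby
# Added example, not project code: models how the services would handle
# rotation_interval_days and maintain rotation_infos rows.
module RotationInfoExample
  MIN_INTERVAL_DAYS = 7                    # minimum stated in the issue
  STANDARD_INTERVALS = [30, 60, 90].freeze # standard choices offered to users
  SECONDS_PER_DAY = 86_400

  class ValidationError < StandardError; end

  # Whether a given interval is one of the standard presets or a custom value.
  def self.rotation_kind(days)
    STANDARD_INTERVALS.include?(days) ? :standard : :custom
  end

  # Validates the argument the way the mutation/service should: an Integer
  # of at least MIN_INTERVAL_DAYS. Returns the validated value.
  def self.validate_interval(value)
    raise ValidationError, 'rotation_interval_days must be an integer' unless value.is_a?(Integer)
    raise ValidationError, "rotation_interval_days must be at least #{MIN_INTERVAL_DAYS}" if value < MIN_INTERVAL_DAYS
    value
  end

  # In-memory stand-in (hypothetical) for the rotation_infos table, keyed the
  # same way as the unique index idx_rotation_infos_project_secret.
  class RotationInfoStore
    def initialize
      @rows = {}
    end

    # The GraphQL argument is optional (required: false): a nil interval means
    # the secret has no rotation schedule and no row is written.
    # An existing row for the same (project_id, secret_name) is updated in
    # place, so create and update both converge on one row per secret.
    def upsert(project_id:, secret_name:, rotation_interval_days:, now: Time.now.utc)
      return nil if rotation_interval_days.nil?
      days = RotationInfoExample.validate_interval(rotation_interval_days)
      key = [project_id, secret_name]
      row = @rows[key] ||
            { project_id: project_id, secret_name: secret_name, last_reminder_sent_at: nil, created_at: now }
      row[:rotation_interval_days] = days
      row[:next_reminder_at] = now + days * SECONDS_PER_DAY # when the first reminder job should fire
      row[:updated_at] = now
      @rows[key] = row
    end

    def find(project_id, secret_name) = @rows[[project_id, secret_name]]
    def size = @rows.size
  end
end
```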

Out of Scope

The following items are intentionally excluded from this implementation and will be addressed in future issues:

  • Background jobs for scanning secrets and sending reminders
  • UI changes to display rotation-related alerts and indicators when viewing secrets
  • GraphQL resolvers for returning rotation attributes (will be addressed in a separate issue)

Implementation Table

Group    | Issue                                             | Link
---------|---------------------------------------------------|--------
backend  | 👈 You are here                                    |
backend  | Secret Rotation in GraphQL Resolvers              |
frontend | Secret Rotation UI Implementation (Update/Create) | #472982
backend  | Background Jobs for Secret Rotation Reminders     |
frontend | Secret Rotation UI for Indicators and Alerts      |

Links/References
