Infisical · akhilmhdh · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/backend/src/@types/fastify.d.ts b/backend/src/@types/fastify.d.ts
@@ -54,7 +54,6 @@ import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-con
 import { TScimServiceFactory } from "@app/ee/services/scim/scim-types";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-service";
-import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
 import { TSecretRotationV2ServiceFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-service";
 import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
 import { TSecretScanningV2ServiceFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-service";
@@ -305,7 +304,6 @@ declare module "fastify" {
       accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
       secretApprovalRequest: TSecretApprovalRequestServiceFactory;
-      secretRotation: TSecretRotationServiceFactory;
       snapshot: TSecretSnapshotServiceFactory;
       saml: TSamlConfigServiceFactory;
       scim: TScimServiceFactory;

diff --git a/backend/src/@types/knex.d.ts b/backend/src/@types/knex.d.ts
@@ -500,15 +500,6 @@ import {
   TSecretReferencesV2,
   TSecretReferencesV2Insert,
   TSecretReferencesV2Update,
-  TSecretRotationOutputs,
-  TSecretRotationOutputsInsert,
-  TSecretRotationOutputsUpdate,
-  TSecretRotationOutputV2,
-  TSecretRotationOutputV2Insert,
-  TSecretRotationOutputV2Update,
-  TSecretRotations,
-  TSecretRotationsInsert,
-  TSecretRotationsUpdate,
   TSecretRotationsV2,
   TSecretRotationsV2Insert,
   TSecretRotationsV2Update,
@@ -1282,16 +1273,6 @@ declare module "knex/types/tables" {
       TSecretApprovalPoliciesEnvironmentsInsert,
       TSecretApprovalPoliciesEnvironmentsUpdate
     >;
-    [TableName.SecretRotation]: KnexOriginal.CompositeTableType<
-      TSecretRotations,
-      TSecretRotationsInsert,
-      TSecretRotationsUpdate
-    >;
-    [TableName.SecretRotationOutput]: KnexOriginal.CompositeTableType<
-      TSecretRotationOutputs,
-      TSecretRotationOutputsInsert,
-      TSecretRotationOutputsUpdate
-    >;
     [TableName.Snapshot]: KnexOriginal.CompositeTableType<
       TSecretSnapshots,
       TSecretSnapshotsInsert,
@@ -1392,11 +1373,6 @@ declare module "knex/types/tables" {
       TSecretApprovalRequestSecretTagsV2Insert,
       TSecretApprovalRequestSecretTagsV2Update
     >;
-    [TableName.SecretRotationOutputV2]: KnexOriginal.CompositeTableType<
-      TSecretRotationOutputV2,
-      TSecretRotationOutputV2Insert,
-      TSecretRotationOutputV2Update
-    >;
     // KMS service
     [TableName.KmsServerRootConfig]: KnexOriginal.CompositeTableType<
       TKmsRootConfig,

diff --git a/backend/src/db/migrations/20240102152111_secret-rotation.ts b/backend/src/db/migrations/20240102152111_secret-rotation.ts
@@ -4,8 +4,8 @@ import { TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 
 export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretRotation))) {
-    await knex.schema.createTable(TableName.SecretRotation, (t) => {
+  if (!(await knex.schema.hasTable(TableName.DeprecatedSecretRotationV1))) {
+    await knex.schema.createTable(TableName.DeprecatedSecretRotationV1, (t) => {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
       t.string("provider").notNullable();
       t.string("secretPath").notNullable();
@@ -23,22 +23,22 @@ export async function up(knex: Knex): Promise<void> {
       t.timestamps(true, true, true);
     });
   }
-  await createOnUpdateTrigger(knex, TableName.SecretRotation);
+  await createOnUpdateTrigger(knex, TableName.DeprecatedSecretRotationV1);
 
-  if (!(await knex.schema.hasTable(TableName.SecretRotationOutput))) {
-    await knex.schema.createTable(TableName.SecretRotationOutput, (t) => {
+  if (!(await knex.schema.hasTable(TableName.DeprecatedSecretRotationOutput))) {
+    await knex.schema.createTable(TableName.DeprecatedSecretRotationOutput, (t) => {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
       t.string("key").notNullable();
       t.uuid("secretId").notNullable();
       t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("CASCADE");
       t.uuid("rotationId").notNullable();
-      t.foreign("rotationId").references("id").inTable(TableName.SecretRotation).onDelete("CASCADE");
+      t.foreign("rotationId").references("id").inTable(TableName.DeprecatedSecretRotationV1).onDelete("CASCADE");
     });
   }
 }
 
 export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretRotationOutput);
-  await knex.schema.dropTableIfExists(TableName.SecretRotation);
-  await dropOnUpdateTrigger(knex, TableName.SecretRotation);
+  await dropOnUpdateTrigger(knex, TableName.DeprecatedSecretRotationV1);
+  await knex.schema.dropTableIfExists(TableName.DeprecatedSecretRotationOutput);
+  await knex.schema.dropTableIfExists(TableName.DeprecatedSecretRotationV1);
 }
diff --git a/backend/src/db/migrations/20240730181850_secret-v2.ts b/backend/src/db/migrations/20240730181850_secret-v2.ts
@@ -134,14 +134,14 @@ export async function up(knex: Knex): Promise<void> {
     });
   }
 
-  if (!(await knex.schema.hasTable(TableName.SecretRotationOutputV2))) {
-    await knex.schema.createTable(TableName.SecretRotationOutputV2, (t) => {
+  if (!(await knex.schema.hasTable(TableName.DeprecatedSecretRotationOutputV2))) {
+    await knex.schema.createTable(TableName.DeprecatedSecretRotationOutputV2, (t) => {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
       t.string("key").notNullable();
       t.uuid("secretId").notNullable();
       t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
       t.uuid("rotationId").notNullable();
-      t.foreign("rotationId").references("id").inTable(TableName.SecretRotation).onDelete("CASCADE");
+      t.foreign("rotationId").references("id").inTable(TableName.DeprecatedSecretRotationV1).onDelete("CASCADE");
     });
   }
 }
@@ -154,7 +154,7 @@ export async function down(knex: Knex): Promise<void> {
   await knex.schema.dropTableIfExists(TableName.SecretV2JnTag);
   await knex.schema.dropTableIfExists(TableName.SecretReferenceV2);
 
-  await knex.schema.dropTableIfExists(TableName.SecretRotationOutputV2);
+  await knex.schema.dropTableIfExists(TableName.DeprecatedSecretRotationOutputV2);
 
   await dropOnUpdateTrigger(knex, TableName.SecretVersionV2);
   await knex.schema.dropTableIfExists(TableName.SecretVersionV2Tag);

diff --git a/backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts b/backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts
@@ -2,7 +2,6 @@ import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
 import { crypto } from "@app/lib/crypto/cryptography";
-import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { kmsRootConfigDALFactory } from "@app/services/kms/kms-root-config-dal";
 import { KmsDataKey } from "@app/services/kms/kms-types";
@@ -15,11 +14,14 @@ import { getMigrationEncryptionServices, getMigrationHsmService } from "./utils/
 
 const BATCH_SIZE = 500;
 export async function up(knex: Knex): Promise<void> {
-  const hasEncryptedRotationData = await knex.schema.hasColumn(TableName.SecretRotation, "encryptedRotationData");
+  const hasEncryptedRotationData = await knex.schema.hasColumn(
+    TableName.DeprecatedSecretRotationV1,
+    "encryptedRotationData"
+  );
 
-  const hasRotationTable = await knex.schema.hasTable(TableName.SecretRotation);
+  const hasRotationTable = await knex.schema.hasTable(TableName.DeprecatedSecretRotationV1);
   if (hasRotationTable) {
-    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
+    await knex.schema.alterTable(TableName.DeprecatedSecretRotationV1, (t) => {
       if (!hasEncryptedRotationData) t.binary("encryptedRotationData");
     });
   }
@@ -36,9 +38,9 @@ export async function up(knex: Knex): Promise<void> {
   const projectEncryptionRingBuffer =
     createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
 
-  const secretRotations = await knex(TableName.SecretRotation)
-    .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretRotation}.envId`)
-    .select(selectAllTableCols(TableName.SecretRotation))
+  const secretRotations = await knex(TableName.DeprecatedSecretRotationV1)
+    .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.DeprecatedSecretRotationV1}.envId`)
+    .select(`${TableName.DeprecatedSecretRotationV1}.*`)
     .select(knex.ref("projectId").withSchema(TableName.Environment))
     .orderBy(`${TableName.Environment}.projectId` as "projectId");
 
@@ -88,25 +90,28 @@ export async function up(knex: Knex): Promise<void> {
 
   for (let i = 0; i < updatedRotationData.length; i += BATCH_SIZE) {
     // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.SecretRotation)
+    await knex(TableName.DeprecatedSecretRotationV1)
       .insert(updatedRotationData.slice(i, i + BATCH_SIZE))
       .onConflict("id")
       .merge();
   }
 
   if (hasRotationTable) {
-    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
+    await knex.schema.alterTable(TableName.DeprecatedSecretRotationV1, (t) => {
       if (!hasEncryptedRotationData) t.binary("encryptedRotationData").notNullable().alter();
     });
   }
 }
 
 export async function down(knex: Knex): Promise<void> {
-  const hasEncryptedRotationData = await knex.schema.hasColumn(TableName.SecretRotation, "encryptedRotationData");
+  const hasEncryptedRotationData = await knex.schema.hasColumn(
+    TableName.DeprecatedSecretRotationV1,
+    "encryptedRotationData"
+  );
 
-  const hasRotationTable = await knex.schema.hasTable(TableName.SecretRotation);
+  const hasRotationTable = await knex.schema.hasTable(TableName.DeprecatedSecretRotationV1);
   if (hasRotationTable) {
-    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
+    await knex.schema.alterTable(TableName.DeprecatedSecretRotationV1, (t) => {
       if (hasEncryptedRotationData) t.dropColumn("encryptedRotationData");
     });
   }

diff --git a/backend/src/db/migrations/20260421074631_remove-rotation-v1.ts b/backend/src/db/migrations/20260421074631_remove-rotation-v1.ts
@@ -0,0 +1,20 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasRotationOutputTable = await knex.schema.hasTable(TableName.DeprecatedSecretRotationOutput);
+  const hasRotationOutputV2Table = await knex.schema.hasTable(TableName.DeprecatedSecretRotationOutputV2);
+  const hasRotationTable = await knex.schema.hasTable(TableName.DeprecatedSecretRotationV1);
+
+  if (hasRotationOutputTable) await knex.schema.dropTable(TableName.DeprecatedSecretRotationOutput);
+  if (hasRotationOutputV2Table) await knex.schema.dropTable(TableName.DeprecatedSecretRotationOutputV2);
+
+  if (hasRotationTable) {
+    await dropOnUpdateTrigger(knex, TableName.DeprecatedSecretRotationV1);
+    await knex.schema.dropTableIfExists(TableName.DeprecatedSecretRotationV1);
+  }
+}
+
+export async function down(): Promise<void> {}
diff --git a/backend/src/db/schemas/index.ts b/backend/src/db/schemas/index.ts
@@ -196,10 +196,7 @@ export * from "./secret-folders";
 export * from "./secret-imports";
 export * from "./secret-references";
 export * from "./secret-references-v2";
-export * from "./secret-rotation-output-v2";
-export * from "./secret-rotation-outputs";
 export * from "./secret-rotation-v2-secret-mappings";
-export * from "./secret-rotations";
 export * from "./secret-rotations-v2";
 export * from "./secret-scanning-configs";
 export * from "./secret-scanning-data-sources";

diff --git a/backend/src/db/schemas/models.ts b/backend/src/db/schemas/models.ts
@@ -131,8 +131,6 @@ export enum TableName {
   SecretApprovalRequestSecret = "secret_approval_requests_secrets",
   SecretApprovalRequestSecretTag = "secret_approval_request_secret_tags",
   SecretApprovalPolicyEnvironment = "secret_approval_policies_environments",
-  SecretRotation = "secret_rotations",
-  SecretRotationOutput = "secret_rotation_outputs",
   SamlConfig = "saml_configs",
   LdapConfig = "ldap_configs",
   OidcConfig = "oidc_configs",
@@ -163,7 +161,6 @@ export enum TableName {
   JnSecretTag = "secret_tag_junction",
   SecretVersionTag = "secret_version_tag_junction",
   SecretVersionV2Tag = "secret_version_v2_tag_junction",
-  SecretRotationOutputV2 = "secret_rotation_output_v2",
   // KMS Service
   KmsServerRootConfig = "kms_root_config",
   KmsKey = "kms_keys",
@@ -288,11 +285,14 @@ export enum TableName {
   PkiSigners = "pki_signers",
   PkiSigningOperations = "pki_signing_operations",
 
+  CaSigningConfig = "ca_signing_configs",
+  SecretValidationRule = "secret_validation_rules",
+
   // Deprecated - Not used anymore now that Redis is persistent
   DeprecatedDurableQueueJobs = "queue_jobs",
-
-  CaSigningConfig = "ca_signing_configs",
-  SecretValidationRule = "secret_validation_rules"
+  DeprecatedSecretRotationV1 = "secret_rotations",
+  DeprecatedSecretRotationOutput = "secret_rotation_outputs",
+  DeprecatedSecretRotationOutputV2 = "secret_rotation_output_v2"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";

diff --git a/backend/src/db/schemas/secret-rotation-output-v2.ts b/backend/src/db/schemas/secret-rotation-output-v2.ts
diff --git a/backend/src/db/schemas/secret-rotation-outputs.ts b/backend/src/db/schemas/secret-rotation-outputs.ts
diff --git a/backend/src/db/schemas/secret-rotations.ts b/backend/src/db/schemas/secret-rotations.ts
diff --git a/backend/src/ee/routes/v1/index.ts b/backend/src/ee/routes/v1/index.ts
@@ -55,8 +55,6 @@ import { registerRelayRouter } from "./relay-router";
 import { registerSamlRouter } from "./saml-router";
 import { registerScimRouter } from "./scim-router";
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
-import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
-import { registerSecretRotationRouter } from "./secret-rotation-router";
 import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
@@ -102,9 +100,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerSecretApprovalRequestRouter, {
     prefix: "/secret-approval-requests"
   });
-  await server.register(registerSecretRotationProviderRouter, {
-    prefix: "/secret-rotation-providers"
-  });
 
   await server.register(registerAccessApprovalPolicyRouter, { prefix: "/access-approvals/policies" });
   await server.register(registerAccessApprovalRequestRouter, { prefix: "/access-approvals/requests" });
@@ -157,7 +152,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerScimRouter, { prefix: "/scim" });
   await server.register(registerLdapRouter, { prefix: "/ldap" });
   await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
-  await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
   await server.register(registerSecretRouter, { prefix: "/secrets" });
   await server.register(registerSecretVersionRouter, { prefix: "/secret" });
   await server.register(registerGroupRouter, { prefix: "/groups" });