feat(Playbook): Secret parameter

.github/workflows/lint.yml

@@ -36,22 +36,7 @@ jobs:
           npm run build
 
       - name: Check for broken file references
-        run: |
-          cd "${{ matrix.repo }}/build"
-          echo "Checking for broken files in $(pwd)"
-
-          echo "Total files: $(ls -alh . | wc -l)"
-          echo "Total HTML files: $(find . -type f -name "*.html" | wc -l)"
-
-          echo "Ripgrep"
-          if rg 'file=../../../modules' -g '*.html' | grep -q .; then
-            echo "Matches found. Exiting with code 0."
-            rg 'file=../../../modules' -g '*.html'
-            exit 1
-          else
-            echo "No matches found"
-            exit 0
-          fi
+        run: make file-ref-check
 
   prettier:
     name: prettier

Makefile

@@ -46,6 +46,26 @@ fmt:
 fmt-check:
 	npx prettier --check --log-level=debug "**/*.md"
 
+.PHONY: build
+build:
+	@echo "Building mission-control documentation..."
+	@cd modules && make all
+	@cd mission-control && npm ci && npm run build
+
+.PHONY: file-ref-check
+file-ref-check: ## Check for broken file references in build output
+	@echo "Checking for broken files in mission-control/build"
+	@cd mission-control/build && \
+		echo "Total files: $$(ls -alh . | wc -l)" && \
+		echo "Total HTML files: $$(find . -type f -name "*.html" | wc -l)" && \
+		if rg 'file=../../../modules' -g '*.html' | grep -q .; then \
+			echo "ERROR: Found broken file references:" && \
+			rg 'file=../../../modules' -g '*.html' && \
+			exit 1; \
+		else \
+			echo "No broken file references found"; \
+		fi
+
 .PHONY:
 sync:
 	git submodule update --init --recursive

common/src/components/Fields.jsx

@@ -118,6 +118,89 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
     return a.field.localeCompare(b.field)
   }
 
+  // Common AWS connection fields
+  const awsFields = [
+    {
+      field: oss ? null : "connection",
+      description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`",
+      scheme: "Connection",
+    },
+    {
+      field: "accessKey",
+      description: "Access Key ID",
+      scheme: "EnvVar"
+    },
+    {
+      field: "secretKey",
+      description: "Secret Access Key",
+      scheme: "EnvVar"
+    },
+    {
+      field: "region",
+      description: "The AWS region",
+      scheme: "string"
+    },
+    {
+      field: "endpoint",
+      scheme: "string",
+      description: "Custom AWS Endpoint to use",
+    },
+    {
+      field: "skipTLSVerify",
+      description: "Skip TLS verify when connecting to AWS",
+      scheme: 'bool'
+    }
+  ]
+
+  // Common GCP connection fields
+  const gcpFields = [
+    {
+      field: oss ? null : 'connection',
+      description:
+        'The connection url to use, mutually exclusive with `credentials`',
+      scheme: 'Connection'
+    },
+    {
+      field: 'credentials',
+      description: 'The credentials to use for authentication',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'endpoint',
+      description: 'Custom GCP Endpoint to use',
+      scheme: 'string'
+    },
+    {
+      field: 'skipTLSVerify',
+      description: 'Skip TLS verification when connecting to GCP',
+      scheme: 'bool'
+    }
+  ]
+
+  // Common Azure connection fields
+  const azureFields = [
+    {
+      field: oss ? null : "connection",
+      description: "The connection url to use, mutually exclusive with `tenantId`, `clientId`, and `clientSecret`",
+      scheme: "Connection",
+    },
+    {
+      field: "tenantId",
+      description: "The Azure Active Directory tenant ID",
+      required: true
+    },
+    {
+      field: "clientId",
+      description: "The Azure client/application ID",
+      scheme: "EnvVar"
+    },
+    {
+      field: "clientSecret",
+      description: "The Azure client/application secret",
+      scheme: "EnvVar"
+    }
+  ]
+
   if (connection == "url") {
     rows = rows.concat([
       {
@@ -200,62 +283,9 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
       }
     ])
   } else if (connection == "aws") {
-    rows = rows.concat([
-      {
-        field: oss ? null : "connection",
-        description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`",
-        scheme: "Connection",
-      },
-      {
-        field: "accessKey",
-        description: "Access Key ID",
-        scheme: "EnvVar"
-      },
-      {
-        field: "secretKey",
-        description: "Secret Access Key",
-        scheme: "EnvVar"
-      },
-      {
-        field: "region",
-        description: "The AWS region",
-        scheme: "string"
-      },
-      {
-        field: "endpoint",
-        scheme: "string",
-        description: "Custom AWS Endpoint to use",
-      },
-      {
-        field: "skipTLSVerify",
-        description: "Skip TLS verify when connecting to AWS",
-        scheme: 'bool'
-      }
-    ])
+    rows = rows.concat(awsFields)
   } else if (connection == "gcp") {
-    rows = rows.concat([
-      {
-        field: oss ? null : 'connection',
-        description:
-          'The connection url to use, mutually exclusive with `credentials`',
-        scheme: 'Connection'
-      },
-      {
-        field: 'credentials',
-        description: 'The credentials to use for authentication',
-        scheme: 'EnvVar'
-      },
-      {
-        field: 'endpoint',
-        description: 'Custom GCP Endpoint to use',
-        scheme: 'string'
-      },
-      {
-        field: 'skipTLSVerify',
-        description: 'Skip TLS verification when connecting to GCP',
-        scheme: 'bool'
-      }
-    ])
+    rows = rows.concat(gcpFields)
   } else if (connection == "sftp") {
     rows = rows.concat([
       {
@@ -347,34 +377,7 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
         scheme: "[CNRM](/reference/connections/kubernetes/#cnrm-connection)",
       }])
   } else if (connection == "azure") {
-    rows = rows.concat([
-      {
-        field: oss ? null : "connection",
-        description: "The connection url to use, mutually exclusive with `tenantId`, `subscriptionId`, `clientId`, and `clientSecret`",
-        scheme: "Connection",
-      },
-      {
-        field: "tenantId",
-        description: "The Azure Active Directory tenant ID",
-        required: true
-      },
-      {
-        field: "subscriptionId",
-        description: "The Azure subscription ID",
-        required: true,
-        scheme: "EnvVar"
-      },
-      {
-        field: "clientId",
-        description: "The Azure client/application ID",
-        scheme: "EnvVar"
-      },
-      {
-        field: "clientSecret",
-        description: "The Azure client/application secret",
-        scheme: "EnvVar"
-      }
-    ])
+    rows = rows.concat(azureFields)
   } else if (connection == "openai") {
     rows = rows.concat([
       {
@@ -618,6 +621,33 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
   } else if (connection == "prometheus") {
     // Prometheus extends HTTP connection, so HTTP fields will be included
     rows = rows.concat([])
+  } else if (connection == "aws_kms") {
+    rows = rows.concat(awsFields.concat([
+      {
+        field: "keyID",
+        description: "KMS key ID, alias, or ARN. Can include region specification for aliases (e.g., alias/ExampleAlias?region=us-east-1)",
+        scheme: "string",
+        required: true
+      }
+    ]))
+  } else if (connection == "gcp_kms") {
+    rows = rows.concat(gcpFields.concat([
+      {
+        field: "keyID",
+        description: "KMS key resource path in the format: projects/PROJECT/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY",
+        scheme: "string",
+        required: true
+      }
+    ]))
+  } else if (connection == "azure_key_vault") {
+    rows = rows.concat(azureFields.concat([
+      {
+        field: "keyID",
+        description: "Key Vault key URL in the format: https://vault-name.vault.azure.net/keys/key-name",
+        scheme: "string",
+        required: true
+      }
+    ]))
   }
 
   rows = rows.concat(common.filter(row => row.required)).filter(i => i.field != null)

mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx

@@ -0,0 +1,43 @@
+---
+title: Sensitive Data
+sidebar_custom_props:
+  icon: material-symbols-light:security
+---
+
+Sensitive data includes passwords, API keys, tokens, and other confidential information that requires protection from unauthorized access or exposure. Mission Control provides comprehensive protection for sensitive data throughout the entire playbook lifecycle.
+
+## Secret Parameters
+
+Use `secret` type parameters to handle sensitive data in playbooks:
+
+```yaml
+parameters:
+  - name: database_password
+    type: secret
+    label: "Database Password"
+    description: "Password for database connection"
+    required: true
+```
+
+## KMS Connection
+
+:::info
+Your Mission Control instance **must** have a KMS connection configured to use secret parameters. 
+:::
+
+Configure this using the `--secret-keeper-connection` flag:
+
+```bash
+mission-control serve --secret-keeper-connection "connection://default/my-kms-key"
+```
+
+or in the helm chart:
+
+```yaml
+kmsConnection: "connection://default/my-kms-key"
+```
+
+Supported connection types:
+- AWS KMS
+- Azure Key Vault  
+- GCP KMS