
Implement Audit Logging for Coder Secrets #810

@evgeniy-scherbina

Description

As a security officer, I can audit secret access to track which workspaces have accessed what secrets and when so that I can investigate any malicious behavior or infiltration event.

| Event Type | Details to Log |
| --- | --- |
| Secret injection as ENV variable or file | User ID and name, Workspace ID and name, Timestamp (UTC), Secret name, Secret scope (User, Template, or Organization) |
| Secret create/update via CLI/API | User ID and name of initiator, ID and name of the User/Template/Organization that owns the secret, Timestamp (UTC), Secret name |
| Secret deletion via CLI/API | User ID and name of initiator, ID and name of the User/Template/Organization that owns the secret, Timestamp (UTC), Secret name |
  • Example: Workspace dev started at 0500 and had accessed (injected as env variables) SECRET_A, SECRET_B
  • Example: A user atif in workspace dev accessed personal secret SECRET_C at 0900 (CLI or API)
  • Example: A user atif in workspace dev accessed SECRET_C from at 0900 (CLI or API)
  • Example: A user atif in workspace dev updated SECRET_A at 1000 (CLI or API)
  • Example: A user atif in workspace dev deleted SECRET_B at 0900 (CLI or API)

We will de-duplicate secret access logs similar to how we currently deal with workspace app connection logging.
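As an added illustration (not code from the Coder project), the event shape below carries the fields from the table above, and the `Deduper` shows one way to collapse repeated injection events; its time-window rule is an assumption standing in for however app-connection logging de-duplicates today, and all type and field names are hypothetical.

```go
package main

import "time"

// SecretEventType enumerates the three event types the issue asks to log.
type SecretEventType string

const (
	SecretInjected SecretEventType = "secret_injected" // injected as env var or file
	SecretUpserted SecretEventType = "secret_upserted" // create/update via CLI/API
	SecretDeleted  SecretEventType = "secret_deleted"  // delete via CLI/API
)

// SecretAuditEvent carries the fields from the issue's table. Owner* is the
// User/Template/Organization that owns the secret; Workspace* is set only for
// injection events, where the workspace is the accessor.
type SecretAuditEvent struct {
	Type                       SecretEventType
	Time                       time.Time // always UTC
	ActorID, ActorName         string    // initiating user
	WorkspaceID, WorkspaceName string
	SecretName, Scope          string // scope: user, template or organization
	OwnerID, OwnerName         string
}

// Deduper collapses repeated injection events for the same workspace, scope and
// secret inside a window (assumed rule; hypothetical helper, not Coder's own).
type Deduper struct {
	window time.Duration
	last   map[string]time.Time
}

func NewDeduper(window time.Duration) *Deduper {
	return &Deduper{window: window, last: map[string]time.Time{}}
}

// ShouldLog reports whether ev must be written. Create/update/delete events
// are never suppressed: each one is a distinct action worth investigating.
func (d *Deduper) ShouldLog(ev SecretAuditEvent) bool {
	if ev.Type != SecretInjected {
		return true
	}
	key := ev.WorkspaceID + "\x00" + ev.Scope + "\x00" + ev.SecretName
	if t, ok := d.last[key]; ok && ev.Time.UTC().Sub(t) < d.window {
		return false
	}
	d.last[key] = ev.Time.UTC()
	return true
}
```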
