

@sphr2k
Created September 19, 2025 10:42
GCP Secret Manager write-only secrets with automatic versioning
```hcl
locals {
  # Plaintext staging secrets (key => value) read from a local YAML file.
  # The file carries live secret material: keep it out of version control
  # and out of CI logs.
  secrets = yamldecode(file("${path.module}/secrets/secrets-staging.plain.yml"))

  # Derive a numeric version from the first 15 hex characters (60 bits) of the
  # SHA-256 hash of each secret value, so that a changed value changes
  # secret_data_wo_version and triggers replacement of the version resource.
  # Caveat: this number is persisted in state and shown in plan output, so it
  # only stays private for high-entropy values; a guessable value could be
  # recovered offline from its hash prefix.
  secret_data_wo_versions = {
    for key, value in local.secrets : key =>
    parseint(substr(sha256(tostring(value)), 0, 15), 16)
  }
}

resource "google_secret_manager_secret" "secret" {
  for_each  = local.secrets
  project   = var.project_id
  secret_id = each.key

  replication {
    user_managed {
      replicas {
        location = var.region
        customer_managed_encryption {
          kms_key_name = var.secrets_kms_key_name
        }
      }
    }
  }
}

resource "google_secret_manager_secret_version" "secret_version" {
  for_each = local.secrets
  secret   = google_secret_manager_secret.secret[each.key].id

  # Write-only argument (Terraform 1.11+): the value is sent to the API but
  # never persisted in state or plan files.
  secret_data_wo = sensitive(each.value)
  # Must change whenever the value changes, otherwise the new value is never written.
  secret_data_wo_version = local.secret_data_wo_versions[each.key]
}
```
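To reason about which secret versions an apply will replace, it helps to reproduce the version derivation outside Terraform. The script below is an added example, not part of the gist: it mirrors `parseint(substr(sha256(tostring(value)), 0, 15), 16)` in Python, including Terraform's rendering of YAML booleans and integers by `tostring()`, and diffs two snapshots of the secrets map to list the keys whose `google_secret_manager_secret_version` would be recreated. The `SECRETS_BEFORE`/`SECRETS_AFTER` dicts are constructed stand-ins for `secrets-staging.plain.yml` so the script runs offline without a YAML library; the function names are mine.

```python
"""Mirror the gist's secret_data_wo_version derivation (added example, not
part of the gist). Uses an inline dict instead of secrets-staging.plain.yml."""
import hashlib

HEX_PREFIX_LEN = 15  # 15 hex digits = 60 bits, well within Terraform's integer range


def terraform_tostring(value):
    """Mirror Terraform's tostring() for the YAML scalars the gist can hold.

    Terraform renders booleans as "true"/"false" (Python's str() would give
    "True"), integers as decimal digits, and rejects maps and lists. Floats
    are refused here because Terraform normalises e.g. 1.0 to "1" and Python
    does not; keeping secret values as strings avoids the question entirely.
    """
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return value
    raise TypeError(f"tostring() cannot convert {type(value).__name__}")


def derive_version(value):
    """secret_data_wo_version for one value, as the locals block computes it."""
    digest = hashlib.sha256(terraform_tostring(value).encode("utf-8")).hexdigest()
    return int(digest[:HEX_PREFIX_LEN], 16)


def derive_versions(secrets):
    """Equivalent of local.secret_data_wo_versions for a whole secrets map."""
    return {key: derive_version(value) for key, value in secrets.items()}


def rotated_keys(old_secrets, new_secrets):
    """Keys present in both snapshots whose derived version differs, i.e. the
    secret_version resources Terraform would replace on the next apply.
    Added or removed keys are handled by for_each (create/destroy) and are
    therefore not reported here."""
    old_v = derive_versions(old_secrets)
    new_v = derive_versions(new_secrets)
    return sorted(k for k in old_v.keys() & new_v.keys() if old_v[k] != new_v[k])


# Constructed sample data standing in for two revisions of secrets-staging.plain.yml.
SECRETS_BEFORE = {"db-password": "abc", "api-token": "token-1", "feature-flag": True}
SECRETS_AFTER = {"db-password": "abc", "api-token": "token-2", "feature-flag": True}

if __name__ == "__main__":
    for key, version in derive_versions(SECRETS_BEFORE).items():
        print(f"{key}: secret_data_wo_version = {version}")
    print("versions replaced on apply:", rotated_keys(SECRETS_BEFORE, SECRETS_AFTER))
```

Because the derived number is a plain function of the plaintext, the same script can be run in CI against the YAML file to confirm that a planned replacement is expected before `terraform apply`; note that `rotated_keys` deliberately ignores keys that appear only on one side, since those are creations or destructions rather than value rotations.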