From 409783a8e1c8a1bba0a87ca2e33449aac84a589d Mon Sep 17 00:00:00 2001
From: ben-fornefeld
Date: Sat, 18 Apr 2026 00:22:05 -0700
Subject: [PATCH 1/3] chore(terraform): load dashboard supabase DB URL from Secret Manager
---
 iac/provider-gcp/api.tf | 17 +++++++++++++++++
 iac/provider-gcp/main.tf | 10 +++++-----
 iac/provider-gcp/nomad/main.tf | 6 +++++-
 iac/provider-gcp/nomad/variables.tf | 6 ++----
 iac/provider-gcp/variables.tf | 6 ------
 5 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/iac/provider-gcp/api.tf b/iac/provider-gcp/api.tf
index 746646495c..0c106d4c20 100644
--- a/iac/provider-gcp/api.tf
+++ b/iac/provider-gcp/api.tf
@@ -27,6 +27,23 @@ resource "google_secret_manager_secret_version" "postgres_read_replica_connectio
 }
 }
+resource "google_secret_manager_secret" "supabase_db_connection_string" {
+ secret_id = "${var.prefix}supabase-db-connection-string"
+ replication {
+ auto {}
+ }
+}
+resource "google_secret_manager_secret_version" "supabase_db_connection_string" {
+ secret = google_secret_manager_secret.supabase_db_connection_string.name
+ secret_data = " "
+ lifecycle {
+ ignore_changes = [secret_data]
+ }
+}
+
 resource "random_password" "api_secret" {
 length = 32
 special = false
diff --git a/iac/provider-gcp/main.tf b/iac/provider-gcp/main.tf
index 2be4a75b4b..4b02dd428b 100644
--- a/iac/provider-gcp/main.tf
+++ b/iac/provider-gcp/main.tf
@@ -281,11 +281,11 @@ module "nomad" {
 otel_collector_resources_cpu_count = var.otel_collector_resources_cpu_count
 # Dashboard API
- dashboard_api_count = var.dashboard_api_count
- dashboard_api_admin_token_secret_name = module.init.dashboard_api_admin_token_secret_name
- supabase_db_connection_string = var.supabase_db_connection_string
- enable_auth_user_sync_background_worker = var.enable_auth_user_sync_background_worker
- enable_billing_http_team_provision_sink = var.enable_billing_http_team_provision_sink
+ dashboard_api_count = var.dashboard_api_count
+ dashboard_api_admin_token_secret_name = module.init.dashboard_api_admin_token_secret_name
+ supabase_db_connection_string_secret_version = google_secret_manager_secret_version.supabase_db_connection_string
+ enable_auth_user_sync_background_worker = var.enable_auth_user_sync_background_worker
+ enable_billing_http_team_provision_sink = var.enable_billing_http_team_provision_sink
 # Docker reverse proxy
 docker_reverse_proxy_port = var.docker_reverse_proxy_port
diff --git a/iac/provider-gcp/nomad/main.tf b/iac/provider-gcp/nomad/main.tf
index c477d09544..84cc44aed8 100644
--- a/iac/provider-gcp/nomad/main.tf
+++ b/iac/provider-gcp/nomad/main.tf
@@ -33,6 +33,10 @@ data "google_secret_manager_secret_version" "dashboard_api_admin_token" {
 secret = var.dashboard_api_admin_token_secret_name
 }
+data "google_secret_manager_secret_version" "supabase_db_connection_string" {
+ secret = var.supabase_db_connection_string_secret_version.secret
+}
+
 # Telemetry
 data "google_secret_manager_secret_version" "analytics_collector_host" {
 secret = var.analytics_collector_host_secret_name
@@ -159,7 +163,7 @@ module "dashboard_api" {
 postgres_connection_string = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
 auth_db_connection_string = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
 auth_db_read_replica_connection_string = trimspace(data.google_secret_manager_secret_version.postgres_read_replica_connection_string.secret_data)
- supabase_db_connection_string = var.supabase_db_connection_string
+ supabase_db_connection_string = trimspace(data.google_secret_manager_secret_version.supabase_db_connection_string.secret_data)
 clickhouse_connection_string = local.clickhouse_connection_string
 supabase_jwt_secrets = trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data)
 redis_url = local.redis_url
diff --git a/iac/provider-gcp/nomad/variables.tf b/iac/provider-gcp/nomad/variables.tf
index 5c950056dd..97c1fa8cb1 100644
--- a/iac/provider-gcp/nomad/variables.tf
+++ b/iac/provider-gcp/nomad/variables.tf
@@ -458,10 +458,8 @@ variable "dashboard_api_count" {
 default = 0
 }
-variable "supabase_db_connection_string" {
- type = string
- default = ""
- sensitive = true
+variable "supabase_db_connection_string_secret_version" {
+ type = any
 }
 variable "enable_auth_user_sync_background_worker" {
diff --git a/iac/provider-gcp/variables.tf b/iac/provider-gcp/variables.tf
index 6d8337fa2a..cc0ee888d8 100644
--- a/iac/provider-gcp/variables.tf
+++ b/iac/provider-gcp/variables.tf
@@ -230,12 +230,6 @@ variable "dashboard_api_count" {
 default = 0
 }
-variable "supabase_db_connection_string" {
- type = string
- default = ""
- sensitive = true
-}
-
 variable "enable_auth_user_sync_background_worker" {
 type = bool
 default = false
From f7c56b1affbe96eb66e2d574ff4fd463c04d3e9d Mon Sep 17 00:00:00 2001
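Review bot: `type = any` on the new `supabase_db_connection_string_secret_version` variable in the nomad/variables.tf hunk gives up the input validation every other secret input in this module keeps, while the only attribute the module reads from it is `.secret` (the `data "google_secret_manager_secret_version" "supabase_db_connection_string"` block added in the same patch). The narrowest fix is `type = object({ secret = string })`, which still accepts the resource object the caller passes. The sibling inputs such as `dashboard_api_admin_token_secret_name` instead take the secret's resource name as a plain string; passing `google_secret_manager_secret_version.supabase_db_connection_string.secret` that way would match them, and the reference still carries the dependency on the version resource. The later patches in this series keep the variable as `type = any`.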
From: ben-fornefeld
Date: Mon, 20 Apr 2026 11:41:32 -0700
Subject: [PATCH 2/3] refactor(terraform): move supabase db secret setup into init
---
 iac/provider-gcp/api.tf | 17 -----------------
 iac/provider-gcp/init/outputs.tf | 4 ++++
 iac/provider-gcp/init/secrets.tf | 19 +++++++++++++++++++
 iac/provider-gcp/main.tf | 2 +-
 4 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/iac/provider-gcp/api.tf b/iac/provider-gcp/api.tf
index 0c106d4c20..746646495c 100644
--- a/iac/provider-gcp/api.tf
+++ b/iac/provider-gcp/api.tf
@@ -27,23 +27,6 @@ resource "google_secret_manager_secret_version" "postgres_read_replica_connectio
 }
 }
-resource "google_secret_manager_secret" "supabase_db_connection_string" {
- secret_id = "${var.prefix}supabase-db-connection-string"
-
- replication {
- auto {}
- }
-}
-
-resource "google_secret_manager_secret_version" "supabase_db_connection_string" {
- secret = google_secret_manager_secret.supabase_db_connection_string.name
- secret_data = " "
-
- lifecycle {
- ignore_changes = [secret_data]
- }
-}
-
 resource "random_password" "api_secret" {
 length = 32
 special = false
diff --git a/iac/provider-gcp/init/outputs.tf b/iac/provider-gcp/init/outputs.tf
index 738ff22cdf..4c62a1f908 100644
--- a/iac/provider-gcp/init/outputs.tf
+++ b/iac/provider-gcp/init/outputs.tf
@@ -70,6 +70,10 @@ output "supabase_jwt_secret_name" {
 value = google_secret_manager_secret_version.supabase_jwt_secrets.secret
 }
+output "supabase_db_connection_string_secret_version" {
+ value = google_secret_manager_secret_version.supabase_db_connection_string
+}
+
 output "postgres_connection_string_secret_name" {
 value = google_secret_manager_secret.postgres_connection_string.name
 }
diff --git a/iac/provider-gcp/init/secrets.tf b/iac/provider-gcp/init/secrets.tf
index 8412453553..0750024627 100644
--- a/iac/provider-gcp/init/secrets.tf
+++ b/iac/provider-gcp/init/secrets.tf
@@ -210,6 +210,25 @@ resource "google_secret_manager_secret" "supabase_jwt_secrets" {
 depends_on = [time_sleep.secrets_api_wait_60_seconds]
 }
+resource "google_secret_manager_secret" "supabase_db_connection_string" {
+ secret_id = "${var.prefix}supabase-db-connection-string"
+
+ replication {
+ auto {}
+ }
+
+ depends_on = [time_sleep.secrets_api_wait_60_seconds]
+}
+
+resource "google_secret_manager_secret_version" "supabase_db_connection_string" {
+ secret = google_secret_manager_secret.supabase_db_connection_string.name
+ secret_data = " "
+
+ lifecycle {
+ ignore_changes = [secret_data]
+ }
+}
+
 resource "google_secret_manager_secret_version" "supabase_jwt_secrets" {
 secret = google_secret_manager_secret.supabase_jwt_secrets.name
 secret_data = " "
diff --git a/iac/provider-gcp/main.tf b/iac/provider-gcp/main.tf
index 4b02dd428b..beaba6a6e7 100644
--- a/iac/provider-gcp/main.tf
+++ b/iac/provider-gcp/main.tf
@@ -283,7 +283,7 @@ module "nomad" {
 # Dashboard API
 dashboard_api_count = var.dashboard_api_count
 dashboard_api_admin_token_secret_name = module.init.dashboard_api_admin_token_secret_name
- supabase_db_connection_string_secret_version = google_secret_manager_secret_version.supabase_db_connection_string
+ supabase_db_connection_string_secret_version = module.init.supabase_db_connection_string_secret_version
 enable_auth_user_sync_background_worker = var.enable_auth_user_sync_background_worker
 enable_billing_http_team_provision_sink = var.enable_billing_http_team_provision_sink
From 50e0a273c05195d2fd3b293a02b75e0cae6d32b0 Mon Sep 17 00:00:00 2001
From: ben-fornefeld
Date: Tue, 21 Apr 2026 09:51:45 -0700
Subject: [PATCH 3/3] fix(terraform): keep supabase db secret migration compatible
---
 iac/provider-gcp/main.tf | 1 +
 iac/provider-gcp/nomad/main.tf | 17 +++++++++--------
 iac/provider-gcp/nomad/variables.tf | 6 ++++++
 iac/provider-gcp/variables.tf | 6 ++++++
 4 files changed, 22 insertions(+), 8 deletions(-)
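Review bot: The placeholder `secret_data = " "` with `ignore_changes = [secret_data]` on the new `google_secret_manager_secret_version` in the init/secrets.tf hunk is not explained, and the sibling `supabase_jwt_secrets` version right below uses the same pattern without a comment either. A reader has to infer that the real connection string is presumably written as a later version outside Terraform so it never enters state, and that a consumer reading the latest version sees only whitespace until that happens. A comment above the version resource would carry that: `# Placeholder first version only. The real connection string is added as a newer version outside Terraform (ignore_changes keeps it out of state); consumers must treat a whitespace-only value as unset.`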
diff --git a/iac/provider-gcp/main.tf b/iac/provider-gcp/main.tf
index beaba6a6e7..271cf7f8f2 100644
--- a/iac/provider-gcp/main.tf
+++ b/iac/provider-gcp/main.tf
@@ -284,6 +284,7 @@ module "nomad" {
 dashboard_api_count = var.dashboard_api_count
 dashboard_api_admin_token_secret_name = module.init.dashboard_api_admin_token_secret_name
 supabase_db_connection_string_secret_version = module.init.supabase_db_connection_string_secret_version
+ supabase_db_connection_string = var.supabase_db_connection_string
 enable_auth_user_sync_background_worker = var.enable_auth_user_sync_background_worker
 enable_billing_http_team_provision_sink = var.enable_billing_http_team_provision_sink
diff --git a/iac/provider-gcp/nomad/main.tf b/iac/provider-gcp/nomad/main.tf
index 84cc44aed8..74b8378cc3 100644
--- a/iac/provider-gcp/nomad/main.tf
+++ b/iac/provider-gcp/nomad/main.tf
@@ -1,11 +1,12 @@
 locals {
- clickhouse_connection_string = var.clickhouse_server_count > 0 ? "clickhouse://${var.clickhouse_username}:${random_password.clickhouse_password.result}@clickhouse.service.consul:${var.clickhouse_server_port.port}/${var.clickhouse_database}" : ""
- redis_url = trimspace(data.google_secret_manager_secret_version.redis_cluster_url.secret_data) == "" ? "redis.service.consul:${var.redis_port.port}" : ""
- redis_cluster_url = trimspace(data.google_secret_manager_secret_version.redis_cluster_url.secret_data)
- loki_url = "http://loki.service.consul:${var.loki_service_port.port}"
- enable_billing_http_team_provision_sink = var.enable_billing_http_team_provision_sink
- dashboard_api_billing_server_url = local.enable_billing_http_team_provision_sink ? trimspace(data.google_secret_manager_secret_version.billing_server_url[0].secret_data) : ""
- dashboard_api_billing_server_api_token = local.enable_billing_http_team_provision_sink ? data.google_secret_manager_secret_version.billing_server_api_token[0].secret_data : ""
+ clickhouse_connection_string = var.clickhouse_server_count > 0 ? "clickhouse://${var.clickhouse_username}:${random_password.clickhouse_password.result}@clickhouse.service.consul:${var.clickhouse_server_port.port}/${var.clickhouse_database}" : ""
+ redis_url = trimspace(data.google_secret_manager_secret_version.redis_cluster_url.secret_data) == "" ? "redis.service.consul:${var.redis_port.port}" : ""
+ redis_cluster_url = trimspace(data.google_secret_manager_secret_version.redis_cluster_url.secret_data)
+ loki_url = "http://loki.service.consul:${var.loki_service_port.port}"
+ enable_billing_http_team_provision_sink = var.enable_billing_http_team_provision_sink
+ dashboard_api_billing_server_url = local.enable_billing_http_team_provision_sink ? trimspace(data.google_secret_manager_secret_version.billing_server_url[0].secret_data) : ""
+ dashboard_api_billing_server_api_token = local.enable_billing_http_team_provision_sink ? data.google_secret_manager_secret_version.billing_server_api_token[0].secret_data : ""
+ dashboard_api_supabase_db_connection_string = trimspace(data.google_secret_manager_secret_version.supabase_db_connection_string.secret_data) != "" ? trimspace(data.google_secret_manager_secret_version.supabase_db_connection_string.secret_data) : var.supabase_db_connection_string
 }
 # API
@@ -163,7 +164,7 @@ module "dashboard_api" {
 postgres_connection_string = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
 auth_db_connection_string = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
 auth_db_read_replica_connection_string = trimspace(data.google_secret_manager_secret_version.postgres_read_replica_connection_string.secret_data)
- supabase_db_connection_string = trimspace(data.google_secret_manager_secret_version.supabase_db_connection_string.secret_data)
+ supabase_db_connection_string = local.dashboard_api_supabase_db_connection_string
 clickhouse_connection_string = local.clickhouse_connection_string
 supabase_jwt_secrets = trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data)
 redis_url = local.redis_url
diff --git a/iac/provider-gcp/nomad/variables.tf b/iac/provider-gcp/nomad/variables.tf
index 97c1fa8cb1..bb258bc180 100644
--- a/iac/provider-gcp/nomad/variables.tf
+++ b/iac/provider-gcp/nomad/variables.tf
@@ -462,6 +462,12 @@ variable "supabase_db_connection_string_secret_version" {
 type = any
 }
+variable "supabase_db_connection_string" {
+ type = string
+ default = ""
+ sensitive = true
+}
+
 variable "enable_auth_user_sync_background_worker" {
 type = bool
 default = false
diff --git a/iac/provider-gcp/variables.tf b/iac/provider-gcp/variables.tf
index cc0ee888d8..bcc42df6fe 100644
--- a/iac/provider-gcp/variables.tf
+++ b/iac/provider-gcp/variables.tf
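Review bot: The new `dashboard_api_supabase_db_connection_string` local on the last added line of the `locals` hunk evaluates `trimspace(data.google_secret_manager_secret_version.supabase_db_connection_string.secret_data)` twice, once for the test and once for the value, and nothing records that the `var.supabase_db_connection_string` branch is a migration fallback rather than a permanent second source. Splitting the trimmed read into its own local removes the duplication and gives the fallback a place to be documented: `supabase_db_connection_string_from_secret = trimspace(data.google_secret_manager_secret_version.supabase_db_connection_string.secret_data)`, then `# Prefer Secret Manager; the legacy variable is only a fallback until every environment has a populated secret version.`, then `dashboard_api_supabase_db_connection_string = local.supabase_db_connection_string_from_secret != "" ? local.supabase_db_connection_string_from_secret : var.supabase_db_connection_string`. With this precedence a non-empty legacy variable is silently ignored once the secret holds a value, which is reasonable for a migration but worth stating in that comment.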
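Review bot: The re-added `supabase_db_connection_string` variable in the nomad/variables.tf hunk has no `description`, so nothing tells an operator that it is the legacy plaintext path kept only for the migration and should stay at its empty default once the Secret Manager version is populated. A one-line `description = "Legacy plaintext Supabase DB connection string; used only while the Secret Manager secret is empty. Leave unset once the secret is populated."` would carry that. The same applies to the matching variable block added to iac/provider-gcp/variables.tf in the last hunk of this patch.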
@@ -184,6 +184,12 @@ variable "client_proxy_port" {
 }
 }
+variable "supabase_db_connection_string" {
+ type = string
+ default = ""
+ sensitive = true
+}
+
 variable "loki_cluster_size" {
 type = number
 default = 0