e2b-dev · dobrac · Apr 21, 2026 · Apr 18, 2026 · Apr 20, 2026 · Apr 21, 2026
diff --git a/iac/provider-gcp/api.tf b/iac/provider-gcp/api.tf
@@ -27,6 +27,23 @@ resource "google_secret_manager_secret_version" "postgres_read_replica_connectio
   }
 }
 
+resource "google_secret_manager_secret" "supabase_db_connection_string" {
+  secret_id = "${var.prefix}supabase-db-connection-string"
+
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "supabase_db_connection_string" {
+  secret      = google_secret_manager_secret.supabase_db_connection_string.name
+  secret_data = " "
+
+  lifecycle {
+    ignore_changes = [secret_data]
+  }
+}
+
 resource "random_password" "api_secret" {
   length  = 32
   special = false

@@ -281,11 +281,11 @@ module "nomad" {
   otel_collector_resources_cpu_count = var.otel_collector_resources_cpu_count
 
   # Dashboard API
-  dashboard_api_count                     = var.dashboard_api_count
-  dashboard_api_admin_token_secret_name   = module.init.dashboard_api_admin_token_secret_name
-  supabase_db_connection_string           = var.supabase_db_connection_string
-  enable_auth_user_sync_background_worker = var.enable_auth_user_sync_background_worker
-  enable_billing_http_team_provision_sink = var.enable_billing_http_team_provision_sink
+  dashboard_api_count                          = var.dashboard_api_count
+  dashboard_api_admin_token_secret_name        = module.init.dashboard_api_admin_token_secret_name
+  supabase_db_connection_string_secret_version = google_secret_manager_secret_version.supabase_db_connection_string
+  enable_auth_user_sync_background_worker      = var.enable_auth_user_sync_background_worker
+  enable_billing_http_team_provision_sink      = var.enable_billing_http_team_provision_sink
 
   # Docker reverse proxy
   docker_reverse_proxy_port                = var.docker_reverse_proxy_port

@@ -33,6 +33,10 @@ data "google_secret_manager_secret_version" "dashboard_api_admin_token" {
   secret = var.dashboard_api_admin_token_secret_name
 }
 
+data "google_secret_manager_secret_version" "supabase_db_connection_string" {
+  secret = var.supabase_db_connection_string_secret_version.secret
+}
+
 # Telemetry
 data "google_secret_manager_secret_version" "analytics_collector_host" {
   secret = var.analytics_collector_host_secret_name
@@ -159,7 +163,7 @@ module "dashboard_api" {
   postgres_connection_string              = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
   auth_db_connection_string               = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
   auth_db_read_replica_connection_string  = trimspace(data.google_secret_manager_secret_version.postgres_read_replica_connection_string.secret_data)
-  supabase_db_connection_string           = var.supabase_db_connection_string
+  supabase_db_connection_string           = trimspace(data.google_secret_manager_secret_version.supabase_db_connection_string.secret_data)
   clickhouse_connection_string            = local.clickhouse_connection_string
   supabase_jwt_secrets                    = trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data)
   redis_url                               = local.redis_url

@@ -458,10 +458,8 @@ variable "dashboard_api_count" {
   default = 0
 }
 
-variable "supabase_db_connection_string" {
-  type      = string
-  default   = ""
-  sensitive = true
+variable "supabase_db_connection_string_secret_version" {
+  type = any
 }
 
 variable "enable_auth_user_sync_background_worker" {

@@ -230,12 +230,6 @@ variable "dashboard_api_count" {
   default = 0
 }
 
-variable "supabase_db_connection_string" {
-  type      = string
-  default   = ""
-  sensitive = true
-}
-
 variable "enable_auth_user_sync_background_worker" {
   type    = bool
   default = false