chore(terraform): load dashboard supabase DB URL from Secret Manager

iac/provider-gcp/init/outputs.tf

@@ -70,6 +70,10 @@ output "supabase_jwt_secret_name" {
   value = google_secret_manager_secret_version.supabase_jwt_secrets.secret
 }
 
+output "supabase_db_connection_string_secret_version" {
+  value = google_secret_manager_secret_version.supabase_db_connection_string
+}
+
 output "postgres_connection_string_secret_name" {
   value = google_secret_manager_secret.postgres_connection_string.name
 }

iac/provider-gcp/init/secrets.tf

@@ -210,6 +210,25 @@ resource "google_secret_manager_secret" "supabase_jwt_secrets" {
   depends_on = [time_sleep.secrets_api_wait_60_seconds]
 }
 
+resource "google_secret_manager_secret" "supabase_db_connection_string" {
+  secret_id = "${var.prefix}supabase-db-connection-string"
+
+  replication {
+    auto {}
+  }
+
+  depends_on = [time_sleep.secrets_api_wait_60_seconds]
+}
+
+resource "google_secret_manager_secret_version" "supabase_db_connection_string" {
+  secret      = google_secret_manager_secret.supabase_db_connection_string.name
+  secret_data = " "
+
+  lifecycle {
+    ignore_changes = [secret_data]
+  }
+}
+
 resource "google_secret_manager_secret_version" "supabase_jwt_secrets" {
   secret      = google_secret_manager_secret.supabase_jwt_secrets.name
   secret_data = " "

iac/provider-gcp/main.tf

@@ -281,11 +281,11 @@ module "nomad" {
   otel_collector_resources_cpu_count = var.otel_collector_resources_cpu_count
 
   # Dashboard API
-  dashboard_api_count                     = var.dashboard_api_count
-  dashboard_api_admin_token_secret_name   = module.init.dashboard_api_admin_token_secret_name
-  supabase_db_connection_string           = var.supabase_db_connection_string
-  enable_auth_user_sync_background_worker = var.enable_auth_user_sync_background_worker
-  enable_billing_http_team_provision_sink = var.enable_billing_http_team_provision_sink
+  dashboard_api_count                          = var.dashboard_api_count
+  dashboard_api_admin_token_secret_name        = module.init.dashboard_api_admin_token_secret_name
+  supabase_db_connection_string_secret_version = module.init.supabase_db_connection_string_secret_version
+  enable_auth_user_sync_background_worker      = var.enable_auth_user_sync_background_worker
+  enable_billing_http_team_provision_sink      = var.enable_billing_http_team_provision_sink
 
   # Docker reverse proxy
   docker_reverse_proxy_port                = var.docker_reverse_proxy_port

iac/provider-gcp/nomad/main.tf

@@ -33,6 +33,10 @@ data "google_secret_manager_secret_version" "dashboard_api_admin_token" {
   secret = var.dashboard_api_admin_token_secret_name
 }
 
+data "google_secret_manager_secret_version" "supabase_db_connection_string" {
+  secret = var.supabase_db_connection_string_secret_version.secret
+}
+
 # Telemetry
 data "google_secret_manager_secret_version" "analytics_collector_host" {
   secret = var.analytics_collector_host_secret_name
@@ -159,7 +163,7 @@ module "dashboard_api" {
   postgres_connection_string              = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
   auth_db_connection_string               = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
   auth_db_read_replica_connection_string  = trimspace(data.google_secret_manager_secret_version.postgres_read_replica_connection_string.secret_data)
-  supabase_db_connection_string           = var.supabase_db_connection_string
+  supabase_db_connection_string           = trimspace(data.google_secret_manager_secret_version.supabase_db_connection_string.secret_data)
   clickhouse_connection_string            = local.clickhouse_connection_string
   supabase_jwt_secrets                    = trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data)
   redis_url                               = local.redis_url

iac/provider-gcp/nomad/variables.tf

@@ -458,10 +458,8 @@ variable "dashboard_api_count" {
   default = 0
 }
 
-variable "supabase_db_connection_string" {
-  type      = string
-  default   = ""
-  sensitive = true
+variable "supabase_db_connection_string_secret_version" {
+  type = any
 }
 
 variable "enable_auth_user_sync_background_worker" {

iac/provider-gcp/variables.tf

@@ -230,12 +230,6 @@ variable "dashboard_api_count" {
   default = 0
 }
 
-variable "supabase_db_connection_string" {
-  type      = string
-  default   = ""
-  sensitive = true
-}
-
 variable "enable_auth_user_sync_background_worker" {
   type    = bool
   default = false