From 9cf283859e59a59cf463b180e7e67d83c45dd7fb Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Fri, 9 May 2025 11:58:55 -0700
Subject: [PATCH 1/3] move secrets to it's own folder

---
 index.tf | 12 +++++++++++-
 secrets/output.tf | 3 +++
 {infrastructure => secrets}/secrets.tf | 0
 secrets/variables.tf | 4 ++++
 4 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 secrets/output.tf
 rename {infrastructure => secrets}/secrets.tf (100%)
 create mode 100644 secrets/variables.tf

diff --git a/index.tf b/index.tf
index f452b0d..ecbd90b 100644
--- a/index.tf
+++ b/index.tf
@@ -14,7 +14,7 @@ module "functions" {
 project = var.project
 region = var.region
 project_id = var.project_id
- secret_ids = module.infrastructure.secret_ids
+ secret_ids = module.secrets.secret_ids
 deploy_sa_email = var.deploy_sa_email != null ? var.deploy_sa_email : module.infrastructure.deploy_sa_email
 local_variables = local.local_variables # this passes the vars in terraform.tfvars to module as a map, this is a hack to make the vars available to the yamls
 owner = var.owner
@@ -54,3 +54,13 @@ module "pubsubs" {
 module.infrastructure
 ]
 }
+
+module "secrets" {
+ source = "./secrets"
+
+ owner = var.owner
+
+ depends_on = [
+ module.infrastructure
+ ]
+}
\ No newline at end of file
diff --git a/secrets/output.tf b/secrets/output.tf
new file mode 100644
index 0000000..9b6d331
--- /dev/null
+++ b/secrets/output.tf
@@ -0,0 +1,3 @@
+output "secret_ids" {
+ value = { for s in google_secret_manager_secret.secret : s.secret_id => s.secret_id }
+}
\ No newline at end of file
diff --git a/infrastructure/secrets.tf b/secrets/secrets.tf
similarity index 100%
rename from infrastructure/secrets.tf
rename to secrets/secrets.tf
diff --git a/secrets/variables.tf b/secrets/variables.tf
new file mode 100644
index 0000000..523e104
--- /dev/null
+++ b/secrets/variables.tf
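Review bot: The new `module "secrets"` call gives `google_secret_manager_secret.secret` a different state address than it had under `module.infrastructure`, and nothing in this series tells Terraform the resource moved, so the next plan will propose destroying `module.infrastructure.google_secret_manager_secret.secret` and creating `module.secrets.google_secret_manager_secret.secret`. Because secret values are added by hand after creation (per the README text this series relocates), a recreate drops every stored version, and the Cloud Functions wired through `secret_ids` lose them. A `moved` block in index.tf beside the new module call carries the existing secrets across in state; the same applies to any other resource the renamed secrets.tf brings along, which is outside this hunk. This assumes the root module allows Terraform 1.1 or later, where `moved` blocks became available — if it is pinned lower, `terraform state mv` before the apply is the fallback.
```hcl
module "secrets" {
  # … unchanged: source, owner, depends_on …
}

# Keep the existing secrets (and their manually added versions) in state
# instead of destroying and recreating them under the new module address.
moved {
  from = module.infrastructure.google_secret_manager_secret.secret
  to   = module.secrets.google_secret_manager_secret.secret
}
```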
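Review bot: The new `secret_ids` output in secrets/output.tf has no `description`, and its `for` expression builds a map whose keys and values are both `s.secret_id`, which reads as a mistake to anyone who did not see the original in infrastructure/outputs.tf. Add `description = "Secret Manager secret IDs (names only, never values) keyed by secret_id; consumed by module.functions"` so the identity map is understood as deliberate, and a one-line comment noting the shape is kept for compatibility with the `secret_ids` input of module.functions. The iteration presumes `google_secret_manager_secret.secret` is declared with `for_each` or `count` in the renamed secrets.tf, which is not visible here.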
@@ -0,0 +1,4 @@
+variable "owner" {
+ type = string
+ description = "The owner of the project, used for tagging resources and future ownership tracking"
+}
\ No newline at end of file
From 6b3ede074d15c50084886549942883747e61686e Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Fri, 9 May 2025 11:59:24 -0700
Subject: [PATCH 2/3] update readme

---
 README.md | 7 ++-----
 secrets/readme.md | 6 ++++++
 2 files changed, 8 insertions(+), 5 deletions(-)
 create mode 100644 secrets/readme.md

diff --git a/README.md b/README.md
index 6aef11e..3e0ee7c 100644
--- a/README.md
+++ b/README.md
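Review bot: `owner` is the only variable the new module declares, yet secrets.tf arrives by a 100% similarity rename, so any `var.*` it referenced while living in the infrastructure module (index.tf passes `project`, `project_id` and `region` to the sibling modules) would now be undeclared and fail `terraform validate`; secrets.tf itself is not in this series, so please confirm. If `owner` only feeds labels, say so on the variable, e.g. `# only used to label the secrets — confirm against secrets.tf`, so the next reader knows why the module takes it. The file also ends without a trailing newline, as do index.tf and output.tf in this patch, which `terraform fmt` would normally rewrite.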
@@ -46,8 +46,5 @@ When you created a Pull Request to main on this repository, `terraform plan` wil Once merged, `terraform apply` will kick in and automatically apply changes to ensure your environment matches terraform state. # Secrets Management -Secret is a tricky item, we don't want to hardcode the secret values in Terraform for obvious reasons, but we do want to manage everything else like access in code, hence we take a special approach. We create the secret in Terraform [here](/infrastructure/secrets.tf), but not the value, which will need to be added to GCP Secret Manager after the secret was created by Terraform. -Because of this, if you try to create a secret and add it to resources (e.g. cloud function) in one terraform apply, it will guarantee to fail because the secret has no value available. There's a few workarounds for this: -1. Separate the changes to multiple terraform apply: First create the secret and apply changes, next manually add the value to it in GCP console, then make changes to resources that need access to the secret -2. Rerun terraform apply after failure: Do everything in one terraform apply and expect it to fail, even with the failure terraform should still create the secret. Manually add the secret value in GCP console, then re-run the same terraform apply, this time it should pass with no error. -3. [For people who are fast at clicking buttons] Add secret value during terraform apply: while terraform is applying, there will be a time gap between secret being created and resources getting access to it, depends on how big your terraform is it can be something like a few seconds to a few minutes. 
You can technically monitor the terraform apply log closely and once you see the secret is created, go to GCP console and add the value to it immediately, and if you are fast enough you will have the secret value ready before terraform gets to secret <> resource binding :)
\ No newline at end of file
+
+See [secrets/readme.md](secrets/readme.md) for details.
\ No newline at end of file
diff --git a/secrets/readme.md b/secrets/readme.md
new file mode 100644
index 0000000..c8f2579
--- /dev/null
+++ b/secrets/readme.md
@@ -0,0 +1,6 @@
+# Secrets Management
+Secret is a tricky item, we don't want to hardcode the secret values in Terraform for obvious reasons, but we do want to manage everything else like access in code, hence we take a special approach. We create the secret in Terraform [here](secrets.tf), but not the value, which will need to be added to GCP Secret Manager after the secret was created by Terraform.
+Because of this, if you try to create a secret and add it to resources (e.g. cloud function) in one terraform apply, it will guarantee to fail because the secret has no value available. There's a few workarounds for this:
+1. Separate the changes to multiple terraform apply: First create the secret and apply changes, next manually add the value to it in GCP console, then make changes to resources that need access to the secret
+2. Rerun terraform apply after failure: Do everything in one terraform apply and expect it to fail, even with the failure terraform should still create the secret. Manually add the secret value in GCP console, then re-run the same terraform apply, this time it should pass with no error.
+3. [For people who are fast at clicking buttons] Add secret value during terraform apply: while terraform is applying, there will be a time gap between secret being created and resources getting access to it, depends on how big your terraform is it can be something like a few seconds to a few minutes. You can technically monitor the terraform apply log closely and once you see the secret is created, go to GCP console and add the value to it immediately, and if you are fast enough you will have the secret value ready before terraform gets to secret <> resource binding :)
\ No newline at end of file
From 9b8e32f5c0c96265f34c6a36c340c41019006485 Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Fri, 9 May 2025 12:04:52 -0700
Subject: [PATCH 3/3] Update outputs.tf

---
 infrastructure/outputs.tf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/infrastructure/outputs.tf b/infrastructure/outputs.tf
index e51b22c..12187f1 100644
--- a/infrastructure/outputs.tf
+++ b/infrastructure/outputs.tf
@@ -1,8 +1,3 @@
-
-output "secret_ids" {
- value = { for s in google_secret_manager_secret.secret : s.secret_id => s.secret_id }
-}
-
 output "deploy_sa_email" {
 value = var.deploy_sa_email != null ? var.deploy_sa_email : google_service_account.gha_cloud_functions_deployment[0].email
 }