Fix bad depends on

README.md

@@ -46,8 +46,5 @@ When you created a Pull Request to main on this repository, `terraform plan` wil
 Once merged, `terraform apply` will kick in and automatically apply changes to ensure your environment matches terraform state.
 
 # Secrets Management
-Secret is a tricky item, we don't want to hardcode the secret values in Terraform for obvious reasons, but we do want to manage everything else like access in code, hence we take a special approach. We create the secret in Terraform [here](/infrastructure/secrets.tf), but not the value, which will need to be added to GCP Secret Manager after the secret was created by Terraform.
-Because of this, if you try to create a secret and add it to resources (e.g. cloud function) in one terraform apply, it will guarantee to fail because the secret has no value available. There's a few workarounds for this: 
-1. Separate the changes to multiple terraform apply: First create the secret and apply changes, next manually add the value to it in GCP console, then make changes to resources that need access to the secret
-2. Rerun terraform apply after failure: Do everything in one terraform apply and expect it to fail, even with the failure terraform should still create the secret. Manually add the secret value in GCP console, then re-run the same terraform apply, this time it should pass with no error.
-3. [For people who are fast at clicking buttons] Add secret value during terraform apply: while terraform is applying, there will be a time gap between secret being created and resources getting access to it, depends on how big your terraform is it can be something like a few seconds to a few minutes. You can technically monitor the terraform apply log closely and once you see the secret is created, go to GCP console and add the value to it immediately, and if you are fast enough you will have the secret value ready before terraform gets to secret <> resource binding :) 
+
+See [secrets/readme.md](secrets/readme.md) for details.

index.tf

@@ -14,7 +14,7 @@ module "functions" {
   project         = var.project
   region          = var.region
   project_id      = var.project_id
-  secret_ids      = module.infrastructure.secret_ids
+  secret_ids      = module.secrets.secret_ids
   deploy_sa_email = var.deploy_sa_email != null ? var.deploy_sa_email : module.infrastructure.deploy_sa_email
   local_variables = local.local_variables # this passes the vars in terraform.tfvars to module as a map, this is a hack to make the vars available to the yamls
   owner           = var.owner
@@ -54,3 +54,13 @@ module "pubsubs" {
     module.infrastructure
   ]
 }
+
+module "secrets" {
+  source = "./secrets"
+
+  owner = var.owner
+
+  depends_on = [
+    module.infrastructure
+  ]
+}

infrastructure/outputs.tf

@@ -1,8 +1,3 @@
-
-output "secret_ids" {
-  value = { for s in google_secret_manager_secret.secret : s.secret_id => s.secret_id }
-}
-
 output "deploy_sa_email" {
   value = var.deploy_sa_email != null ? var.deploy_sa_email : google_service_account.gha_cloud_functions_deployment[0].email
 }

secrets/output.tf

@@ -0,0 +1,3 @@
+output "secret_ids" {
+  value = { for s in google_secret_manager_secret.secret : s.secret_id => s.secret_id }
+}

secrets/readme.md

@@ -0,0 +1,6 @@
+# Secrets Management
+Secret is a tricky item, we don't want to hardcode the secret values in Terraform for obvious reasons, but we do want to manage everything else like access in code, hence we take a special approach. We create the secret in Terraform [here](secrets.tf), but not the value, which will need to be added to GCP Secret Manager after the secret was created by Terraform.
+Because of this, if you try to create a secret and add it to resources (e.g. cloud function) in one terraform apply, it will guarantee to fail because the secret has no value available. There's a few workarounds for this: 
+1. Separate the changes to multiple terraform apply: First create the secret and apply changes, next manually add the value to it in GCP console, then make changes to resources that need access to the secret
+2. Rerun terraform apply after failure: Do everything in one terraform apply and expect it to fail, even with the failure terraform should still create the secret. Manually add the secret value in GCP console, then re-run the same terraform apply, this time it should pass with no error.
+3. [For people who are fast at clicking buttons] Add secret value during terraform apply: while terraform is applying, there will be a time gap between secret being created and resources getting access to it, depends on how big your terraform is it can be something like a few seconds to a few minutes. You can technically monitor the terraform apply log closely and once you see the secret is created, go to GCP console and add the value to it immediately, and if you are fast enough you will have the secret value ready before terraform gets to secret <> resource binding :) 

secrets/variables.tf

@@ -0,0 +1,4 @@
+variable "owner" {
+  type        = string
+  description = "The owner of the project, used for tagging resources and future ownership tracking"
+}