feat: support multiple firebase audiences

[ChaoticTempest]

addresses #251

the OIDC token already has the audience, so this PR just moves towards having only the OIDC token be a part of the verification. This should allow us to do multiple firebase audiences as the only thing preventing us before was the verification step of the token.

We don't use the audience value anywhere else, so just added a deprecation warning to the CLI flag as well.

[github-actions]

Terraform Dev Environment

Terraform Format and Style 🖌success

Format Check Output

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan

data.external.git_checkout: Reading...
data.external.git_checkout: Read complete after 0s [id=-]
google_artifact_registry_repository.mpc_recovery: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/repositories/mpc-recovery-dev]
google_service_account.service_account: Refreshing state... [id=projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
google_project_iam_member.service-account-datastore-user: Refreshing state... [id=pagoda-discovery-platform-dev/roles/datastore.user/serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
google_service_account_iam_binding.serivce-account-iam: Refreshing state... [id=projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com/roles/iam.serviceAccountUser]
docker_image.mpc_recovery: Refreshing state... [id=sha256:9a56f69cbcf9ab1fd4f7358dca880b51d31f5e77f80023eacbda67544024f725us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:2802800630126bbbc693953c71d39966e70e7c8e]
docker_registry_image.mpc_recovery: Refreshing state... [id=sha256:1e44a730677bae9ebb07839d79899748b4660366e3d5aff8e5edfb1c56d44ed0]
module.signer[1].google_secret_manager_secret.cipher_key: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev]
module.signer[2].google_secret_manager_secret.cipher_key: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev]
module.signer[0].google_secret_manager_secret.cipher_key: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev]
module.signer[0].google_secret_manager_secret.secret_share: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev]
module.signer[1].google_secret_manager_secret.secret_share: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev]
module.signer[2].google_secret_manager_secret.secret_share: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev]
module.signer[2].google_secret_manager_secret_version.cipher_key_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-2-dev/versions/1]
module.signer[2].google_secret_manager_secret_iam_member.secret_share_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_version.secret_share_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-secret-share-2-dev/versions/1]
module.signer[0].google_secret_manager_secret_iam_member.secret_share_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_secret_manager_secret_version.secret_share_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-secret-share-0-dev/versions/1]
module.signer[2].google_secret_manager_secret_iam_member.cipher_key_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[1].google_secret_manager_secret_version.secret_share_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-secret-share-1-dev/versions/1]
module.signer[1].google_secret_manager_secret_version.cipher_key_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-1-dev/versions/1]
module.signer[1].google_secret_manager_secret_iam_member.secret_share_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_secret_manager_secret_version.cipher_key_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-0-dev/versions/1]
module.signer[0].google_secret_manager_secret_iam_member.cipher_key_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[1].google_secret_manager_secret_iam_member.cipher_key_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_cloud_run_v2_service.signer: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev]
module.signer[0].google_cloud_run_v2_service.signer: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev]
module.signer[1].google_cloud_run_v2_service.signer: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev]
module.signer[0].google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev/roles/run.invoker/allUsers]
module.signer[1].google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev/roles/run.invoker/allUsers]
module.signer[2].google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev/roles/run.invoker/allUsers]
module.leader.google_secret_manager_secret.account_creator_sk: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev]
module.leader.google_secret_manager_secret_version.account_creator_sk_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-account-creator-sk-dev/versions/2]
module.leader.google_secret_manager_secret_iam_member.account_creator_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.leader.google_cloud_run_v2_service.leader: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev]
module.leader.google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev/roles/run.invoker/allUsers]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # docker_image.mpc_recovery has been deleted
  - resource "docker_image" "mpc_recovery" {
        id       = "sha256:9a56f69cbcf9ab1fd4f7358dca880b51d31f5e77f80023eacbda67544024f725us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:2802800630126bbbc693953c71d39966e70e7c8e"
      - name     = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:2802800630126bbbc693953c71d39966e70e7c8e" -> null
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

  # module.leader.google_cloud_run_v2_service.leader has changed
  ~ resource "google_cloud_run_v2_service" "leader" {
      + client                  = "cloud-console"
      ~ conditions              = [
          ~ {
              ~ last_transition_time = "2023-09-04T21:55:44.297930Z" -> "2023-09-05T08:41:25.730688Z"
                # (7 unchanged attributes hidden)
            },
          ~ {
              ~ last_transition_time = "2023-09-04T21:55:26.111576Z" -> "2023-09-05T08:41:06.141173Z"
                # (7 unchanged attributes hidden)
            },
        ]
      ~ etag                    = "\"CM2k2acGEMC3lP8C/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1sZWFkZXItZGV2\"" -> "\"CKHT26cGEPijp7gC/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1sZWFkZXItZGV2\""
      ~ generation              = "37" -> "38"
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev"
      ~ latest_created_revision = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev/revisions/mpc-recovery-leader-dev-00037-8zk" -> "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev/revisions/mpc-recovery-leader-dev-00038-dr8"
      ~ latest_ready_revision   = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev/revisions/mpc-recovery-leader-dev-00037-8zk" -> "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev/revisions/mpc-recovery-leader-dev-00038-dr8"
        name                    = "mpc-recovery-leader-dev"
      ~ observed_generation     = "37" -> "38"
      ~ terminal_condition      = [
          ~ {
              ~ last_transition_time = "2023-09-04T21:55:44.214336Z" -> "2023-09-05T08:41:25.645265Z"
                # (7 unchanged attributes hidden)
            },
        ]
        # (10 unchanged attributes hidden)

      ~ template {
          ~ labels                           = {
              + "client.knative.dev/nonce" = "11791463-df74-483d-9a8a-f9f11f1d10c4"
            }
            # (5 unchanged attributes hidden)

          ~ containers {
                # (3 unchanged attributes hidden)

              ~ resources {
                  ~ limits            = {
                      ~ "cpu"    = "2" -> "2000m"
                        # (1 unchanged element hidden)
                    }
                    # (2 unchanged attributes hidden)
                }

                # (12 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # docker_image.mpc_recovery will be created
  + resource "docker_image" "mpc_recovery" {
      + id          = (known after apply)
      + image_id    = (known after apply)
      + name        = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:13c78fe6c88560bf5057e3b3ce1d32f089407cf8"
      + repo_digest = (known after apply)

      + build {
          + cache_from   = []
          + context      = "/home/runner/work/mpc-recovery/mpc-recovery/infra/.."
          + dockerfile   = "Dockerfile"
          + extra_hosts  = []
          + remove       = true
          + security_opt = []
          + tag          = []
        }
    }

  # docker_registry_image.mpc_recovery must be replaced
-/+ resource "docker_registry_image" "mpc_recovery" {
      ~ id                   = "sha256:1e44a730677bae9ebb07839d79899748b4660366e3d5aff8e5edfb1c56d44ed0" -> (known after apply)
      ~ name                 = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:2802800630126bbbc693953c71d39966e70e7c8e" -> "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:13c78fe6c88560bf5057e3b3ce1d32f089407cf8" # forces replacement
      ~ sha256_digest        = "sha256:1e44a730677bae9ebb07839d79899748b4660366e3d5aff8e5edfb1c56d44ed0" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.leader.google_cloud_run_v2_service.leader will be updated in-place
  ~ resource "google_cloud_run_v2_service" "leader" {
      - client                  = "cloud-console" -> null
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev"
        name                    = "mpc-recovery-leader-dev"
        # (17 unchanged attributes hidden)

      ~ template {
          ~ labels                           = {
              - "client.knative.dev/nonce" = "11791463-df74-483d-9a8a-f9f11f1d10c4" -> null
            }
            # (5 unchanged attributes hidden)

          ~ containers {
              ~ image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:2802800630126bbbc693953c71d39966e70e7c8e" -> "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:13c78fe6c88560bf5057e3b3ce1d32f089407cf8"
                # (2 unchanged attributes hidden)

              ~ env {
                  ~ name  = "PAGODA_FIREBASE_AUDIENCE_ID" -> "MPC_RECOVERY_GCP_PROJECT_ID"
                  ~ value = "pagoda-oboarding-dev" -> "pagoda-discovery-platform-dev"
                }
              ~ env {
                  ~ name  = "MPC_RECOVERY_GCP_PROJECT_ID" -> "MPC_RECOVERY_ENV"
                  ~ value = "pagoda-discovery-platform-dev" -> "dev"
                }
              ~ env {
                  ~ name  = "MPC_RECOVERY_ENV" -> "RUST_LOG"
                  ~ value = "dev" -> "mpc_recovery=debug"
                }
              - env {
                  - name  = "RUST_LOG" -> null
                  - value = "mpc_recovery=debug" -> null
                }

              ~ resources {
                  ~ limits            = {
                      ~ "cpu"    = "2000m" -> "2"
                        # (1 unchanged element hidden)
                    }
                    # (2 unchanged attributes hidden)
                }

                # (8 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.leader.google_secret_manager_secret.allowed_oidc_providers will be created
  + resource "google_secret_manager_secret" "allowed_oidc_providers" {
      + create_time = (known after apply)
      + expire_time = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + project     = (known after apply)
      + secret_id   = "mpc-recovery-allowed-oidc-providers-leader-dev"

      + replication {
          + automatic = true
        }
    }

  # module.leader.google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access will be created
  + resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
      + etag      = (known after apply)
      + id        = (known after apply)
      + member    = "serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com"
      + project   = (known after apply)
      + role      = "roles/secretmanager.secretAccessor"
      + secret_id = (known after apply)
    }

  # module.leader.google_secret_manager_secret_version.allowed_oidc_providers_data will be created
  + resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      + create_time  = (known after apply)
      + destroy_time = (known after apply)
      + enabled      = true
      + id           = (known after apply)
      + name         = (known after apply)
      + secret       = (known after apply)
      + secret_data  = (sensitive value)
      + version      = (known after apply)
    }

  # module.signer[0].google_cloud_run_v2_service.signer will be updated in-place
  ~ resource "google_cloud_run_v2_service" "signer" {
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev"
        name                    = "mpc-recovery-signer-0-dev"
        # (17 unchanged attributes hidden)

      ~ template {
            # (6 unchanged attributes hidden)

          ~ containers {
              ~ image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:2802800630126bbbc693953c71d39966e70e7c8e" -> "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:13c78fe6c88560bf5057e3b3ce1d32f089407cf8"
                # (2 unchanged attributes hidden)

              ~ env {
                  ~ name  = "PAGODA_FIREBASE_AUDIENCE_ID" -> "MPC_RECOVERY_GCP_PROJECT_ID"
                  ~ value = "pagoda-oboarding-dev" -> "pagoda-discovery-platform-dev"
                }
              ~ env {
                  ~ name  = "MPC_RECOVERY_GCP_PROJECT_ID" -> "MPC_RECOVERY_ENV"
                  ~ value = "pagoda-discovery-platform-dev" -> "dev"
                }
              ~ env {
                  ~ name  = "MPC_RECOVERY_ENV" -> "RUST_LOG"
                  ~ value = "dev" -> "mpc_recovery=debug"
                }
              - env {
                  - name  = "RUST_LOG" -> null
                  - value = "mpc_recovery=debug" -> null
                }

                # (5 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.signer[0].google_secret_manager_secret.allowed_oidc_providers will be created
  + resource "google_secret_manager_secret" "allowed_oidc_providers" {
      + create_time = (known after apply)
      + expire_time = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + project     = (known after apply)
      + secret_id   = "mpc-recovery-allowed-oidc-providers-0-dev"

      + replication {
          + automatic = true
        }
    }

  # module.signer[0].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access will be created
  + resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
      + etag      = (known after apply)
      + id        = (known after apply)
      + member    = "serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com"
      + project   = (known after apply)
      + role      = "roles/secretmanager.secretAccessor"
      + secret_id = (known after apply)
    }

  # module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data will be created
  + resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      + create_time  = (known after apply)
      + destroy_time = (known after apply)
      + enabled      = true
      + id           = (known after apply)
      + name         = (known after apply)
      + secret       = (known after apply)
      + secret_data  = (sensitive value)
      + version      = (known after apply)
    }

  # module.signer[1].google_cloud_run_v2_service.signer will be updated in-place
  ~ resource "google_cloud_run_v2_service" "signer" {
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev"
        name                    = "mpc-recovery-signer-1-dev"
        # (17 unchanged attributes hidden)

      ~ template {
            # (6 unchanged attributes hidden)

          ~ containers {
              ~ image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:2802800630126bbbc693953c71d39966e70e7c8e" -> "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:13c78fe6c88560bf5057e3b3ce1d32f089407cf8"
                # (2 unchanged attributes hidden)

              ~ env {
                  ~ name  = "PAGODA_FIREBASE_AUDIENCE_ID" -> "MPC_RECOVERY_GCP_PROJECT_ID"
                  ~ value = "pagoda-oboarding-dev" -> "pagoda-discovery-platform-dev"
                }
              ~ env {
                  ~ name  = "MPC_RECOVERY_GCP_PROJECT_ID" -> "MPC_RECOVERY_ENV"
                  ~ value = "pagoda-discovery-platform-dev" -> "dev"
                }
              ~ env {
                  ~ name  = "MPC_RECOVERY_ENV" -> "RUST_LOG"
                  ~ value = "dev" -> "mpc_recovery=debug"
                }
              - env {
                  - name  = "RUST_LOG" -> null
                  - value = "mpc_recovery=debug" -> null
                }

                # (5 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.signer[1].google_secret_manager_secret.allowed_oidc_providers will be created
  + resource "google_secret_manager_secret" "allowed_oidc_providers" {
      + create_time = (known after apply)
      + expire_time = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + project     = (known after apply)
      + secret_id   = "mpc-recovery-allowed-oidc-providers-1-dev"

      + replication {
          + automatic = true
        }
    }

  # module.signer[1].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access will be created
  + resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
      + etag      = (known after apply)
      + id        = (known after apply)
      + member    = "serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com"
      + project   = (known after apply)
      + role      = "roles/secretmanager.secretAccessor"
      + secret_id = (known after apply)
    }

  # module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data will be created
  + resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      + create_time  = (known after apply)
      + destroy_time = (known after apply)
      + enabled      = true
      + id           = (known after apply)
      + name         = (known after apply)
      + secret       = (known after apply)
      + secret_data  = (sensitive value)
      + version      = (known after apply)
    }

  # module.signer[2].google_cloud_run_v2_service.signer will be updated in-place
  ~ resource "google_cloud_run_v2_service" "signer" {
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev"
        name                    = "mpc-recovery-signer-2-dev"
        # (17 unchanged attributes hidden)

      ~ template {
            # (6 unchanged attributes hidden)

          ~ containers {
              ~ image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:2802800630126bbbc693953c71d39966e70e7c8e" -> "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev/mpc-recovery-dev:13c78fe6c88560bf5057e3b3ce1d32f089407cf8"
                # (2 unchanged attributes hidden)

              ~ env {
                  ~ name  = "PAGODA_FIREBASE_AUDIENCE_ID" -> "MPC_RECOVERY_GCP_PROJECT_ID"
                  ~ value = "pagoda-oboarding-dev" -> "pagoda-discovery-platform-dev"
                }
              ~ env {
                  ~ name  = "MPC_RECOVERY_GCP_PROJECT_ID" -> "MPC_RECOVERY_ENV"
                  ~ value = "pagoda-discovery-platform-dev" -> "dev"
                }
              ~ env {
                  ~ name  = "MPC_RECOVERY_ENV" -> "RUST_LOG"
                  ~ value = "dev" -> "mpc_recovery=debug"
                }
              - env {
                  - name  = "RUST_LOG" -> null
                  - value = "mpc_recovery=debug" -> null
                }

                # (5 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.signer[2].google_secret_manager_secret.allowed_oidc_providers will be created
  + resource "google_secret_manager_secret" "allowed_oidc_providers" {
      + create_time = (known after apply)
      + expire_time = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + project     = (known after apply)
      + secret_id   = "mpc-recovery-allowed-oidc-providers-2-dev"

      + replication {
          + automatic = true
        }
    }

  # module.signer[2].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access will be created
  + resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
      + etag      = (known after apply)
      + id        = (known after apply)
      + member    = "serviceAccount:mpc-recovery-dev@pagoda-discovery-platform-dev.iam.gserviceaccount.com"
      + project   = (known after apply)
      + role      = "roles/secretmanager.secretAccessor"
      + secret_id = (known after apply)
    }

  # module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data will be created
  + resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      + create_time  = (known after apply)
      + destroy_time = (known after apply)
      + enabled      = true
      + id           = (known after apply)
      + name         = (known after apply)
      + secret       = (known after apply)
      + secret_data  = (sensitive value)
      + version      = (known after apply)
    }

Plan: 14 to add, 4 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @ChaoticTempest, Action: pull_request, Working Directory: ``, Workflow: Terraform Dev

[github-actions]

Terraform Feature Environment (dev-264)

Terraform Initialization ⚙️success

Terraform Apply success

Show Apply Plan

data.external.git_checkout: Reading...
data.external.git_checkout: Read complete after 0s [id=-]
google_service_account.service_account: Refreshing state... [id=projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
google_artifact_registry_repository.mpc_recovery: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/repositories/mpc-recovery-dev-264]
google_project_iam_member.service-account-datastore-user: Refreshing state... [id=pagoda-discovery-platform-dev/roles/datastore.user/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
google_service_account_iam_binding.serivce-account-iam: Refreshing state... [id=projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com/roles/iam.serviceAccountUser]
docker_image.mpc_recovery: Refreshing state... [id=sha256:7c1ce32ad28e7bc31b46e82812b6a761e5e33cc1b98ca65bbdb1051dcc738663us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:3641a97ebed184d8d8af7217e3a98b966306f402]
docker_registry_image.mpc_recovery: Refreshing state... [id=sha256:301a4a338618ed9d81d50321ac8edda318d8ce1e48b8611ae9a8b87cf4a5a39e]
module.signer[2].google_secret_manager_secret.secret_share: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev-264]
module.signer[2].google_secret_manager_secret.allowed_oidc_providers: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264]
module.signer[0].google_secret_manager_secret.cipher_key: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev-264]
module.signer[1].google_secret_manager_secret.cipher_key: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev-264]
module.signer[0].google_secret_manager_secret.allowed_oidc_providers: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264]
module.signer[1].google_secret_manager_secret.allowed_oidc_providers: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264]
module.signer[2].google_secret_manager_secret.cipher_key: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev-264]
module.signer[1].google_secret_manager_secret.secret_share: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev-264]
module.signer[0].google_secret_manager_secret.secret_share: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev-264]
module.signer[2].google_secret_manager_secret_version.secret_share_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-secret-share-2-dev-264/versions/1]
module.signer[1].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_version.cipher_key_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-2-dev-264/versions/1]
module.signer[2].google_secret_manager_secret_iam_member.secret_share_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_iam_member.cipher_key_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_secret_manager_secret_iam_member.secret_share_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_secret_manager_secret_version.cipher_key_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-0-dev-264/versions/1]
module.signer[1].google_secret_manager_secret_iam_member.secret_share_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[1].google_secret_manager_secret_version.cipher_key_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-1-dev-264/versions/1]
module.signer[0].google_secret_manager_secret_version.secret_share_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-secret-share-0-dev-264/versions/1]
module.signer[1].google_secret_manager_secret_iam_member.cipher_key_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[1].google_secret_manager_secret_version.secret_share_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-secret-share-1-dev-264/versions/1]
module.signer[0].google_secret_manager_secret_iam_member.cipher_key_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/versions/1]
module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/versions/1]
module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/versions/1]
module.signer[0].google_cloud_run_v2_service.signer: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264]
module.signer[2].google_cloud_run_v2_service.signer: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264]
module.signer[1].google_cloud_run_v2_service.signer: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264]
module.signer[2].google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264/roles/run.invoker/allUsers]
module.signer[0].google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264/roles/run.invoker/allUsers]
module.signer[1].google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264/roles/run.invoker/allUsers]
module.leader.google_secret_manager_secret.account_creator_sk: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev-264]
module.leader.google_secret_manager_secret_version.account_creator_sk_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-account-creator-sk-dev-264/versions/1]
module.leader.google_secret_manager_secret_iam_member.account_creator_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.leader.google_cloud_run_v2_service.leader: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264]
module.leader.google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264/roles/run.invoker/allUsers]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # docker_image.mpc_recovery has been deleted
  - resource "docker_image" "mpc_recovery" {
        id       = "sha256:7c1ce32ad28e7bc31b46e82812b6a761e5e33cc1b98ca65bbdb1051dcc738663us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:3641a97ebed184d8d8af7217e3a98b966306f402"
      - name     = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:3641a97ebed184d8d8af7217e3a98b966306f402" -> null
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

  # module.signer[0].google_cloud_run_v2_service.signer has changed
  ~ resource "google_cloud_run_v2_service" "signer" {
      ~ conditions              = [
          ~ {
              ~ last_transition_time = "2023-09-05T10:37:19.875188Z" -> "2023-09-05T11:11:27.808712Z"
              ~ message              = <<-EOT
                  - Revision 'mpc-recovery-signer-0-dev-264-00007-8zd' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                  + Revision 'mpc-recovery-signer-0-dev-264-00008-t2h' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                    
                  - Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-0-dev-264/revision_name/mpc-recovery-signer-0-dev-264-00007-8zd&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-0-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-0-dev-264-00007-8zd%22 
                  + Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-0-dev-264/revision_name/mpc-recovery-signer-0-dev-264-00008-t2h&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-0-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-0-dev-264-00008-t2h%22 
                    For more troubleshooting guidance, see https://cloud.google.com/run/docs/troubleshooting#container-failed-to-start
                EOT
                # (6 unchanged attributes hidden)
            },
          ~ {
              ~ last_transition_time = "2023-09-05T10:37:13.733568Z" -> "2023-09-05T11:11:20.765349Z"
                # (7 unchanged attributes hidden)
            },
        ]
      ~ etag                    = "\"CNmJ3KcGEPikptcB/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1zaWduZXItMC1kZXYtMjY0\"" -> "\"CNiZ3KcGEIj3-9YB/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1zaWduZXItMC1kZXYtMjY0\""
      ~ generation              = "7" -> "8"
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264"
      ~ latest_created_revision = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264/revisions/mpc-recovery-signer-0-dev-264-00007-8zd" -> "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264/revisions/mpc-recovery-signer-0-dev-264-00008-t2h"
      ~ latest_ready_revision   = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264/revisions/mpc-recovery-signer-0-dev-264-00006-km2" -> "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264/revisions/mpc-recovery-signer-0-dev-264-00007-8zd"
        name                    = "mpc-recovery-signer-0-dev-264"
      ~ observed_generation     = "7" -> "8"
      ~ terminal_condition      = [
          ~ {
              ~ last_transition_time = "2023-09-05T10:37:19.875188Z" -> "2023-09-05T11:11:27.808712Z"
              ~ message              = <<-EOT
                  - Revision 'mpc-recovery-signer-0-dev-264-00007-8zd' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                  + Revision 'mpc-recovery-signer-0-dev-264-00008-t2h' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                    
                  - Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-0-dev-264/revision_name/mpc-recovery-signer-0-dev-264-00007-8zd&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-0-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-0-dev-264-00007-8zd%22 
                  + Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-0-dev-264/revision_name/mpc-recovery-signer-0-dev-264-00008-t2h&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-0-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-0-dev-264-00008-t2h%22 
                    For more troubleshooting guidance, see https://cloud.google.com/run/docs/troubleshooting#container-failed-to-start
                EOT
                # (6 unchanged attributes hidden)
            },
        ]
        # (10 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.signer[1].google_cloud_run_v2_service.signer has changed
  ~ resource "google_cloud_run_v2_service" "signer" {
      ~ conditions              = [
          ~ {
              ~ last_transition_time = "2023-09-05T10:37:19.876001Z" -> "2023-09-05T11:11:26.114572Z"
              ~ message              = <<-EOT
                  - Revision 'mpc-recovery-signer-1-dev-264-00007-rll' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                  + Revision 'mpc-recovery-signer-1-dev-264-00008-6nn' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                    
                  - Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-1-dev-264/revision_name/mpc-recovery-signer-1-dev-264-00007-rll&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-1-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-1-dev-264-00007-rll%22 
                  + Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-1-dev-264/revision_name/mpc-recovery-signer-1-dev-264-00008-6nn&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-1-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-1-dev-264-00008-6nn%22 
                    For more troubleshooting guidance, see https://cloud.google.com/run/docs/troubleshooting#container-failed-to-start
                EOT
                # (6 unchanged attributes hidden)
            },
          ~ {
              ~ last_transition_time = "2023-09-05T10:37:14.636425Z" -> "2023-09-05T11:11:20.820435Z"
                # (7 unchanged attributes hidden)
            },
        ]
      ~ etag                    = "\"CNmJ3KcGEMiZr9cB/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1zaWduZXItMS1kZXYtMjY0\"" -> "\"CNiZ3KcGEID8pPwB/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1zaWduZXItMS1kZXYtMjY0\""
      ~ generation              = "7" -> "8"
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264"
      ~ latest_created_revision = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264/revisions/mpc-recovery-signer-1-dev-264-00007-rll" -> "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264/revisions/mpc-recovery-signer-1-dev-264-00008-6nn"
      ~ latest_ready_revision   = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264/revisions/mpc-recovery-signer-1-dev-264-00006-9vv" -> "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264/revisions/mpc-recovery-signer-1-dev-264-00007-rll"
        name                    = "mpc-recovery-signer-1-dev-264"
      ~ observed_generation     = "7" -> "8"
      ~ terminal_condition      = [
          ~ {
              ~ last_transition_time = "2023-09-05T10:37:19.876001Z" -> "2023-09-05T11:11:26.114572Z"
              ~ message              = <<-EOT
                  - Revision 'mpc-recovery-signer-1-dev-264-00007-rll' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                  + Revision 'mpc-recovery-signer-1-dev-264-00008-6nn' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                    
                  - Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-1-dev-264/revision_name/mpc-recovery-signer-1-dev-264-00007-rll&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-1-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-1-dev-264-00007-rll%22 
                  + Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-1-dev-264/revision_name/mpc-recovery-signer-1-dev-264-00008-6nn&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-1-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-1-dev-264-00008-6nn%22 
                    For more troubleshooting guidance, see https://cloud.google.com/run/docs/troubleshooting#container-failed-to-start
                EOT
                # (6 unchanged attributes hidden)
            },
        ]
        # (10 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.signer[2].google_cloud_run_v2_service.signer has changed
  ~ resource "google_cloud_run_v2_service" "signer" {
      ~ conditions              = [
          ~ {
              ~ last_transition_time = "2023-09-05T10:37:19.855999Z" -> "2023-09-05T11:11:27.815898Z"
              ~ message              = <<-EOT
                  - Revision 'mpc-recovery-signer-2-dev-264-00007-6bb' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                  + Revision 'mpc-recovery-signer-2-dev-264-00008-k8h' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                    
                  - Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-2-dev-264/revision_name/mpc-recovery-signer-2-dev-264-00007-6bb&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-2-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-2-dev-264-00007-6bb%22 
                  + Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-2-dev-264/revision_name/mpc-recovery-signer-2-dev-264-00008-k8h&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-2-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-2-dev-264-00008-k8h%22 
                    For more troubleshooting guidance, see https://cloud.google.com/run/docs/troubleshooting#container-failed-to-start
                EOT
                # (6 unchanged attributes hidden)
            },
          ~ {
              ~ last_transition_time = "2023-09-05T10:37:13.708418Z" -> "2023-09-05T11:11:20.676659Z"
                # (7 unchanged attributes hidden)
            },
        ]
      ~ etag                    = "\"CNmJ3KcGELj-mtgB/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1zaWduZXItMi1kZXYtMjY0\"" -> "\"CNiZ3KcGEPCModcB/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1zaWduZXItMi1kZXYtMjY0\""
      ~ generation              = "7" -> "8"
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264"
      ~ latest_created_revision = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264/revisions/mpc-recovery-signer-2-dev-264-00007-6bb" -> "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264/revisions/mpc-recovery-signer-2-dev-264-00008-k8h"
      ~ latest_ready_revision   = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264/revisions/mpc-recovery-signer-2-dev-264-00006-v77" -> "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264/revisions/mpc-recovery-signer-2-dev-264-00007-6bb"
        name                    = "mpc-recovery-signer-2-dev-264"
      ~ observed_generation     = "7" -> "8"
      ~ terminal_condition      = [
          ~ {
              ~ last_transition_time = "2023-09-05T10:37:19.855999Z" -> "2023-09-05T11:11:27.815898Z"
              ~ message              = <<-EOT
                  - Revision 'mpc-recovery-signer-2-dev-264-00007-6bb' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                  + Revision 'mpc-recovery-signer-2-dev-264-00008-k8h' is not ready and cannot serve traffic. The user-provided container failed to start and listen on the port defined provided by the PORT=3000 environment variable. Logs for this revision might contain more information.
                    
                  - Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-2-dev-264/revision_name/mpc-recovery-signer-2-dev-264-00007-6bb&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-2-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-2-dev-264-00007-6bb%22 
                  + Logs URL: https://console.cloud.google.com/logs/viewer?project=pagoda-discovery-platform-dev&resource=cloud_run_revision/service_name/mpc-recovery-signer-2-dev-264/revision_name/mpc-recovery-signer-2-dev-264-00008-k8h&advancedFilter=resource.type%3D%22cloud_run_revision%22%0Aresource.labels.service_name%3D%22mpc-recovery-signer-2-dev-264%22%0Aresource.labels.revision_name%3D%22mpc-recovery-signer-2-dev-264-00008-k8h%22 
                    For more troubleshooting guidance, see https://cloud.google.com/run/docs/troubleshooting#container-failed-to-start
                EOT
                # (6 unchanged attributes hidden)
            },
        ]
        # (10 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # docker_image.mpc_recovery will be created
  + resource "docker_image" "mpc_recovery" {
      + id          = (known after apply)
      + image_id    = (known after apply)
      + name        = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8"
      + repo_digest = (known after apply)

      + build {
          + cache_from   = []
          + context      = "/home/runner/work/mpc-recovery/mpc-recovery/infra/.."
          + dockerfile   = "Dockerfile"
          + extra_hosts  = []
          + remove       = true
          + security_opt = []
          + tag          = []
        }
    }

  # docker_registry_image.mpc_recovery must be replaced
-/+ resource "docker_registry_image" "mpc_recovery" {
      ~ id                   = "sha256:301a4a338618ed9d81d50321ac8edda318d8ce1e48b8611ae9a8b87cf4a5a39e" -> (known after apply)
      ~ name                 = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:3641a97ebed184d8d8af7217e3a98b966306f402" -> "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8" # forces replacement
      ~ sha256_digest        = "sha256:301a4a338618ed9d81d50321ac8edda318d8ce1e48b8611ae9a8b87cf4a5a39e" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.leader.google_cloud_run_v2_service.leader will be updated in-place
  ~ resource "google_cloud_run_v2_service" "leader" {
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264"
        name                    = "mpc-recovery-leader-dev-264"
        # (17 unchanged attributes hidden)

      ~ template {
            # (6 unchanged attributes hidden)

          ~ containers {
              ~ image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:94a14d5f49cffa579f2d6d87f0522af9e1e5e37a" -> "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8"
                # (2 unchanged attributes hidden)

              ~ env {
                  ~ name  = "PAGODA_FIREBASE_AUDIENCE_ID" -> "MPC_RECOVERY_GCP_PROJECT_ID"
                  ~ value = "pagoda-oboarding-dev" -> "pagoda-discovery-platform-dev"
                }
              ~ env {
                  ~ name  = "MPC_RECOVERY_GCP_PROJECT_ID" -> "MPC_RECOVERY_ENV"
                  ~ value = "pagoda-discovery-platform-dev" -> "dev-264"
                }
              ~ env {
                  ~ name  = "MPC_RECOVERY_ENV" -> "RUST_LOG"
                  ~ value = "dev-264" -> "mpc_recovery=debug"
                }
              - env {
                  - name  = "RUST_LOG" -> null
                  - value = "mpc_recovery=debug" -> null
                }

                # (9 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.leader.google_secret_manager_secret.allowed_oidc_providers will be created
  + resource "google_secret_manager_secret" "allowed_oidc_providers" {
      + create_time = (known after apply)
      + expire_time = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + project     = (known after apply)
      + secret_id   = "mpc-recovery-allowed-oidc-providers-leader-dev-264"

      + replication {
          + automatic = true
        }
    }

  # module.leader.google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access will be created
  + resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
      + etag      = (known after apply)
      + id        = (known after apply)
      + member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com"
      + project   = (known after apply)
      + role      = "roles/secretmanager.secretAccessor"
      + secret_id = (known after apply)
    }

  # module.leader.google_secret_manager_secret_version.allowed_oidc_providers_data will be created
  + resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      + create_time  = (known after apply)
      + destroy_time = (known after apply)
      + enabled      = true
      + id           = (known after apply)
      + name         = (known after apply)
      + secret       = (known after apply)
      + secret_data  = (sensitive value)
      + version      = (known after apply)
    }

  # module.signer[0].google_cloud_run_v2_service.signer will be updated in-place
  ~ resource "google_cloud_run_v2_service" "signer" {
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264"
        name                    = "mpc-recovery-signer-0-dev-264"
        # (17 unchanged attributes hidden)

      ~ template {
            # (6 unchanged attributes hidden)

          ~ containers {
              ~ image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:3641a97ebed184d8d8af7217e3a98b966306f402" -> "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8"
                # (2 unchanged attributes hidden)

                # (8 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data must be replaced
-/+ resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      ~ create_time  = "2023-09-05T09:30:36.451789Z" -> (known after apply)
      + destroy_time = (known after apply)
      ~ id           = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/versions/1" -> (known after apply)
      ~ name         = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/versions/1" -> (known after apply)
      ~ secret_data  = (sensitive value) # forces replacement
      ~ version      = "1" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.signer[1].google_cloud_run_v2_service.signer will be updated in-place
  ~ resource "google_cloud_run_v2_service" "signer" {
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264"
        name                    = "mpc-recovery-signer-1-dev-264"
        # (17 unchanged attributes hidden)

      ~ template {
            # (6 unchanged attributes hidden)

          ~ containers {
              ~ image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:3641a97ebed184d8d8af7217e3a98b966306f402" -> "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8"
                # (2 unchanged attributes hidden)

                # (8 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data must be replaced
-/+ resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      ~ create_time  = "2023-09-05T09:30:36.260881Z" -> (known after apply)
      + destroy_time = (known after apply)
      ~ id           = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/versions/1" -> (known after apply)
      ~ name         = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/versions/1" -> (known after apply)
      ~ secret_data  = (sensitive value) # forces replacement
      ~ version      = "1" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.signer[2].google_cloud_run_v2_service.signer will be updated in-place
  ~ resource "google_cloud_run_v2_service" "signer" {
        id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264"
        name                    = "mpc-recovery-signer-2-dev-264"
        # (17 unchanged attributes hidden)

      ~ template {
            # (6 unchanged attributes hidden)

          ~ containers {
              ~ image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:3641a97ebed184d8d8af7217e3a98b966306f402" -> "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8"
                # (2 unchanged attributes hidden)

                # (8 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data must be replaced
-/+ resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      ~ create_time  = "2023-09-05T09:30:36.028253Z" -> (known after apply)
      + destroy_time = (known after apply)
      ~ id           = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/versions/1" -> (known after apply)
      ~ name         = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/versions/1" -> (known after apply)
      ~ secret_data  = (sensitive value) # forces replacement
      ~ version      = "1" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

Plan: 8 to add, 4 to change, 4 to destroy.
module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/versions/1]
module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/versions/1]
module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/versions/1]
module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data: Destruction complete after 0s
module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data: Destruction complete after 0s
module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data: Destruction complete after 0s
docker_registry_image.mpc_recovery: Destroying... [id=sha256:301a4a338618ed9d81d50321ac8edda318d8ce1e48b8611ae9a8b87cf4a5a39e]
docker_registry_image.mpc_recovery: Destruction complete after 0s
docker_image.mpc_recovery: Creating...
docker_image.mpc_recovery: Still creating... [10s elapsed]
docker_image.mpc_recovery: Still creating... [20s elapsed]
docker_image.mpc_recovery: Still creating... [30s elapsed]
docker_image.mpc_recovery: Still creating... [40s elapsed]
docker_image.mpc_recovery: Still creating... [50s elapsed]
docker_image.mpc_recovery: Still creating... [1m0s elapsed]
docker_image.mpc_recovery: Still creating... [1m10s elapsed]
docker_image.mpc_recovery: Still creating... [1m20s elapsed]
docker_image.mpc_recovery: Still creating... [1m30s elapsed]
docker_image.mpc_recovery: Still creating... [1m40s elapsed]
docker_image.mpc_recovery: Still creating... [1m50s elapsed]
docker_image.mpc_recovery: Still creating... [2m0s elapsed]
docker_image.mpc_recovery: Still creating... [2m10s elapsed]
docker_image.mpc_recovery: Still creating... [2m20s elapsed]
docker_image.mpc_recovery: Still creating... [2m30s elapsed]
docker_image.mpc_recovery: Still creating... [2m40s elapsed]
docker_image.mpc_recovery: Still creating... [2m50s elapsed]
docker_image.mpc_recovery: Still creating... [3m0s elapsed]
docker_image.mpc_recovery: Still creating... [3m10s elapsed]
docker_image.mpc_recovery: Still creating... [3m20s elapsed]
docker_image.mpc_recovery: Still creating... [3m30s elapsed]
docker_image.mpc_recovery: Still creating... [3m40s elapsed]
docker_image.mpc_recovery: Still creating... [3m50s elapsed]
docker_image.mpc_recovery: Still creating... [4m0s elapsed]
docker_image.mpc_recovery: Still creating... [4m10s elapsed]
docker_image.mpc_recovery: Still creating... [4m20s elapsed]
docker_image.mpc_recovery: Still creating... [4m30s elapsed]
docker_image.mpc_recovery: Still creating... [4m40s elapsed]
docker_image.mpc_recovery: Still creating... [4m50s elapsed]
docker_image.mpc_recovery: Still creating... [5m0s elapsed]
docker_image.mpc_recovery: Still creating... [5m10s elapsed]
docker_image.mpc_recovery: Still creating... [5m20s elapsed]
docker_image.mpc_recovery: Still creating... [5m30s elapsed]
docker_image.mpc_recovery: Still creating... [5m40s elapsed]
docker_image.mpc_recovery: Still creating... [5m50s elapsed]
docker_image.mpc_recovery: Still creating... [6m0s elapsed]
docker_image.mpc_recovery: Still creating... [6m10s elapsed]
docker_image.mpc_recovery: Still creating... [6m20s elapsed]
docker_image.mpc_recovery: Still creating... [6m30s elapsed]
docker_image.mpc_recovery: Still creating... [6m40s elapsed]
docker_image.mpc_recovery: Still creating... [6m50s elapsed]
docker_image.mpc_recovery: Still creating... [7m0s elapsed]
docker_image.mpc_recovery: Still creating... [7m10s elapsed]
docker_image.mpc_recovery: Still creating... [7m20s elapsed]
docker_image.mpc_recovery: Still creating... [7m30s elapsed]
docker_image.mpc_recovery: Still creating... [7m40s elapsed]
docker_image.mpc_recovery: Still creating... [7m50s elapsed]
docker_image.mpc_recovery: Still creating... [8m0s elapsed]
docker_image.mpc_recovery: Still creating... [8m10s elapsed]
docker_image.mpc_recovery: Still creating... [8m20s elapsed]
docker_image.mpc_recovery: Still creating... [8m30s elapsed]
docker_image.mpc_recovery: Still creating... [8m40s elapsed]
docker_image.mpc_recovery: Still creating... [8m50s elapsed]
docker_image.mpc_recovery: Still creating... [9m0s elapsed]
docker_image.mpc_recovery: Still creating... [9m10s elapsed]
docker_image.mpc_recovery: Still creating... [9m20s elapsed]
docker_image.mpc_recovery: Still creating... [9m30s elapsed]
docker_image.mpc_recovery: Still creating... [9m40s elapsed]
docker_image.mpc_recovery: Still creating... [9m50s elapsed]
docker_image.mpc_recovery: Still creating... [10m0s elapsed]
docker_image.mpc_recovery: Still creating... [10m10s elapsed]
docker_image.mpc_recovery: Still creating... [10m20s elapsed]
docker_image.mpc_recovery: Still creating... [10m30s elapsed]
docker_image.mpc_recovery: Still creating... [10m40s elapsed]
docker_image.mpc_recovery: Still creating... [10m50s elapsed]
docker_image.mpc_recovery: Still creating... [11m0s elapsed]
docker_image.mpc_recovery: Still creating... [11m10s elapsed]
docker_image.mpc_recovery: Still creating... [11m20s elapsed]
docker_image.mpc_recovery: Still creating... [11m30s elapsed]
docker_image.mpc_recovery: Still creating... [11m40s elapsed]
docker_image.mpc_recovery: Still creating... [11m50s elapsed]
docker_image.mpc_recovery: Still creating... [12m0s elapsed]
docker_image.mpc_recovery: Still creating... [12m10s elapsed]
docker_image.mpc_recovery: Still creating... [12m20s elapsed]
docker_image.mpc_recovery: Still creating... [12m30s elapsed]
docker_image.mpc_recovery: Still creating... [12m40s elapsed]
docker_image.mpc_recovery: Still creating... [12m50s elapsed]
docker_image.mpc_recovery: Still creating... [13m0s elapsed]
docker_image.mpc_recovery: Creation complete after 13m9s [id=sha256:8779203ee0992703d9dcfd3b04f868e0477b57386e2b2773432945262dd61d2dus-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8]
docker_registry_image.mpc_recovery: Creating...
docker_registry_image.mpc_recovery: Creation complete after 6s [id=sha256:44d2497a0f6fcd23e9176f9a44ebb5be6cd3e4be1b643d03907cd655fec4e256]
module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data: Creating...
module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data: Creating...
module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data: Creating...
module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data: Creation complete after 1s [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/versions/2]
module.signer[1].google_cloud_run_v2_service.signer: Modifying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264]
module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data: Creation complete after 1s [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/versions/2]
module.signer[0].google_cloud_run_v2_service.signer: Modifying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264]
module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data: Creation complete after 1s [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/versions/2]
module.signer[2].google_cloud_run_v2_service.signer: Modifying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264]
module.signer[1].google_cloud_run_v2_service.signer: Still modifying... [id=projects/pagoda-discovery-platform-dev/...services/mpc-recovery-signer-1-dev-264, 10s elapsed]
module.signer[0].google_cloud_run_v2_service.signer: Still modifying... [id=projects/pagoda-discovery-platform-dev/...services/mpc-recovery-signer-0-dev-264, 10s elapsed]
module.signer[2].google_cloud_run_v2_service.signer: Still modifying... [id=projects/pagoda-discovery-platform-dev/...services/mpc-recovery-signer-2-dev-264, 10s elapsed]
module.signer[1].google_cloud_run_v2_service.signer: Still modifying... [id=projects/pagoda-discovery-platform-dev/...services/mpc-recovery-signer-1-dev-264, 20s elapsed]
module.signer[0].google_cloud_run_v2_service.signer: Still modifying... [id=projects/pagoda-discovery-platform-dev/...services/mpc-recovery-signer-0-dev-264, 20s elapsed]
module.signer[2].google_cloud_run_v2_service.signer: Still modifying... [id=projects/pagoda-discovery-platform-dev/...services/mpc-recovery-signer-2-dev-264, 20s elapsed]
module.signer[2].google_cloud_run_v2_service.signer: Modifications complete after 21s [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264]
module.signer[1].google_cloud_run_v2_service.signer: Modifications complete after 21s [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264]
module.signer[0].google_cloud_run_v2_service.signer: Modifications complete after 21s [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264]
module.leader.google_secret_manager_secret.allowed_oidc_providers: Creating...
module.leader.google_secret_manager_secret.allowed_oidc_providers: Creation complete after 0s [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264]
module.leader.google_secret_manager_secret_version.allowed_oidc_providers_data: Creating...
module.leader.google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Creating...
module.leader.google_secret_manager_secret_version.allowed_oidc_providers_data: Creation complete after 1s [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264/versions/1]
module.leader.google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Creation complete after 4s [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.leader.google_cloud_run_v2_service.leader: Modifying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264]
module.leader.google_cloud_run_v2_service.leader: Still modifying... [id=projects/pagoda-discovery-platform-dev/...1/services/mpc-recovery-leader-dev-264, 10s elapsed]
module.leader.google_cloud_run_v2_service.leader: Still modifying... [id=projects/pagoda-discovery-platform-dev/...1/services/mpc-recovery-leader-dev-264, 20s elapsed]
module.leader.google_cloud_run_v2_service.leader: Modifications complete after 21s [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264]

Apply complete! Resources: 8 added, 4 changed, 4 destroyed.

Outputs:

leader_node = "https://mpc-recovery-leader-dev-264-7tk2cmmtcq-ue.a.run.app"

Pusher: @ChaoticTempest, Action: pull_request, Working Directory: ``, Workflow: Terraform Feature Env

URL: https://mpc-recovery-leader-dev-264-7tk2cmmtcq-ue.a.run.app

[volovyks]

We can not just stop checking aud value. That is a crucial part of the Id Token. By merging the current implementation of the multi-project support we are opening a huge vector for attacks. Id Token from another project with the same user Id can get access to the key.

Instead, as we agreed at the meeting, we should whitelist supported Projects by whitelisting their aud's.

I was proposing to introduce a struct that will represent a partner. It can include aud, relayer URL, and relayer API key. The only thing that is important for this PR is aud, other parameters can be added with #249

As we discussed, it's better to keep the list of structs that represent partners outside of our codebase. Probably in terraform config.

Another important thing that we should keep in mind is that accounts for different partners should be completely separate even if the user uses the same Email. In practice, it means, that the internal_acc_id formula should be changed from iss:sub to iss:aud:sub. This should ensure that our service returns different keys for different projects for the same email (user). Since we already have the old iss:sub Pagoda project account, the internal_acc_id for them should remain the same.

[ChaoticTempest]

I was under the assumption that this would be safe since the decoding key we retrieve does a signature check on the part of the OIDC token which includes the audience as well. Does this not suffice or do we need to add in an additional check via the whitelisted audiences config?

The decoding keys are from get_pagoda_firebase_public_keys which hits "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com". Is this our specific public keys for pagoda or are these just generic firebase keys?

[ChaoticTempest]

discussed with @volovyks, in summary:

• will add an allowlist for a list of audiences (in addition to other items that will be added later after this PR)
• @itegulov we're thinking of adding this list to terraform to propagate to sign nodes as well and keep relayer API keys purely on secrets manager. WDYT?

[ChaoticTempest]

hopefully my makeshift work of terraform works out

[ChaoticTempest]

@itegulov let's just say I have no idea what I'm doing with all this terraform stuff. I'll try to fix all those, but was just trying to fit it in with what we had before with a singular audience id

[itegulov]

Also, let's add another firebase to allowlist here just to make sure that it works as expected on the feature environment

[volovyks]

probably needs to be something like "partners", "partners_list" or "partners_allowlist"

[volovyks]

Are we trying to store the partner list in secret manager here?

[ChaoticTempest]

yup, I thought that's what we discussed we'd do? I wouldn't know where else we'd store it, and doing it from terraform where we can potentially inject it would be best with defaults. Alternatively, in the future, we can just have a smart contract that stores all this metadata

[volovyks]

The name seems a bit generic. Maybe "Partner"?

[ChaoticTempest]

I feel like Partner would make it too pagoda-centric. Probably OidcProvider would be better

[volovyks]

Same here. Allowlist of what? :)

[ChaoticTempest]

@itegulov @volovyks should be good to go

[itegulov]

Tested using fastauth frontend and it seems to work!

[volovyks]

Nice work @ChaoticTempest !
@itegulov thanks for heavily testing this feature.

[github-actions]

Terraform Feature Environment Destroy (dev-264)

Terraform Initialization ⚙️success

Terraform Destroy success

Show Destroy Plan

data.external.git_checkout: Reading...
data.external.git_checkout: Read complete after 0s [id=-]
google_service_account.service_account: Refreshing state... [id=projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
google_artifact_registry_repository.mpc_recovery: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/repositories/mpc-recovery-dev-264]
google_service_account_iam_binding.serivce-account-iam: Refreshing state... [id=projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com/roles/iam.serviceAccountUser]
google_project_iam_member.service-account-datastore-user: Refreshing state... [id=pagoda-discovery-platform-dev/roles/datastore.user/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
docker_image.mpc_recovery: Refreshing state... [id=sha256:8779203ee0992703d9dcfd3b04f868e0477b57386e2b2773432945262dd61d2dus-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8]
docker_registry_image.mpc_recovery: Refreshing state... [id=sha256:44d2497a0f6fcd23e9176f9a44ebb5be6cd3e4be1b643d03907cd655fec4e256]
module.signer[2].google_secret_manager_secret.secret_share: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev-264]
module.signer[2].google_secret_manager_secret.cipher_key: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev-264]
module.signer[0].google_secret_manager_secret.secret_share: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev-264]
module.signer[1].google_secret_manager_secret.cipher_key: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev-264]
module.signer[0].google_secret_manager_secret.allowed_oidc_providers: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264]
module.signer[1].google_secret_manager_secret.secret_share: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev-264]
module.signer[1].google_secret_manager_secret.allowed_oidc_providers: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264]
module.signer[2].google_secret_manager_secret.allowed_oidc_providers: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264]
module.signer[0].google_secret_manager_secret.cipher_key: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev-264]
module.signer[1].google_secret_manager_secret_iam_member.secret_share_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_version.secret_share_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-secret-share-2-dev-264/versions/1]
module.signer[1].google_secret_manager_secret_version.cipher_key_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-1-dev-264/versions/1]
module.signer[2].google_secret_manager_secret_iam_member.secret_share_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_secret_manager_secret_iam_member.secret_share_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[1].google_secret_manager_secret_version.secret_share_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-secret-share-1-dev-264/versions/1]
module.signer[0].google_secret_manager_secret_version.secret_share_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-secret-share-0-dev-264/versions/1]
module.signer[2].google_secret_manager_secret_version.cipher_key_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-2-dev-264/versions/1]
module.signer[2].google_secret_manager_secret_iam_member.cipher_key_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_secret_manager_secret_version.cipher_key_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-0-dev-264/versions/1]
module.signer[0].google_secret_manager_secret_iam_member.cipher_key_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[1].google_secret_manager_secret_iam_member.cipher_key_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/versions/2]
module.signer[0].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/versions/2]
module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/versions/2]
module.signer[1].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[1].google_cloud_run_v2_service.signer: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264]
module.signer[2].google_cloud_run_v2_service.signer: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264]
module.signer[0].google_cloud_run_v2_service.signer: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264]
module.signer[2].google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264/roles/run.invoker/allUsers]
module.signer[0].google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264/roles/run.invoker/allUsers]
module.signer[1].google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264/roles/run.invoker/allUsers]
module.leader.google_secret_manager_secret.allowed_oidc_providers: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264]
module.leader.google_secret_manager_secret.account_creator_sk: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev-264]
module.leader.google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.leader.google_secret_manager_secret_version.allowed_oidc_providers_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264/versions/1]
module.leader.google_secret_manager_secret_version.account_creator_sk_data: Refreshing state... [id=projects/388645787527/secrets/mpc-recovery-account-creator-sk-dev-264/versions/1]
module.leader.google_secret_manager_secret_iam_member.account_creator_secret_access: Refreshing state... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.leader.google_cloud_run_v2_service.leader: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264]
module.leader.google_cloud_run_v2_service_iam_member.allow_all: Refreshing state... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264/roles/run.invoker/allUsers]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # docker_registry_image.mpc_recovery will be destroyed
  - resource "docker_registry_image" "mpc_recovery" {
      - id                   = "sha256:44d2497a0f6fcd23e9176f9a44ebb5be6cd3e4be1b643d03907cd655fec4e256" -> null
      - insecure_skip_verify = false -> null
      - keep_remotely        = true -> null
      - name                 = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8" -> null
      - sha256_digest        = "sha256:44d2497a0f6fcd23e9176f9a44ebb5be6cd3e4be1b643d03907cd655fec4e256" -> null
    }

  # google_artifact_registry_repository.mpc_recovery will be destroyed
  - resource "google_artifact_registry_repository" "mpc_recovery" {
      - create_time   = "2023-08-16T01:40:37.076564Z" -> null
      - format        = "DOCKER" -> null
      - id            = "projects/pagoda-discovery-platform-dev/locations/us-east1/repositories/mpc-recovery-dev-264" -> null
      - labels        = {} -> null
      - location      = "us-east1" -> null
      - mode          = "STANDARD_REPOSITORY" -> null
      - name          = "mpc-recovery-dev-264" -> null
      - project       = "pagoda-discovery-platform-dev" -> null
      - repository_id = "mpc-recovery-dev-264" -> null
      - update_time   = "2023-08-16T01:40:37.076564Z" -> null
    }

  # google_project_iam_member.service-account-datastore-user will be destroyed
  - resource "google_project_iam_member" "service-account-datastore-user" {
      - etag    = "BwYErMKSOFM=" -> null
      - id      = "pagoda-discovery-platform-dev/roles/datastore.user/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member  = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project = "pagoda-discovery-platform-dev" -> null
      - role    = "roles/datastore.user" -> null
    }

  # google_service_account.service_account will be destroyed
  - resource "google_service_account" "service_account" {
      - account_id   = "mpc-recovery-dev-264" -> null
      - disabled     = false -> null
      - display_name = "MPC Recovery dev-264 Account" -> null
      - email        = "mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - id           = "projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member       = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - name         = "projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project      = "pagoda-discovery-platform-dev" -> null
      - unique_id    = "102498823293615720240" -> null
    }

  # google_service_account_iam_binding.serivce-account-iam will be destroyed
  - resource "google_service_account_iam_binding" "serivce-account-iam" {
      - etag               = "BwYDAGHpTJ0=" -> null
      - id                 = "projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com/roles/iam.serviceAccountUser" -> null
      - members            = [
          - "serviceAccount:mpc-recovery@pagoda-discovery-platform-dev.iam.gserviceaccount.com",
        ] -> null
      - role               = "roles/iam.serviceAccountUser" -> null
      - service_account_id = "projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
    }

  # module.leader.google_cloud_run_v2_service.leader will be destroyed
  - resource "google_cloud_run_v2_service" "leader" {
      - annotations             = {} -> null
      - conditions              = [
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:54.947971Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "RoutesReady"
            },
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:37.473675Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "ConfigurationsReady"
            },
        ] -> null
      - etag                    = "\"CJCz3KcGEOiB0NoD/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1sZWFkZXItZGV2LTI2NA\"" -> null
      - generation              = "2" -> null
      - id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264" -> null
      - ingress                 = "INGRESS_TRAFFIC_ALL" -> null
      - labels                  = {} -> null
      - latest_created_revision = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264/revisions/mpc-recovery-leader-dev-264-00002-dsj" -> null
      - latest_ready_revision   = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264/revisions/mpc-recovery-leader-dev-264-00002-dsj" -> null
      - launch_stage            = "GA" -> null
      - location                = "us-east1" -> null
      - name                    = "mpc-recovery-leader-dev-264" -> null
      - observed_generation     = "2" -> null
      - project                 = "pagoda-discovery-platform-dev" -> null
      - reconciling             = false -> null
      - terminal_condition      = [
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:54.848398Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "Ready"
            },
        ] -> null
      - traffic_statuses        = [
          - {
              - percent  = 100
              - revision = ""
              - tag      = ""
              - type     = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
              - uri      = ""
            },
        ] -> null
      - uid                     = "fb526fd5-f9b9-4c80-8323-70f88c467992" -> null
      - uri                     = "https://mpc-recovery-leader-dev-264-7tk2cmmtcq-ue.a.run.app" -> null

      - template {
          - annotations                      = {} -> null
          - labels                           = {} -> null
          - max_instance_request_concurrency = 80 -> null
          - service_account                  = "mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
          - session_affinity                 = false -> null
          - timeout                          = "300s" -> null

          - containers {
              - args    = [
                  - "start-leader",
                ] -> null
              - command = [] -> null
              - image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8" -> null

              - env {
                  - name  = "MPC_RECOVERY_WEB_PORT" -> null
                  - value = "3000" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_SIGN_NODES" -> null
                  - value = "https://mpc-recovery-signer-0-dev-264-7tk2cmmtcq-ue.a.run.app,https://mpc-recovery-signer-1-dev-264-7tk2cmmtcq-ue.a.run.app,https://mpc-recovery-signer-2-dev-264-7tk2cmmtcq-ue.a.run.app" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_NEAR_RPC" -> null
                  - value = "https://rpc.testnet.near.org" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_RELAYER_URL" -> null
                  - value = "http://34.70.226.83:3030" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_NEAR_ROOT_ACCOUNT" -> null
                  - value = "testnet" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_ACCOUNT_CREATOR_ID" -> null
                  - value = "tmp_acount_creator.serhii.testnet" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_GCP_PROJECT_ID" -> null
                  - value = "pagoda-discovery-platform-dev" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_ENV" -> null
                  - value = "dev-264" -> null
                }
              - env {
                  - name  = "RUST_LOG" -> null
                  - value = "mpc_recovery=debug" -> null
                }

              - ports {
                  - container_port = 3000 -> null
                  - name           = "http1" -> null
                }

              - resources {
                  - cpu_idle          = false -> null
                  - limits            = {
                      - "cpu"    = "2"
                      - "memory" = "2Gi"
                    } -> null
                  - startup_cpu_boost = false -> null
                }

              - startup_probe {
                  - failure_threshold     = 1 -> null
                  - initial_delay_seconds = 0 -> null
                  - period_seconds        = 240 -> null
                  - timeout_seconds       = 240 -> null

                  - tcp_socket {
                      - port = 3000 -> null
                    }
                }
            }

          - scaling {
              - max_instance_count = 1 -> null
              - min_instance_count = 1 -> null
            }
        }

      - traffic {
          - percent = 100 -> null
          - type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST" -> null
        }
    }

  # module.leader.google_cloud_run_v2_service_iam_member.allow_all will be destroyed
  - resource "google_cloud_run_v2_service_iam_member" "allow_all" {
      - etag     = "BwYDAJDc/oM=" -> null
      - id       = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264/roles/run.invoker/allUsers" -> null
      - location = "us-east1" -> null
      - member   = "allUsers" -> null
      - name     = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264" -> null
      - project  = "pagoda-discovery-platform-dev" -> null
      - role     = "roles/run.invoker" -> null
    }

  # module.leader.google_secret_manager_secret.account_creator_sk will be destroyed
  - resource "google_secret_manager_secret" "account_creator_sk" {
      - create_time = "2023-08-16T01:53:20.372139Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-account-creator-sk-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-account-creator-sk-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.leader.google_secret_manager_secret.allowed_oidc_providers will be destroyed
  - resource "google_secret_manager_secret" "allowed_oidc_providers" {
      - create_time = "2023-09-05T12:05:33.066670Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-allowed-oidc-providers-leader-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.leader.google_secret_manager_secret_iam_member.account_creator_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "account_creator_secret_access" {
      - etag      = "BwYDAI9lAWo=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev-264" -> null
    }

  # module.leader.google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
      - etag      = "BwYEm3GlFfM=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264" -> null
    }

  # module.leader.google_secret_manager_secret_version.account_creator_sk_data will be destroyed
  - resource "google_secret_manager_secret_version" "account_creator_sk_data" {
      - create_time = "2023-08-16T01:53:20.697181Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-account-creator-sk-dev-264/versions/1" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-account-creator-sk-dev-264/versions/1" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-account-creator-sk-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "1" -> null
    }

  # module.leader.google_secret_manager_secret_version.allowed_oidc_providers_data will be destroyed
  - resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      - create_time = "2023-09-05T12:05:33.393981Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264/versions/1" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264/versions/1" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "1" -> null
    }

  # module.signer[0].google_cloud_run_v2_service.signer will be destroyed
  - resource "google_cloud_run_v2_service" "signer" {
      - annotations             = {} -> null
      - conditions              = [
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:25.899898Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "RoutesReady"
            },
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:12.298124Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "ConfigurationsReady"
            },
        ] -> null
      - etag                    = "\"CPiy3KcGELjIlg8/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1zaWduZXItMC1kZXYtMjY0\"" -> null
      - generation              = "9" -> null
      - id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264" -> null
      - ingress                 = "INGRESS_TRAFFIC_ALL" -> null
      - labels                  = {} -> null
      - latest_created_revision = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264/revisions/mpc-recovery-signer-0-dev-264-00009-t2s" -> null
      - latest_ready_revision   = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264/revisions/mpc-recovery-signer-0-dev-264-00009-t2s" -> null
      - launch_stage            = "GA" -> null
      - location                = "us-east1" -> null
      - name                    = "mpc-recovery-signer-0-dev-264" -> null
      - observed_generation     = "9" -> null
      - project                 = "pagoda-discovery-platform-dev" -> null
      - reconciling             = false -> null
      - terminal_condition      = [
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:25.801966Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "Ready"
            },
        ] -> null
      - traffic_statuses        = [
          - {
              - percent  = 100
              - revision = ""
              - tag      = ""
              - type     = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
              - uri      = ""
            },
        ] -> null
      - uid                     = "070442e3-1c00-494e-b650-77d9531f8833" -> null
      - uri                     = "https://mpc-recovery-signer-0-dev-264-7tk2cmmtcq-ue.a.run.app" -> null

      - template {
          - annotations                      = {} -> null
          - labels                           = {} -> null
          - max_instance_request_concurrency = 80 -> null
          - service_account                  = "mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
          - session_affinity                 = false -> null
          - timeout                          = "300s" -> null

          - containers {
              - args    = [
                  - "start-sign",
                ] -> null
              - command = [] -> null
              - image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8" -> null

              - env {
                  - name  = "MPC_RECOVERY_WEB_PORT" -> null
                  - value = "3000" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_NODE_ID" -> null
                  - value = "0" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_GCP_PROJECT_ID" -> null
                  - value = "pagoda-discovery-platform-dev" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_ENV" -> null
                  - value = "dev-264" -> null
                }
              - env {
                  - name  = "RUST_LOG" -> null
                  - value = "mpc_recovery=debug" -> null
                }

              - ports {
                  - container_port = 3000 -> null
                  - name           = "http1" -> null
                }

              - resources {
                  - cpu_idle          = false -> null
                  - limits            = {
                      - "cpu"    = "2"
                      - "memory" = "2Gi"
                    } -> null
                  - startup_cpu_boost = false -> null
                }

              - startup_probe {
                  - failure_threshold     = 1 -> null
                  - initial_delay_seconds = 0 -> null
                  - period_seconds        = 240 -> null
                  - timeout_seconds       = 240 -> null

                  - tcp_socket {
                      - port = 3000 -> null
                    }
                }
            }

          - scaling {
              - max_instance_count = 1 -> null
              - min_instance_count = 1 -> null
            }
        }

      - traffic {
          - percent = 100 -> null
          - type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST" -> null
        }
    }

  # module.signer[0].google_cloud_run_v2_service_iam_member.allow_all will be destroyed
  - resource "google_cloud_run_v2_service_iam_member" "allow_all" {
      - etag     = "BwYDAI8hAUQ=" -> null
      - id       = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264/roles/run.invoker/allUsers" -> null
      - location = "us-east1" -> null
      - member   = "allUsers" -> null
      - name     = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264" -> null
      - project  = "pagoda-discovery-platform-dev" -> null
      - role     = "roles/run.invoker" -> null
    }

  # module.signer[0].google_secret_manager_secret.allowed_oidc_providers will be destroyed
  - resource "google_secret_manager_secret" "allowed_oidc_providers" {
      - create_time = "2023-09-05T09:30:34.716422Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-allowed-oidc-providers-0-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.signer[0].google_secret_manager_secret.cipher_key will be destroyed
  - resource "google_secret_manager_secret" "cipher_key" {
      - create_time = "2023-08-16T01:53:00.426243Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-0-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-encryption-cipher-0-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.signer[0].google_secret_manager_secret.secret_share will be destroyed
  - resource "google_secret_manager_secret" "secret_share" {
      - create_time = "2023-08-16T01:53:00.360145Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-secret-share-0-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-secret-share-0-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.signer[0].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
      - etag      = "BwYEmUdvfYs=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264" -> null
    }

  # module.signer[0].google_secret_manager_secret_iam_member.cipher_key_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "cipher_key_secret_access" {
      - etag      = "BwYDAI5ABlc=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev-264" -> null
    }

  # module.signer[0].google_secret_manager_secret_iam_member.secret_share_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "secret_share_secret_access" {
      - etag      = "BwYDAI4z2Qs=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev-264" -> null
    }

  # module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data will be destroyed
  - resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      - create_time = "2023-09-05T12:05:11.452498Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/versions/2" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/versions/2" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "2" -> null
    }

  # module.signer[0].google_secret_manager_secret_version.cipher_key_data will be destroyed
  - resource "google_secret_manager_secret_version" "cipher_key_data" {
      - create_time = "2023-08-16T01:53:01.506402Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-0-dev-264/versions/1" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-0-dev-264/versions/1" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-0-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "1" -> null
    }

  # module.signer[0].google_secret_manager_secret_version.secret_share_data will be destroyed
  - resource "google_secret_manager_secret_version" "secret_share_data" {
      - create_time = "2023-08-16T01:53:00.969475Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-secret-share-0-dev-264/versions/1" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-secret-share-0-dev-264/versions/1" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-secret-share-0-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "1" -> null
    }

  # module.signer[1].google_cloud_run_v2_service.signer will be destroyed
  - resource "google_cloud_run_v2_service" "signer" {
      - annotations             = {} -> null
      - conditions              = [
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:28.985899Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "RoutesReady"
            },
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:12.422424Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "ConfigurationsReady"
            },
        ] -> null
      - etag                    = "\"CPiy3KcGEKDG3gY/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1zaWduZXItMS1kZXYtMjY0\"" -> null
      - generation              = "9" -> null
      - id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264" -> null
      - ingress                 = "INGRESS_TRAFFIC_ALL" -> null
      - labels                  = {} -> null
      - latest_created_revision = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264/revisions/mpc-recovery-signer-1-dev-264-00009-vt4" -> null
      - latest_ready_revision   = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264/revisions/mpc-recovery-signer-1-dev-264-00009-vt4" -> null
      - launch_stage            = "GA" -> null
      - location                = "us-east1" -> null
      - name                    = "mpc-recovery-signer-1-dev-264" -> null
      - observed_generation     = "9" -> null
      - project                 = "pagoda-discovery-platform-dev" -> null
      - reconciling             = false -> null
      - terminal_condition      = [
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:28.855002Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "Ready"
            },
        ] -> null
      - traffic_statuses        = [
          - {
              - percent  = 100
              - revision = ""
              - tag      = ""
              - type     = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
              - uri      = ""
            },
        ] -> null
      - uid                     = "756cf9f4-9278-4464-b1da-083c9be4d8ed" -> null
      - uri                     = "https://mpc-recovery-signer-1-dev-264-7tk2cmmtcq-ue.a.run.app" -> null

      - template {
          - annotations                      = {} -> null
          - labels                           = {} -> null
          - max_instance_request_concurrency = 80 -> null
          - service_account                  = "mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
          - session_affinity                 = false -> null
          - timeout                          = "300s" -> null

          - containers {
              - args    = [
                  - "start-sign",
                ] -> null
              - command = [] -> null
              - image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8" -> null

              - env {
                  - name  = "MPC_RECOVERY_WEB_PORT" -> null
                  - value = "3000" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_NODE_ID" -> null
                  - value = "1" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_GCP_PROJECT_ID" -> null
                  - value = "pagoda-discovery-platform-dev" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_ENV" -> null
                  - value = "dev-264" -> null
                }
              - env {
                  - name  = "RUST_LOG" -> null
                  - value = "mpc_recovery=debug" -> null
                }

              - ports {
                  - container_port = 3000 -> null
                  - name           = "http1" -> null
                }

              - resources {
                  - cpu_idle          = false -> null
                  - limits            = {
                      - "cpu"    = "2"
                      - "memory" = "2Gi"
                    } -> null
                  - startup_cpu_boost = false -> null
                }

              - startup_probe {
                  - failure_threshold     = 1 -> null
                  - initial_delay_seconds = 0 -> null
                  - period_seconds        = 240 -> null
                  - timeout_seconds       = 240 -> null

                  - tcp_socket {
                      - port = 3000 -> null
                    }
                }
            }

          - scaling {
              - max_instance_count = 1 -> null
              - min_instance_count = 1 -> null
            }
        }

      - traffic {
          - percent = 100 -> null
          - type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST" -> null
        }
    }

  # module.signer[1].google_cloud_run_v2_service_iam_member.allow_all will be destroyed
  - resource "google_cloud_run_v2_service_iam_member" "allow_all" {
      - etag     = "BwYDAI8X1Co=" -> null
      - id       = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264/roles/run.invoker/allUsers" -> null
      - location = "us-east1" -> null
      - member   = "allUsers" -> null
      - name     = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264" -> null
      - project  = "pagoda-discovery-platform-dev" -> null
      - role     = "roles/run.invoker" -> null
    }

  # module.signer[1].google_secret_manager_secret.allowed_oidc_providers will be destroyed
  - resource "google_secret_manager_secret" "allowed_oidc_providers" {
      - create_time = "2023-09-05T09:30:34.679878Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-allowed-oidc-providers-1-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.signer[1].google_secret_manager_secret.cipher_key will be destroyed
  - resource "google_secret_manager_secret" "cipher_key" {
      - create_time = "2023-08-16T01:53:00.360069Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-1-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-encryption-cipher-1-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.signer[1].google_secret_manager_secret.secret_share will be destroyed
  - resource "google_secret_manager_secret" "secret_share" {
      - create_time = "2023-08-16T01:53:00.347462Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-secret-share-1-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-secret-share-1-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.signer[1].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
      - etag      = "BwYEmUdvkdg=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264" -> null
    }

  # module.signer[1].google_secret_manager_secret_iam_member.cipher_key_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "cipher_key_secret_access" {
      - etag      = "BwYDAI4z3+k=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev-264" -> null
    }

  # module.signer[1].google_secret_manager_secret_iam_member.secret_share_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "secret_share_secret_access" {
      - etag      = "BwYDAI4z0XU=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev-264" -> null
    }

  # module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data will be destroyed
  - resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      - create_time = "2023-09-05T12:05:11.407284Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/versions/2" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/versions/2" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "2" -> null
    }

  # module.signer[1].google_secret_manager_secret_version.cipher_key_data will be destroyed
  - resource "google_secret_manager_secret_version" "cipher_key_data" {
      - create_time = "2023-08-16T01:53:00.955602Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-1-dev-264/versions/1" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-1-dev-264/versions/1" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-1-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "1" -> null
    }

  # module.signer[1].google_secret_manager_secret_version.secret_share_data will be destroyed
  - resource "google_secret_manager_secret_version" "secret_share_data" {
      - create_time = "2023-08-16T01:53:00.996216Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-secret-share-1-dev-264/versions/1" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-secret-share-1-dev-264/versions/1" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-secret-share-1-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "1" -> null
    }

  # module.signer[2].google_cloud_run_v2_service.signer will be destroyed
  - resource "google_cloud_run_v2_service" "signer" {
      - annotations             = {} -> null
      - conditions              = [
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:23.962316Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "RoutesReady"
            },
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:12.375965Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "ConfigurationsReady"
            },
        ] -> null
      - etag                    = "\"CPiy3KcGENi-qSk/cHJvamVjdHMvcGFnb2RhLWRpc2NvdmVyeS1wbGF0Zm9ybS1kZXYvbG9jYXRpb25zL3VzLWVhc3QxL3NlcnZpY2VzL21wYy1yZWNvdmVyeS1zaWduZXItMi1kZXYtMjY0\"" -> null
      - generation              = "9" -> null
      - id                      = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264" -> null
      - ingress                 = "INGRESS_TRAFFIC_ALL" -> null
      - labels                  = {} -> null
      - latest_created_revision = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264/revisions/mpc-recovery-signer-2-dev-264-00009-n5x" -> null
      - latest_ready_revision   = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264/revisions/mpc-recovery-signer-2-dev-264-00009-n5x" -> null
      - launch_stage            = "GA" -> null
      - location                = "us-east1" -> null
      - name                    = "mpc-recovery-signer-2-dev-264" -> null
      - observed_generation     = "9" -> null
      - project                 = "pagoda-discovery-platform-dev" -> null
      - reconciling             = false -> null
      - terminal_condition      = [
          - {
              - execution_reason     = ""
              - last_transition_time = "2023-09-05T12:05:23.857958Z"
              - message              = ""
              - reason               = ""
              - revision_reason      = ""
              - severity             = ""
              - state                = "CONDITION_SUCCEEDED"
              - type                 = "Ready"
            },
        ] -> null
      - traffic_statuses        = [
          - {
              - percent  = 100
              - revision = ""
              - tag      = ""
              - type     = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
              - uri      = ""
            },
        ] -> null
      - uid                     = "dc98b3d1-ad49-4706-9a55-13795b1be9b7" -> null
      - uri                     = "https://mpc-recovery-signer-2-dev-264-7tk2cmmtcq-ue.a.run.app" -> null

      - template {
          - annotations                      = {} -> null
          - labels                           = {} -> null
          - max_instance_request_concurrency = 80 -> null
          - service_account                  = "mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
          - session_affinity                 = false -> null
          - timeout                          = "300s" -> null

          - containers {
              - args    = [
                  - "start-sign",
                ] -> null
              - command = [] -> null
              - image   = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery-dev-264/mpc-recovery-dev-264:13c78fe6c88560bf5057e3b3ce1d32f089407cf8" -> null

              - env {
                  - name  = "MPC_RECOVERY_WEB_PORT" -> null
                  - value = "3000" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_NODE_ID" -> null
                  - value = "2" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_GCP_PROJECT_ID" -> null
                  - value = "pagoda-discovery-platform-dev" -> null
                }
              - env {
                  - name  = "MPC_RECOVERY_ENV" -> null
                  - value = "dev-264" -> null
                }
              - env {
                  - name  = "RUST_LOG" -> null
                  - value = "mpc_recovery=debug" -> null
                }

              - ports {
                  - container_port = 3000 -> null
                  - name           = "http1" -> null
                }

              - resources {
                  - cpu_idle          = false -> null
                  - limits            = {
                      - "cpu"    = "2"
                      - "memory" = "2Gi"
                    } -> null
                  - startup_cpu_boost = false -> null
                }

              - startup_probe {
                  - failure_threshold     = 1 -> null
                  - initial_delay_seconds = 0 -> null
                  - period_seconds        = 240 -> null
                  - timeout_seconds       = 240 -> null

                  - tcp_socket {
                      - port = 3000 -> null
                    }
                }
            }

          - scaling {
              - max_instance_count = 1 -> null
              - min_instance_count = 1 -> null
            }
        }

      - traffic {
          - percent = 100 -> null
          - type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST" -> null
        }
    }

  # module.signer[2].google_cloud_run_v2_service_iam_member.allow_all will be destroyed
  - resource "google_cloud_run_v2_service_iam_member" "allow_all" {
      - etag     = "BwYDAI8ZNUo=" -> null
      - id       = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264/roles/run.invoker/allUsers" -> null
      - location = "us-east1" -> null
      - member   = "allUsers" -> null
      - name     = "projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264" -> null
      - project  = "pagoda-discovery-platform-dev" -> null
      - role     = "roles/run.invoker" -> null
    }

  # module.signer[2].google_secret_manager_secret.allowed_oidc_providers will be destroyed
  - resource "google_secret_manager_secret" "allowed_oidc_providers" {
      - create_time = "2023-09-05T09:30:34.434149Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-allowed-oidc-providers-2-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.signer[2].google_secret_manager_secret.cipher_key will be destroyed
  - resource "google_secret_manager_secret" "cipher_key" {
      - create_time = "2023-08-16T01:53:00.413191Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-2-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-encryption-cipher-2-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.signer[2].google_secret_manager_secret.secret_share will be destroyed
  - resource "google_secret_manager_secret" "secret_share" {
      - create_time = "2023-08-16T01:53:00.359038Z" -> null
      - id          = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev-264" -> null
      - labels      = {} -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-secret-share-2-dev-264" -> null
      - project     = "pagoda-discovery-platform-dev" -> null
      - secret_id   = "mpc-recovery-secret-share-2-dev-264" -> null

      - replication {
          - automatic = true -> null
        }
    }

  # module.signer[2].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "allowed_oidc_providers_secret_access" {
      - etag      = "BwYEmUdq/Wg=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264" -> null
    }

  # module.signer[2].google_secret_manager_secret_iam_member.cipher_key_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "cipher_key_secret_access" {
      - etag      = "BwYDAI4z2tY=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev-264" -> null
    }

  # module.signer[2].google_secret_manager_secret_iam_member.secret_share_secret_access will be destroyed
  - resource "google_secret_manager_secret_iam_member" "secret_share_secret_access" {
      - etag      = "BwYDAI40NK0=" -> null
      - id        = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - member    = "serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com" -> null
      - project   = "pagoda-discovery-platform-dev" -> null
      - role      = "roles/secretmanager.secretAccessor" -> null
      - secret_id = "projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev-264" -> null
    }

  # module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data will be destroyed
  - resource "google_secret_manager_secret_version" "allowed_oidc_providers_data" {
      - create_time = "2023-09-05T12:05:11.452982Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/versions/2" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/versions/2" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "2" -> null
    }

  # module.signer[2].google_secret_manager_secret_version.cipher_key_data will be destroyed
  - resource "google_secret_manager_secret_version" "cipher_key_data" {
      - create_time = "2023-08-16T01:53:01.035257Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-2-dev-264/versions/1" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-2-dev-264/versions/1" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-encryption-cipher-2-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "1" -> null
    }

  # module.signer[2].google_secret_manager_secret_version.secret_share_data will be destroyed
  - resource "google_secret_manager_secret_version" "secret_share_data" {
      - create_time = "2023-08-16T01:53:00.897011Z" -> null
      - enabled     = true -> null
      - id          = "projects/388645787527/secrets/mpc-recovery-secret-share-2-dev-264/versions/1" -> null
      - name        = "projects/388645787527/secrets/mpc-recovery-secret-share-2-dev-264/versions/1" -> null
      - secret      = "projects/388645787527/secrets/mpc-recovery-secret-share-2-dev-264" -> null
      - secret_data = (sensitive value) -> null
      - version     = "1" -> null
    }

Plan: 0 to add, 0 to change, 46 to destroy.

Changes to Outputs:
  - leader_node = "https://mpc-recovery-leader-dev-264-7tk2cmmtcq-ue.a.run.app" -> null
google_service_account_iam_binding.serivce-account-iam: Destroying... [id=projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com/roles/iam.serviceAccountUser]
google_project_iam_member.service-account-datastore-user: Destroying... [id=pagoda-discovery-platform-dev/roles/datastore.user/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.leader.google_cloud_run_v2_service_iam_member.allow_all: Destroying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264/roles/run.invoker/allUsers]
google_service_account_iam_binding.serivce-account-iam: Destruction complete after 4s
module.leader.google_cloud_run_v2_service_iam_member.allow_all: Destruction complete after 5s
module.leader.google_cloud_run_v2_service.leader: Destroying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-leader-dev-264]
google_project_iam_member.service-account-datastore-user: Destruction complete after 8s
module.leader.google_cloud_run_v2_service.leader: Still destroying... [id=projects/pagoda-discovery-platform-dev/...1/services/mpc-recovery-leader-dev-264, 10s elapsed]
module.leader.google_cloud_run_v2_service.leader: Destruction complete after 10s
module.leader.google_secret_manager_secret_version.allowed_oidc_providers_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264/versions/1]
module.leader.google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.leader.google_secret_manager_secret_version.account_creator_sk_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-account-creator-sk-dev-264/versions/1]
module.leader.google_secret_manager_secret_iam_member.account_creator_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.leader.google_secret_manager_secret_version.account_creator_sk_data: Destruction complete after 0s
module.leader.google_secret_manager_secret_version.allowed_oidc_providers_data: Destruction complete after 0s
module.leader.google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Destruction complete after 4s
module.leader.google_secret_manager_secret_iam_member.account_creator_secret_access: Destruction complete after 4s
module.leader.google_secret_manager_secret.allowed_oidc_providers: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-leader-dev-264]
module.leader.google_secret_manager_secret.account_creator_sk: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-account-creator-sk-dev-264]
module.leader.google_secret_manager_secret.allowed_oidc_providers: Destruction complete after 1s
module.leader.google_secret_manager_secret.account_creator_sk: Destruction complete after 1s
module.signer[1].google_cloud_run_v2_service_iam_member.allow_all: Destroying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264/roles/run.invoker/allUsers]
module.signer[2].google_cloud_run_v2_service_iam_member.allow_all: Destroying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264/roles/run.invoker/allUsers]
module.signer[0].google_cloud_run_v2_service_iam_member.allow_all: Destroying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264/roles/run.invoker/allUsers]
module.signer[1].google_cloud_run_v2_service_iam_member.allow_all: Destruction complete after 4s
module.signer[1].google_cloud_run_v2_service.signer: Destroying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-1-dev-264]
module.signer[0].google_cloud_run_v2_service_iam_member.allow_all: Destruction complete after 4s
module.signer[0].google_cloud_run_v2_service.signer: Destroying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-0-dev-264]
module.signer[2].google_cloud_run_v2_service_iam_member.allow_all: Destruction complete after 5s
module.signer[2].google_cloud_run_v2_service.signer: Destroying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/services/mpc-recovery-signer-2-dev-264]
module.signer[1].google_cloud_run_v2_service.signer: Still destroying... [id=projects/pagoda-discovery-platform-dev/...services/mpc-recovery-signer-1-dev-264, 10s elapsed]
module.signer[0].google_cloud_run_v2_service.signer: Still destroying... [id=projects/pagoda-discovery-platform-dev/...services/mpc-recovery-signer-0-dev-264, 10s elapsed]
module.signer[2].google_cloud_run_v2_service.signer: Still destroying... [id=projects/pagoda-discovery-platform-dev/...services/mpc-recovery-signer-2-dev-264, 10s elapsed]
module.signer[1].google_cloud_run_v2_service.signer: Destruction complete after 11s
module.signer[1].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[1].google_secret_manager_secret_version.cipher_key_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-1-dev-264/versions/1]
module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264/versions/2]
module.signer[1].google_secret_manager_secret_version.secret_share_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-secret-share-1-dev-264/versions/1]
module.signer[1].google_secret_manager_secret_iam_member.secret_share_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[1].google_secret_manager_secret_iam_member.cipher_key_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_cloud_run_v2_service.signer: Destruction complete after 10s
module.signer[2].google_secret_manager_secret_version.secret_share_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-secret-share-2-dev-264/versions/1]
module.signer[2].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_iam_member.secret_share_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_cloud_run_v2_service.signer: Destruction complete after 11s
module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264/versions/2]
module.signer[1].google_secret_manager_secret_version.allowed_oidc_providers_data: Destruction complete after 0s
module.signer[1].google_secret_manager_secret_version.cipher_key_data: Destruction complete after 0s
module.signer[2].google_secret_manager_secret_iam_member.cipher_key_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_version.cipher_key_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-2-dev-264/versions/1]
module.signer[1].google_secret_manager_secret_version.secret_share_data: Destruction complete after 0s
module.signer[0].google_secret_manager_secret_version.cipher_key_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-encryption-cipher-0-dev-264/versions/1]
module.signer[2].google_secret_manager_secret_version.allowed_oidc_providers_data: Destruction complete after 0s
module.signer[0].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_version.secret_share_data: Destruction complete after 0s
module.signer[0].google_secret_manager_secret_iam_member.cipher_key_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[2].google_secret_manager_secret_version.cipher_key_data: Destruction complete after 0s
module.signer[0].google_secret_manager_secret_iam_member.secret_share_secret_access: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev-264/roles/secretmanager.secretAccessor/serviceAccount:mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
module.signer[0].google_secret_manager_secret_version.cipher_key_data: Destruction complete after 0s
module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264/versions/2]
module.signer[0].google_secret_manager_secret_version.allowed_oidc_providers_data: Destruction complete after 0s
module.signer[0].google_secret_manager_secret_version.secret_share_data: Destroying... [id=projects/388645787527/secrets/mpc-recovery-secret-share-0-dev-264/versions/1]
module.signer[0].google_secret_manager_secret_version.secret_share_data: Destruction complete after 0s
module.signer[1].google_secret_manager_secret_iam_member.cipher_key_secret_access: Destruction complete after 4s
module.signer[1].google_secret_manager_secret.cipher_key: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-1-dev-264]
module.signer[1].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Destruction complete after 4s
module.signer[1].google_secret_manager_secret_iam_member.secret_share_secret_access: Destruction complete after 4s
module.signer[1].google_secret_manager_secret.allowed_oidc_providers: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-1-dev-264]
module.signer[1].google_secret_manager_secret.secret_share: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-1-dev-264]
module.signer[2].google_secret_manager_secret_iam_member.secret_share_secret_access: Destruction complete after 4s
module.signer[2].google_secret_manager_secret.secret_share: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-2-dev-264]
module.signer[2].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Destruction complete after 4s
module.signer[0].google_secret_manager_secret_iam_member.allowed_oidc_providers_secret_access: Destruction complete after 4s
module.signer[0].google_secret_manager_secret.allowed_oidc_providers: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-0-dev-264]
module.signer[2].google_secret_manager_secret.allowed_oidc_providers: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-allowed-oidc-providers-2-dev-264]
module.signer[2].google_secret_manager_secret_iam_member.cipher_key_secret_access: Destruction complete after 4s
module.signer[2].google_secret_manager_secret.cipher_key: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-2-dev-264]
module.signer[0].google_secret_manager_secret_iam_member.secret_share_secret_access: Destruction complete after 4s
module.signer[0].google_secret_manager_secret_iam_member.cipher_key_secret_access: Destruction complete after 4s
module.signer[0].google_secret_manager_secret.secret_share: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-secret-share-0-dev-264]
module.signer[0].google_secret_manager_secret.cipher_key: Destroying... [id=projects/pagoda-discovery-platform-dev/secrets/mpc-recovery-encryption-cipher-0-dev-264]
google_service_account.service_account: Destroying... [id=projects/pagoda-discovery-platform-dev/serviceAccounts/mpc-recovery-dev-264@pagoda-discovery-platform-dev.iam.gserviceaccount.com]
google_service_account.service_account: Destruction complete after 0s
module.signer[1].google_secret_manager_secret.allowed_oidc_providers: Destruction complete after 0s
module.signer[1].google_secret_manager_secret.cipher_key: Destruction complete after 0s
module.signer[1].google_secret_manager_secret.secret_share: Destruction complete after 1s
module.signer[2].google_secret_manager_secret.allowed_oidc_providers: Destruction complete after 1s
module.signer[2].google_secret_manager_secret.secret_share: Destruction complete after 1s
module.signer[2].google_secret_manager_secret.cipher_key: Destruction complete after 1s
module.signer[0].google_secret_manager_secret.allowed_oidc_providers: Destruction complete after 1s
module.signer[0].google_secret_manager_secret.secret_share: Destruction complete after 1s
module.signer[0].google_secret_manager_secret.cipher_key: Destruction complete after 1s
docker_registry_image.mpc_recovery: Destroying... [id=sha256:44d2497a0f6fcd23e9176f9a44ebb5be6cd3e4be1b643d03907cd655fec4e256]
docker_registry_image.mpc_recovery: Destruction complete after 0s
google_artifact_registry_repository.mpc_recovery: Destroying... [id=projects/pagoda-discovery-platform-dev/locations/us-east1/repositories/mpc-recovery-dev-264]
google_artifact_registry_repository.mpc_recovery: Destruction complete after 0s

Destroy complete! Resources: 46 destroyed.

Pusher: @volovyks, Action: pull_request, Working Directory: ``, Workflow: Terraform Feature Env (Destroy)

[volovyks]

Trying to understand better how our env variables work. Probably it's better to hop on the call. cc @itegulov @ChaoticTempest

[volovyks]

And this is only for tests? I'm struggling to understand how it's set in prod, especially when we will have api_keys in the same struct.

[ChaoticTempest]

this info is being passed via the CLI. For prod, it should be taken from secrets manager. If not set, the command in DEPLOY.md will just use the default audience we already have in prod in the current state

[volovyks]

Why are we passing oidc_providers and getting them back here?:)

[ChaoticTempest]

This is just the pattern we've been using for loading these parameters from secrets manager in the case that they are None

[volovyks]

One more:

• types of envs we have
• types of envs we want to have
  (related to secret management)

[volovyks]

@ChaoticTempest thank you for all the answers!