Secret Distribution

The same INTERNAL_AUTH_TOKEN value is pushed to two secret stores by Terraform in a single apply:

random_password (secrets.tf)
       │
       ├── GCP Secret Manager
       │   secret_id: gateway-internal-auth-token-{env}
       │   consumer:  cf-proxy (reads at VM boot via gcloud CLI in startup script)
       │
       └── CF Secrets Store (eigenoid store)
           secret_name: gateway-{env}-internal-auth-token
           consumer:    Workers (reads at runtime via SecretBinding.get())

The push to CF Secrets Store is done by a terraform_data resource with a local-exec provisioner that calls the Cloudflare API directly. It runs on terraform apply whenever the password changes.

Rotation

Run terraform apply after terraform taint random_password.internal_auth_token. Both stores are updated atomically in the same apply. The MIG will replace the VM (new startup script picks up the new GCP SM version) and the Worker's next isolate creation will fetch the new value from CF Secrets Store.

Authentication flow — how these secrets are used at runtime
Cloudflare Workers — Worker-side secret binding configuration
Repository map — secrets.tf location

Rotation​

Related pages​

Rotation

Related pages