resource "docker_secret" "secrets" {
  for_each = nonsensitive(var.secrets) # tf complains about sensitive values, but keys are not sensitive

  # Because secrets names can only be 64 characters long, we're hashing the key to shorten it & make it unique.
  # This makes the key name harder to read, but it's not like we're going to look at it often anyway.
  name = "grafana_${md5("${each.key}-${replace(timestamp(), ":", ".")}")}"

  data = base64encode(each.value)
  lifecycle {
    ignore_changes        = [name]
    create_before_destroy = true
  }
}