diff --git a/deployment/live/gcp/static-ct/cloudbuild/prod/.terraform.lock.hcl b/deployment/live/gcp/static-ct/cloudbuild/prod/.terraform.lock.hcl
index b6863ced..5e27853f 100644
--- a/deployment/live/gcp/static-ct/cloudbuild/prod/.terraform.lock.hcl
+++ b/deployment/live/gcp/static-ct/cloudbuild/prod/.terraform.lock.hcl
@@ -2,21 +2,21 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "6.12.0"
-  constraints = "6.12.0"
+  version     = "6.28.0"
+  constraints = "6.28.0"
   hashes = [
-    "h1:rvZHMkoxkHrBYQXb/waoZiD2oo3FS1AF8HoWHlb6SN8=",
-    "zh:14701aa307a832d99f567b8056a4c5e4ee5a403d984c98f024deee7507a3f29c",
-    "zh:344eca00ffb2643c2fa7f52f069b659d50bb4c9369df4cad96ea0fadb54282c8",
-    "zh:5fb57c0acfd4d30a39941900040d5518a909d8c975af0c4366a7bfd0d0bb09a8",
-    "zh:617a77048a5b9aa568e8bc706cc84307a237b2dd0e49709028b283f8bbe42475",
-    "zh:677837a05fefe0342cf4d4bdc494e8fd4d62331cac947820e73df37e8f512688",
-    "zh:7b79f6e02474eef4a1480fc6589afb63ed16b25bf019b6056f9838e2845e2ef8",
-    "zh:7d891fceb5b15e81240d829f42e1a36e4c812bfc1abe7856756e59101932205f",
-    "zh:97f1e0ac799faf382426e070e888fac36b0867597b460dc95b0e7f657de21ba9",
-    "zh:9855f2f2f5919ff6a6a2c982439c910d28c8978ad18cd8f549a5d1ba9b4dc4c3",
-    "zh:ac551367180eb396af2a50244e80243d333d600a76002e29935262d76a02290b",
-    "zh:c354f34e6579933d21a98ce7f31f4ef8aeaceb04cfaedaff6d3f3c0be56b2c79",
+    "h1:s/EZB00Y4Mct8G43Vp/X1BpDNGq9j7AbIPBj4icIv0A=",
+    "zh:2528b47d20d378283478feafdf16aade01d56d42c3283d7c904fd7a108f150f0",
+    "zh:36ef5e5b960375a166434f5836b5b957d760c34edfa256133c575e865ff4ee3c",
+    "zh:5fb97ca9465379dc5b965e407c5ccaa6c41fc1984214497fbf5b2bb49a585297",
+    "zh:78d2adcf6623f170aab3956d26d115032fecea11db4f62ee9ee76b67389546f3",
+    "zh:832bb0a957d4d1e664391186791af1cea14e0af878ea12d1b0ce5bb0a5dc98ef",
+    "zh:8c1eee42fd21b64596b72b4808595b6b1e07c3c614990e22b347c35a42360fed",
+    "zh:8fcb3165c29944d4465ce9db93daf2b9c816223bf6fcbd95818814525a706038",
+    "zh:931d05f9ba329942e6888873022e31c458048a8c2a3e42a6d1952337d2f9b240",
+    "zh:b78472cd5750b6d2d363c735a5e8d2a7bb98d0979ab7e42b8c5f9d17a2e5bbb6",
+    "zh:d203df11df368d2316894c481d34be2de9e54d1f90cec0056ef5154d06a9edc7",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:fecb0db6ab81777a0f48d315838f911753e9c5d66e22eebd491abd83c49fde2c",
   ]
 }
\ No newline at end of file
diff --git a/deployment/live/gcp/static-ct/logs/ci/.terraform.lock.hcl b/deployment/live/gcp/static-ct/logs/ci/.terraform.lock.hcl
index f5a3aab9..c898d4b9 100644
--- a/deployment/live/gcp/static-ct/logs/ci/.terraform.lock.hcl
+++ b/deployment/live/gcp/static-ct/logs/ci/.terraform.lock.hcl
@@ -2,22 +2,22 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "6.12.0"
-  constraints = "6.12.0"
+  version     = "6.28.0"
+  constraints = "6.28.0"
   hashes = [
-    "h1:rvZHMkoxkHrBYQXb/waoZiD2oo3FS1AF8HoWHlb6SN8=",
-    "zh:14701aa307a832d99f567b8056a4c5e4ee5a403d984c98f024deee7507a3f29c",
-    "zh:344eca00ffb2643c2fa7f52f069b659d50bb4c9369df4cad96ea0fadb54282c8",
-    "zh:5fb57c0acfd4d30a39941900040d5518a909d8c975af0c4366a7bfd0d0bb09a8",
-    "zh:617a77048a5b9aa568e8bc706cc84307a237b2dd0e49709028b283f8bbe42475",
-    "zh:677837a05fefe0342cf4d4bdc494e8fd4d62331cac947820e73df37e8f512688",
-    "zh:7b79f6e02474eef4a1480fc6589afb63ed16b25bf019b6056f9838e2845e2ef8",
-    "zh:7d891fceb5b15e81240d829f42e1a36e4c812bfc1abe7856756e59101932205f",
-    "zh:97f1e0ac799faf382426e070e888fac36b0867597b460dc95b0e7f657de21ba9",
-    "zh:9855f2f2f5919ff6a6a2c982439c910d28c8978ad18cd8f549a5d1ba9b4dc4c3",
-    "zh:ac551367180eb396af2a50244e80243d333d600a76002e29935262d76a02290b",
-    "zh:c354f34e6579933d21a98ce7f31f4ef8aeaceb04cfaedaff6d3f3c0be56b2c79",
+    "h1:s/EZB00Y4Mct8G43Vp/X1BpDNGq9j7AbIPBj4icIv0A=",
+    "zh:2528b47d20d378283478feafdf16aade01d56d42c3283d7c904fd7a108f150f0",
+    "zh:36ef5e5b960375a166434f5836b5b957d760c34edfa256133c575e865ff4ee3c",
+    "zh:5fb97ca9465379dc5b965e407c5ccaa6c41fc1984214497fbf5b2bb49a585297",
+    "zh:78d2adcf6623f170aab3956d26d115032fecea11db4f62ee9ee76b67389546f3",
+    "zh:832bb0a957d4d1e664391186791af1cea14e0af878ea12d1b0ce5bb0a5dc98ef",
+    "zh:8c1eee42fd21b64596b72b4808595b6b1e07c3c614990e22b347c35a42360fed",
+    "zh:8fcb3165c29944d4465ce9db93daf2b9c816223bf6fcbd95818814525a706038",
+    "zh:931d05f9ba329942e6888873022e31c458048a8c2a3e42a6d1952337d2f9b240",
+    "zh:b78472cd5750b6d2d363c735a5e8d2a7bb98d0979ab7e42b8c5f9d17a2e5bbb6",
+    "zh:d203df11df368d2316894c481d34be2de9e54d1f90cec0056ef5154d06a9edc7",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:fecb0db6ab81777a0f48d315838f911753e9c5d66e22eebd491abd83c49fde2c",
   ]
 }
 
diff --git a/deployment/live/gcp/test/.terraform.lock.hcl b/deployment/live/gcp/test/.terraform.lock.hcl
index f5a3aab9..c898d4b9 100644
--- a/deployment/live/gcp/test/.terraform.lock.hcl
+++ b/deployment/live/gcp/test/.terraform.lock.hcl
@@ -2,22 +2,22 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "6.12.0"
-  constraints = "6.12.0"
+  version     = "6.28.0"
+  constraints = "6.28.0"
   hashes = [
-    "h1:rvZHMkoxkHrBYQXb/waoZiD2oo3FS1AF8HoWHlb6SN8=",
-    "zh:14701aa307a832d99f567b8056a4c5e4ee5a403d984c98f024deee7507a3f29c",
-    "zh:344eca00ffb2643c2fa7f52f069b659d50bb4c9369df4cad96ea0fadb54282c8",
-    "zh:5fb57c0acfd4d30a39941900040d5518a909d8c975af0c4366a7bfd0d0bb09a8",
-    "zh:617a77048a5b9aa568e8bc706cc84307a237b2dd0e49709028b283f8bbe42475",
-    "zh:677837a05fefe0342cf4d4bdc494e8fd4d62331cac947820e73df37e8f512688",
-    "zh:7b79f6e02474eef4a1480fc6589afb63ed16b25bf019b6056f9838e2845e2ef8",
-    "zh:7d891fceb5b15e81240d829f42e1a36e4c812bfc1abe7856756e59101932205f",
-    "zh:97f1e0ac799faf382426e070e888fac36b0867597b460dc95b0e7f657de21ba9",
-    "zh:9855f2f2f5919ff6a6a2c982439c910d28c8978ad18cd8f549a5d1ba9b4dc4c3",
-    "zh:ac551367180eb396af2a50244e80243d333d600a76002e29935262d76a02290b",
-    "zh:c354f34e6579933d21a98ce7f31f4ef8aeaceb04cfaedaff6d3f3c0be56b2c79",
+    "h1:s/EZB00Y4Mct8G43Vp/X1BpDNGq9j7AbIPBj4icIv0A=",
+    "zh:2528b47d20d378283478feafdf16aade01d56d42c3283d7c904fd7a108f150f0",
+    "zh:36ef5e5b960375a166434f5836b5b957d760c34edfa256133c575e865ff4ee3c",
+    "zh:5fb97ca9465379dc5b965e407c5ccaa6c41fc1984214497fbf5b2bb49a585297",
+    "zh:78d2adcf6623f170aab3956d26d115032fecea11db4f62ee9ee76b67389546f3",
+    "zh:832bb0a957d4d1e664391186791af1cea14e0af878ea12d1b0ce5bb0a5dc98ef",
+    "zh:8c1eee42fd21b64596b72b4808595b6b1e07c3c614990e22b347c35a42360fed",
+    "zh:8fcb3165c29944d4465ce9db93daf2b9c816223bf6fcbd95818814525a706038",
+    "zh:931d05f9ba329942e6888873022e31c458048a8c2a3e42a6d1952337d2f9b240",
+    "zh:b78472cd5750b6d2d363c735a5e8d2a7bb98d0979ab7e42b8c5f9d17a2e5bbb6",
+    "zh:d203df11df368d2316894c481d34be2de9e54d1f90cec0056ef5154d06a9edc7",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:fecb0db6ab81777a0f48d315838f911753e9c5d66e22eebd491abd83c49fde2c",
   ]
 }
 
diff --git a/deployment/modules/gcp/artifactregistry/main.tf b/deployment/modules/gcp/artifactregistry/main.tf
index 1bc437b7..6f870cd4 100644
--- a/deployment/modules/gcp/artifactregistry/main.tf
+++ b/deployment/modules/gcp/artifactregistry/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "registry.terraform.io/hashicorp/google"
-      version = "6.12.0"
+      version = "6.28.0"
     }
   }
 }
diff --git a/deployment/modules/gcp/cloudbuild/conformance/main.tf b/deployment/modules/gcp/cloudbuild/conformance/main.tf
index 8e53c2f2..f40d75bb 100644
--- a/deployment/modules/gcp/cloudbuild/conformance/main.tf
+++ b/deployment/modules/gcp/cloudbuild/conformance/main.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     google = {
       source  = "registry.terraform.io/hashicorp/google"
-      version = "6.12.0"
+      version = "6.28.0"
     }
   }
 }
diff --git a/deployment/modules/gcp/cloudbuild/preloaded/main.tf b/deployment/modules/gcp/cloudbuild/preloaded/main.tf
index d1f5545d..c7e51d19 100644
--- a/deployment/modules/gcp/cloudbuild/preloaded/main.tf
+++ b/deployment/modules/gcp/cloudbuild/preloaded/main.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     google = {
       source  = "registry.terraform.io/hashicorp/google"
-      version = "6.12.0"
+      version = "6.28.0"
     }
   }
 }
diff --git a/deployment/modules/gcp/cloudrun/main.tf b/deployment/modules/gcp/cloudrun/main.tf
index 92fbade9..6eb404dc 100644
--- a/deployment/modules/gcp/cloudrun/main.tf
+++ b/deployment/modules/gcp/cloudrun/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "registry.terraform.io/hashicorp/google"
-      version = "6.12.0"
+      version = "6.28.0"
     }
   }
 }
diff --git a/deployment/modules/gcp/insecuretlskey/README.md b/deployment/modules/gcp/insecuretlskey/README.md
new file mode 100644
index 00000000..71ec8b26
--- /dev/null
+++ b/deployment/modules/gcp/insecuretlskey/README.md
@@ -0,0 +1,3 @@
+# [WARNING]
+# This module will store unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
diff --git a/deployment/modules/gcp/insecuretlskey/main.tf b/deployment/modules/gcp/insecuretlskey/main.tf
new file mode 100644
index 00000000..d84f23fd
--- /dev/null
+++ b/deployment/modules/gcp/insecuretlskey/main.tf
@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.6"
+    }
+  }
+}
+
+# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
+#
+# Security Notice
+# The private key generated by this resource will be stored unencrypted in your 
+# Terraform state file. Use of this resource for production deployments is not 
+# recommended.
+#
+# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+resource "tls_private_key" "ecdsa_p256" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
diff --git a/deployment/modules/gcp/insecuretlskey/outputs.tf b/deployment/modules/gcp/insecuretlskey/outputs.tf
new file mode 100644
index 00000000..dccf986b
--- /dev/null
+++ b/deployment/modules/gcp/insecuretlskey/outputs.tf
@@ -0,0 +1,9 @@
+output "tls_private_key_ecdsa_p256_public_key_pem" {
+  value     = tls_private_key.ecdsa_p256.public_key_pem
+  sensitive = true
+}
+
+output "tls_private_key_ecdsa_p256_private_key_pem" {
+  value     = tls_private_key.ecdsa_p256.private_key_pem
+  sensitive = true
+}
diff --git a/deployment/modules/gcp/secretmanager/main.tf b/deployment/modules/gcp/secretmanager/main.tf
index d68b3355..6306490d 100644
--- a/deployment/modules/gcp/secretmanager/main.tf
+++ b/deployment/modules/gcp/secretmanager/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "registry.terraform.io/hashicorp/google"
-      version = "6.12.0"
+      version = "6.28.0"
     }
   }
 }
@@ -14,19 +14,6 @@ resource "google_project_service" "secretmanager_googleapis_com" {
   disable_on_destroy = false
 }
 
-# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
-#
-# Security Notice
-# The private key generated by this resource will be stored unencrypted in your 
-# Terraform state file. Use of this resource for production deployments is not 
-# recommended.
-#
-# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
-resource "tls_private_key" "sctfe_ecdsa_p256" {
-  algorithm   = "ECDSA"
-  ecdsa_curve = "P256"
-}
-
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
   secret_id = "${var.base_name}-ecdsa-p256-public-key"
 
@@ -44,7 +31,7 @@ resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
 resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_public_key" {
   secret = google_secret_manager_secret.sctfe_ecdsa_p256_public_key.id
 
-  secret_data = tls_private_key.sctfe_ecdsa_p256.public_key_pem
+  secret_data = var.tls_private_key_ecdsa_p256_public_key_pem
 }
 
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
@@ -62,7 +49,7 @@ resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
 }
 
 resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_private_key" {
-  secret = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
-
-  secret_data = tls_private_key.sctfe_ecdsa_p256.private_key_pem
+  secret                 = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
+  secret_data_wo_version = 1
+  secret_data_wo         = var.tls_private_key_ecdsa_p256_private_key_pem
 }
diff --git a/deployment/modules/gcp/secretmanager/variables.tf b/deployment/modules/gcp/secretmanager/variables.tf
index 8fbfd505..af6aaa49 100644
--- a/deployment/modules/gcp/secretmanager/variables.tf
+++ b/deployment/modules/gcp/secretmanager/variables.tf
@@ -2,3 +2,15 @@ variable "base_name" {
   description = "Base name to use when naming resources"
   type        = string
 }
+
+variable "tls_private_key_ecdsa_p256_public_key_pem" {
+  description = "Public ECDSA key with P256 elliptic curve in PEM format."
+  type        = string
+  sensitive   = true
+}
+
+variable "tls_private_key_ecdsa_p256_private_key_pem" {
+  description = "Private ECDSA key with P256 elliptic curve in PEM format."
+  type        = string
+  sensitive   = true
+}
diff --git a/deployment/modules/gcp/storage/main.tf b/deployment/modules/gcp/storage/main.tf
index 8c95592f..ad26cf41 100644
--- a/deployment/modules/gcp/storage/main.tf
+++ b/deployment/modules/gcp/storage/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "registry.terraform.io/hashicorp/google"
-      version = "6.12.0"
+      version = "6.28.0"
     }
   }
 }
diff --git a/deployment/modules/gcp/tesseract/conformance/main.tf b/deployment/modules/gcp/tesseract/conformance/main.tf
index e067fb60..d267f634 100644
--- a/deployment/modules/gcp/tesseract/conformance/main.tf
+++ b/deployment/modules/gcp/tesseract/conformance/main.tf
@@ -14,7 +14,16 @@ module "storage" {
 module "secretmanager" {
   source = "../../secretmanager"
 
-  base_name = var.base_name
+  base_name                                  = var.base_name
+  tls_private_key_ecdsa_p256_public_key_pem  = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+  tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will store unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+  source = "../../insecuretlskey"
 }
 
 module "cloudrun" {
diff --git a/deployment/modules/gcp/tesseract/test/main.tf b/deployment/modules/gcp/tesseract/test/main.tf
index bcb40b58..fb85d2ba 100644
--- a/deployment/modules/gcp/tesseract/test/main.tf
+++ b/deployment/modules/gcp/tesseract/test/main.tf
@@ -14,5 +14,14 @@ module "storage" {
 module "secretmanager" {
   source = "../../secretmanager"
 
-  base_name = var.base_name
+  base_name                                  = var.base_name
+  tls_private_key_ecdsa_p256_public_key_pem  = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+  tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will store unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+  source = "../../insecuretlskey"
 }