GCP Instance - Best way to upload an SSL cert?

Hi everyone

I manage GCP infrastructure with Terraform and one area I can’t quite figure out is the inclusion of a specific SSL certificate that I need to upload to the machine

As a temporary workaround I just include the cert & key in the startup script in plain text but this isn’t scalable or secure, plus it’s shown in plain text within the GCP console for custom metadata for that host

What is the best way to do this? I had thought about adding some SCP and pulling the cert from aother box in a more secure way but that seems like a clunky way to do it

I have been also looking at if there is a Vault use case for this too, to pull the file once the machine is running, but when I look at SSL/PKI related stuff for vault is seems to be for more complex use cases

Thanks in advance for any advice!