diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf
index aed2c747..9011da1d 100644
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@@ -219,55 +219,55 @@ resource "kubernetes_config_map" "vault_woodpecker_sync" {
   }
 
   data = {
-    "sync.sh" = <<-'SCRIPT'
+    "sync.sh" = <<-SCRIPT
       #!/bin/sh
       set -e
       VAULT_ADDR="http://vault-active.vault.svc.cluster.local:8200"
       WP_API="http://woodpecker-server.woodpecker.svc.cluster.local:8000/api"
 
       # Authenticate to Vault via K8s SA
-      SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
-      VAULT_TOKEN=$(curl -sf -X POST "$VAULT_ADDR/v1/auth/kubernetes/login" \
-        -d "{\"role\":\"woodpecker-sync\",\"jwt\":\"$SA_TOKEN\"}" | jq -r .auth.client_token)
+      SA_TOKEN=$$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+      VAULT_TOKEN=$$(curl -sf -X POST "$$VAULT_ADDR/v1/auth/kubernetes/login" \
+        -d "{\"role\":\"woodpecker-sync\",\"jwt\":\"$$SA_TOKEN\"}" | jq -r .auth.client_token)
 
-      if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
+      if [ -z "$$VAULT_TOKEN" ] || [ "$$VAULT_TOKEN" = "null" ]; then
         echo "ERROR: Failed to authenticate to Vault"
         exit 1
       fi
 
       # Get Woodpecker API token from Vault
-      WP_TOKEN=$(curl -sf -H "X-Vault-Token: $VAULT_TOKEN" \
-        "$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data.woodpecker_api_token // empty')
+      WP_TOKEN=$$(curl -sf -H "X-Vault-Token: $$VAULT_TOKEN" \
+        "$$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data.woodpecker_api_token // empty')
 
-      if [ -z "$WP_TOKEN" ]; then
+      if [ -z "$$WP_TOKEN" ]; then
         echo "ERROR: No woodpecker_api_token in secret/ci/global"
         exit 1
       fi
 
       # Sync global secrets
-      SECRETS=$(curl -sf -H "X-Vault-Token: $VAULT_TOKEN" \
-        "$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data | to_entries[] | select(.key != "woodpecker_api_token") | @base64')
+      SECRETS=$$(curl -sf -H "X-Vault-Token: $$VAULT_TOKEN" \
+        "$$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data | to_entries[] | select(.key != "woodpecker_api_token") | @base64')
 
       synced=0
-      for entry in $SECRETS; do
-        NAME=$(echo "$entry" | base64 -d | jq -r .key)
-        VALUE=$(echo "$entry" | base64 -d | jq -r .value)
+      for entry in $$SECRETS; do
+        NAME=$$(echo "$$entry" | base64 -d | jq -r .key)
+        VALUE=$$(echo "$$entry" | base64 -d | jq -r .value)
 
         # Try PATCH first (update), fall back to POST (create)
-        STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X PATCH "$WP_API/secrets/$NAME" \
-          -H "Authorization: Bearer $WP_TOKEN" \
+        STATUS=$$(curl -sf -o /dev/null -w "%%{http_code}" -X PATCH "$$WP_API/secrets/$$NAME" \
+          -H "Authorization: Bearer $$WP_TOKEN" \
           -H "Content-Type: application/json" \
-          -d "{\"name\":\"$NAME\",\"value\":\"$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" 2>/dev/null || echo "000")
+          -d "{\"name\":\"$$NAME\",\"value\":\"$$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" 2>/dev/null || echo "000")
 
-        if [ "$STATUS" != "200" ]; then
-          curl -sf -X POST "$WP_API/secrets" \
-            -H "Authorization: Bearer $WP_TOKEN" \
+        if [ "$$STATUS" != "200" ]; then
+          curl -sf -X POST "$$WP_API/secrets" \
+            -H "Authorization: Bearer $$WP_TOKEN" \
             -H "Content-Type: application/json" \
-            -d "{\"name\":\"$NAME\",\"value\":\"$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" > /dev/null
+            -d "{\"name\":\"$$NAME\",\"value\":\"$$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" > /dev/null
         fi
-        synced=$((synced + 1))
+        synced=$$((synced + 1))
       done
-      echo "Synced $synced global secrets from Vault to Woodpecker"
+      echo "Synced $$synced global secrets from Vault to Woodpecker"
     SCRIPT
   }
 }