VED-728: Specify S3 object version for truststores to allow cert rotation.

Author: mfjarvis

infrastructure/instance/modules/api_gateway/api.tf

@@ -38,7 +38,8 @@ resource "aws_apigatewayv2_domain_name" "service_api_domain_name" {
     security_policy = "TLS_1_2"
   }
   mutual_tls_authentication {
-    truststore_uri = "s3://${aws_s3_bucket.truststore_bucket.bucket}/${local.truststore_file_name}"
+    truststore_uri     = "s3://${aws_s3_bucket.truststore_bucket.bucket}/${local.truststore_file_name}"
+    truststore_version = aws_s3_object_copy.copy_cert_from_storage.version_id
   }
   tags = {
     Name = "${var.prefix}-api-domain-name"

infrastructure/instance/modules/api_gateway/mtls_cert.tf

@@ -17,8 +17,18 @@ resource "aws_s3_bucket" "truststore_bucket" {
   force_destroy = true
 }
 
+resource "aws_s3_bucket_versioning" "truststore_bucket" {
+  bucket = aws_s3_bucket.truststore_bucket.bucket
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
 resource "aws_s3_object_copy" "copy_cert_from_storage" {
   bucket = aws_s3_bucket.truststore_bucket.bucket
   key    = local.truststore_file_name
   source = "${data.aws_s3_object.cert.bucket}/${local.truststore_file_name}"
+  lifecycle {
+    replace_triggered_by = [data.aws_s3_object.cert.etag]
+  }
 }