VED-728: Specify version for truststores to allow cert rotation. (#1046)

* VED-728: Specify S3 object version for truststores to allow cert rotation.

* VED-728: Store cert version in Terraform state.

* VED-728: Store cert etag in case versioning is not enabled on the source bucket.

* VED-728: Undo IDE weirdness.

Author: mfjarvis

infrastructure/instance/modules/api_gateway/api.tf

@@ -38,7 +38,8 @@ resource "aws_apigatewayv2_domain_name" "service_api_domain_name" {
     security_policy = "TLS_1_2"
   }
   mutual_tls_authentication {
-    truststore_uri = "s3://${aws_s3_bucket.truststore_bucket.bucket}/${local.truststore_file_name}"
+    truststore_uri     = "s3://${aws_s3_bucket.truststore_bucket.bucket}/${local.truststore_file_name}"
+    truststore_version = aws_s3_object_copy.copy_cert_from_storage.version_id
   }
   tags = {
     Name = "${var.prefix}-api-domain-name"

infrastructure/instance/modules/api_gateway/mtls_cert.tf

@@ -12,13 +12,27 @@ data "aws_s3_object" "cert" {
   key    = local.truststore_file_name
 }
 
+resource "terraform_data" "cert_etag" {
+  input = data.aws_s3_object.cert.etag
+}
+
 resource "aws_s3_bucket" "truststore_bucket" {
   bucket        = "${var.prefix}-truststores"
   force_destroy = true
 }
 
+resource "aws_s3_bucket_versioning" "truststore_bucket" {
+  bucket = aws_s3_bucket.truststore_bucket.bucket
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
 resource "aws_s3_object_copy" "copy_cert_from_storage" {
   bucket = aws_s3_bucket.truststore_bucket.bucket
   key    = local.truststore_file_name
   source = "${data.aws_s3_object.cert.bucket}/${local.truststore_file_name}"
+  lifecycle {
+    replace_triggered_by = [terraform_data.cert_etag]
+  }
 }