Merge pull request #25 from gitpod-io/nv/fix-cert-rotation

nandajavarma · web-flow · commit 2f3dccf00864 · 2026-05-07T16:41:02.000+02:00
fix: wire time_rotating to auth proxy TLS cert for actual rotation (N10)
diff --git a/runner-vm.tf b/runner-vm.tf
@@ -36,9 +36,9 @@ resource "tls_private_key" "auth_proxy" {
   algorithm = "RSA"
   rsa_bits  = 2048
 
-  # Force recreation when rotation time changes
   lifecycle {
     create_before_destroy = true
+    replace_triggered_by  = [time_rotating.auth_proxy_cert_rotation]
   }
 }
 
@@ -52,9 +52,9 @@ resource "tls_self_signed_cert" "auth_proxy" {
 
   validity_period_hours = 8760 # 1 year
 
-  # Force recreation when rotation time changes
   lifecycle {
     create_before_destroy = true
+    replace_triggered_by  = [time_rotating.auth_proxy_cert_rotation]
   }
 
   allowed_uses = [

Original file line number	Diff line number	Diff line change
`@@ -36,9 +36,9 @@ resource "tls_private_key" "auth_proxy" {`
`36`	`36`	`algorithm = "RSA"`
`37`	`37`	`rsa_bits = 2048`
`38`	`38`
`39`		`- # Force recreation when rotation time changes`
`40`	`39`	`lifecycle {`
`41`	`40`	`create_before_destroy = true`
	`41`	`+ replace_triggered_by = [time_rotating.auth_proxy_cert_rotation]`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`
`@@ -52,9 +52,9 @@ resource "tls_self_signed_cert" "auth_proxy" {`
`52`	`52`
`53`	`53`	`validity_period_hours = 8760 # 1 year`
`54`	`54`
`55`		`- # Force recreation when rotation time changes`
`56`	`55`	`lifecycle {`
`57`	`56`	`create_before_destroy = true`
	`57`	`+ replace_triggered_by = [time_rotating.auth_proxy_cert_rotation]`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`allowed_uses = [`