fix: add create_before_destroy to trust bundle GCS object

Without a lifecycle block, a content change causes Terraform to
destroy the old object before creating the new one. If the apply is
interrupted between destroy and create, the bucket is left empty
with no trust bundle — breaking CA trust for runner and environment
VMs until the next successful apply.

Adding create_before_destroy ensures the new object is written
before the old one is removed, eliminating the gap.

Co-authored-by: Ona <no-reply@ona.com>

Author: nandajavarma

storage.tf

@@ -264,7 +264,9 @@ locals {
   has_certificates = var.ca_certificate != null || (var.certificate_secret_id != "" && var.certificate_secret_read)
 }
 
-# Upload combined trust bundle certificate to GCS bucket
+# Upload combined trust bundle certificate to GCS bucket.
+# create_before_destroy ensures the new object is written before the old
+# one is removed, preventing a gap if terraform apply is interrupted.
 resource "google_storage_bucket_object" "trust_bundle" {
   count = local.has_certificates ? 1 : 0
 
@@ -284,6 +286,10 @@ resource "google_storage_bucket_object" "trust_bundle" {
     has_ca_cert     = var.ca_certificate != null ? "true" : "false"
     has_secret_cert = var.certificate_secret_id != "" && var.certificate_secret_read ? "true" : "false"
   }
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 # Upload Docker config.json to GCS bucket if provided