fix: wire time_rotating to auth proxy TLS cert for actual rotation

nandajavarma · ona-agent · nandajavarma · commit baf64e675462 · 2026-05-07T13:38:33.000Z
time_rotating.auth_proxy_cert_rotation was declared but never
referenced by tls_private_key.auth_proxy or tls_self_signed_cert.auth_proxy.
The cert had a 1-year validity but would never rotate automatically.

Add replace_triggered_by to both resources so they regenerate every
30 days when the time_rotating resource triggers.

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/runner-vm.tf b/runner-vm.tf
@@ -36,9 +36,9 @@ resource "tls_private_key" "auth_proxy" {
   algorithm = "RSA"
   rsa_bits  = 2048
 
-  # Force recreation when rotation time changes
   lifecycle {
     create_before_destroy = true
+    replace_triggered_by  = [time_rotating.auth_proxy_cert_rotation]
   }
 }
 
@@ -52,9 +52,9 @@ resource "tls_self_signed_cert" "auth_proxy" {
 
   validity_period_hours = 8760 # 1 year
 
-  # Force recreation when rotation time changes
   lifecycle {
     create_before_destroy = true
+    replace_triggered_by  = [time_rotating.auth_proxy_cert_rotation]
   }
 
   allowed_uses = [

Original file line number	Diff line number	Diff line change
`@@ -36,9 +36,9 @@ resource "tls_private_key" "auth_proxy" {`
`36`	`36`	`algorithm = "RSA"`
`37`	`37`	`rsa_bits = 2048`
`38`	`38`
`39`		`- # Force recreation when rotation time changes`
`40`	`39`	`lifecycle {`
`41`	`40`	`create_before_destroy = true`
	`41`	`+ replace_triggered_by = [time_rotating.auth_proxy_cert_rotation]`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`
`@@ -52,9 +52,9 @@ resource "tls_self_signed_cert" "auth_proxy" {`
`52`	`52`
`53`	`53`	`validity_period_hours = 8760 # 1 year`
`54`	`54`
`55`		`- # Force recreation when rotation time changes`
`56`	`55`	`lifecycle {`
`57`	`56`	`create_before_destroy = true`
	`57`	`+ replace_triggered_by = [time_rotating.auth_proxy_cert_rotation]`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`allowed_uses = [`