
Adds lifecycle policy to aws_acm_certificates

This fixes the recurring failure where a certificate cannot be replaced because it is
still in use, and follows the official recommendation from
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate

No need to tag. It'll only get picked up on changes, and there will
be a new tag before then.
Fred Damstra [afs macbook] 3 年之前
父節點
當前提交
fb25b7c56a

+ 4 - 0
base/customer_portal/certificate.tf

@@ -3,6 +3,10 @@ resource "aws_acm_certificate" "cert" {
   domain_name       = "portal.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
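Review bot: The added `lifecycle` block only orders the certificate's own create/destroy; it does not by itself make rotation safe for whatever consumes `aws_acm_certificate.cert.arn` (the listener is outside this hunk). With create-before-destroy the replacement exists in PENDING_VALIDATION while the old one is still attached, so the consumer should reference `aws_acm_certificate_validation.<name>.certificate_arn` rather than the certificate's `arn`, and the Route53 validation records (not shown) should set `allow_overwrite = true` as in the provider example linked in the commit message, since the replacement re-emits CNAMEs with the same names. I'd add a one-line comment above the block: `# Replacement cert is issued before the in-use one is destroyed; consumers must use the validation resource's certificate_arn.`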
 

+ 8 - 0
base/github/certificate.tf

@@ -5,6 +5,10 @@ resource "aws_acm_certificate" "cert" {
   domain_name       = "*.github.${var.dns_info["private"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   subject_alternative_names = [
     "github.${var.dns_info["private"]["zone"]}"
   ]
@@ -43,6 +47,10 @@ resource "aws_acm_certificate" "cert_public" {
   domain_name       = "*.github.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   subject_alternative_names = [
     "github.${var.dns_info["public"]["zone"]}"
   ]
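Review bot: In both `cert` and `cert_public` the `lifecycle` block is inserted between `validation_method` and `subject_alternative_names`, splitting the resource's arguments with a nested block. Terraform convention (and the provider example this commit cites) places `lifecycle` as the last nested block, and every other file in this commit appends it after the arguments; I'd move the four lines down to just before the closing `}` of each resource, after `tags`, so the wildcard `*.github.…` SANs read together with `domain_name`. Both resource bodies continue past their hunks.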

+ 4 - 0
base/jira/instance_jira/certificate.tf

@@ -5,6 +5,10 @@ resource "aws_acm_certificate" "cert_public" {
   domain_name       = "jira.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/nessus/instance_security_center/certificate.tf

@@ -5,6 +5,10 @@ resource "aws_acm_certificate" "cert_private" {
   domain_name       = "security-center.${var.dns_info["private"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/openvpn/certificate.tf

@@ -3,6 +3,10 @@ resource "aws_acm_certificate" "cert" {
   domain_name       = "openvpn.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/phantom/certificate.tf

@@ -5,6 +5,10 @@ resource "aws_acm_certificate" "cert_private" {
   domain_name       = "phantom.${var.dns_info["private"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 9 - 1
base/sensu/certificate.tf

@@ -7,6 +7,10 @@ resource "aws_acm_certificate" "cert" {
   domain_name       = "sensu.${var.dns_info["private"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 
@@ -43,6 +47,10 @@ resource "aws_acm_certificate" "cert_public" {
   domain_name       = "sensu.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 
@@ -68,4 +76,4 @@ resource "aws_route53_record" "cert_validation_public" {
   ttl             = 60
   type            = each.value.type
   zone_id         = var.dns_info["public"]["zone_id"]
-}
+}

+ 4 - 0
base/splunk_servers/alsi/certificate-elastic.tf

@@ -4,6 +4,10 @@ resource "aws_acm_certificate" "cert_elastic" {
   domain_name       = "${var.prefix}-alsi-elastic.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/splunk_servers/alsi/certificate-hec.tf

@@ -4,6 +4,10 @@ resource "aws_acm_certificate" "cert_hec" {
   domain_name       = "${var.prefix}-alsi-hec.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/splunk_servers/alsi/certificate-master.tf

@@ -3,6 +3,10 @@ resource "aws_acm_certificate" "cert_master" {
   domain_name       = "${var.prefix}-alsi.${var.dns_info["private"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/splunk_servers/indexer_cluster/elb-private.tf

@@ -25,6 +25,10 @@ resource "aws_acm_certificate" "hec_pvt_cert" {
   domain_name       = "${var.prefix}-hec.${var.dns_info["private"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/splunk_servers/indexer_cluster/elb-with-acks.tf

@@ -23,6 +23,10 @@ resource "aws_acm_certificate" "hec_classiclb_cert" {
   domain_name       = "${var.prefix}-hec-ack.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/splunk_servers/indexer_cluster/elb-without-ack.tf

@@ -23,6 +23,10 @@ resource "aws_acm_certificate" "hec_cert" {
   domain_name       = "${var.prefix}-hec.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/splunk_servers/legacy_hec/elb-with-acks.tf

@@ -39,6 +39,10 @@ resource "aws_acm_certificate" "hec_classiclb_cert" {
   domain_name       = "${var.prefix}-hec-ack.${var.dns_info["legacy_public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/splunk_servers/legacy_hec/elb-without-ack.tf

@@ -75,6 +75,10 @@ resource "aws_acm_certificate" "hec_cert" {
   domain_name       = "${var.prefix}-hec.${var.dns_info["legacy_public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   subject_alternative_names = local.is_moose ? [ "iratemoses.${var.dns_info["legacy_public"]["zone"]}" ] : [ ]
 
   tags = merge(var.standard_tags, var.tags)

+ 4 - 0
base/splunk_servers/searchhead/certificate.tf

@@ -3,6 +3,10 @@ resource "aws_acm_certificate" "cert" {
   domain_name       = "${local.alb_name}.${var.dns_info["private"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/teleport-single-instance/certificate-internal.tf

@@ -3,6 +3,10 @@ resource "aws_acm_certificate" "cert_internal" {
   domain_name       = "${var.instance_name}-alb.${var.dns_info["private"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 4 - 0
base/teleport-single-instance/certificate.tf

@@ -3,6 +3,10 @@ resource "aws_acm_certificate" "cert" {
   domain_name       = "${var.instance_name}.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 

+ 5 - 1
base/vault/certificate.tf

@@ -2,6 +2,10 @@ resource "aws_acm_certificate" "cert" {
   domain_name       = "vault.${var.dns_info["private"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 
@@ -27,4 +31,4 @@ resource "aws_route53_record" "cert_validation" {
   ttl             = 60
   type            = each.value.type
   zone_id         = var.dns_info["public"]["zone_id"]
-}
+}
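Review bot: `aws_route53_record.cert_validation` writes into `var.dns_info["public"]["zone_id"]` while the certificate it validates is for `vault.${var.dns_info["private"]["zone"]}`; if that is deliberate (ACM validates over public DNS, so the private-zone name must be answerable from the public hosted zone) it deserves a comment, e.g. `# ACM DNS validation is resolved over public DNS, so the CNAME for the private-zone name lives in the public hosted zone.` If it is not deliberate, validation of the replacement certificate will silently never complete and, with create-before-destroy now in effect, the old certificate is destroyed only after the apply is otherwise done. Also confirm this record sets `allow_overwrite = true` (the lines above the hunk are not visible), since the replacement certificate re-issues a validation CNAME with the same name.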