This repository has been archived by the owner on Sep 16, 2020. It is now read-only.

make certificates replacable #76

Closed
vchrisb opened this issue Jul 13, 2018 · 4 comments · Fixed by #77

@vchrisb
Contributor

vchrisb commented Jul 13, 2018

Updating a certificate for the GCP load balancer in place is not possible.
It is necessary to first create a new one before destroying the old one.

This is supported by google_compute_ssl_certificate by using a name_prefix and configuring create_before_destroy.

name = "${var.env_name}-lbcert" in router.tf should be replaced by name_prefix = "${var.env_name}-lbcert-".

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

@vchrisb
Contributor Author

vchrisb commented Jul 13, 2018

I've seen we recently switched from name_prefix to name because of hashicorp/terraform-provider-google#1054.
So the fix would be to keep name but add a random string at the end:

```hcl
# Random suffix so a replacement certificate never reuses the name of the
# one still attached to the load balancer.
resource "random_id" "cert" {
  byte_length = 8
}

resource "google_compute_ssl_certificate" "cert" {
  name        = "${var.env_name}-lbcert-${random_id.cert.dec}"
  description = "user provided ssl private key / ssl certificate pair"
  # Use the locally signed cert/key when a CA cert was supplied, otherwise the user-provided pair.
  certificate = "${length(var.ssl_ca_cert) > 0 ? element(concat(tls_locally_signed_cert.ssl_cert.*.cert_pem, list("")), 0) : var.ssl_cert}"
  private_key = "${length(var.ssl_ca_cert) > 0 ? element(concat(tls_private_key.ssl_private_key.*.private_key_pem, list("")), 0) : var.ssl_private_key}"

  # lifecycle is a nested block, not an attribute: "lifecycle = {" is rejected by newer Terraform.
  lifecycle {
    create_before_destroy = true
  }
}
```

I'll try it and do a pull request...

@nwmahoney
Contributor

> I'll try it and do a pull request...

Thanks @vchrisb! That's super helpful.

@vchrisb
Contributor Author

vchrisb commented Jul 14, 2018

While digging further into it and struggling with getting keepers right, I saw that the deprecation of name_prefix was actually reverted, exactly because of this issue:
hashicorp/terraform-provider-google#1326
hashicorp/terraform-provider-google#1622

I'm going to update the pull request to just revert back to using name_prefix.
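The fix the thread converges on, written out as an added example rather than the project's own router.tf: the certificate resource uses name_prefix with create_before_destroy, and the HTTPS target proxy references it by self_link, so that when the certificate or key changes Terraform creates the new certificate under a fresh name, re-points the proxy at it, and only then deletes the old one. The variable names, the proxy resource and the url_map variable are assumptions for this example and are not from the issue.

```hcl
# Added example (Terraform 0.11 syntax, matching the thread). Variables are assumed.
variable "env_name" {}
variable "ssl_cert" {}
variable "ssl_private_key" {}
variable "url_map_self_link" {}   # assumed: self_link of an existing google_compute_url_map

resource "google_compute_ssl_certificate" "cert" {
  # name_prefix lets Terraform append a unique suffix, so the replacement
  # certificate never collides with the name of the one still in service.
  name_prefix = "${var.env_name}-lbcert-"
  description = "user provided ssl private key / ssl certificate pair"
  certificate = "${var.ssl_cert}"
  private_key = "${var.ssl_private_key}"

  lifecycle {
    # Any change to certificate/private_key forces a new resource; with
    # create_before_destroy the new one exists before the old is removed.
    create_before_destroy = true
  }
}

# Assumed proxy wiring: the list is updated in place to the new self_link,
# which is what lets the old certificate be deleted without downtime.
resource "google_compute_target_https_proxy" "https_lb_proxy" {
  name             = "${var.env_name}-https-proxy"
  url_map          = "${var.url_map_self_link}"
  ssl_certificates = ["${google_compute_ssl_certificate.cert.self_link}"]
}
```

Compared with the random_id variant earlier in the thread, this needs no keepers: with random_id the suffix only changes when a keeper changes, so a new certificate with an unchanged random_id would try to reuse the existing name, which is exactly the collision name_prefix avoids.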
