fix: re-register hostname and cert binding after container app updates

When Terraform modifies azurerm_container_app (e.g. adding ADMIN_GITHUB_LOGINS),
the Azure provider sends the full ingress config without custom hostnames, wiping
any previously-registered hostname. The null_resource.hostname_registration was
not re-triggered because its triggers (hostname + app_id) are stable across
modifications — only creation changes the ID.

Add `replace_triggered_by = [azurerm_container_app.this]` to both
null_resource.hostname_registration and null_resource.cert_binding so they
re-run on every container app update, ensuring:
1. The custom hostname is re-registered (required before cert can be issued)
2. The SniEnabled cert binding is re-applied (required for HTTPS to work)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: rajbos

sharing-server/infra/main.tf

@@ -208,6 +208,12 @@ resource "null_resource" "hostname_registration" {
     app_id   = azurerm_container_app.this.id
   }
 
+  # Re-run whenever the container app is modified, because ACA updates reset
+  # the ingress configuration and strip any previously-registered custom hostnames.
+  lifecycle {
+    replace_triggered_by = [azurerm_container_app.this]
+  }
+
   provisioner "local-exec" {
     command = "az containerapp hostname add --name '${azurerm_container_app.this.name}' --resource-group '${var.resource_group_name}' --hostname '${var.custom_domain}' 2>/dev/null || true"
   }
@@ -242,6 +248,12 @@ resource "null_resource" "cert_binding" {
     hostname = var.custom_domain
   }
 
+  # Re-run whenever the container app is modified, because ACA updates reset
+  # the ingress configuration and strip any previously-applied cert bindings.
+  lifecycle {
+    replace_triggered_by = [azurerm_container_app.this]
+  }
+
   provisioner "local-exec" {
     environment = {
       CERT_ID  = azurerm_container_app_environment_managed_certificate.this[0].id