plotting-book: TF baseline image follows what CI actually builds

Viktor asked to verify the book-plotting push->build->deploy chain.
The chain itself is healthy, but the Terraform baseline image said
ancamilea/book-plotter:latest while CI (GHA on
PassionProjectsAnca/Plotting-Your-Dream-Book) builds and deploys
viktorbarzin/book-plotter:<sha8> + :latest — a from-scratch apply
would have resurrected a stale March image. Baseline now
viktorbarzin/book-plotter:latest. No live change: the running tag is
CI-owned via ignore_changes, plan confirms the image attr is ignored.

[ci skip] deliberately: plan shows UNRELATED pre-existing drift on
this stack (live ns labels managed-by=vault-user-onboarding +
resource-governance/custom-quota=true would be stripped; deployment
keel.sh/policy=patch annotations removed) — auto-applying that needs
its own reviewed pass.

stacks/plotting-book/main.tf

@@ -8,7 +8,7 @@ resource "kubernetes_namespace" "plotting-book" {
     name = "plotting-book"
     labels = {
       "istio-injection" : "disabled"
-      tier = local.tiers.aux
+      tier               = local.tiers.aux
       "keel.sh/enrolled" = "true"
     }
   }
@@ -122,8 +122,10 @@ resource "kubernetes_deployment" "plotting-book" {
           }
         }
         container {
-          image = "ancamilea/book-plotter:latest"
-          # image = "viktorbarzin/book-plotter:7"
+          # Baseline only — CI owns the live tag (GHA builds viktorbarzin/book-plotter:<sha8>,
+          # Woodpecker repo 43 set-images it; see ignore_changes above). :latest is pushed by
+          # the same GHA build, so a from-scratch apply starts on current code.
+          image             = "viktorbarzin/book-plotter:latest"
           name              = "plotting-book"
           image_pull_policy = "Always"
           env {