From 82c34c9a42651696a28d6a1126fcfad7dc0a312b Mon Sep 17 00:00:00 2001
From: Andreas Niemann
Date: Tue, 30 Jun 2026 23:36:50 +0200
Subject: [PATCH] fix(network): ignore ipamConfigs drift so `up --refresh` can't recreate the net
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Close the known gap. Docker auto-assigns the subnet's first host (.1) as the bridge gateway — a field we never declared — so `pulumi up --refresh` surfaced it as a spurious foundation-net ipamConfigs drift. `gateway` is a ForceNew input, so reconciling it (whether by declaring it OR by applying the refreshed diff) REPLACES the network and disconnects every container. (Verified: adding the gateway turned a clean plan into a network + 6-container + commands replacement.) The IPAM is immutable by design (subnet fixed by CONTRACT_003), so ignore drift on it: ignoreChanges:["ipamConfigs"]. Plain `up` stays clean (44 unchanged) and `up --refresh` no longer wants to recreate the network/containers. Residual, NON-destructive: `preview --refresh` still shows pessimistic "~triggers" replaces on the vault-init + credential-writer commands, because a refreshed container.id resolves to [unknown] in the preview (a Pulumi preview artifact). At real apply the id is known + unchanged; worst case the commands re-run idempotently. Documented for CI (T14).

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 bootstrap/components/network.ts | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/bootstrap/components/network.ts b/bootstrap/components/network.ts
index e9a7990..e99b188 100644
--- a/bootstrap/components/network.ts
+++ b/bootstrap/components/network.ts
@@ -16,6 +16,17 @@ export function deployNetwork(ctx: BaseCtx): docker.Network {
       attachable: true,
       ipamConfigs: [{ subnet: ctx.cfg.network.subnet }], // "172.30.0.0/24"
     },
-    { provider: ctx.provider, deleteBeforeReplace: true },
+    {
+      provider: ctx.provider,
+      deleteBeforeReplace: true,
+      // Docker auto-assigns the subnet's first host (.1) as the bridge gateway —
+      // a field we never declared, so a `pulumi up --refresh` surfaced it as a
+      // spurious ipamConfigs drift. `gateway` is ForceNew, so reconciling it
+      // (either by declaring it OR by applying the refreshed diff) would REPLACE
+      // the network and disconnect every container. The IPAM is immutable by
+      // design (subnet fixed by CONTRACT_003), so we ignore drift on it: plain
+      // `up` stays clean AND `up --refresh` no longer wants to recreate the net.
+      ignoreChanges: ["ipamConfigs"],
+    },
   );
 }
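Review bot: `ignoreChanges: ["ipamConfigs"]` ignores the whole IPAM block, so it masks more than the auto-assigned gateway: a change to `ctx.cfg.network.subnet` in config, or a subnet that was altered out of band, will now never show up as a diff, and the state silently diverges from what the program declares while the comment claims the subnet is "fixed by CONTRACT_003" without anything in this hunk enforcing that. If the provider honours Pulumi property paths, narrowing the ignore to the one field Docker fills in, `ignoreChanges: ["ipamConfigs[0].gateway"],`, keeps subnet drift visible and still stops the spurious replace; otherwise add an explicit guard before the resource that throws when `ctx.cfg.network.subnet` differs from the contract value, so a bad config fails loudly instead of being absorbed. Either way the comment should state that `ignoreChanges` also suppresses program-side changes to the property, e.g. `// NOTE: this also hides a changed subnet in config; the subnet is pinned by CONTRACT_003 and must not be edited here.` The body of deployNetwork starts before this hunk.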