fix(network): ignore ipamConfigs drift so up --refresh can't recreate the net
Close the known gap. Docker auto-assigns the subnet's first host (.1) as the bridge gateway — a field we never declared — so `pulumi up --refresh` surfaced it as a spurious foundation-net ipamConfigs drift. `gateway` is a ForceNew input, so reconciling it (whether by declaring it OR by applying the refreshed diff) REPLACES the network and disconnects every container. (Verified: adding the gateway turned a clean plan into a network + 6-container + commands replacement.) The IPAM is immutable by design (subnet fixed by CONTRACT_003), so ignore drift on it: ignoreChanges:["ipamConfigs"]. Plain `up` stays clean (44 unchanged) and `up --refresh` no longer wants to recreate the network/containers. Residual, NON-destructive: `preview --refresh` still shows pessimistic "~triggers" replaces on the vault-init + credential-writer commands, because a refreshed container.id resolves to [unknown] in the preview (a Pulumi preview artifact). At real apply the id is known + unchanged; worst case the commands re-run idempotently. Documented for CI (T14). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
522c5d7a54
commit
82c34c9a42
1 changed files with 12 additions and 1 deletions
|
|
@ -16,6 +16,17 @@ export function deployNetwork(ctx: BaseCtx): docker.Network {
|
||||||
attachable: true,
|
attachable: true,
|
||||||
ipamConfigs: [{ subnet: ctx.cfg.network.subnet }], // "172.30.0.0/24"
|
ipamConfigs: [{ subnet: ctx.cfg.network.subnet }], // "172.30.0.0/24"
|
||||||
},
|
},
|
||||||
{ provider: ctx.provider, deleteBeforeReplace: true },
|
{
|
||||||
|
provider: ctx.provider,
|
||||||
|
deleteBeforeReplace: true,
|
||||||
|
// Docker auto-assigns the subnet's first host (.1) as the bridge gateway —
|
||||||
|
// a field we never declared, so a `pulumi up --refresh` surfaced it as a
|
||||||
|
// spurious ipamConfigs drift. `gateway` is ForceNew, so reconciling it
|
||||||
|
// (either by declaring it OR by applying the refreshed diff) would REPLACE
|
||||||
|
// the network and disconnect every container. The IPAM is immutable by
|
||||||
|
// design (subnet fixed by CONTRACT_003), so we ignore drift on it: plain
|
||||||
|
// `up` stays clean AND `up --refresh` no longer wants to recreate the net.
|
||||||
|
ignoreChanges: ["ipamConfigs"],
|
||||||
|
},
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue