foundation/bootstrap/components/network.ts
Andreas Niemann 82c34c9a42 fix(network): ignore ipamConfigs drift so up --refresh can't recreate the net
Close the known gap. Docker auto-assigns the subnet's first host (.1) as the
bridge gateway — a field we never declared — so `pulumi up --refresh` surfaced
it as a spurious foundation-net ipamConfigs drift. `gateway` is a ForceNew
input, so reconciling it (whether by declaring it OR by applying the refreshed
diff) REPLACES the network and disconnects every container. (Verified: adding
the gateway turned a clean plan into a network + 6-container + commands
replacement.)

The IPAM is immutable by design (subnet fixed by CONTRACT_003), so ignore
drift on it: ignoreChanges:["ipamConfigs"]. Plain `up` stays clean (44
unchanged) and `up --refresh` no longer wants to recreate the network/containers.

Residual, NON-destructive: `preview --refresh` still shows pessimistic
"~triggers" replaces on the vault-init + credential-writer commands, because a
refreshed container.id resolves to [unknown] in the preview (a Pulumi
preview artifact). At real apply the id is known + unchanged; worst case the
commands re-run idempotently. Documented for CI (T14).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 23:36:50 +02:00

32 lines
1.4 KiB
TypeScript

// components/network.ts
//
// The foundation-net user-defined bridge (CONTRACT_003 §3.1). Created once, on the
// shared provider; every service container attaches to it and reaches peers by
// container name via Docker's embedded DNS. This is the first thing the bootstrap
// creates — all data-plane and forge components depend on it.
import * as docker from "@pulumi/docker";
import { BaseCtx } from "../lib/context";
export function deployNetwork(ctx: BaseCtx): docker.Network {
return new docker.Network(
"foundation-net",
{
name: ctx.cfg.network.name, // "foundation-net" (CONTRACT_003)
driver: "bridge",
attachable: true,
ipamConfigs: [{ subnet: ctx.cfg.network.subnet }], // "172.30.0.0/24"
},
{
provider: ctx.provider,
deleteBeforeReplace: true,
// Docker auto-assigns the subnet's first host (.1) as the bridge gateway —
// a field we never declared, so a `pulumi up --refresh` surfaced it as a
// spurious ipamConfigs drift. `gateway` is ForceNew, so reconciling it
// (either by declaring it OR by applying the refreshed diff) would REPLACE
// the network and disconnect every container. The IPAM is immutable by
// design (subnet fixed by CONTRACT_003), so we ignore drift on it: plain
// `up` stays clean AND `up --refresh` no longer wants to recreate the net.
ignoreChanges: ["ipamConfigs"],
},
);
}