Close the known gap. Docker auto-assigns the subnet's first host (.1) as the bridge gateway — a field we never declared — so `pulumi up --refresh` surfaced it as a spurious foundation-net ipamConfigs drift. `gateway` is a ForceNew input, so reconciling it (whether by declaring it OR by applying the refreshed diff) REPLACES the network and disconnects every container. (Verified: adding the gateway turned a clean plan into a network + 6-container + commands replacement.) The IPAM is immutable by design (subnet fixed by CONTRACT_003), so ignore drift on it: ignoreChanges:["ipamConfigs"]. Plain `up` stays clean (44 unchanged) and `up --refresh` no longer wants to recreate the network/containers. Residual, NON-destructive: `preview --refresh` still shows pessimistic "~triggers" replaces on the vault-init + credential-writer commands, because a refreshed container.id resolves to [unknown] in the preview (a Pulumi preview artifact). At real apply the id is known + unchanged; worst case the commands re-run idempotently. Documented for CI (T14). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| components | ||
| lib | ||
| config.ts | ||
| index.ts | ||
| package.json | ||
| Pulumi.foundation.yaml | ||
| Pulumi.yaml | ||
| run.sh | ||
| tsconfig.json | ||
| vault-unseal.sh | ||