fix(sync): self-heal absent task-SG load balancer ingress rule on sync #95
Open
stevethomas wants to merge 1 commit into
…-heals

ensureLoadBalancerIngressRule wrote the task-SG ingress rule but recorded no Change on the plan (dry-run) pass, so the runner's pending filter pruned the step before apply. A task SG that existed without the rule — e.g. a create interrupted mid-flight — could therefore never be self-healed by a later sync; it was only ever authorised at create-time.

Move the recordChange() before the dry-run guard (mirroring AuthorisesTaskIngress) so the plan flags the step pending, it survives the prune, and apply adds the rule.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Hey, I made a thing! 🥳
Great! Now please answer the following questions to help out your assigned reviewer:
What problems are you solving?
`ensureLoadBalancerIngressRule` (in `SyncTaskSecurityGroupStep`) wrote the task-SG → load-balancer ingress rule but recorded no `Change` on the plan (dry-run) pass. The runner's `planEntryHasWork` filter only keeps a step for the apply pass if it returns a `WOULD_*` status or recorded a change — so this step got pruned before apply.

`sync` whose create was interrupted mid-flight — could never be self-healed by a later sync.

`sync production` reported clean while the SG was silently missing its container-port ingress.

Fix: move `recordChange()` to before the `$dryRun` guard (mirroring `AuthorisesTaskIngress`), so the plan flags the step pending → it survives the prune → apply self-heals any SG missing the rule. The reconcile stays purely additive — it never revokes an out-of-band rule, and records nothing when a matching rule already exists (no phantom drift).

Is there anything the reviewer needs to know to deploy this?

`ingress 8000/tcp from load balancer security group` as a pending change and authorises it on apply. No revokes, ever.

`yolo sync production` on convict will detect and add the missing rule — the permanent manual unblock is no longer required (a one-off manual rule-add was the only prior workaround).

`--dry-run` (survives the prune), and an already-authorised SG records no ingress change.

🤖 Generated with Claude Code
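The plan/prune/apply interaction described in this PR, as an added PHP model that is not the project's code. Only the names `ensureLoadBalancerIngressRule`, `planEntryHasWork`, `WOULD_*` and the rule description come from the text above; the function bodies, the `SYNCED` status, the `$recordBeforeGuard` switch and the `sync()` runner are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added model, not the project's code. Bodies and the 'SYNCED' status are assumed.
const RULE = 'ingress 8000/tcp from load balancer security group';

/**
 * Returns [status, recorded changes]. $recordBeforeGuard = false models the
 * pre-fix ordering, true models the ordering this PR describes.
 */
function ensureLoadBalancerIngressRule(array &$sgRules, bool $dryRun, bool $recordBeforeGuard): array
{
    $changes = [];
    if (in_array(RULE, $sgRules, true)) {
        return ['SYNCED', $changes];   // already authorised: record nothing
    }
    if ($recordBeforeGuard) {
        $changes[] = RULE;             // recorded on the plan pass as well
    }
    if ($dryRun) {
        return ['SYNCED', $changes];   // plan pass never modifies the SG
    }
    if (!$recordBeforeGuard) {
        $changes[] = RULE;             // pre-fix: recorded only when applying
    }
    $sgRules[] = RULE;                 // additive only, nothing is revoked
    return ['SYNCED', $changes];
}

// Keep a step for apply only if it reported WOULD_* or recorded a change.
function planEntryHasWork(string $status, array $changes): bool
{
    return str_starts_with($status, 'WOULD_') || $changes !== [];
}

// Hypothetical two-pass runner: plan (dry run), prune, then apply.
function sync(array $sgRules, bool $recordBeforeGuard): array
{
    [$status, $changes] = ensureLoadBalancerIngressRule($sgRules, true, $recordBeforeGuard);
    if (planEntryHasWork($status, $changes)) {
        ensureLoadBalancerIngressRule($sgRules, false, $recordBeforeGuard);
    }
    return $sgRules;
}

// Constructed input: a task SG left without ingress rules by an interrupted create.
foreach ([false, true] as $fixed) {
    $healed = in_array(RULE, sync([], $fixed), true);
    printf("%s ordering: rule present after sync = %s\n", $fixed ? 'fixed' : 'pre-fix', $healed ? 'yes' : 'no');
}
```

Run with PHP 8; with the pre-fix ordering the step is pruned after the plan pass, so the model's security group stays without the rule even though the sync completes.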