fix(infra): VM reader policy org id; defer compute only on fresh provision#761
Merged
Conversation
… fresh provision

Production deploy fixes for the Scaleway credential refactor (SOVRUN §3.3):

- vm-reader IAM policy now sets `organizationId` explicitly (resolved from SCW_DEFAULT_ORGANIZATION_ID, else derived from the project) instead of relying on the provider's default org env, which the "Apply infra change" flow left empty and caused `organization_id is wrongly formatted`. helpers.ts exports the resolved org id for reuse.
- Rename the `bootstrap:applyInProgress` marker to `bootstrap:computeDeferred` and set it ONLY during a fresh provision. "Apply infra change" no longer defers compute (or snapshots/restores the stack file), so running it on an established stack no longer tears down live VMs/LB. infra-cli surfaces the marker as an informational notice; the obsolete apply-backup machinery and gitignore entry are removed.
- classifyPermissionError treats IAM `policy` writes as bootstrap-owned so the permission hint points to Apply mode rather than the impossible "Rotate CI".
- Runtime secrets are now derived generically from the central registry: KNOWN_SECRET_KEYS and pulumi-owned secret values come from runtimeSecrets, so a new registry entry needs no hand edits in yaml-secrets.ts or secrets.ts.

Validated: pnpm check green; infra typecheck clean; infra vitest passing.
Summary
Production deploy fixes for the Scaleway credential refactor (SOVRUN §3.3) plus a registry-driven runtime-secrets cleanup.
Changes
- `vm-reader-policy` now sets `organizationId` explicitly (from `SCW_DEFAULT_ORGANIZATION_ID`, else derived from the project) instead of relying on the provider's default org env. The bootstrap "Apply infra change" flow left that env empty, producing `organization_id is wrongly formatted` on the policy create. `helpers.ts` exports the resolved org id.
- `applyInProgress` → `computeDeferred`, fresh-flow only — the compute-gating marker is renamed for clarity and set only during a fresh provision (registry has no images yet). "Apply infra change" no longer defers compute or snapshots/restores the stack file, so running it on an established stack no longer tears down live VMs/LB. The obsolete apply-backup machinery and gitignore entry are removed; `infra-cli` shows the marker as an informational notice.
- `classifyPermissionError` treats IAM `policy` writes as bootstrap-owned, so the hint points to Apply mode instead of the impossible "Rotate CI".
- `KNOWN_SECRET_KEYS` and pulumi-owned secret values are derived from the central `runtimeSecrets` registry, so a new registry entry needs no hand edits in `yaml-secrets.ts` or `secrets.ts`.

Validation
- `pnpm check` green (sdk + all typechecks + biome)
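As an added illustration (not the project's code) of the registry-driven secrets derivation described in the last change bullet: one `runtimeSecrets` registry from which both the known-key set and the Pulumi-owned subset are computed, plus a check that rejects secrets-file keys the registry does not know. The registry entries, the `owner` field, and the `validateSecretsFile` helper are all assumptions for this example.

```typescript
// Added example, not the project's own code. All names and entries are assumed.
type SecretOwner = "pulumi" | "manual";

interface SecretSpec {
  owner: SecretOwner; // who is responsible for writing the value into the store
  description: string;
}

// Central registry: adding a secret means adding one entry here and nothing else.
export const runtimeSecrets: Record<string, SecretSpec> = {
  DATABASE_URL: { owner: "pulumi", description: "connection string emitted by the DB resource" },
  LB_TLS_CERT: { owner: "pulumi", description: "certificate issued during provision" },
  SMTP_PASSWORD: { owner: "manual", description: "operator-supplied, rotated out of band" },
};

// Derived from the registry rather than hand-maintained in a second file.
export const KNOWN_SECRET_KEYS: ReadonlySet<string> = new Set(Object.keys(runtimeSecrets));

// Keys whose values Pulumi produces during provisioning (sorted for stable output).
export function pulumiOwnedKeys(): string[] {
  return Object.entries(runtimeSecrets)
    .filter(([, spec]) => spec.owner === "pulumi")
    .map(([key]) => key)
    .sort();
}

// Validate a parsed secrets YAML against the registry: unknown keys are reported
// instead of silently forwarded, manual secrets must be present because nothing
// else supplies them, and Pulumi-owned values must not be set by hand.
export function validateSecretsFile(file: Record<string, string>): string[] {
  const problems: string[] = [];
  for (const key of Object.keys(file)) {
    if (!KNOWN_SECRET_KEYS.has(key)) problems.push(`unknown secret key: ${key}`);
  }
  for (const [key, spec] of Object.entries(runtimeSecrets)) {
    if (spec.owner === "manual" && !(key in file)) problems.push(`missing manual secret: ${key}`);
    if (spec.owner === "pulumi" && key in file) problems.push(`pulumi-owned secret set by hand: ${key}`);
  }
  return problems;
}

// Constructed sample input: one valid manual secret and one stale key left over
// from a hand edit that was never registered.
export const sampleSecretsFile: Record<string, string> = {
  SMTP_PASSWORD: "example-only",
  OLD_API_KEY: "left over from a hand edit",
};
```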