fix: prevent port 8000 wipe by avoiding ForceNew on InstancePublicPorts#42
Merged
Conversation
port_info is ForceNew in the Pulumi/Terraform AWS provider — adding or removing entries triggers a resource replacement. The default create-before-delete order causes the delete step to wipe ports set by the create (PutInstancePublicPorts is a replace-all API). This is a known issue (pulumi/pulumi-aws#1511). Two-layer fix: 1. Always keep both port entries — map SSH_CIDRS=none to a non-routable CIDR (192.0.2.1/32, RFC 5737 TEST-NET) instead of removing the entry. Only cidrs changes, which is NOT ForceNew. 2. Add deleteBeforeReplace as a safety net — if a replacement is ever triggered by other changes, delete-old runs first so create-new sets the final state correctly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
aliasunder
force-pushed
the
fix/lightsail-ports-forcenew
branch
from
b57d08e to
0c200ce
Compare
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
aliasunder
force-pushed
the
fix/lightsail-ports-forcenew
branch
from
0c200ce to
099e28b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
port_infoisForceNewin the Pulumi/Terraform AWS provider — adding or removing entries triggers a resource replacement (delete → create). The default create-before-delete order causes the delete step to wipe the newly created ports becausePutInstancePublicPortsis a replace-all API. This is a known Pulumi bugSSH_CIDRS=none, triggering replacement and leaving port 8000 closed (503 on healthcheck)Fix (two layers)
SSH_CIDRS=noneto a non-routable CIDR (192.0.2.1/32, RFC 5737 TEST-NET) instead of removing the entry. Sincecidrsis NOTForceNew, this is an in-place update — no replacement ever triggereddeleteBeforeReplace: true— safety net for any future replacement trigger. Reverses the order to delete-old → create-new so the create happens last and sticksTest plan
npm run build+npm run lint+npm testpassSSH_CIDRSunset → both ports open at0.0.0.0/0SSH_CIDRS=none→ port 22 CIDRs set to192.0.2.1/32, port 8000 unchanged at0.0.0.0/0aws lightsail get-instance-port-statesthat both ports are always present🤖 Generated with Claude Code