@celilo/cli 0.5.0-alpha.0 → 0.5.0-alpha.2

package/src/templates/generator.ts

@@ -6,6 +6,7 @@ import { and, eq } from 'drizzle-orm';
 import { generateInventory } from '../ansible/inventory';
 import { generateAnsibleSecrets } from '../ansible/secrets';
 import { log } from '../cli/prompts';
+import { getModuleStoragePath } from '../config/paths';
 import { type DbClient, getDb } from '../db/client';
 import {
   capabilities,
@@ -195,12 +196,69 @@ export function injectProxmoxLxcDns(content: string, hasNameserver: boolean): st
     // schema attributes in telmate ~>2.9 and `terraform validate` rejects them.
     // `nameserver` stays for the original DNS reason; `rootfs.size` is NOT ignored
     // so a disk grow still applies in place.
-    injected.push(`${inner}  ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]`);
+    // ISS-0089: also ignore `ssh_public_keys` — it's ForceNew, and on a module
+    // deployed before the current fleet key, the LXC's birth keys differ from the
+    // regenerated config, forcing a spurious REPLACE on redeploy. Rotating the
+    // authorized keys must never recreate the container. We do NOT ignore
+    // `target_node` — a node change is real and is handled by migration (ISS-0090),
+    // never silently dropped.
+    injected.push(
+      `${inner}  ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]`,
+    );
     injected.push(`${inner}}`);
     return injected.join('\n');
   });
 }
 
+/**
+ * Extract the node a proxmox_lxc resource is deployed on from a parsed terraform
+ * state object. Pure logic (Rule 10), split from the file read for testability.
+ * Prefers the explicit `target_node` attribute; falls back to parsing the
+ * resource id (`<node>/lxc/<vmid>`). Returns null when there's no proxmox_lxc
+ * resource (e.g. an empty/fresh state).
+ */
+export function targetNodeFromTfState(state: {
+  resources?: Array<{
+    type?: string;
+    instances?: Array<{ attributes?: { target_node?: string; id?: string } }>;
+  }>;
+}): string | null {
+  const lxc = state.resources?.find((r) => r.type === 'proxmox_lxc');
+  const attrs = lxc?.instances?.[0]?.attributes;
+  if (!attrs) {
+    return null;
+  }
+  if (attrs.target_node) {
+    return attrs.target_node;
+  }
+  // id format: "<node>/lxc/<vmid>"
+  return attrs.id?.split('/')[0] || null;
+}
+
+/**
+ * Read the node a module's container is currently deployed on, from its terraform
+ * state file. This is celilo's authoritative record of placement (ISS-0090).
+ * Returns null when no state exists yet (a first deploy) or it can't be read —
+ * the caller then falls back to the service `default_target_node`.
+ */
+async function readDeployedTargetNode(moduleId: string): Promise<string | null> {
+  const statePath = join(
+    getModuleStoragePath(),
+    moduleId,
+    'generated',
+    'terraform',
+    'terraform.tfstate',
+  );
+  if (!existsSync(statePath)) {
+    return null;
+  }
+  try {
+    return targetNodeFromTfState(JSON.parse(await readFile(statePath, 'utf-8')));
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Discover template files in directory recursively
  *
@@ -638,9 +696,28 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
         storage: string;
       };
 
+      // ISS-0090: target the node the container ACTUALLY lives on, not the
+      // service default. `default_target_node` governs only NEW placement; a
+      // changed default must NEVER relocate a running system. celilo's terraform
+      // state is its authoritative record of where it placed this container (kept
+      // in sync by deploy and by `module migrate`), so read the deployed node from
+      // there. Fall back to the default only when there's no state yet — a first
+      // deploy. Deliberate relocation is an explicit `module migrate`, not a
+      // side-effect of the default changing.
+      let targetNode = providerConfig.default_target_node;
+      const deployedNode = await readDeployedTargetNode(moduleId);
+      if (deployedNode) {
+        if (deployedNode !== targetNode) {
+          log.info(
+            `${moduleId} is already deployed on node '${deployedNode}' — targeting it (service default is '${providerConfig.default_target_node}'). Relocating requires a deliberate migration.`,
+          );
+        }
+        targetNode = deployedNode;
+      }
+
       // Store provider config values as temporary config (similar to IPAM allocation)
       const infraProperties = [
-        { key: 'target_node', value: providerConfig.default_target_node },
+        { key: 'target_node', value: targetNode },
         { key: 'lxc_template', value: providerConfig.lxc_template },
         { key: 'storage', value: providerConfig.storage },
       ];
@@ -649,9 +726,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
         upsertModuleConfig(db, moduleId, `__infra_${prop.key}`, prop.value);
       }
 
-      log.success(
-        `Infrastructure properties resolved from service: target_node=${providerConfig.default_target_node}`,
-      );
+      log.success(`Infrastructure properties resolved from service: target_node=${targetNode}`);
     }
   }