Background
DropletDriver.Diff cannot detect drift on the following Droplet config keys because the godo Read API does not surface them in the returned *godo.Droplet:
- user_data — write-only at create time, not exposed via Droplet.Get
- ssh_keys — Droplet API returns no SSH key list post-create
- monitoring — no dedicated boolean field on godo.Droplet
- ipv6 — no dedicated boolean field on godo.Droplet (presence of an IPv6 network address is unreliable as a signal because some images allocate it whether or not IPv6: true was requested)
As a result, changing any of these in the YAML config after the Droplet is created produces no plan action — the Droplet keeps running the original cloud-init / SSH key list / observability flag set.
Workarounds (today)
Operators must taint the Droplet manually (or delete + re-apply) when they need to change one of these fields. The Diff Doc-comment now spells this out and links to this issue.
Resolution path
Implement strict drift detection here once one of:
- godo upstream exposes any of these fields on Droplet.Get (subscribe to https://github.com/digitalocean/godo for new fields), OR
- We add a side-channel state file that persists the desired-config snapshot for these keys (similar to what Terraform / Pulumi do), so Diff can compare desired-vs-snapshot rather than desired-vs-API-Read.
Option 2 is more invasive (introduces a new persistence concern) but is the only path that doesn't require an upstream API change.
Reference
Copilot review round-2 finding #8 on PR #55. See internal/drivers/droplet.go Diff comment + // TODO(workflow-plugin-digitalocean#NNN) reference.
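Option 2 from the resolution path, as an added example (not the plugin's own code): Diff compares the desired config against a persisted snapshot instead of the API Read. The names WriteOnly, Snapshot, Take and Drifted are hypothetical, and storing per-key digests rather than raw values is an assumption of this example so that secrets in user_data stay out of the state file.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// WriteOnly holds the keys Droplet.Get does not return (hypothetical type).
type WriteOnly struct {
	UserData         string
	SSHKeys          []string
	Monitoring, IPv6 bool
}

// Snapshot maps each key to a SHA-256 digest, so secrets embedded in
// user_data are never written to the state file in clear text.
type Snapshot map[string]string

func digest(s string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(s))) }

// Take builds the snapshot to persist after a successful create.
func Take(w WriteOnly) Snapshot {
	keys := append([]string(nil), w.SSHKeys...)
	sort.Strings(keys) // reordering ssh_keys in YAML is not drift
	return Snapshot{
		"user_data":  digest(w.UserData),
		"ssh_keys":   digest(strings.Join(keys, "\n")),
		"monitoring": digest(fmt.Sprint(w.Monitoring)),
		"ipv6":       digest(fmt.Sprint(w.IPv6)),
	}
}

// Drifted lists, sorted, the keys whose desired value no longer matches the
// snapshot. A key absent from an older snapshot counts as drifted.
func Drifted(desired WriteOnly, prev Snapshot) []string {
	var out []string
	for k, v := range Take(desired) {
		if prev[k] != v {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample values, not taken from any real Droplet.
	prev := Take(WriteOnly{UserData: "#cloud-config\n", SSHKeys: []string{"fp-b", "fp-a"}})
	want := WriteOnly{UserData: "#cloud-config\npackages: [ufw]\n", SSHKeys: []string{"fp-a", "fp-b"}, IPv6: true}
	fmt.Println(Drifted(want, prev)) // [ipv6 user_data]
}
```

A snapshot only records what was last applied through this tool; changes made to the Droplet out of band remain invisible to it.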