docs(tailscale): Phase 1.5 apply ops verification #7267
Document apply success evidence (workflow runs, resources created), WIF verification procedure (argocd-diff flow), and finalize rollback procedures. Update CLAUDE.md to reflect Phase 1.5 completion status.

Ref: PR #7263, PR #7266, T-20260227-014
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ACL was already created in the failed run #22478747958 and persisted in state. The successful run #22479672276 only added the remaining 3 resources. Corrected to avoid misleading incident/rollback analysis.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 566e40e6dc
| 1. **Tailscale 管理コンソール** で以下を手動削除: | ||
| - Trust Credential (WIF) | ||
| - ACL policy のカスタムルール | ||
| 2. **AWS SSM Parameter Store** で `/lolice/tailscale/subnet-router-auth-key` を手動削除 |
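Review bot: Step 1 tells the operator to delete the custom ACL rules in the Tailscale admin console but does not say what policy the tailnet should end up with. Given the commit note that the ACL was created by the failed run and persisted in state, the rollback should name the target policy (the pre-Phase-1.5 policy file, or a specific version to restore) rather than only "delete the custom rules", so the tailnet is not left with a partially edited policy that nobody can reproduce later.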
Delete tailnet auth key before removing it from Terraform state

In section 3.3, the manual cleanup list removes the WIF credential and ACL but does not remove the Tailscale auth key, even though the next step runs `terraform state rm tailscale_tailnet_key.subnet_router`. In a state-repair rollback, this leaves a reusable preauthorized key orphaned in the tailnet while Terraform no longer tracks it, which weakens rollback completeness and can leave active credentials behind.
| ```bash | ||
| terraform state rm tailscale_acl.this | ||
| terraform state rm tailscale_federated_identity.github_actions_argocd_diff | ||
| terraform state rm tailscale_tailnet_key.subnet_router | ||
| terraform state rm aws_ssm_parameter.subnet_router_auth_key |
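Review bot: The four `terraform state rm` commands are followed by no verification step, so an operator has no way to confirm the state repair did what section 3.3 expects. Add a `terraform plan` after the last `state rm` and document the expected outcome for this rollback (the four resources shown as additions if their configuration remains, or no changes if the configuration is removed as well); an unexpected plan at that point is the signal that the wrong state or workspace was edited.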
Enter tailscale workspace before running state rm commands

The state-repair procedure starts with `terraform state rm` commands but does not establish the Terraform working directory/backend context in this section. If an operator follows 3.3 from a fresh shell (not from 3.2), these commands can target the wrong state or fail unexpectedly, which is risky during rollback. Add an explicit `cd terraform/tailscale/lolice/` (or `terraform -chdir=...`) before the state operations.
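A guarded form of the section 3.3 state-repair step, as an added example that is not code from PR #7267 or the review: it pins the Terraform root with `-chdir`, checks that all four addresses from the PR's code block are actually tracked in that state before removing anything, and refuses to run otherwise. The root path `terraform/tailscale/lolice` is taken from the comment above; `DRY_RUN` is a hypothetical switch added here.

```shell
#!/usr/bin/env sh
# Added example (not from PR #7267). Guarded state repair for the rollback
# in section 3.3: verify the Terraform root and the state contents before
# any `terraform state rm`, so a fresh shell cannot edit the wrong state.
TF_DIR="${TF_DIR:-terraform/tailscale/lolice}"   # root named in the review

# Resource addresses the rollback removes (from the PR's code block).
EXPECTED_ADDRS="tailscale_acl.this
tailscale_federated_identity.github_actions_argocd_diff
tailscale_tailnet_key.subnet_router
aws_ssm_parameter.subnet_router_auth_key"

# missing_addresses: reads `terraform state list` output on stdin and prints
# every expected address that is absent. Empty output means the state is the
# tailscale workspace and removal can proceed.
missing_addresses() {
  state=$(cat)
  printf '%s\n' "$EXPECTED_ADDRS" | while IFS= read -r addr; do
    printf '%s\n' "$state" | grep -qxF -- "$addr" || printf '%s\n' "$addr"
  done
}

# repair_state: safe to call from any directory. Aborts unless TF_DIR exists
# and its state tracks all four resources. DRY_RUN=1 (hypothetical switch)
# prints the commands instead of running them.
repair_state() {
  if [ ! -d "$TF_DIR" ]; then
    echo "no Terraform root at $TF_DIR" >&2
    return 1
  fi
  missing=$(terraform -chdir="$TF_DIR" state list | missing_addresses)
  if [ -n "$missing" ]; then
    echo "refusing to run: not tracked in $TF_DIR state:" >&2
    printf '  %s\n' $missing >&2
    return 1
  fi
  # state rm does not revoke the tailnet key; delete it in the Tailscale
  # admin console before untracking it, as the review above points out.
  printf '%s\n' "$EXPECTED_ADDRS" | while IFS= read -r addr; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "terraform -chdir=$TF_DIR state rm $addr"
    else
      terraform -chdir="$TF_DIR" state rm "$addr"
    fi
  done
}
```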
Summary
Changes
New: docs/project_docs/T-20260227-014/plan.md
Updated: CLAUDE.md
Related
Test plan
Generated with Claude Code