LPX-695: destroy:app — never tear down the hosted zone, withdraw only its records#162
Open
stevethomas wants to merge 1 commit into
…rds (LPX-695)

A hosted zone is domain-level infrastructure — the registrar's NS delegation points at it, and the domain's email/verification DNS and any sibling environment's records all live in it — so it outlives any single app. The previous teardown deleted the whole zone when it was "pure-YOLO", which is the wrong call: app teardown should withdraw only the records YOLO inserted and leave the zone (and everything else in it) standing. (YOLO *does* create the zone on first sync — SyncHostedZoneStep — but create ≠ own-to-destroy, exactly like the BYO data bucket.)

- HostedZone no longer implements Deletable. `removeAppRecords()` deletes only this app's A/AAAA records (canonical host + apex/www sibling); the zone is never deleted. `appRecordsExist()` is the plan/re-run check.
- TeardownHostedZoneStep withdraws those records (no ownership gate, no zone deletion — the fail-open/fail-closed concern is moot once nothing deletes the zone; we only ever touch this app's own record names).
- Arch invariant: HostedZone joins S3Bucket as a deliberate non-Deletable App-scoped resource, asserted directly so the exclusion can't rot.
- Docs updated (the teardown order + a "zone is never deleted" preservation note).

This also supersedes the two Route 53 review blockers from #158 (fail-open ownership read; wiping all DNS records) — both vanish when the zone is never deleted.

Full suite 1351 green; Pint/Rector/PHPStan clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Hey, I made a thing! 🥳
Follow-up to the merged #158. (LPX-695)
What problems are you solving?
`destroy:app` could delete the whole Route 53 hosted zone (when it was reduced to NS/SOA). That's the wrong call: a hosted zone is domain-level infrastructure — the registrar's NS delegation points at it, and the domain's email/verification DNS and any sibling environment's records all live in it — so it outlives any single app. App teardown should withdraw only the records YOLO inserted and leave the zone standing.

`SyncHostedZoneStep`), but create ≠ own-to-destroy here — same stance as the BYO data bucket.

Is there anything the reviewer needs to know to deploy this?

`destroy:app`'s Route 53 teardown behaviour changes (and `destroy:app` is admin-tier, human-gated, not in any automated path).

- `HostedZone` no longer implements `Deletable`. New `removeAppRecords()` deletes only this app's A/AAAA records (canonical host + apex/www sibling); the zone is never deleted.
- `TeardownHostedZoneStep` withdraws those records — no ownership gate (it only ever touches this app's own record names, so the shared-zone hazard is gone).
- `HostedZone` joins `S3Bucket` as a deliberate non-`Deletable` App-scoped resource, asserted directly so the exclusion can't rot.

🤖 Generated with Claude Code
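The record-only withdrawal described above, as an added Python example that is not YOLO's own code (the project is PHP): it builds the DELETE-only change batch that `route53.change_resource_record_sets` accepts, restricted to A/AAAA at the canonical host and its apex/www sibling, with an `app_records_exist` plan/re-run check. The `apex` parameter, the `ALIAS` target and the `ZONE` listing are constructed assumptions, not values from the PR.

```python
# Added example, not YOLO's code: the "withdraw only this app's records" rule as a
# Route 53 ChangeBatch. Zone contents and target names below are constructed.
APP_RECORD_TYPES = {"A", "AAAA"}

def fqdn(name: str) -> str:
    """Normalise to the trailing-dot form Route 53 stores record names in."""
    return name.lower().rstrip(".") + "."

def app_record_names(canonical_host: str, apex: str) -> set[str]:
    """Canonical host plus its apex/www sibling; any other name is not ours."""
    host, apex = fqdn(canonical_host), fqdn(apex)
    names = {host}
    if host == apex:
        names.add("www." + apex)
    elif host == "www." + apex:
        names.add(apex)
    return names

def app_records(record_sets: list[dict], canonical_host: str, apex: str) -> list[dict]:
    """Only A/AAAA at this app's names; NS/SOA/MX/TXT and sibling envs are untouched."""
    names = app_record_names(canonical_host, apex)
    return [r for r in record_sets
            if fqdn(r["Name"]) in names and r["Type"] in APP_RECORD_TYPES]

def app_records_exist(record_sets: list[dict], canonical_host: str, apex: str) -> bool:
    """Plan/re-run check: is there anything left for teardown to withdraw?"""
    return bool(app_records(record_sets, canonical_host, apex))

def remove_app_records_batch(record_sets: list[dict], canonical_host: str, apex: str) -> dict:
    """ChangeBatch for route53.change_resource_record_sets: one DELETE per app record,
    each echoing the stored record set exactly. There is no DeleteHostedZone on this path."""
    return {"Changes": [{"Action": "DELETE", "ResourceRecordSet": r}
                        for r in app_records(record_sets, canonical_host, apex)]}

# Constructed listing of a shared zone: delegation, mail verification, this app's
# apex + www records and a sibling environment's record all live side by side.
ALIAS = {"HostedZoneId": "Z00PLACEHOLDER", "DNSName": "alb.example.invalid.",
         "EvaluateTargetHealth": False}
ZONE = [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.example.invalid."}]},
    {"Name": "_amazonses.example.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": '"constructed-verification-token"'}]},
    {"Name": "example.com.", "Type": "A", "AliasTarget": ALIAS},
    {"Name": "www.example.com.", "Type": "A", "AliasTarget": ALIAS},
    {"Name": "www.example.com.", "Type": "AAAA", "AliasTarget": ALIAS},
    {"Name": "staging.example.com.", "Type": "A", "AliasTarget": ALIAS},
]
```

Running the batch against the constructed zone removes three records (apex A, www A, www AAAA) and leaves NS, the TXT verification record and the staging sibling in place; a host that is neither apex nor www gets no sibling and withdraws only its own name.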