diff --git a/docs/superpowers/plans/2026-06-18-hermes-agent-lxc.md b/docs/superpowers/plans/2026-06-18-hermes-agent-lxc.md index c008fb6..8ec97d1 100644 --- a/docs/superpowers/plans/2026-06-18-hermes-agent-lxc.md +++ b/docs/superpowers/plans/2026-06-18-hermes-agent-lxc.md @@ -277,12 +277,19 @@ git commit -m "feat: add Hermes Agent LXC outputs" - [ ] **Step 1: Review the plan** Run: `terraform plan` -Expected: plan shows `2 to add` — `proxmox_virtual_environment_download_file.debian12_template_gihyeon` and `proxmox_virtual_environment_container.hermes`. **0 to change, 0 to destroy.** Confirm it does NOT touch `proxmox_virtual_environment_container.pbs`. +Expected: `2 to add` — `proxmox_virtual_environment_download_file.debian12_template_gihyeon` and `proxmox_virtual_environment_container.hermes`. -- [ ] **Step 2: Apply** +> ⚠️ **Known pre-existing drift:** the plan ALSO shows `1 to change` — `proxmox_virtual_environment_container.pbs` disk `size = 48 -> 16`. The live PBS rootfs is 48GB but `pbs.tf` declares 16GB. A blanket apply would try to **shrink** the PBS disk (dangerous). Do NOT untargeted-apply. Reconcile separately by setting `pbs.tf` `size = 48` to match reality (no infra change), or leave it and always target hermes. -Run: `terraform apply` -Expected: `Apply complete! Resources: 2 added, 0 changed, 0 destroyed.` Outputs include `hermes_container_id = 118`. +- [ ] **Step 2: Apply (TARGETED to hermes only)** + +Run: +```bash +terraform apply \ + -target=proxmox_virtual_environment_download_file.debian12_template_gihyeon \ + -target=proxmox_virtual_environment_container.hermes +``` +Expected: `Apply complete! Resources: 2 added, 0 changed, 0 destroyed.` Outputs include `hermes_container_id = 118`. The `-target` flags ensure the PBS disk drift is NOT touched. > If apply errors with a permission/`root@pam`-only message on any container attribute, STOP — it means an attribute in `hermes.tf` is host-restricted. The skeleton here is intentionally limited to attributes the PBS container already created successfully via the same token, so this is not expected.