On Wed, Apr 29, 2015, at 11:22, Martin wrote:
> Hi,
>
> how about doing something like this:
>
> 1. wrap the actual playbook run
> 2. run only through wrapper!!
> 3. tag in version control
>
> You might want to swap steps 2 and 3 depending on your requirements.
> Basically it resembles a rather basic CI environment where any build
> (regardless of outcome) triggers a tag in your preferred SCM.
>
It gets really hard to draw the line; at some point you have to say "we trust that the person with access to run the playbook is not malicious", because if you require a wrapper (ours will be Tower), someone with ssh access could run without Tower to get around it... and if they can do that, why couldn't they disable the additional logging, modules, etc.? There will always be someone with access to bypass these controls, so I'd like not to add too much complication to the design.

I'm also a little concerned about the insane amount of noise introduced into the VCS with automatic commits like that, but it's something I've also been thinking about. If I can show that the log indicates the run results and what the playbook looked like, it will pacify those with concerns, so that's the current goal.

Thanks for the idea, though.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/1430325534.4068857.260252389.5EB8938C%40webmail.messagingengine.com.
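As an added example, not code from the thread, from Martin, or from the Ansible project: a wrapper in the spirit of steps 1 and 3 of the quoted message that produces the kind of log the reply is after, i.e. a record per run of what the playbook looked like (sha256 of the file as executed, plus the git commit and dirty state of the checkout when there is one) and how the run ended, written whatever the exit status. Tagging in version control is optional. The function names, the JSON record fields and the tag name format are assumptions made here; the playbook and the stand-in runners in demo() are constructed so the example runs without Ansible or git.

```python
"""Audit wrapper for playbook runs (added example, not the thread's own code).

One JSON line per run: who, when, the playbook's sha256, the git commit of
the checkout (if any), the exact argv and the exit status. Names, record
fields and the tag format are assumptions made for this example.
"""
import datetime
import getpass
import hashlib
import json
import os
import subprocess
import sys
import tempfile


def sha256_file(path):
    """Hash of the playbook bytes actually executed, independent of git."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def git_state(path):
    """Commit id of the checkout containing path and whether it has
    uncommitted changes; None when git is missing or path is not in a repo."""
    cwd = os.path.dirname(os.path.abspath(path))
    try:
        head = subprocess.run(["git", "rev-parse", "HEAD"], cwd=cwd,
                              capture_output=True, text=True, check=True)
        status = subprocess.run(["git", "status", "--porcelain"], cwd=cwd,
                                capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return {"commit": head.stdout.strip(), "dirty": bool(status.stdout.strip())}


def current_user():
    try:
        return getpass.getuser()
    except Exception:  # no passwd entry, e.g. in a minimal container
        return "uid:%d" % os.getuid() if hasattr(os, "getuid") else "unknown"


def run_audited(playbook, log_path, runner=("ansible-playbook",),
                extra_args=(), tag=False):
    """Run `runner playbook extra_args...` and append the audit record to
    log_path. The record is written regardless of outcome. Returns it."""
    record = {
        "time": datetime.datetime.now(datetime.timezone.utc)
                .isoformat(timespec="seconds"),
        "user": current_user(),
        "playbook": os.path.abspath(playbook),
        "playbook_sha256": sha256_file(playbook),  # hashed before the run
        "git": git_state(playbook),
        "argv": list(runner) + [playbook] + list(extra_args),
    }
    record["rc"] = subprocess.run(record["argv"]).returncode
    if tag and record["git"]:
        # Assumed tag format: run-<utc time>-rc<status> (':' is not legal
        # in a git ref name). The full record goes into the tag message.
        name = "run-%s-rc%d" % (record["time"].replace(":", ""), record["rc"])
        subprocess.run(["git", "tag", "-a", name, "-m", json.dumps(record)],
                       cwd=os.path.dirname(record["playbook"]))
        record["tag"] = name
    with open(log_path, "a") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def demo():
    """Constructed playbook plus stand-in runners (python exiting 0 and 2)
    so the wrapper can be exercised offline. Returns what was logged."""
    content = "- hosts: all\n  tasks:\n  - debug: msg=hello\n"  # constructed
    with tempfile.TemporaryDirectory() as d:
        playbook = os.path.join(d, "site.yml")
        with open(playbook, "w") as f:
            f.write(content)
        log = os.path.join(d, "runs.log")
        ok = run_audited(playbook, log,
                         runner=(sys.executable, "-c", "import sys; sys.exit(0)"))
        failed = run_audited(playbook, log,
                             runner=(sys.executable, "-c", "import sys; sys.exit(2)"))
        with open(log) as f:
            logged = [json.loads(line) for line in f]
    expected = hashlib.sha256(content.encode()).hexdigest()
    return {"ok_rc": ok["rc"], "failed_rc": failed["rc"], "logged": len(logged),
            "hash_matches": all(r["playbook_sha256"] == expected for r in logged)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record carries the playbook hash rather than only a commit id because, as the reply notes, a run may be started from a working tree that differs from anything committed; the `dirty` flag makes that visible. This does nothing about the bypass the reply describes: anyone who can run `ansible-playbook` directly over ssh simply never appears in this log, so the wrapper only makes runs that go through it accountable.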
