I'm working with ansible in some environments rather sensitive to
security/auditing and we have some significant controls designed around
playbooks working their way up to QA/Prod environments, but our test
environment of course needs to have some looser controls while we work
the kinks out of our playbooks.
I'm looking for a way to not only log the playbook run itself, but the
entire contents of the playbook so if an event somehow occurs and
something unsavory works its way into the dev environment we can see
what the playbook contents were at the exact time of the playbook run.
I may also consider settling for good, readable command line output of
exactly what was run; the playbook stdout is simply not sufficient.
Does anyone have any suggestions on how I could achieve this?
You might want to swap steps 2 and 3 depending on your requirements. Basically it resembles a rather basic CI environment where any build (regardless of outcome) triggers a tag in your preferred SCM.
It gets really hard to draw the line; at some point you have to say "we
trust the person with access to run the playbook is not malicious"
because if you require a wrapper (ours will be Tower) someone with ssh
access could run without Tower to get around it... and if they can do
that, why couldn't they disable the additional logging, modules, etc?
There will always be someone with access to bypass these controls, so
I'd like to not add too much complication to the design. I'm also a
little concerned about the insane amount of noise introduced into the
VCS with automatic commits like that, but it's something I've also been
thinking about.
If I can show that the log indicates the run results and what the
playbook looked like it will pacify those with concerns, so that's the
current goal.
One of the talks at our first Ansible meetup here in Berlin was about this very topic, more or less. The guys were using an Ansible callback plugin to save the playbook run output in Elasticsearch.
I’m not sure if they managed to open-source their work yet, but here’s another plugin doing that: https://gist.github.com/metmajer/7da2f9599c2d75d80ee5
I wouldn’t go for a wrapper. Callback plugins are so much more elegant.
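A callback plugin of the kind described above can also capture the playbook text itself, which is what the original question asks for. What follows is an added example written for this page, not the linked gist's code or anything posted in the thread: a hypothetical Ansible 2.x callback plugin (the plugin name `audit_snapshot`, the log path `/var/log/ansible/audit.jsonl` and the `ANSIBLE_AUDIT_LOG` override are all assumptions) that appends one JSON line per event to an audit log. At playbook start it records the full text and SHA-256 of the playbook plus digests of every YAML/template file under its directory, since roles and included task files are part of what actually ran; afterwards it records every task result. `playbook._file_name`, `result._task`, `result._host` and `result._result` are the objects the Ansible 2.x callback API hands over. `demo()` exercises the helpers on a constructed playbook tree and shows the auditor's check: the recorded hash matches the file before it is edited and no longer matches afterwards.

```python
import hashlib
import json
import os
import socket
import tempfile
import time
import uuid

try:
    from ansible.plugins.callback import CallbackBase  # Ansible's real base class
except ImportError:  # stand-in so the helpers below also run without Ansible installed
    CallbackBase = object

AUDIT_LOG = os.environ.get("ANSIBLE_AUDIT_LOG", "/var/log/ansible/audit.jsonl")  # assumed; env var is hypothetical

def snapshot_playbook(path):
    """Absolute path, SHA-256 and full text of the playbook as it is on disk right now."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": os.path.abspath(path), "sha256": hashlib.sha256(data).hexdigest(),
            "content": data.decode("utf-8", errors="replace")}

def snapshot_tree(root, exts=(".yml", ".yaml", ".j2")):
    """Digest every YAML/template under root: roles and included files are part of what ran."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def make_record(event, run_id, **fields):
    """One audit record; who, where and when go on every line (SUDO_USER survives sudo)."""
    user = os.environ.get("SUDO_USER") or os.environ.get("USER") or "uid:%d" % os.getuid()
    rec = {"ts": time.time(), "controller": socket.gethostname(), "user": user,
           "run_id": run_id, "event": event}
    rec.update(fields)
    return rec

def append_record(log_path, record):
    """Append one JSON line; default=str copes with odd values inside a task result."""
    line = json.dumps(record, sort_keys=True, default=str)
    with open(log_path, "a") as fh:
        fh.write(line + "\n")
    return line

def verify_snapshot(snap):
    """Auditor's check: does the file on disk still match what the run recorded?"""
    return os.path.isfile(snap["path"]) and snapshot_playbook(snap["path"])["sha256"] == snap["sha256"]

class CallbackModule(CallbackBase):
    CALLBACK_VERSION = 2.0
    CALLBACK_TYPE = "notification"
    CALLBACK_NAME = "audit_snapshot"  # hypothetical plugin name
    CALLBACK_NEEDS_WHITELIST = True   # named CALLBACK_NEEDS_ENABLED from Ansible 2.11 on

    def __init__(self):
        super(CallbackModule, self).__init__()
        self.run_id = uuid.uuid4().hex

    def v2_playbook_on_start(self, playbook):
        path = os.path.abspath(playbook._file_name)  # private, but the bundled callbacks read it too
        append_record(AUDIT_LOG, make_record("playbook_start", self.run_id,
                      playbook=snapshot_playbook(path), tree=snapshot_tree(os.path.dirname(path))))

    def _task(self, status, result):
        payload = {"censored": True} if result._task.no_log else result._result  # honour no_log
        append_record(AUDIT_LOG, make_record("task_result", self.run_id, status=status,
                      host=result._host.get_name(), task=result._task.get_name(), result=payload))

    def v2_runner_on_ok(self, result):
        self._task("ok", result)

    def v2_runner_on_failed(self, result, ignore_errors=False):
        self._task("failed", result)

def demo():
    """Exercise the helpers on a constructed playbook tree in a temp dir (sample data only)."""
    work = tempfile.mkdtemp()
    os.makedirs(os.path.join(work, "roles", "common", "tasks"))
    playbook = os.path.join(work, "site.yml")
    with open(playbook, "w") as fh:
        fh.write("- hosts: all\n  roles:\n    - common\n")
    with open(os.path.join(work, "roles", "common", "tasks", "main.yml"), "w") as fh:
        fh.write("- name: install sshd\n  package:\n    name: openssh-server\n")
    log, run_id = os.path.join(work, "audit.jsonl"), uuid.uuid4().hex
    snap = snapshot_playbook(playbook)
    append_record(log, make_record("playbook_start", run_id, playbook=snap, tree=snapshot_tree(work)))
    before = verify_snapshot(snap)
    with open(playbook, "a") as fh:  # simulate someone editing the playbook after the run
        fh.write("    - added_after_the_run\n")
    with open(log) as fh:
        records = [json.loads(line) for line in fh if line.strip()]
    return {"run_id": run_id, "records": records,
            "verified_before": before, "verified_after": verify_snapshot(snap)}
```

Drop the file into a `callback_plugins/` directory next to the playbook (or onto the `callback_plugins` path in ansible.cfg) and enable it with `callback_whitelist = audit_snapshot` (`callbacks_enabled` in newer releases). The bypass concern raised earlier in the thread still applies: the plugin only helps if the log lands somewhere the person running the playbook cannot rewrite, such as a root-owned append-only file or a remote collector like the Elasticsearch setup mentioned above. Tasks marked `no_log` are recorded as censored, so the audit log does not turn into a second copy of the secrets.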