Thanks Dick, 'policy scar tissue' :') Thats great, I am going to use that. It's more that we have had no CM, it all been manual in the past. Have tried to say by implementing Ansible we do no need the complete separation, so will have to prove it. The agentless of ansible was the key point for me in going with it.
On Wednesday, February 17, 2016 at 12:14:17 AM UTC+13, Dick Davies wrote: > > We run the same playbooks against 7 (!) various staging environments, > with a different inventory > for each. Per-environment config goes into the inventory under the > [all:vars] key - including things > like versions of RPMs etc. > > SSH credentials are managed out of band, but there's a central git > repo to hold all this that can > be checked out to a bastion host on the relevant environment. > > We've occasionally branched the repo to allow big changes in playbook > structure to be proven > on dev. environment configs but try to merge those into master asap. > > As others have said, a playbook per environment is likely to involve > unproven playbook > runs against production. > > (as an aside, the restrictions you are being presented with sound like > 'policy scar tissue' after someone > got burned by a different CM solution like Puppet or Chef. The > agentless nature of Ansible makes > it a lot less likely a change can 'leak' into prod without some > operator explicitly wanting it). > > On 14 February 2016 at 20:23, Byron Mabbett <mab...@gmail.com > <javascript:>> wrote: > > HI All, > > First post and we are looking to implement Ansible into a new cloud > > environment for multiple legacy systems. > > > > Sorry but there is a bit of a story first and this is more a > setup/component > > architecture question as we have a security constraint that production > and > > non-production data centers can never talk to each other. Meaning > components > > such as version control and configuration management have to have two > > instances (prod and non-prod) with separate login's etc and syncing > taking > > place between them. > > > > I think this is mad, and have managed to talk them down to have only one > > version control instance. > > > > However, compromise was a prod and non prod Ansible, which we can sort > of > > justify, as we have a lack of maturity with tools as we are just > starting to > > implement Ansible. > > > > Do others have experience in running two instances of Ansible, and > keeping > > common config in sync? > > > > eg: > > 1. One source repository for Ansible config containing both prod and > > non-prod config > > 2. Two source repository's for Ansible config, one prod and one non-prod > > config > > > > Any steer's appreciated. > > > > Cheers > > Byron > > > > -- > > You received this message because you are subscribed to the Google > Groups > > "Ansible Project" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ansible-proje...@googlegroups.com <javascript:>. > > To post to this group, send email to ansible...@googlegroups.com > <javascript:>. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/ansible-project/ea685c2a-0084-49b6-b692-1934c366d45f%40googlegroups.com. > > > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/2194db62-7238-4b48-814e-c14134740da2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
