Fixes #38335 - Document Ansible Diff Mode template option #3758
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
Needs tech review
Open
6 tasks
bnerickson
force-pushed
the
ansible-diff-mode-doc
branch
from
a6abd6c to
99ec6d6
Compare
There was a problem hiding this comment.
Handing over to @aneta-petrova for additional style review regarding the emphasis.
| @@ -32,6 +32,13 @@ endif::[] | |||
| ifdef::satellite[] | |||
| For more information on Ansible check mode, see {RHDocsBaseURL}red_hat_ansible_automation_platform/latest/html-single/using_automation_execution/index[Using automation execution] in _Red{nbsp}Hat Ansible Automation Platform documentation_. | |||
| endif::[] | |||
| .. Select *Enable Ansible Diff Mode* to run jobs based on the template in Ansible diff mode, which reports detailed changes Ansible tasks make _if_ the underlying Ansible modules supports Ansible diff mode. If a module does not support Ansible diff mode, then the task will only report that a change occurred and nothing else. When used in conjunction with Ansible check mode, the Ansible playbook tasks report changes they _would_ have made to the host, and no changes are made to the host. Please note that if a task is used to deploy credentials and the task supports Ansible diff mode, then changes to the credentials _may_ be reported in clear text. This can be mitigated by adding `diff: false` or `no_log: true` to the task in question which will prevent change reports for that task. | |||
There was a problem hiding this comment.
Suggested change
| .. Select *Enable Ansible Diff Mode* to run jobs based on the template in Ansible diff mode, which reports detailed changes Ansible tasks make _if_ the underlying Ansible modules supports Ansible diff mode. If a module does not support Ansible diff mode, then the task will only report that a change occurred and nothing else. When used in conjunction with Ansible check mode, the Ansible playbook tasks report changes they _would_ have made to the host, and no changes are made to the host. Please note that if a task is used to deploy credentials and the task supports Ansible diff mode, then changes to the credentials _may_ be reported in clear text. This can be mitigated by adding `diff: false` or `no_log: true` to the task in question which will prevent change reports for that task. | |
| .. Select *Enable Ansible Diff Mode* to run jobs based on the template in Ansible diff mode, which reports detailed changes Ansible tasks make _if_ the underlying Ansible modules supports Ansible diff mode. | |
| If a module does not support Ansible diff mode, then the task will only report that a change occurred and nothing else. | |
| When used in conjunction with Ansible check mode, the Ansible playbook tasks report changes they _would_ have made to the host, and no changes are made to the host. | |
| Note that if a task is used to deploy credentials and the task supports Ansible diff mode, then changes to the credentials _may_ be reported in plain text. | |
| This can be mitigated by adding `diff: false` or `no_log: true` to the task in question which will prevent change reports for that task. |
Please conform to one sentence per line. I have also applied "plain" in favor of "clear" and dropped "please". I am currently unsure about the italic emphasis on certain words. To me, it strikes odd compared to most other modules.
There was a problem hiding this comment.
@maximiliankolb I noticed the "plain" vs "clear" text lint error, but "clear-text" is used more commonly when describing the transmission of unencrypted credentials which is what the line in the document is referring to. Isn't "plain-text" more of a way of describing un-formatted text and wouldn't apply here?
There was a problem hiding this comment.
Suggested change
| .. Select *Enable Ansible Diff Mode* to run jobs based on the template in Ansible diff mode, which reports detailed changes Ansible tasks make _if_ the underlying Ansible modules supports Ansible diff mode. If a module does not support Ansible diff mode, then the task will only report that a change occurred and nothing else. When used in conjunction with Ansible check mode, the Ansible playbook tasks report changes they _would_ have made to the host, and no changes are made to the host. Please note that if a task is used to deploy credentials and the task supports Ansible diff mode, then changes to the credentials _may_ be reported in clear text. This can be mitigated by adding `diff: false` or `no_log: true` to the task in question which will prevent change reports for that task. | |
| .. Select *Enable Ansible Diff Mode* to run jobs based on the template in Ansible diff mode. | |
| This mode reports detailed changes that Ansible tasks make if the underlying Ansible module supports Ansible diff mode. | |
| If a module does not support Ansible diff mode, the task only reports that a change occurred without providing details. | |
| When used with Ansible check mode, Ansible playbook tasks report the changes they would make to the host, but no actual changes occur. | |
| If a task deploys credentials and supports Ansible diff mode, the changes to the credentials may be reported in plain text. | |
| To prevent change reports for a task, add `diff: false` or `no_log: true` to the task. |
There was a problem hiding this comment.
"clear-text" is used more commonly when describing the transmission of unencrypted credentials
You make a good point! I am OK either way. Your call unless other maintainers voice a strong preference.
bangelic
suggested changes
Apr 2, 2025
| @@ -32,6 +32,13 @@ endif::[] | |||
| ifdef::satellite[] | |||
| For more information on Ansible check mode, see {RHDocsBaseURL}red_hat_ansible_automation_platform/latest/html-single/using_automation_execution/index[Using automation execution] in _Red{nbsp}Hat Ansible Automation Platform documentation_. | |||
| endif::[] | |||
| .. Select *Enable Ansible Diff Mode* to run jobs based on the template in Ansible diff mode, which reports detailed changes Ansible tasks make _if_ the underlying Ansible modules supports Ansible diff mode. If a module does not support Ansible diff mode, then the task will only report that a change occurred and nothing else. When used in conjunction with Ansible check mode, the Ansible playbook tasks report changes they _would_ have made to the host, and no changes are made to the host. Please note that if a task is used to deploy credentials and the task supports Ansible diff mode, then changes to the credentials _may_ be reported in clear text. This can be mitigated by adding `diff: false` or `no_log: true` to the task in question which will prevent change reports for that task. | |||
There was a problem hiding this comment.
Suggested change
| .. Select *Enable Ansible Diff Mode* to run jobs based on the template in Ansible diff mode, which reports detailed changes Ansible tasks make _if_ the underlying Ansible modules supports Ansible diff mode. If a module does not support Ansible diff mode, then the task will only report that a change occurred and nothing else. When used in conjunction with Ansible check mode, the Ansible playbook tasks report changes they _would_ have made to the host, and no changes are made to the host. Please note that if a task is used to deploy credentials and the task supports Ansible diff mode, then changes to the credentials _may_ be reported in clear text. This can be mitigated by adding `diff: false` or `no_log: true` to the task in question which will prevent change reports for that task. | |
| .. Select *Enable Ansible Diff Mode* to run jobs based on the template in Ansible diff mode. | |
| This mode reports detailed changes that Ansible tasks make if the underlying Ansible module supports Ansible diff mode. | |
| If a module does not support Ansible diff mode, the task only reports that a change occurred without providing details. | |
| When used with Ansible check mode, Ansible playbook tasks report the changes they would make to the host, but no actual changes occur. | |
| If a task deploys credentials and supports Ansible diff mode, the changes to the credentials may be reported in plain text. | |
| To prevent change reports for a task, add `diff: false` or `no_log: true` to the task. |
pr-processor
bot
added
the
Waiting on contributor
|
Took Maximilian's suggestion and eliminated the italics and passive voice where applicable. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What changes are you introducing?
This PR adds a line of documentation explaining a new Enable Ansible Diff Mode option within Ansible Job Templates describing its basic functionality.
Why are you introducing these changes? (Explanation, links to references, issues, etc.)
Feature Request: https://projects.theforeman.org/issues/38335
This documentation explains the new functionality introduced in the following PRs:
Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)
This PR is dependent on the following PRs being approved/merged first:
I added some security-conscious suggestions in the documentation to advise administrators when to disable diff mode. The maintainers may remove it if they feel it is unnecessary. I feel it is warranted for the following reason:
Administrators may deploy files with credentials using Ansible (whether or not this is advisable is not up for debate). If they enable diff mode for a job template (diff mode is disabled by default) and the module they used to deploy the credentials supports diff mode, then those deployed credentials may be displayed in the Foreman template_invocation window (and in proxy.log) in clear text. This is no different than an administrator manually setting
diff: trueon their Ansible playbook tasks, so I don't see it as an additional security risk but rather as something that administrators should be mindful of when using diff mode.Checklists
Please cherry-pick my commits into: