ARA and central mgmt node

While sysadmins having ssh/sudo rights on servers can trigger themselves remotely ad-hoc or role tasks through ansible from their main station, that's not the best practice.

Based on the Env, we have usually (can depend on ENV requirements), one host that is used to control the whole Infra/ENV.

On that host, we use ARA to keep track of playbooks execution on that host, while we also have log_path set to also log to on-disk log files (rotated)

So the workflow goes like this :

• sysadmin with RWC rights pushes needed change[s] to either inventory, filestore or pkistore git repo
• two cases :
  • it can wait next automatic execution: do nothing and ansible will deploy your change (like for example a simple TLS cert replace and reload) when the next (cron) "play all roles on all nodes" task will run
  • it has to be done now : you kick the role task from the central ansible host to be ran directly