How do I handle the removal of hosts from an Ansible inventory group, either because the host is completely unavailable or because it is repurposed?
Let me give a brief example of 3 (exemplary) Ansible roles. They don't represent what is actually done but help to explain my question:
- A webserver role installs a certain webserver application, copies the HTML content to the target hosts and opens ports 80 and/or 443 in the firewall (e.g. using the ufw module).
- A Kubernetes role joins a host to an existing Kubernetes cluster. In order for the networking to work, it opens firewall ports on both the affected host and all other cluster members.
- A nodeexporter role installs Prometheus Node Exporter and opens its port in the firewall to allow incoming connections from a certain Prometheus server.
The main playbook applies the roles to hosts in corresponding Inventory Groups.
Now consider 2 scenarios.
- A host is a member of the nodeexporter and webserver groups. The host needs to be reused for another purpose and is therefore removed from the webserver inventory group. This still leaves ports 80/443 open.
- A physical host is a member of the nodeexporter and kubernetes inventory groups. The machine is defective and completely removed from the system. This leaves the firewall rule for its old IP open on all of the remaining Kubernetes nodes.
The way I have been writing my roles is to add / ensure things like firewall ports. The nodeexporter role serves as an example of why I can't simply flush the firewall. So how can I ensure a proper state, both on the host itself and on other affected hosts (as in the Kubernetes example), if a host leaves a group?
My current workaround for the Kubernetes case is to maintain an auto-generated file on each host that contains the list of allowed IP addresses. On each playbook run this is matched against the IPs actually granted. But this approach doesn't work very well with, e.g., installed software packages that might become stale after a host has left a group.
Is there a better way to do this?
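The two reconciliation patterns the question is circling, written out as an added example playbook (this is not code from the post or from any project it mentions). It assumes the inventory groups `webserver` and `kubernetes`, the `community.general.ufw` module, that each node's address is available as `ansible_host` in `hostvars`, a hypothetical list of peer ports `peer_ports`, and a hypothetical state file `/etc/ansible-state/k8s-peers.txt` that the play itself maintains. The first play handles "host left the webserver group" by running an explicit delete against every host that is *not* in the group; the second play handles the cross-host Kubernetes case by recording the peers it granted last time and deleting exactly the difference.

```yaml
# Added example, not from the original post. Assumed: groups "webserver" and
# "kubernetes", community.general.ufw, ansible_host set per node, and the
# hypothetical variables/paths below.
---
- name: Remove webserver rules from hosts that are no longer webservers
  hosts: all:!webserver            # everything except current group members
  become: true
  tasks:
    - name: Delete only the ports the webserver role owns (not a full flush)
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
        delete: true
      loop: [80, 443]

- name: Reconcile Kubernetes peer rules against current group membership
  hosts: kubernetes
  become: true
  vars:
    state_file: /etc/ansible-state/k8s-peers.txt   # hypothetical path
    peer_ports: [6443, 10250]                       # hypothetical port list
    # Desired peers = address of every host currently in the group
    desired_peers: "{{ groups['kubernetes'] | map('extract', hostvars, 'ansible_host') | list }}"
  tasks:
    - name: Ensure the state directory exists
      ansible.builtin.file:
        path: "{{ state_file | dirname }}"
        state: directory
        mode: "0755"

    - name: Read peers granted on the previous run (missing on first run)
      ansible.builtin.slurp:
        src: "{{ state_file }}"
      register: previous_state
      failed_when: false

    - name: Turn the recorded file into a list (empty list on first run)
      ansible.builtin.set_fact:
        previous_peers: >-
          {{ (previous_state.content | b64decode).split()
             if previous_state.content is defined else [] }}

    - name: Delete rules for peers that left the group (removed or repurposed hosts)
      community.general.ufw:
        rule: allow
        src: "{{ item[0] }}"
        port: "{{ item[1] }}"
        proto: tcp
        delete: true
      loop: "{{ previous_peers | difference(desired_peers) | product(peer_ports) | list }}"

    - name: Allow every current peer
      community.general.ufw:
        rule: allow
        src: "{{ item[0] }}"
        port: "{{ item[1] }}"
        proto: tcp
      loop: "{{ desired_peers | product(peer_ports) | list }}"

    - name: Record what was granted on this run for the next reconciliation
      ansible.builtin.copy:
        dest: "{{ state_file }}"
        content: "{{ desired_peers | join('\n') }}\n"
        mode: "0644"
```

The first play is safe only because it deletes the specific ports the webserver role owns, which is narrower than flushing the firewall and therefore does not disturb the nodeexporter rule; if two roles ever shared a port this pattern would need the same recorded-state bookkeeping as the second play. The second play removes a defective node's old IP from all remaining members on the next run without anyone editing the nodes by hand, because the only input is the current inventory group plus what the play itself wrote last time.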