Generate operational evidence
When To Use This
Use this to render readiness, certificate, keytab, temporary access, or drift reports without remediation.
Required Authority
Reports record supplied evidence. They do not enforce remediation.
Safety Boundary
This workflow is read-only. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.
Inputs
- Named target objects
- Credentials with the required IdM or platform authority
- A reviewed output path or downstream task
Steps
- Confirm the target objects and authority before running.
- Run the command or task with review-friendly output.
- Inspect the returned evidence before continuing to any mutating step.
ansible-playbook playbooks/report-idm-readiness.yml
Example Evidence Report
This vars file renders a deterministic readiness report from explicit check records supplied by inventory, surveys, or an earlier discovery job.
readiness-report-vars.yml
---
eigenstate_idm_readiness_report_site: prod-idm
eigenstate_idm_readiness_report_output_dir: ./artifacts
eigenstate_idm_readiness_report_checks:
  - id: kerberos-auth
    title: Kerberos authentication path
    status: pass
    severity: high
    evidence: AAP has a mounted automation keytab credential.
    recommendation: Keep keytab rotation under normal control.
  - id: idm-api
    title: IdM API reachability
    status: pass
    severity: high
    evidence: Controller execution nodes can reach idm-01.example.com.
    recommendation: Monitor API reachability from the EE subnet.
Run It
ansible-playbook playbooks/report-idm-readiness.yml -e @readiness-report-vars.yml
Expected Evidence
The playbook renders read-only JSON, YAML, and Markdown report artifacts. A
captured local validation run of playbooks/report-idm-readiness.yml produced
this output:
PLAY [Render IdM readiness report] *********************************************
TASK [eigenstate.ipa.idm_readiness_report : Validating arguments against arg spec 'main' - Render deterministic IdM readiness evidence reports.] ***
ok: [localhost]
TASK [eigenstate.ipa.idm_readiness_report : Validate IdM readiness report format choices] ***
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [eigenstate.ipa.idm_readiness_report : Build IdM readiness report object] ***
ok: [localhost]
TASK [eigenstate.ipa.idm_readiness_report : Render IdM readiness JSON report] ***
changed: [localhost]
TASK [eigenstate.ipa.idm_readiness_report : Render IdM readiness YAML report] ***
changed: [localhost]
TASK [eigenstate.ipa.idm_readiness_report : Render IdM readiness Markdown report] ***
changed: [localhost]
PLAY RECAP *********************************************************************
localhost : ok=8 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
The JSON artifact carries stable review fields:
{
  "schema": "eigenstate.ipa/idm_readiness_report/v1",
  "schema_version": "1.0",
  "role": "idm_readiness_report",
  "read_only": true,
  "summary": {
    "total_checks": 2,
    "passed_checks": 2,
    "warning_checks": 0,
    "failed_checks": 0,
    "informational_checks": 0
  }
}
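A gate that a pipeline could run between this report and any mutating step, shown as an added example that is not part of the eigenstate.ipa collection. It checks only the fields shown above; the function name gate_findings, the allow_warnings switch, and the rule that the four status counts add up to total_checks are assumptions.

```python
import json
import sys

EXPECTED_SCHEMA = "eigenstate.ipa/idm_readiness_report/v1"
COUNT_FIELDS = ("passed_checks", "warning_checks", "failed_checks", "informational_checks")


def gate_findings(report_text, allow_warnings=True):
    """Return a list of reasons to stop; an empty list means the gate passes."""
    try:
        report = json.loads(report_text)
    except json.JSONDecodeError as exc:
        return [f"report is not valid JSON: {exc.msg}"]
    if not isinstance(report, dict):
        return ["report top level is not an object"]
    findings = []
    if report.get("schema") != EXPECTED_SCHEMA:
        findings.append(f"unexpected schema: {report.get('schema')!r}")
    if report.get("read_only") is not True:
        findings.append("read_only is not true")
    summary = report.get("summary")
    if not isinstance(summary, dict):
        return findings + ["summary block is missing"]
    counts = {}
    for name in ("total_checks",) + COUNT_FIELDS:
        value = summary.get(name)
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            findings.append(f"summary.{name} is not a non-negative integer")
        else:
            counts[name] = value
    if len(counts) == len(COUNT_FIELDS) + 1:
        # Assumption (not stated on the page): the status counts partition total_checks.
        if sum(counts[n] for n in COUNT_FIELDS) != counts["total_checks"]:
            findings.append("per-status counts do not add up to total_checks")
        if counts["total_checks"] == 0:
            findings.append("report contains no checks")
        if counts["failed_checks"] > 0:
            findings.append(f"{counts['failed_checks']} failed check(s)")
        if counts["warning_checks"] > 0 and not allow_warnings:
            findings.append(f"{counts['warning_checks']} warning check(s)")
    return findings


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as handle:
        problems = gate_findings(handle.read())
    for problem in problems:
        print(f"BLOCK: {problem}")
    sys.exit(1 if problems else 0)
```

Run it with the path of the rendered JSON artifact as the only argument; a non-zero exit status stops the job before the next stage.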
Troubleshooting
- Permission failure: verify the account and delegated authority.
- Unexpected empty result: verify target names and source records.
- Unsafe output: redact payloads and add no_log: true where secret material is present.