1

I would like to restrict Ansible deployment actions to dry-run only (i.e. --check and / or --diff) for certain hosts / groups.

The best I was able to come up with is to check in every playbook, maybe as a pre_task, whether the deployment targets such a dry-run-only machine. If so, check whether ansible_check_mode is set; if not, exit with a message, otherwise proceed. This is anything but a nice approach.

Is there something similar to ansible_ssh_extra_args for Ansible args I missed?

At least nothing is mentioned in the docs at Connecting to hosts: behavioral inventory parameters.

Any alternatives?

U880D
Stefan
  • According to "_The best I was able to come up with ..._" it seems you have already implemented something which also seems to work. Would you mind sharing it here? By doing this it might be possible to provide an alternative, as requested, to the currently unknown. – U880D Feb 22 '23 at 17:38
  • @U880D as a matter of fact "*The best I was able to come up with...*" just points to an idea and is not yet implemented. – Stefan Feb 23 '23 at 07:51

1 Answer

1

Because of variable precedence it does not seem to be possible to force ansible_check_mode to true based on group_vars, set_fact or others, except by enforcing it at task level.

This leaves one with the already mentioned approach of

---
- hosts: test
  become: false
  gather_facts: false

  pre_tasks:

  - name: Check Mode
    fail:
      msg: The system may not be provisioned according to the CMDB status.
    when: not ansible_check_mode and 'test' in group_names

  tasks:

  - debug:
      var: ansible_check_mode

resulting in an output of

TASK [Check Mode] ****************************************************
fatal: [test.example.com]: FAILED! => changed=false
  msg: The system may not be provisioned according to the CMDB status.

or, when running with --check, of

TASK [debug] *********************************************************
ok: [test.example.com] =>
  ansible_check_mode: true

This is also a feasible approach to generally prevent execution under certain user accounts

  pre_tasks:

  - name: Check Ansible User
    fail:
      msg: Do not execute under root!
    when: ansible_user == 'root'

or when a --limit has to be specified.

Further Documentation

U880D
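The pre_task guard from the answer, factored into one shared play so it does not have to be repeated in every playbook. This is an added example, not code from the answer or from the Ansible project; the flag name `dry_run_only` and the file names `guard.yml`, `site.yml` and `deploy.yml` are assumptions, and the group `test` is taken from the answer.

```yaml
---
# group_vars/test.yml (flag name dry_run_only is an assumption of this example)
dry_run_only: true

---
# guard.yml (hypothetical file name)
- name: Refuse real runs against dry-run-only hosts
  hosts: all                # narrowed by --limit like any other play
  become: false
  gather_facts: false       # assert runs on the controller, no connection needed
  any_errors_fatal: true    # one flagged host in scope stops the run for every host

  tasks:

  - name: Require check mode for hosts flagged dry_run_only
    ansible.builtin.assert:
      that:
        - ansible_check_mode or not (dry_run_only | default(false) | bool)
      fail_msg: "{{ inventory_hostname }} is dry-run only, rerun with --check"
      quiet: true
    tags: always            # keep the guard active when --tags selects other tasks

---
# site.yml (hypothetical): the guard is the first play of every entry point
- import_playbook: guard.yml
- import_playbook: deploy.yml   # hypothetical playbook that does the real work
```

Because the guard play targets every host in scope, a flagged host blocks a run without --check even when the later plays would not touch it; exclude it with --limit in that case.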