[rudder-users] tags, comments and best practise

François Armand francois at rudder.io
Thu Nov 28 10:02:27 CET 2019


Hello Tim! Sorry for the delay, we missed your email. Answers inline:

On 26/11/2019 17:59, tim taler wrote:
> while evaluating rudder (community version for now)
> I'm missing two features that I came to like in cfengine.
>
> First: is the ability to insert a couple of lines (block)
> at an arbitrary "anchor" in a config file
> (insert line-s after/before line matching)
> One use-case for this would be the
> editing of /etc/rsyslog.conf
>
> I usually like to use my own template, which needs
> to go into the "global directive" section rather than at the end of the file.
>
> therefore I would need to replace:
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> with:
> $template TraditionalFormatWithPRI,"%pri-text%: %timegenerated%
> %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
>
> $ActionFileDefaultTemplate TraditionalFormatWithPRI
> (or even more extensive templates)
>
> Can I do this with rudder right now?
> I'm aware of the discussion line replacement vs. template expansion
> (control the whole file...) but to me it often seems easier to do
> a specific line edit than dealing with templates
> (like in case of slightly different flavors of the same file e.g.
> debian/ubuntu/...)

File edit is more the domain of Nicolas, I will let him answer (or 
anyone who can, actually).
I know that you can manage part of files based on anchor (in File Edit 
technique, things related to "enforce content by section", or "enforce 
content only in zone") but that's not quite what you need AFAIU.

> Second: another feature I'm missing are the comments per promise(!).
> I believe it would be useful to have a comment field on top of the
> individual promise to store various hints: reason for this promise,
> hints to different approaches etc.
>
> Use case here is documentation and a possibility to reference to
> external documents.
> On the directive level there is the possibility to add tags and a short
> and extended description, but that seems "far away" and too general.
> a concrete case would be to map sections from
> https://www.cisecurity.org/
> (or https://verinice.com/)
> benchmarks/controls into a policy
> to simply show "we are X% CIS compatible"
>
> Before blindly filing a feature request for this I would rather like to see
> if these topics might have been discussed before and if they make sense to
> others

That's funny because we're actually working on a plugin for CIS 
verification. It's a work in progress, especially for questions like the 
one you try to answer, and so we would love to have your feedback on it. 
I'm adding Félix in the conversation so that you can chat privately 
about it. Hope you will be interested!

Cheers,

-- 
François Armand
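
The anchored edit asked about in the quoted question (swap the default-template line for a custom template block in place, rather than appending at the end of the file), sketched in Python as an added example. It is not Rudder or CFEngine code; the function name `enforce_block_at_anchor`, the status strings and the sample file content are constructed for illustration, and the template is written as the single line rsyslog expects.

```python
import re

# Anchor line and replacement block as given in the thread.
ANCHOR = r"^\$ActionFileDefaultTemplate\s+RSYSLOG_TraditionalFileFormat\s*$"
BLOCK = [
    '$template TraditionalFormatWithPRI,"%pri-text%: %timegenerated% '
    '%HOSTNAME% %syslogtag%%msg:::drop-last-lf%\\n"',
    "",
    "$ActionFileDefaultTemplate TraditionalFormatWithPRI",
]

# Constructed sample of a global-directives section (not a real host's file).
SAMPLE = "\n".join([
    "#### GLOBAL DIRECTIVES ####",
    "$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat",
    "$FileOwner root",
    "#### RULES ####",
    "auth,authpriv.*  /var/log/auth.log",
    "",
])


def enforce_block_at_anchor(text, anchor=ANCHOR, block=BLOCK):
    """Return (new_text, status): 'repaired', 'compliant' or 'error'."""
    lines = text.split("\n")
    n = len(block)
    # Converged state: the block already sits in the file as consecutive lines.
    has_block = any(lines[i:i + n] == block for i in range(len(lines) - n + 1))
    hits = [i for i, line in enumerate(lines) if re.match(anchor, line)]
    if not hits:
        # No anchor: either already converged, or the file is not what we
        # expect. Never fall back to appending at the end of the file.
        return text, ("compliant" if has_block else "error")
    if has_block or len(hits) > 1:
        # Half-edited or duplicated anchor: refuse to guess, report instead.
        return text, "error"
    i = hits[0]
    lines[i:i + 1] = block  # replace the anchor line in place
    return "\n".join(lines), "repaired"


if __name__ == "__main__":
    new_text, status = enforce_block_at_anchor(SAMPLE)
    print(status)
    print(new_text)
```

Running it a second time on its own output returns `compliant` with the text unchanged, which is the convergent behaviour a configuration-management promise needs; an unexpected file yields `error` instead of a silent append, so a logging change that did not land is reported rather than assumed.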


