Rudder

Hello,

I'm not sure I get everything for your needs, so let me ask more questions:

- 1/ Compliance (enforce?) if Audit Success

I think that here, you want to be able to switch for a node from Audit to Enforce if Audit is OK. But I miss the big picture: do you that switch to be for ever? At node or at directive level?
My guess is that you want a kind of hysteresis (or latch, since there is no switch back), where a directive is on audit mode on a given node until that directive is fully 100% OK, and from that time, it switch to Enforce. The idea would be that if the node was correctly configured, it should remain OK automatically, but we don't want autocorrection before being sure everything is ok on the node (and perhaps even checking / correcting by hand for that part).

Could you tell us more that 1/ point?

- 2/ We could have two more modes on - I think - global level: Compliance if newly accepted node ; Audit if newly accepted node

I totally agree with your 2 kind of nodes: new nodes newly provisionned that should just get stuff installed on them, and new node that are really just node newly managed in Rudder, but are actually use for services and "work" and should be modified with care.

In 4.3, we added the possibility to decide of the compliance mode newly accepted node get (enforce or audit). So you will be able to decide globally what is the default. But we don't have condition to choose one or the other (so you won't be able to tell "if that node has that property, then audit mode, else enforce").

In 4.3, we also added node lifecycle state [Set-up, default, prepare EOL, + 2 specials "disable states": node get only system policies, and no new policies are generated for that node and the node is ignore in compliance calculus. You can create group base on node state, and you can choose on which state a node is accepted. So, not exactly what you want, but on the same functionnal domain.