Rudder

If a node has a multi-instance technique, with at least two directives where one is on policy mode = enforce and the other is on policy mode = audit, then we must fails the generation with explicit debuging information for the user.

We can't prevent that case to happen simply by UI guards, because there is a lot of cases where nobody actively set the mode to reach that state. For example, a node inventory makes a node belong to a new dynamic group, which brings the incompatible directive. Other example: a directive mode is changed from the API from a script (and we don't know at that moment that it will lead to incompatibilities on a node without massively impacting performance).

This is because for now, we only know how to set policy mode for a technique, not individual directives.

The alternatives, which are rejected, were:

- set the whole technique to "policy mode = enforce" (and find a way to warn the user that it is not what he chose to do): that means that things that MUST NOT CHANGE will certainly change, which is the worst thing we can do,
- set the whole technique to "policy mode = audit" (and find a way to warn the user that it is not what he chose to do): that is barelly better than the privious case, because it mean that if something should have been configured as a whole, some parts were let unchanged (think: package install), and most certainly the whole is broken.
- replace the directives by error reports or by an "abort" for that node (the idea being to let the node handle the case so that the generation is not broken globally for all nodes): we prefer to fails early (at generation time), so that big problems are not let ignored because nobody was looking at the right moment. The correct solution is to provide a by node generation of policies.