~/guide/chapters/09-automation $ cat README.md

Build a control plane
Automation becomes safe when inventory, desired state, execution, and evidence have clear ownership.
A practical progression
- Put documentation and service configuration in Git.
- Keep secrets outside Git and inject them at runtime.
- Establish inventory and IPAM as the source of truth.
- Use infrastructure as code for resources with stable provider support.
- Use configuration management for operating-system and application state.
- Wrap repeated service operations in a structured CLI.
- Add drift checks and reconciliation reports.
- Require preview, approval, and verification for mutations.
OpenTofu or Terraform can provision resources. Ansible can configure hosts. Neither should become an undocumented shell-script bucket for every service API. Keep service-specific operations close to typed clients and stable output.
Machine-readable operations
A JSON-first CLI is valuable even before AI enters the picture:
- scripts can distinguish success from partial failure;
- dashboards can consume the same health data as operators;
- dry runs can return the exact proposed objects;
- stable error envelopes can name missing configuration; and
- evidence can be stored and compared over time.
Discovery coverage can be broad, but each query still needs least-privilege authorization, bounded output, and redaction appropriate to its data. Mutations should be narrow. Destructive actions need an explicit target, a preview that matches execution, and proof of the final live state.
Field note: My lab became easier to operate when I stopped treating SSH as the interface. Inventory resolution, structured service clients, dry runs, and smoke checks turned one-off commands into a control plane that both people and software could reason about.
Primary references
Leave with
Inventory, desired state, preview, execution, and evidence.
Done when: Automation can explain what it will change and prove what it did.