How I messed up with enabling firewalld service?
I am learning Ansible. My co-worker has been working with Ansible for years, probably since the beta release. He has a very sophisticated playbook.
I reviewed one of the Ansible playbooks, saw "firewall_PSERVs", and thought of running against it.
There were 20+ servers and I just ran against them.
$ ansible-playbook -i myhosts -l firewall-PSERVs firewall-info.yaml -K
I saw that some of the servers were ok, then skipping, and then I saw CHANGED.
"WTH" - I just shouted to myself.
I sent the output and right away called my lead and asked if the firewall should be on or off on these systems.
He told me to wait and called me back within 5-6 minutes. He told me to disable it.
I disabled it within a couple of minutes.
He generated a report and told me that the firewall was disabled in less than 14 minutes. I don't know what metric he used but I am ok with that.
We have millions of records added and millions of queries generated. Our operations team didn't find any failed jobs.
My lead set up a meeting with our manager and we discussed it in depth.
He asked me why I ran the playbook.
My answer was simple: if you manage services using Ansible, it does not matter how many times you run it or why I run it. I was checking the firewall status on the servers. I told him about 'idempotent' and that this is the beauty of automation.
He mentioned that the repo I was using was the wrong one and the inventory file I was using was a month old.
The biggest problem:
when I synced the repo, I used to use
$ git pull
Nothing was syncing. Later he told me that I should use --rebase as well.
I ran it again and saw tons of updates.
$ git pull --rebase
Damn, I screwed up !!!
I had a conversation with my manager for half an hour and he dropped. My team lead didn't agree and we discussed for another half hour and came to a conclusion that we have to work and collaborate.
We will test, verify and certify every playbook going forward. There was a little bit of my fault and a little bit of his fault. But mine was bigger.
He modified the inventory file and moved the servers around.
The servers whose services were enabled were moved to a different group.
That inventory file was not updated on my end.
I removed this repo and pulled the new update.
You not only pull it, but pull with --rebase.
Later, my program manager stopped by my desk, explained about his experience, and told me we all make mistakes and it's ok.
A big relief.
But the beauty was that there was no downtime !!!
I don't know why the firewall didn't stop the operation (:)
Something learned !!!
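A pre-flight guard for the situation described in this post, as an added example that is not part of the original post: it refuses to run a playbook from a checkout that is behind its upstream or has local changes, then lists the targeted hosts and does a dry run before anything is changed. The function names `commits_behind` and `safe_play` are hypothetical; the inventory, group and playbook names in the usage comment come from the command earlier in the post.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print how many upstream commits are missing from the checkout in $1.
# Fails if the remote cannot be reached or no upstream branch is configured.
commits_behind() {
    git -C "$1" fetch --quiet || return 2
    git -C "$1" rev-list --count 'HEAD..@{upstream}'
}

# Usage: safe_play REPO INVENTORY LIMIT PLAYBOOK
# e.g.   safe_play ~/ansible-repo myhosts firewall-PSERVs firewall-info.yaml
# Returns 1 if the checkout is stale or dirty, 2 if that cannot be determined.
safe_play() {
    repo=$1 inventory=$2 limit=$3 playbook=$4

    behind=$(commits_behind "$repo") || {
        echo "cannot compare $repo with its upstream" >&2
        return 2
    }
    if [ "$behind" -ne 0 ]; then
        echo "$repo is $behind commit(s) behind upstream; update it first" >&2
        return 1
    fi
    if [ -n "$(git -C "$repo" status --porcelain)" ]; then
        echo "$repo has local changes; inventory may differ from upstream" >&2
        return 1
    fi

    (
        cd "$repo" || exit 2
        # Show exactly which hosts the limit matches in the current inventory.
        ansible-playbook -i "$inventory" -l "$limit" "$playbook" --list-hosts &&
        # Dry run: report what would change without changing it.
        ansible-playbook -i "$inventory" -l "$limit" "$playbook" --check --diff -K
    )
}
```

The real run only follows once the host list and the `--check` output match what you expect.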
Thursday, March 18, 2021