Executing Playbooks

How to review, approve, run, monitor, and audit a Playbook execution.


Before execution — Bundle review

When a Playbook is triggered, Escher materialises a Bundle — the exact execution steps — and presents it for review before anything runs.

Bundle: Restrict SSH Access — prod-core
  Plan version: v2
  Estate snapshot: v12 (12 min ago)
  Steps: 5
  Blast radius:
    Restarts required: No
    Downtime expected: No
    Reversible: Yes
    Rollback available: Yes

  Step 1: Capture current SG rules (snapshot)
  Step 2: Validate targeted security groups exist
  Step 3: Revoke ingress rule — sg-0abc123 port 22 0.0.0.0/0
  Step 4: Verify rule removed
  Step 5: (Rollback — only if Step 3 fails)

Review each step. Expand any step to see the exact API call that will be made.

WARNING

If the EstateView has drifted since the Bundle was created, the Bundle is marked STALE. Refresh the estate and re-materialise the Bundle before approving.


Approving

Click Approve and Execute (or type the resource identifier for destructive-class Playbooks).

Escher records the approval:

Approved by: alice@company.com
Approved at: 2026-05-05 14:22:31 UTC

During execution

The Run view shows real-time progress:

Run: Restrict SSH Access — prod-core
  Status: Running
  Started: 14:22:35 UTC
  Duration: 2m 14s

  ✓ Step 1: Capture SG rules snapshot (0.8s)
  ✓ Step 2: Validate targets (0.4s)
  ⟳ Step 3: Revoke ingress rule sg-0abc123... (running)
    Step 4: Verify (waiting)

Available controls during execution:

  • Pause — suspends after the current step completes
  • Abort — triggers rollback if a rollback step is defined

After execution

Run: Restrict SSH Access — prod-core
  Status: Completed
  Duration: 4m 12s

  ✓ Step 1: Capture SG rules snapshot (0.8s)
  ✓ Step 2: Validate targets (0.4s)
  ✓ Step 3: Revoke ingress rule sg-0abc123 (1.2s)
  ✓ Step 4: Verify rule removed (0.9s)

  Finding: EC2 SSH Open to Internet → Closed
  Evidence: attached (4 records)

Viewing the Evidence record

Navigate to the Evidence tab on the Run:

Evidence: Run-2847
  Step 1 — Before state:
    sg-0abc123: ingress [{ port: 22, cidr: "0.0.0.0/0" }]

  Step 3 — API call:
    ec2:RevokeSecurityGroupIngress
    group-id: sg-0abc123
    port: 22
    cidr: 0.0.0.0/0
    response: success

  Step 4 — After state:
    sg-0abc123: ingress [] (empty — no public rules)

  Approval record:
    alice@company.com at 14:22:31 UTC
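
The before and after states in an Evidence record like this one can be re-checked independently. The following is an added example, not Escher's own code: it reports every rule that still exposes port 22 to the internet, including wider port ranges, all-protocol rules and IPv6 `::/0`, which a check for the exact revoked rule would miss. It assumes security-group data in the shape returned by EC2 `DescribeSecurityGroups`; the function names and sample data are constructed for illustration.

```python
# Added example: independent re-check of "port 22 closed to the internet".
# Input is shaped like the EC2 DescribeSecurityGroups response (IpPermissions).
# Function names and all sample data below are constructed for illustration.

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def covers_port(perm, port):
    """True if the permission's protocol and port range include the TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def public_exposures(group, port=22):
    """Return (cidr, from_port, to_port) for each rule exposing port publicly."""
    hits = []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in PUBLIC_CIDRS:
                hits.append((cidr, perm.get("FromPort"), perm.get("ToPort")))
    return hits


# Constructed "before" and "after" states matching the Evidence record above.
BEFORE = {"GroupId": "sg-0abc123", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
AFTER = {"GroupId": "sg-0abc123", "IpPermissions": []}
# Constructed edge case: the exact rule is gone, but a wider range covers 22.
STILL_OPEN = {"GroupId": "sg-0abc123", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}

if __name__ == "__main__":
    for name, sg in [("before", BEFORE), ("after", AFTER), ("still-open", STILL_OPEN)]:
        print(name, public_exposures(sg) or "closed")
```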

Escher — Agentic CloudOps by Tessell