Add a rule around inventory and credential matching

[bontreger]

This topic has come up a few times in the past week around managing multiple credentials on a single job template. Adding this rule to be explicit on one-to-one inventory/credential/job template mapping

[djdanielsson]

I think we need to probably create a new section for AAP related practices.

[bontreger]

I think inventory/credential mapping still makes sense in a CLI implementation only manner. You can get clever with defining connection details in an inventory, and while possible, it's a slippery slope and unmaintainable long-term

[ericzolf]

I don't agree with the way this is formulated: it would be for me completely valid to have Linux and Windows hosts in the same inventory, and they would have different machine credentials, albeit at the group level probably. Also the fact that you express the recommendation with a "should" is in my eyes a bad sign, that means you're not sure it applies always.

Shouldn't the recommendation actually be to not use individual credentials? This can be easily argumented against, due to maintenance effort or when using an external vault, performance impact because you'd need to query its API individually for each host (a colleague heard this actually from a vault provider employee, can't remember which one).

And this recommendation is independent from the execution place, AAP or CLI.