Security & Compliance: Detect and Alert on Infrastructure Configuration Drift with Ansible
Source

```yaml
id: ansible-config-drift
namespace: company.team
description: >
  Run an Ansible playbook from inline inventory and playbook definitions, then
  alert in Slack only when configuration drift is detected on any host.

tasks:
  - id: set_up_env
    type: io.kestra.plugin.ansible.cli.AnsibleCLI
    inputFiles:
      inventory.ini: |
        [servers]
        server1.example.test ansible_user=admin ansible_ssh_private_key_file=~/.ssh/id_rsa
        server2.example.test ansible_user=admin ansible_ssh_private_key_file=~/.ssh/id_rsa
        server3.example.test ansible_user=admin ansible_ssh_private_key_file=~/.ssh/id_rsa
      myplaybook.yml: |
        ---
        - name: Ensure environment variable is set correctly
          hosts: servers
          become: true
          tasks:
            - name: Ensure MY_APP_MODE is set
              lineinfile:
                path: /home/{{ ansible_user }}/.bashrc
                regexp: '^MY_APP_MODE='
                line: 'MY_APP_MODE=production'
                state: present
              notify: Refresh environment
          handlers:
            - name: Refresh environment
              shell: . /home/{{ ansible_user }}/.bashrc
              changed_when: false
    taskRunner:
      type: io.kestra.plugin.core.runner.Process
    ansibleConfig: |
      [defaults]
      interpreter_python = auto_silent
      log_path={{ workingDir }}/ansible.log
      stdout_callback = yaml
    commands:
      - ansible-playbook -i inventory.ini myplaybook.yml

  - id: loop_hosts
    type: io.kestra.plugin.core.flow.ForEach
    values: "{{ outputs.set_up_env.vars.outputs }}"
    tasks:
      - id: check_drift
        type: io.kestra.plugin.slack.SlackIncomingWebhook
        runIf: "{{ (taskrun.value | jq('.changed') | first) == true }}"
        url: "{{ secret('SLACK_WEBHOOK') }}"
        payload: |
          {
            "text": "Configuration updated - {{ taskrun.value | jq('.msg') | first ?? Null }}"
          }

triggers:
  - id: check_nightly
    type: io.kestra.plugin.core.trigger.Schedule
    cron: 0 3 * * *
    disabled: true
```
About this blueprint
Infrastructure
This workflow implements an infrastructure configuration drift detection pattern using Ansible: the playbook enforces the desired system state on every host, and a team is alerted only for hosts where the run had to change something (i.e. where the actual state had drifted from the desired one).
It demonstrates how to:
- Run Ansible playbooks from inline inventory and playbook definitions for reproducible Infrastructure as Code (IaC) workflows.
- Enforce configuration compliance across multiple servers by validating and correcting system settings.
- Detect configuration drift by inspecting Ansible task results on a per-host basis.
- Trigger Slack alerts only when drift is detected, reducing alert noise and focusing attention on real compliance issues.
- Schedule recurring drift checks (e.g. nightly) to continuously monitor infrastructure state.
This flow is ideal for security, compliance, and platform engineering teams looking to automate configuration governance and drift detection using Ansible.
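The blueprint decides "drift or not" per host with `jq('.changed')` over the task result that the AnsibleCLI task exposes for each host. The following script is an added example, not part of the blueprint or of Kestra's Ansible plugin; it makes the same per-host decision over raw Ansible output, assuming the playbook was run with Ansible's `json` stdout callback (the blueprint configures `yaml`; the `outputs.set_up_env.vars.outputs` structure the flow consumes is not reproduced here). The sample output embedded below is constructed for the three inventory hosts. It also shows the one case a `changed == true` rule alone never surfaces: a host that was unreachable or failed reports no change, so its compliance state is simply unknown rather than confirmed.

```python
"""Per-host drift report from Ansible's `json` stdout callback output (added example)."""
import json

# Constructed sample (not a captured run): server1 is compliant, server2 had its
# .bashrc corrected (drift), server3 could not be reached at all.
SAMPLE_JSON_OUTPUT = json.dumps({
    "plays": [{
        "play": {"name": "Ensure environment variable is set correctly"},
        "tasks": [{
            "task": {"name": "Ensure MY_APP_MODE is set"},
            "hosts": {
                "server1.example.test": {"changed": False, "msg": ""},
                "server2.example.test": {"changed": True, "msg": "line added"},
                "server3.example.test": {"changed": False, "unreachable": True,
                                         "msg": "Failed to connect to the host via ssh"},
            },
        }],
    }],
    "stats": {
        "server1.example.test": {"ok": 1, "changed": 0, "unreachable": 0, "failures": 0},
        "server2.example.test": {"ok": 1, "changed": 1, "unreachable": 0, "failures": 0},
        "server3.example.test": {"ok": 0, "changed": 0, "unreachable": 1, "failures": 0},
    },
})


def classify_hosts(json_output: str) -> dict:
    """Split hosts into drifted / unchecked / compliant.

    drifted:   at least one task reported changed=True (state had to be corrected)
    unchecked: host was unreachable or a task failed; it never reports
               changed=True, so a changed-only alert rule stays silent about it
    compliant: appeared in stats and fell into neither bucket
    """
    doc = json.loads(json_output)
    drifted, unchecked = {}, {}
    for play in doc.get("plays", []):
        for task in play.get("tasks", []):
            task_name = task["task"]["name"]
            for host, result in task["hosts"].items():
                if result.get("unreachable"):
                    unchecked[host] = "unreachable: " + result.get("msg", "")
                elif result.get("failed"):
                    unchecked[host] = "failed: " + result.get("msg", "")
                elif result.get("changed"):
                    drifted.setdefault(host, []).append((task_name, result.get("msg", "")))
    compliant = [h for h in doc.get("stats", {}) if h not in drifted and h not in unchecked]
    return {"drifted": drifted, "unchecked": unchecked, "compliant": sorted(compliant)}


def build_alerts(report: dict) -> list:
    """One Slack-style payload per host, mirroring the blueprint's ForEach fan-out,
    plus a separate message for hosts whose state could not be verified."""
    alerts = []
    for host, changes in report["drifted"].items():
        detail = "; ".join(f"{task}: {msg}" for task, msg in changes)
        alerts.append({"text": f"Configuration updated - {host} - {detail}"})
    for host, reason in report["unchecked"].items():
        alerts.append({"text": f"Drift check could not run - {host} - {reason}"})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(classify_hosts(SAMPLE_JSON_OUTPUT)):
        print(json.dumps(alert))
```

Run as-is it prints two alerts: the drift message for server2 and an "unchecked" message for server3. In the blueprint, the equivalent of the second message would be a separate task (or a `runIf` on the unreachable/failed fields) so that a nightly run that cannot reach a host does not read as a quiet, compliant night.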