Security & Compliance, Detect and Alert on Infrastructure Configuration Drift with Ansible

Source

```yaml
id: ansible-config-drift
namespace: company.team
description: >
  Run an Ansible playbook from inline inventory and playbook definitions, then
  alert in Slack only when configuration drift is detected on any host.

tasks:
  - id: set_up_env
    type: io.kestra.plugin.ansible.cli.AnsibleCLI
    inputFiles:
      inventory.ini: |
        [servers]
        server1.example.test ansible_user=admin ansible_ssh_private_key_file=~/.ssh/id_rsa
        server2.example.test ansible_user=admin ansible_ssh_private_key_file=~/.ssh/id_rsa
        server3.example.test ansible_user=admin ansible_ssh_private_key_file=~/.ssh/id_rsa
      myplaybook.yml: |
        ---
        - name: Ensure environment variable is set correctly
          hosts: servers
          become: true

          tasks:
            - name: Ensure MY_APP_MODE is set
              lineinfile:
                path: /home/{{ ansible_user }}/.bashrc
                regexp: '^MY_APP_MODE='
                line: 'MY_APP_MODE=production'
                state: present
              notify: Refresh environment

          handlers:
            - name: Refresh environment
              shell: . /home/{{ ansible_user }}/.bashrc
              changed_when: false
    taskRunner:
      type: io.kestra.plugin.core.runner.Process
    ansibleConfig: |
      [defaults]
      interpreter_python = auto_silent
      log_path={{ workingDir }}/ansible.log
      stdout_callback = yaml
    commands:
      - ansible-playbook -i inventory.ini myplaybook.yml

  - id: loop_hosts
    type: io.kestra.plugin.core.flow.ForEach
    values: "{{ outputs.set_up_env.vars.outputs }}"
    tasks:
      - id: check_drift
        type: io.kestra.plugin.slack.SlackIncomingWebhook
        runIf: "{{ (taskrun.value | jq('.changed') | first) == true }}"
        url: "{{ secret('SLACK_WEBHOOK') }}"
        payload: |
          {
            "text": "Configuration updated - {{ taskrun.value | jq('.msg') | first ?? Null }}"
          }

triggers:
  - id: check_nightly
    type: io.kestra.plugin.core.trigger.Schedule
    cron: 0 3 * * *
    disabled: true
```

About this blueprint

Category: Infrastructure

This workflow implements an infrastructure configuration drift detection pattern using Ansible, automatically identifying deviations from the desired system state and alerting teams only when corrective changes occur.

It demonstrates how to:

  1. Run Ansible playbooks from inline inventory and playbook definitions for reproducible Infrastructure as Code (IaC) workflows.
  2. Enforce configuration compliance across multiple servers by validating and correcting system settings.
  3. Detect configuration drift by inspecting Ansible task results on a per-host basis.
  4. Trigger Slack alerts only when drift is detected, reducing alert noise and focusing attention on real compliance issues.
  5. Schedule recurring drift checks (e.g. nightly) to continuously monitor infrastructure state.

This flow is ideal for security, compliance, and platform engineering teams looking to automate configuration governance and drift detection using Ansible.
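The decision the flow makes per host (alert only when `.changed` is true, with the task's `.msg` in the Slack text) can be exercised offline against a saved Ansible report. The script below is an added example, not code from the blueprint or from the Kestra Ansible plugin. It assumes the playbook was run with Ansible's `json` stdout callback (output shaped as plays, then tasks, then a per-host result map, plus a per-host `stats` recap); the hostnames, messages and counters in `SAMPLE_REPORT` are constructed for the example. It also handles the case the flow's `runIf` stays silent on: hosts that were unreachable or whose task failed, where compliance state is unknown rather than confirmed.

```python
"""Per-host drift extraction from an Ansible ``json``-callback report.

Added example (not part of the Kestra blueprint): the same decision logic as
the flow's ``runIf`` / payload, written so it can be run or unit-tested
against a saved ``ansible-playbook`` JSON report without any hosts.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample, shaped like the ``json`` stdout callback plugin's output
# for the blueprint's single lineinfile task. Hosts, messages and counters
# are invented for the example.
SAMPLE_REPORT = json.dumps({
    "plays": [{
        "play": {"name": "Ensure environment variable is set correctly"},
        "tasks": [{
            "task": {"name": "Ensure MY_APP_MODE is set"},
            "hosts": {
                "server1.example.test": {"changed": True, "msg": "line replaced"},
                "server2.example.test": {"changed": False},
                "server3.example.test": {"unreachable": True,
                                         "msg": "Failed to connect to the host via ssh"},
            },
        }],
    }],
    "stats": {
        "server1.example.test": {"changed": 1, "failures": 0, "ok": 1, "unreachable": 0},
        "server2.example.test": {"changed": 0, "failures": 0, "ok": 1, "unreachable": 0},
        "server3.example.test": {"changed": 0, "failures": 0, "ok": 0, "unreachable": 1},
    },
})


@dataclass(frozen=True)
class HostResult:
    host: str
    task: str
    changed: bool
    failed: bool
    unreachable: bool
    msg: str


def parse_report(report_json: str) -> list[HostResult]:
    """Flatten plays -> tasks -> hosts into one record per (host, task)."""
    report = json.loads(report_json)
    results: list[HostResult] = []
    for play in report.get("plays", []):
        for task in play.get("tasks", []):
            name = task.get("task", {}).get("name", "<unnamed>")
            for host, res in task.get("hosts", {}).items():
                results.append(HostResult(
                    host=host,
                    task=name,
                    changed=bool(res.get("changed", False)),
                    failed=bool(res.get("failed", False)),
                    unreachable=bool(res.get("unreachable", False)),
                    msg=str(res.get("msg", "")),
                ))
    return results


def drifted_hosts(results: list[HostResult]) -> list[str]:
    """Hosts where at least one task reported changed=true (the flow's runIf)."""
    return sorted({r.host for r in results if r.changed})


def unverified_hosts(results: list[HostResult]) -> list[str]:
    """Hosts whose state could not be confirmed: unreachable or failed tasks.

    The flow's runIf only fires on changed=true, so these hosts produce no
    alert; a compliance check should report them separately.
    """
    return sorted({r.host for r in results if r.unreachable or r.failed})


def drifted_from_stats(report_json: str) -> list[str]:
    """Same verdict from the per-host ``stats`` recap, as a cross-check."""
    stats = json.loads(report_json).get("stats", {})
    return sorted(h for h, s in stats.items() if s.get("changed", 0) > 0)


def build_alerts(results: list[HostResult]) -> list[str]:
    """One message per drifted host, mirroring the blueprint's Slack text."""
    return [f"Configuration updated - {r.host}: {r.msg or 'no message'}"
            for r in results if r.changed]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for line in build_alerts(rows):
        print(line)
    print("unverified:", unverified_hosts(rows))
```

The same parsing applies when the playbook is run with `ansible-playbook --check --diff`: in check mode `changed` marks what would have been modified, which gives detection without remediation for cases where the drift itself should be investigated before it is overwritten.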

Plugins used: Ansible CLI, Process, For Each, Slack Incoming Webhook, Schedule
