We automate tasks to simplify our work, but if the instructions for automation aren't well written, we haven't really accomplished much. That's where Steampunk Spotter comes in, an Ansible Playbook scanning tool that lets us effortlessly create, maintain, and update playbooks. Spotter analyzes playbooks and makes recommendations for improvements that help us reduce risks, save time, and achieve reliable automation. This tool identifies issues, automatically fixes specific ones, makes recommendations for playbook improvements to avoid undesirable results, and helps us . to follow automation and security best practices Note: I am part of the Steampunk Spotter team, here to share advice on how to make your Ansible Playbooks do what you want them to do. Install Spotter Install CLI Install the steampunk-spotter CLI tool as a (Python 3 is required). Python package pip install steampunk-spotter If you want to see all available commands and options Spotter offers, run: spotter --help Authenticate Spotter supports two kinds of login: (you can generate it in Spotter app user settings) API token To get your token, use global or set the SPOTTER_API_TOKEN environment variable. --api-token/-t Username and password To input your username and password, use the arguments*--username/-u*  and , or alternatively, set the environment variables SPOTTER_USERNAME and SPOTTER_PASSWORD. --password/-p Scan Ansible Content Spotter identifies invalid configurations, module and collection name changes and redirects, missing collection requirements, checks for fully qualified collection names or if certified collections and correct module parameters are used, etc. To initialize the scan with Spotter, type path/to/file. spotter scan So to execute a comprehensive playbook analysis, run: spotter scan playbook.yml Remember that running this general command performs a default scan. To perform a more comprehensive or targeted scan, use scan profiles. Use Scan Profiles Spotter offers several scanning profiles. Whether you want to upgrade your Ansible environment to a newer version of Ansible or improve the playbooks for a current version, the scan profiles ensure that the scan results meet your requirements. Spotter currently supports the following profiles: suitable for daily testing and improvement of Ansible Playbooks. It includes best practices, validation, and basic security checks but excludes upgrade and advanced security checks. Default profile: displays the full range of check results included in the default profile and also includes upgrade and extended security checks. Full profile: focuses on checking for potential security issues. Security profile: To specify a scan profile, use optional argument (- -profile full, --profile security). --profile So make sure to add suitable arguments to your commands to make your scanning experience optimal. Or, to be safe, use Spotter with all its power, and run: spotter scan --profile full playbook.yaml Automatically apply fixes Not only does Spotter find all the errors that could seriously ruin at least your day, if not your whole infrastructure, but it can also automatically fix specific ones for you ( ). For instance, Spotter will fix all FQCN for you, saving you a lot of time and hassle. The rewrite feature automatically generates a requirements.yml file encompassing all the necessary collections for the installation process. see demo Just run the Spotter scan command with the --rewrite switch: spotter scan --rewrite playbook.yaml Add custom rules You can add your own checks to Spotter. This tool allows you to define playbooks' standards, permitted modules and collections, naming conventions, and constraints on values for different modules and entities.  All you need to do is use the command and define the folder or file with the policies ( ). set-policies see demo Easily Upgrade Playbooks Spotter checks if playbooks are compatible with a specific Ansible version and pinpoints issues that need to be fixed. To see if your playbook is compatible with a specific Ansible version, use switch and add the version you want Spotter to scan against ( ). --ansible-version see demo So, for example, if you want to check if your existing playbooks are compatible with the freshly released Ansible 2.15, simply run: spotter scan --ansible-version 2.15 playbook.yaml and add switch that will make sure Spotter executes upgrades-related checks. --profile full Why use Spotter if we already have Ansible Lint? Good question. Because they complement each other. checks for programming errors, bugs, and stylistic errors. Spotter goes beyond syntax checking to help you find hard-to-find and time-consuming errors and is particularly useful for simplifying the Ansible upgrade process. So it’s best to use both tools to get risk-free playbooks. Ansible Lint Conclusion is an all-in-one Ansible Playbook tool that helps you write reliable, secure, and efficient playbooks and speeds up playbook writing and Ansible upgrades. Feel free to ask questions or share your thoughts on Spotter. I'd love to hear from you! Steampunk Spotter

Walkthroughs, tutorials, guides, and tips. This story will teach you how to do something new or how to do something better.

How to Make Ansible Playbooks Reliable and Secure

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

A Little Hashicorp Vault introduction:

Ansible 101: Ad-hoc Cmds and Inventory Files

Ansible 101: Modularization & Debugging

Ansible 101: Working With Facts and Templates

Automating MongoDB Sharded Cluster Deployment with Ansible

Building Cheap Raspberry Pi Cluster from Scratch

A Little Hashicorp Vault introduction:

Ansible 101: Ad-hoc Cmds and Inventory Files

Ansible 101: Modularization & Debugging

Ansible 101: Working With Facts and Templates

Automating MongoDB Sharded Cluster Deployment with Ansible

Building Cheap Raspberry Pi Cluster from Scratch

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps