paint-brush
How to Make Ansible Playbooks Reliable and Secureby@steampunkjess
646 reads
646 reads

How to Make Ansible Playbooks Reliable and Secure

by Jasna SimončičJune 7th, 2023
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Steampunk Spotter is an Ansible Playbook scanning tool that lets us effortlessly create, maintain, and update playbooks. Spotter analyzes playbooks and makes recommendations for improvements that help us reduce risks, save time, and achieve reliable automation.
featured image - How to Make Ansible Playbooks Reliable and Secure
Jasna Simončič HackerNoon profile picture


We automate tasks to simplify our work, but if the instructions for automation aren't well written, we haven't really accomplished much. That's where Steampunk Spotter comes in, an Ansible Playbook scanning tool that lets us effortlessly create, maintain, and update playbooks.

Spotter analyzes playbooks and makes recommendations for improvements that help us reduce risks, save time, and achieve reliable automation. This tool identifies issues, automatically fixes specific ones, makes recommendations for playbook improvements to avoid undesirable results, and helps usto follow automation and security best practices.


Note: I am part of the Steampunk Spotter team, here to share advice on how to make your Ansible Playbooks do what you want them to do.



Install Spotter

Install CLI

Install the steampunk-spotter CLI tool as a Python package (Python 3 is required).

pip install steampunk-spotter


If you want to see all available commands and options Spotter offers, run:

spotter --help

Authenticate

Spotter supports two kinds of login:


  • API token (you can generate it in Spotter app user settings)


To get your token, use --api-token/-t global or set the SPOTTER_API_TOKEN environment variable.


  • Username and password


    To input your username and password, use the arguments*--username/-u*  and --password/-p, or alternatively, set the environment variables SPOTTER_USERNAME and SPOTTER_PASSWORD.


Scan Ansible Content

Spotter identifies invalid configurations, module and collection name changes and redirects, missing collection requirements, checks for fully qualified collection names or if certified collections and correct module parameters are used, etc. To initialize the scan with Spotter, type spotter scan path/to/file.


So to execute a comprehensive playbook analysis, run:

spotter scan playbook.yml 


Remember that running this general command performs a default scan. To perform a more comprehensive or targeted scan, use scan profiles.


Use Scan Profiles

Spotter offers several scanning profiles. Whether you want to upgrade your Ansible environment to a newer version of Ansible or improve the playbooks for a current version, the scan profiles ensure that the scan results meet your requirements.

Spotter currently supports the following profiles:


  • Default profile: suitable for daily testing and improvement of Ansible Playbooks. It includes best practices, validation, and basic security checks but excludes upgrade and advanced security checks.


  • Full profile: displays the full range of check results included in the default profile and also includes upgrade and extended security checks.


  • Security profile: focuses on checking for potential security issues.




To specify a scan profile, use --profile optional argument (- -profile full, --profile security).

So make sure to add suitable arguments to your commands to make your scanning experience optimal. Or, to be safe, use Spotter with all its power, and run:


spotter scan --profile full playbook.yaml 


Automatically apply fixes

Not only does Spotter find all the errors that could seriously ruin at least your day, if not your whole infrastructure, but it can also automatically fix specific ones for you (see demo). For instance, Spotter will fix all FQCN for you, saving you a lot of time and hassle. The rewrite feature automatically generates a requirements.yml file encompassing all the necessary collections for the installation process.


Just run the Spotter scan command with the --rewrite switch:

spotter scan --rewrite playbook.yaml 


Add custom rules

You can add your own checks to Spotter. This tool allows you to define playbooks' standards, permitted modules and collections, naming conventions, and constraints on values for different modules and entities. All you need to do is use the set-policies command and define the folder or file with the policies (see demo).


Easily Upgrade Playbooks

Spotter checks if playbooks are compatible with a specific Ansible version and pinpoints issues that need to be fixed. To see if your playbook is compatible with a specific Ansible version, use --ansible-version switch and add the version you want Spotter to scan against (see demo).


So, for example, if you want to check if your existing playbooks are compatible with the freshly released Ansible 2.15, simply run:


spotter scan --ansible-version 2.15 playbook.yaml


and add  --profile full switch that will make sure Spotter executes upgrades-related checks.



Why use Spotter if we already have Ansible Lint?

Good question. Because they complement each other. Ansible Lint checks for programming errors, bugs, and stylistic errors. Spotter goes beyond syntax checking to help you find hard-to-find and time-consuming errors and is particularly useful for simplifying the Ansible upgrade process. So it’s best to use both tools to get risk-free playbooks.


Conclusion

Steampunk Spotter is an all-in-one Ansible Playbook tool that helps you write reliable, secure, and efficient playbooks and speeds up playbook writing and Ansible upgrades. Feel free to ask questions or share your thoughts on Spotter. I'd love to hear from you!