Improve the reliability and security of Ansible Playbooks with Steampunk Spotter

This post was originally published on DevOps Madness.com .

The author of this blog post is Ioannis Moustakis, Solutions Architect at AWS and creator of DevOpsMadness.com blog. Opinions expressed are solely his own.

Ansible has been one of the most dominant tools for enabling configuration management and automation in complex systems. Playbooks are fundamental building blocks of Ansible as a primary way to automate a series of tasks. However, ensuring their reliability, security, quality, and effectiveness can take time, knowledge, and effort. Enter Steampunk Spotter , an Ansible Playbook scanning tool that helps you effortlessly create, maintain, and update Ansible Playbooks and achieve reliable and secure execution of automation. In this blog post, we’ll talk about what Spotter is, how to use it, and what benefits it brings. Let’s dive in.

What is Steampunk Spotter?

Spotter is an Ansible Playbook scanning tool that analyzes playbooks and provides recommendations for improvements. By analyzing our playbooks, the tool can help us produce safe-to-run playbooks, save time and achieve automation in a reliable fashion. This tool identifies hard-to-catch and time-consuming errors, fixes specific ones automatically, recommends improving playbooks to avoid undesirable results, and helps us follow automation and security best practices. If you are intrigued, check out the See Spotter in action demo. One of the things I like about Spotter is its flexibility and that you can use it in many ways. The tool provides diverse options for scanning playbooks and roles, offering valuable feedback and recommendations. In its simplest form, you can scan Ansible content via CLI when writing and testing your playbooks locally. Another option is to use it via VS Code and speed up your playbook writing with the Assisted Playbook Writing mode. Similarly to how we have automated quality assurance and security tests backed in our CI/CD pipelines for software code, you can integrate Spotter with your favorite CI/CD tool, such as GitLab and GitHub Actions , and integrate playbook scanning into your CI/CD workflows. Lastly, the Spotter application records all your scans and provides analytics and the ability to produce reports allowing seamless collaboration with others.

Benefits and Features

Advanced Ansible Playbook Scanning

Running spotter scan command executes a comprehensive playbook analysis that will help you spot even the most elusive errors and helps you follow automation best practices. Spotter goes beyond syntax checking and provides module-specific suggestions. This tool identifies invalid configurations, module and collection name changes and redirects, missing collection requirements, checks for fully qualified collection names or if certified collections and correct module parameters are used, etc. It helps you find errors that would be hard to catch or take a lot of time to fix and allows you to get optimized risk-free playbooks effortlessly.

This is what a scan performed by Spotter looks like:

Scan profiles

Spotter offers different scan profiles. Whether upgrading your Ansible environment to a newer version of Ansible or improving playbooks for a current version, different projects have different needs. With scan profiles, Spotter ensures that the check results generated by Spotter are relevant to the specific project.

With the optional argument --profile, you can specify a scan profile that contains a selected set of checks for scanning. Spotter currently supports the following profiles:

• Default profile is suitable for day-to-day testing and improving Ansible Playbooks. It includes best practices, validation, and basic security checks but excludes upgrade and advanced security checks. It is used by default when executing the basic spotter scan command.
• Full profile displays the full range of check results in the default profile and includes upgrade and advanced security checks.
• Security profile includes checks for potential security issues. So make sure to add suitable arguments to your commands to make your scanning experience optimal. Or, to be safe, use Spotter with all its power, and run

$ spotter scan — profile full playbook.yaml

Assisted playbook writing

Not just identifying errors in your playbooks, Spotter also speeds up your playbook writing with an Assisted playbook writing feature that offers you recommendations for suitable tasks based on your input. Since you don’t have to search for suitable tasks yourself, you can save a lot of time, hassle, and nerves. If you are ready to start, look at the Assisted Playbook Writing Feature demo.

Secure playbook execution

One of the most common concerns when writing, upgrading, or adding new functionality to playbooks is what will actually happen when we run them. Will they do what they expect, or will our systems enter an unstable and unknown state due to failures? To assist in this, Spotter includes security checks, adding an extra layer of protection for our playbooks. This versatile tool helps us achieve secure playbook execution by highlighting potential misconfigurations and security risks. Following Spotter’s recommendations, we can minimize vulnerabilities and ensure compliance with security best practices.

To execute only security checks, run spotter scan --profile security command. If you want to get more valuable scan reports and discover additional tips for improvements, you can include additional data to get more insights, for example, the optional --include-values switch. Sensitive data is identified as Spotter detects secrets and blanks them out.

Simplified Ansible upgrades

Adopting new Ansible versions and migrating playbooks to newer versions can be challenging. Spotter can validate if your playbooks are compatible with a specific Ansible version , helps you ensure compatibility in case they are not, and allows you to speed up the upgrade with other convenient features, such as the rewrite function mentioned below.

To check if your playbook is compatible with a specific Ansible version, use the --ansible-version flag and add the version you want Spotter to scan against. So, for example, if you want to check if your existing playbooks are compatible with Ansible 2.15, execute:

$ spotter scan — ansible-version 2.15 playbook.yaml

Add the --profile full switch to make sure Spotter executes upgrades-related checks and checks regarding Ansible Automation Platform migration and execution environments.

Custom rules and policies

A common practice in configuration management and infrastructure as code systems is the ability for teams and organizations to set up custom rules and policies that allows them to achieve the necessary security and compliance posture. Spotter can include custom checks and rules , which means you can tailor the tool to your needs and ensure that all playbooks meet your specific requirements and use cases. It has an integrated Open Policy Agent (OPA) -compliant policy definition engine, generating OPA-based policies to be included in Spotter with minimum additional effort. They are written in Rego, a rule-based language that checks Spotter’s extracted data from Ansible tasks or playbooks that need to meet the defined conditions returning the desired result. You can specify allowed modules and collections, define naming conventions, and limit required values on specific modules and entities, such as exposed ports and virtual machine sizes.

All we need to do is use the set-policies command and define the folder or file with the policies.

Rewrite function and links to documentation

With Spotter, you can automatically fix specific errors in your Ansible Playbooks by running the Spotter scan command and the --rewrite switch. For example, Spotter can automatically fix all FQCN for you, saving you valuable time.

The rewrite feature automatically generates a requirements.yml with all the collections you need for the installation, saving you again a lot of time.

When Spotter finds errors or offers warnings and hints, it also provides you with direct links to documentation of the module or collections you need to fix, so you don’t have to spend precious time looking for them.

Reporting and data analysis

No matter where you perform your scans, whether CLI, VSC, CI/CD pipelines, you can see the scan history and analytics in the Spotter app. You don’t have to do anything; they are automatically imported into the app. Spotter’s intuitive reporting feature gives you valuable insights into your scan activity and data. With detailed reports, you can easily spot trends and monitor your progress. This allows you to track a complete scan history and collaborate with your team easily.

Key Points

In this blog post, we explored Steampunk Spotter, a great tool to take your Ansible Playbooks game to the next level. Spotter assists users in writing reliable, secure, efficient, and error-free playbooks, ultimately speeding up playbook writing and upgrades. Whether you’re a developer, quality assurance professional, operations specialist, or security professional, Steampunk Spotter is a valuable addition to your toolkit.

Interested in Spotter, but don’t know how to start? Explore our Getting started guide.