drift-check recursive

ansible/playbooks/check_confd_content.yml

@@ -0,0 +1,38 @@
+---
+# Helper task to compare individual rsyslog.d config file content
+# Called from drift-check.yml with loop_var: confd_file
+
+- name: Read Git version of {{ confd_file }}
+  slurp:
+    src: "{{ playbook_dir }}/../../files/rsyslog.d/{{ confd_file }}"
+  delegate_to: localhost
+  register: git_file_content
+
+- name: Read server version of {{ confd_file }}
+  slurp:
+    src: "{{ rsyslog_config_dir }}/{{ confd_file }}"
+  register: server_file_content
+
+- name: Normalize and compare {{ confd_file }} content
+  set_fact:
+    git_normalized: "{{ git_file_content.content | b64decode | replace('\r\n', '\n') }}"
+    server_normalized: "{{ server_file_content.content | b64decode | replace('\r\n', '\n') }}"
+
+- name: Check if {{ confd_file }} content matches
+  set_fact:
+    file_matches: "{{ git_normalized == server_normalized }}"
+
+- name: Debug {{ confd_file }} comparison
+  debug:
+    msg: |
+      File: {{ confd_file }}
+      Git size: {{ git_normalized | length }} chars
+      Server size: {{ server_normalized | length }} chars
+      Match: {{ file_matches }}
+  when: not file_matches
+
+- name: Mark drift if {{ confd_file }} differs
+  set_fact:
+    drift_detected: true
+    drifted_files: "{{ drifted_files + ['rsyslog.d/' + confd_file] }}"
+  when: not file_matches

ansible/playbooks/drift-check.yml

@@ -52,7 +52,7 @@
       when: not main_conf_match
 
     # ─────────────────────────────────────────────────────────────────────────
-    # Compare rsyslog.d directory files
+    # Compare rsyslog.d directory files (filenames and content)
     # ─────────────────────────────────────────────────────────────────────────
     - name: List Git rsyslog.d files
       find:
@@ -78,12 +78,21 @@
       set_fact:
         confd_match: "{{ git_confd_names == server_confd_names }}"
 
-    - name: Mark drift if rsyslog.d files differ
+    - name: Mark drift if rsyslog.d file list differs
       set_fact:
         drift_detected: true
         drifted_files: "{{ drifted_files + ['rsyslog.d/'] }}"
       when: not confd_match
 
+    # Compare content of each file in rsyslog.d (only if filenames match)
+    - name: Compare content of rsyslog.d config files
+      include_tasks:
+        file: check_confd_content.yml
+      loop: "{{ git_confd_names }}"
+      loop_control:
+        loop_var: confd_file
+      when: confd_match
+
     # ─────────────────────────────────────────────────────────────────────────
     # Output markers for update-gitops-status.sh parsing
     # ─────────────────────────────────────────────────────────────────────────