rsyslog/ansible/playbooks/drift-check.yml


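---
# Drift check for rsyslog: compares the configuration files tracked in the
# repository with the files that are live on each host, prints a status banner
# and fails the play when they differ.
#
# Variables read here but not defined in this file:
#   repo_root, rsyslog_main_config, rsyslog_config_dir
#
# NOTE(review): the find and diff tasks below are not delegated, so they run on
# the managed host. repo_root therefore has to be a path that exists on that
# host - verify this matches how the repository is made available to it.
- name: Check rsyslog configuration drift
  hosts: rsyslog_servers
  gather_facts: false
  vars:
    # Starting verdict; the set_fact tasks below flip it per host.
    drift_detected: false
  tasks:
    - name: Check main rsyslog.conf
      block:
        - name: Compare main configuration file
          # argv hands each path to diff as one argument, so a path that
          # contains whitespace is not split into several operands.
          command:
            argv:
              - diff
              - "{{ repo_root }}/files/rsyslog.conf"
              - "{{ rsyslog_main_config }}"
          register: main_diff
          changed_when: false
          # Never abort here: any non-zero rc (a difference, or diff being
          # unable to read a file) is treated as drift by the tasks below.
          failed_when: false

        - name: Fail if main config has drift
          # NOTE(review): the diff body ends up in the play output and in any
          # CI log that captures it; confirm rsyslog.conf holds no secrets.
          fail:
            # default(..., true) also replaces an empty string, so when diff
            # itself errors (empty stdout) its stderr is shown instead.
            msg: >-
              Main rsyslog.conf has drifted from Git.
              ({{ main_diff.stdout | default(main_diff.stderr, true) | default('no diff output', true) }})
          when: main_diff.rc != 0
          # Reported but not fatal, so the remaining checks still run.
          ignore_errors: true
          register: main_drift

        - name: Set drift flag for main config
          set_fact:
            drift_detected: true
          when: main_diff.rc != 0

    - name: Check rsyslog.d directory
      block:
        - name: Find config files in repository
          find:
            paths: "{{ repo_root }}/files/rsyslog.d"
            patterns: "*.conf"
          register: repo_configs

        - name: Compare each config file
          command:
            argv:
              - diff
              - "{{ item.path }}"
              - "{{ rsyslog_config_dir }}/{{ item.path | basename }}"
          register: file_diffs
          changed_when: false
          # A file missing on the server makes diff exit non-zero as well,
          # which the next task counts as drift.
          failed_when: false
          loop: "{{ repo_configs.files }}"
          loop_control:
            label: "{{ item.path | basename }}"

        - name: Set drift flag if any file differs
          set_fact:
            drift_detected: true
          when: item.rc != 0
          loop: "{{ file_diffs.results }}"
          loop_control:
            # Keep the per-item output to the file name instead of echoing the
            # whole registered result (which includes the diff text).
            label: "{{ item.item.path | basename }}"

    - name: Check for extra files on server
      block:
        - name: Find config files on server
          find:
            paths: "{{ rsyslog_config_dir }}"
            patterns: "*.conf"
            # The default file type lists regular files only; 'any' also
            # reports symlinks and other entries named *.conf, which an include
            # glob in rsyslog may still pick up.
            file_type: any
          register: server_configs

        - name: Check for files in server but not in repo
          set_fact:
            drift_detected: true
          # Compare by file name rather than by count: any name present on the
          # server that the repository does not track is drift.
          when: >-
            server_configs.files | map(attribute='path') | map('basename') | list
            | difference(repo_configs.files | map(attribute='path') | map('basename') | list)
            | length > 0

    - name: Report status
      block:
        - name: Print SYNCED status
          debug:
            msg: |
              ╭─────────────────────────────╮
              │ ✓ SYNCED │
              │ Configuration is up-to-date │
              ╰─────────────────────────────╯
          when: not drift_detected

        - name: Print OUT OF SYNC status
          debug:
            msg: |
              ╭─────────────────────────────╮
              │ ✗ OUT OF SYNC │
              │ Configuration has drifted │
              ╰─────────────────────────────╯
          when: drift_detected

    # Hard failure last, so the banner above is always printed first and the
    # run still ends with a non-zero result when anything drifted.
    - name: Fail if drift detected
      fail:
        msg: "Configuration drift detected. Live system does not match repository."
      when: drift_detected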