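---
# Detect drift between the rsyslog configuration committed to Git and the
# configuration live on each rsyslog server. Nothing is written to the servers:
# every comparison runs in check_mode. The play fails on drift so the CI
# pipeline goes red.
#
# Required variables (inventory / group vars):
#   rsyslog_main_config  path of the main config on the server (e.g. /etc/rsyslog.conf)
#   rsyslog_config_dir   drop-in directory on the server (e.g. /etc/rsyslog.d)
#
# Output contract (scraped from the debug output by update-gitops-status.sh):
#   DRIFTED_FILES=<comma-separated list, possibly empty>   printed on every run
#   SYNC_STATUS=SYNCED | SYNC_STATUS=OUT_OF_SYNC            printed on every run
- name: Check rsyslog configuration drift
  hosts: rsyslog_servers
  gather_facts: false
  # NOTE: src paths below resolve relative to the Ansible controller (the
  # Woodpecker CI container), so they always reflect the latest Git commit
  # NOT the server's local clone, which may be stale.
  tasks:
    # -------------------------------------------------------------------------
    # Use Ansible copy in check_mode so it compares controller files (Git)
    # against live server files without actually writing anything.
    # changed=true  → content, owner, group or mode differs → drift
    # changed=false → files match → synced
    # copy can only report on files that exist in Git. A file that exists only
    # on the server is invisible to it; that case is handled by the
    # find/difference block further down.
    # NOTE(security): diff: true puts the full file contents into the CI log.
    # If any rsyslog config carries credentials (e.g. for a remote output
    # module), set no_log on these tasks or drop the diff-printing tasks below.
    # -------------------------------------------------------------------------
    - name: Check main rsyslog.conf
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/../../files/rsyslog.conf"
        dest: "{{ rsyslog_main_config }}"
        owner: root
        group: root
        mode: '0644'
      check_mode: true
      diff: true
      register: main_config_check

    - name: Check rsyslog.d config files
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/../../files/rsyslog.d/"
        dest: "{{ rsyslog_config_dir }}/"
        owner: root
        group: root
        mode: '0644'
      check_mode: true
      diff: true
      register: rsyslogd_check

    # -------------------------------------------------------------------------
    # Compare the *set* of *.conf files in both directions:
    #   missing_on_server - in Git, not on the server
    #   extra_on_server   - on the server, not in Git (unmanaged drop-in)
    # The second direction is the security-relevant one: an extra file in
    # rsyslog.d (a new forwarding target, a rule that discards messages) is
    # loaded by rsyslog just like a managed one, and copy above never sees it.
    # NOTE(review): the "*.conf" pattern assumes the main config only includes
    # *.conf from this directory (the usual $IncludeConfig rsyslog.d/*.conf);
    # confirm against files/rsyslog.conf, otherwise widen the pattern.
    # -------------------------------------------------------------------------
    - name: Compare the set of rsyslog.d files on server and in Git
      block:
        - name: Find config files on server
          ansible.builtin.find:
            paths: "{{ rsyslog_config_dir }}"
            patterns: "*.conf"
            recurse: false
          register: server_configs

        - name: Find config files in Git (controller)
          ansible.builtin.find:
            paths: "{{ playbook_dir }}/../../files/rsyslog.d"
            patterns: "*.conf"
            recurse: false
          delegate_to: localhost
          register: repo_configs

        - name: Build lists of filenames (basename only) for both sides
          ansible.builtin.set_fact:
            git_filenames: "{{ repo_configs.files | map(attribute='path') | map('basename') | list }}"
            server_filenames: "{{ server_configs.files | map(attribute='path') | map('basename') | list }}"

        - name: Compute set differences in both directions
          ansible.builtin.set_fact:
            missing_on_server: "{{ git_filenames | difference(server_filenames) }}"
            extra_on_server: "{{ server_filenames | difference(git_filenames) }}"

        - name: Show files in Git but missing on server
          ansible.builtin.debug:
            msg: "Files in Git but missing on server: {{ missing_on_server }}"
          when: missing_on_server | length > 0

        - name: Show files on server not present in Git
          ansible.builtin.debug:
            msg: "Files on server not present in Git: {{ extra_on_server }}"
          when: extra_on_server | length > 0

    # Any single signal is enough to declare drift.
    - name: Set overall drift flag
      ansible.builtin.set_fact:
        drift_detected: "{{ main_config_check.changed or rsyslogd_check.changed or (missing_on_server | length > 0) or (extra_on_server | length > 0) }}"

    # -------------------------------------------------------------------------
    # Debug: Show WHAT changed (for troubleshooting). The diff tasks print file
    # contents; see the security note above before adding secrets to configs.
    # -------------------------------------------------------------------------
    - name: Show main config change status
      ansible.builtin.debug:
        msg: "Main config (rsyslog.conf) changed: {{ main_config_check.changed }}"
      when: drift_detected

    - name: Show rsyslog.d change status
      ansible.builtin.debug:
        msg: "rsyslog.d directory changed: {{ rsyslogd_check.changed }}"
      when: drift_detected

    - name: Show main config diff if changed
      ansible.builtin.debug:
        var: main_config_check.diff
      when: main_config_check.changed and main_config_check.diff is defined

    - name: Show rsyslog.d diff if changed
      ansible.builtin.debug:
        var: rsyslogd_check.diff
      when: rsyslogd_check.changed and rsyslogd_check.diff is defined

    # -------------------------------------------------------------------------
    # Build structured list of changed files for GitOps status server.
    # This data is parsed by the update-gitops-status.sh wrapper script.
    # -------------------------------------------------------------------------
    - name: Initialize list of drifted files
      ansible.builtin.set_fact:
        drifted_files: []

    # Report the path that was actually checked (dest above) rather than a
    # hard-coded /etc/rsyslog.conf, so the status line cannot disagree with
    # the comparison when rsyslog_main_config points elsewhere.
    - name: Add main config to drifted files if changed
      ansible.builtin.set_fact:
        drifted_files: "{{ drifted_files + [rsyslog_main_config] }}"
      when: main_config_check.changed

    # NOTE(review): assumes each entry of rsyslogd_check.diff carries a 'dest'
    # key (one per-file diff from the copy action) — confirm against the copy
    # action's check_mode output for the Ansible version in the CI image.
    - name: Extract specific rsyslog.d files that changed
      ansible.builtin.set_fact:
        changed_rsyslogd_files: "{{ rsyslogd_check.diff | map(attribute='dest') | list if rsyslogd_check.diff is defined else [] }}"
      when: rsyslogd_check.changed

    - name: Add changed rsyslog.d files to drifted list
      ansible.builtin.set_fact:
        drifted_files: "{{ drifted_files + changed_rsyslogd_files }}"
      when:
        - rsyslogd_check.changed
        - changed_rsyslogd_files is defined and changed_rsyslogd_files | length > 0

    # Missing and unmanaged files share the "rsyslog.d/<name>" form already
    # understood by the status parser. set_fact in a loop accumulates.
    - name: Add missing and unmanaged rsyslog.d files to drifted list
      ansible.builtin.set_fact:
        drifted_files: "{{ drifted_files + ['rsyslog.d/' + item] }}"
      loop: "{{ (missing_on_server | default([])) + (extra_on_server | default([])) }}"

    # -------------------------------------------------------------------------
    # Debug output: Show structured drifted files for parsing
    # Format: DRIFTED_FILES=file1,file2,file3 (or empty if no drift)
    # This makes it easy for update-gitops-status.sh to extract changed files
    # ALWAYS output this line for reliable parsing, even when empty
    # -------------------------------------------------------------------------
    - name: Output structured list of drifted files for GitOps status server
      ansible.builtin.debug:
        msg: "DRIFTED_FILES={{ drifted_files | join(',') if drifted_files | length > 0 else '' }}"

    - name: Output sync status marker for parsing
      ansible.builtin.debug:
        msg: "SYNC_STATUS=SYNCED"
      when: not drift_detected

    - name: Output sync status marker for parsing
      ansible.builtin.debug:
        msg: "SYNC_STATUS=OUT_OF_SYNC"
      when: drift_detected

    - name: Print SYNCED status
      ansible.builtin.debug:
        msg: |
          ╭─────────────────────────────╮
          │ ✓ SYNCED                    │
          │ Configuration is up-to-date │
          ╰─────────────────────────────╯
      when: not drift_detected

    - name: Print OUT OF SYNC status
      ansible.builtin.debug:
        msg: |
          ╭─────────────────────────────╮
          │ ✗ OUT OF SYNC               │
          │ Configuration has drifted   │
          ╰─────────────────────────────╯
      when: drift_detected

    # Failing the play is what turns drift into a red pipeline; keep it last
    # so every status line above has already been printed for the parser.
    - name: Fail if drift detected
      ansible.builtin.fail:
        msg: "Configuration drift detected. Live system does not match repository."
      when: drift_detected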