Step 9: Analyze & Edit Playbook Library

Version 11542 — Review playbooks, configure validations, and tune durations

How This Step Works

This step lets you review and edit everything about your playbook library and its validation pipeline before MOPs are mapped in Step 10. Follow the sub-workflow below:

9A. Review Playbooks

Expand any playbook to view or edit its YAML source inline. Save changes without leaving this page.

9B. Edit Category Settings

Update descriptions, risk levels, and estimated durations for each category.

9C. Manage Validations

Add, edit, or remove validation modules for each category. Assign them to run after specific playbooks.

9D. Continue to Mapping

Once satisfied, proceed to Step 10 to map MOPs to these categories and playbooks.

Legend

Automated validation (runs without human input)

Manual validation (pauses for operator)

category Category mapping label

high medium low Risk levels

Estimated duration in minutes

Playbook YAML file

9 Playbooks 12 Categories 7 Validation Types Available

---
- name: Certificate Rotation
  hosts: "{{ region }}_{{ target_group | default('web') }}"
  become: yes
  gather_facts: yes
  
  vars:
    cert_source: "{{ cert_source_path | default('/etc/pki/tls/certs') }}"
    cert_name: "{{ certificate_name | default('server') }}"
    key_vault_name: "{{ azure_key_vault | default('') }}"
    backup_old_cert: "{{ backup_existing | default(true) }}"
    restart_services_after: "{{ restart_services | default(['nginx', 'httpd']) }}"
    
  pre_tasks:
    - name: Display certificate rotation parameters
      debug:
        msg: |
          Certificate Rotation for {{ region }}
          Certificate: {{ cert_name }}
          Source: {{ cert_source }}
          Key Vault: {{ key_vault_name | default('local') }}
          Backup existing: {{ backup_old_cert }}
          
    - name: Check current certificate expiry
      command: >
        openssl x509 -enddate -noout 
        -in {{ cert_source }}/{{ cert_name }}.crt
      register: cert_expiry
      ignore_errors: yes
      
    - name: Display current certificate info
      debug:
        var: cert_expiry.stdout
      when: cert_expiry.rc == 0
      
  tasks:
    - name: Backup existing certificate
      copy:
        src: "{{ cert_source }}/{{ cert_name }}.crt"
        dest: "{{ cert_source }}/{{ cert_name }}.crt.backup-{{ ansible_date_time.epoch }}"
        remote_src: yes
      when: backup_old_cert | bool
      ignore_errors: yes
      
    - name: Download new certificate from Azure Key Vault
      command: >
        az keyvault certificate download
        --vault-name {{ key_vault_name }}
        --name {{ cert_name }}
        --file {{ cert_source }}/{{ cert_name }}.crt
      when: key_vault_name | length > 0
      
    - name: Copy new certificate from local source
      copy:
        src: "certs/{{ cert_name }}.crt"
        dest: "{{ cert_source }}/{{ cert_name }}.crt"
        owner: root
        group: root
        mode: '0644'
      when: key_vault_name | length == 0
      
    - name: Verify new certificate
      command: >
        openssl x509 -noout -text 
        -in {{ cert_source }}/{{ cert_name }}.crt
      register: new_cert_info
      
    - name: Restart affected services
      systemd:
        name: "{{ item }}"
        state: restarted
      loop: "{{ restart_services_after }}"
      
  post_tasks:
    - name: Verify services after certificate rotation
      command: "systemctl is-active {{ item }}"
      loop: "{{ restart_services_after }}"
      register: service_status
      
    - name: Generate rotation report
      debug:
        msg: |
          Certificate rotation completed for {{ inventory_hostname }}
          Old expiry: {{ cert_expiry.stdout | default('unknown') }}
          New certificate installed: yes
          Services restarted: {{ restart_services_after | join(', ') }}

87 lines · 2.8 KB

---
- name: Commit Configuration Changes to Git
  hosts: localhost
  gather_facts: yes
  
  vars:
    git_repo_path: "{{ git_repo_path | default('.') }}"
    git_branch: "{{ git_branch | default('main') }}"
    commit_message: "{{ commit_message | default('Update configuration via MOP automation') }}"
    git_user_name: "{{ git_user_name | default('MOP Automation') }}"
    git_user_email: "{{ git_user_email | default('mop-automation@company.com') }}"
    
  tasks:
    - name: Display Git operation information
      debug:
        msg: |
          Git Repository: {{ git_repo_path }}
          Target Branch: {{ git_branch }}
          Commit Message: {{ commit_message }}
          
    - name: Check if directory is a Git repository
      stat:
        path: "{{ git_repo_path }}/.git"
      register: git_repo_check
      
    - name: Fail if not a Git repository
      fail:
        msg: "Directory {{ git_repo_path }} is not a Git repository"
      when: not git_repo_check.stat.exists
      
    - name: Configure Git user name
      git_config:
        name: user.name
        value: "{{ git_user_name }}"
        scope: local
        repo: "{{ git_repo_path }}"
        
    - name: Configure Git user email
      git_config:
        name: user.email
        value: "{{ git_user_email }}"
        scope: local
        repo: "{{ git_repo_path }}"
        
    - name: Check Git status
      command: git status --porcelain
      args:
        chdir: "{{ git_repo_path }}"
      register: git_status
      changed_when: false
      
    - name: Display current Git status
      debug:
        msg: |
          Git Status:
          {{ git_status.stdout if git_status.stdout else 'Working directory clean' }}
          
    - name: Check if there are changes to commit
      set_fact:
        has_changes: "{{ git_status.stdout | length > 0 }}"
        
    - name: Add all changes to Git staging
      command: git add .
      args:
        chdir: "{{ git_repo_path }}"
      when: has_changes
      
    - name: Create commit with changes
      command: |
        git commit -m "{{ commit_message }}"
      args:
        chdir: "{{ git_repo_path }}"
      register: git_commit_result
      when: has_changes
      
    - name: Display commit information
      debug:
        msg: |
          Commit Status: {{ 'Created' if has_changes else 'No changes to commit' }}
          {% if has_changes and git_commit_result is defined %}
          Commit Output: {{ git_commit_result.stdout }}
          {% endif %}
          
    - name: Get current branch
      command: git branch --show-current
      args:
        chdir: "{{ git_repo_path }}"
      register: current_branch
      changed_when: false
      
    - name: Switch to target branch if different
      command: git checkout {{ git_branch }}
      args:
        chdir: "{{ git_repo_path }}"
      when: 
        - current_branch.stdout != git_branch
        - has_changes
      register: branch_switch
      
    - name: Push changes to remote repository
      command: git push origin {{ git_branch }}
      args:
        chdir: "{{ git_repo_path }}"
      register: git_push_result
      when: has_changes
      ignore_errors: yes
      
    - name: Handle push results
      debug:
        msg: |
          Push Status: {{ 'SUCCESS' if git_push_result is succeeded else 'FAILED' }}
          {% if git_push_result is defined %}
          Push Output: {{ git_push_result.stdout | default('') }}
          {% if git_push_result is failed %}
          Push Error: {{ git_push_result.stderr | default('') }}
          {% endif %}
          {% endif %}
          
    - name: Create Git operation summary
      copy:
        content: |
          Git Operation Summary
          ====================
          Repository: {{ git_repo_path }}
          Branch: {{ git_branch }}
          Date: {{ ansible_date_time.iso8601 }}
          
          Operation Results:
          - Changes Detected: {{ has_changes }}
          {% if has_changes %}
          - Commit Created: {{ git_commit_result is succeeded }}
          - Push Status: {{ 'SUCCESS' if git_push_result is succeeded else 'FAILED' }}
          {% if git_commit_result is defined %}
          - Commit Hash: {{ git_commit_result.stdout | regex_search('\[.*\]') | default('N/A') }}
          {% endif %}
          {% endif %}
          
          Modified Files:
          {{ git_status.stdout if git_status.stdout else 'No files modified' }}
        dest: "/tmp/git-operation-{{ ansible_date_time.epoch }}.log"
        mode: '0644'
        
    - name: Fail if push failed
      fail:
        msg: "Git push failed: {{ git_push_result.stderr | default('Unknown error') }}"
      when: 
        - has_changes
        - git_push_result is defined
        - git_push_result is failed

150 lines · 4.7 KB

---
- name: Database Maintenance Operations
  hosts: "{{ region }}_{{ target_group | default('db') }}"
  become: yes
  gather_facts: yes
  
  vars:
    db_type: "{{ database_type | default('postgresql') }}"
    maintenance_type: "{{ maintenance_action | default('vacuum') }}"
    db_name: "{{ database_name | default('') }}"
    backup_before: "{{ create_backup | default(true) }}"
    max_connections_during: "{{ max_conn | default(10) }}"
    
  pre_tasks:
    - name: Display maintenance parameters
      debug:
        msg: |
          Database Maintenance for {{ region }}
          Type: {{ db_type }}
          Action: {{ maintenance_type }}
          Database: {{ db_name | default('all') }}
          Backup before: {{ backup_before }}
          
    - name: Check database service status
      systemd:
        name: "{{ db_type }}"
      register: db_service
      
  tasks:
    - name: Create pre-maintenance backup
      command: >
        pg_dump {{ db_name }} 
        -f /var/backup/{{ db_name }}-pre-maint-{{ ansible_date_time.epoch }}.sql
      become_user: postgres
      when: 
        - backup_before | bool
        - db_type == 'postgresql'
        - db_name | length > 0
      
    - name: Run VACUUM ANALYZE (PostgreSQL)
      command: "psql -d {{ db_name }} -c 'VACUUM ANALYZE;'"
      become_user: postgres
      when:
        - db_type == 'postgresql'
        - maintenance_type == 'vacuum'
        - db_name | length > 0
        
    - name: Run REINDEX (PostgreSQL)
      command: "psql -d {{ db_name }} -c 'REINDEX DATABASE {{ db_name }};'"
      become_user: postgres
      when:
        - db_type == 'postgresql'
        - maintenance_type == 'reindex'
        - db_name | length > 0
        
    - name: Check table bloat (PostgreSQL)
      command: >
        psql -d {{ db_name }} -c 
        "SELECT schemaname, tablename, 
         pg_size_pretty(pg_total_relation_size(schemaname||'.'||tablename)) as size
         FROM pg_tables WHERE schemaname = 'public' ORDER BY pg_total_relation_size(schemaname||'.'||tablename) DESC LIMIT 10;"
      become_user: postgres
      register: table_sizes
      when:
        - db_type == 'postgresql'
        - db_name | length > 0
        
  post_tasks:
    - name: Display table sizes
      debug:
        var: table_sizes.stdout_lines
      when: table_sizes is defined
      
    - name: Verify database is accepting connections
      command: "pg_isready"
      when: db_type == 'postgresql'

77 lines · 2.4 KB

---
- name: Edit YAML Configuration Files
  hosts: localhost
  gather_facts: yes
  
  vars:
    config_file: "{{ config_file | default('config/default.yml') }}"
    backup_dir: "/tmp/config-backups"
    
  tasks:
    - name: Display configuration update information
      debug:
        msg: |
          Updating configuration file: {{ config_file }}
          Target region: {{ region }}
          Backup directory: {{ backup_dir }}
    
    - name: Create backup directory
      file:
        path: "{{ backup_dir }}"
        state: directory
        mode: '0755'
        
    - name: Check if configuration file exists
      stat:
        path: "{{ config_file }}"
      register: config_file_stat
      
    - name: Create configuration file if it doesn't exist
      file:
        path: "{{ config_file }}"
        state: touch
        mode: '0644'
      when: not config_file_stat.stat.exists
      
    - name: Backup existing configuration
      copy:
        src: "{{ config_file }}"
        dest: "{{ backup_dir }}/{{ config_file | basename }}.{{ ansible_date_time.epoch }}"
        backup: yes
      when: config_file_stat.stat.exists
      
    - name: Read current configuration
      slurp:
        src: "{{ config_file }}"
      register: current_config
      when: config_file_stat.stat.exists
      
    - name: Parse current YAML configuration
      set_fact:
        current_yaml: "{{ current_config.content | b64decode | from_yaml }}"
      when: 
        - config_file_stat.stat.exists
        - current_config.content | length > 0
      ignore_errors: yes
      
    - name: Initialize empty config if parsing failed
      set_fact:
        current_yaml: {}
      when: current_yaml is not defined
      
    - name: Update configuration with new values
      set_fact:
        updated_config: |
          {% set config = current_yaml | default({}) %}
          {% if agent_version is defined %}
          {% set _ = config.update({'agent_version': agent_version}) %}
          {% endif %}
          {% if target_systems is defined %}
          {% set _ = config.update({'target_systems': target_systems}) %}
          {% endif %}
          {% if region is defined %}
          {% set _ = config.update({'region': region}) %}
          {% endif %}
          {% if upgrade_strategy is defined %}
          {% set _ = config.update({'upgrade_strategy': upgrade_strategy}) %}
          {% endif %}
          {% set _ = config.update({'last_updated': ansible_date_time.iso8601}) %}
          {% set _ = config.update({'updated_by': 'mop-ansible-renderer'}) %}
          {{ config }}
          
    - name: Write updated configuration
      copy:
        content: "{{ updated_config | to_nice_yaml }}"
        dest: "{{ config_file }}"
        mode: '0644'
        backup: yes
      register: config_update_result
      
    - name: Validate YAML syntax
      include_vars:
        file: "{{ config_file }}"
      register: yaml_validation
      ignore_errors: yes
      
    - name: Report validation results
      debug:
        msg: |
          Configuration update completed
          File: {{ config_file }}
          Validation: {{ 'PASSED' if yaml_validation is succeeded else 'FAILED' }}
          Backup created: {{ config_update_result.backup_file | default('N/A') }}
          
    - name: Fail if YAML validation failed
      fail:
        msg: "YAML validation failed for {{ config_file }}"
      when: yaml_validation is failed
      
    - name: Display updated configuration
      debug:
        msg: "{{ updated_config | from_yaml }}"
        
    - name: Create update summary
      copy:
        content: |
          Configuration Update Summary
          ===========================
          File: {{ config_file }}
          Date: {{ ansible_date_time.iso8601 }}
          Status: {{ 'SUCCESS' if yaml_validation is succeeded else 'FAILED' }}
          Backup: {{ config_update_result.backup_file | default('N/A') }}
          
          Updated Values:
          {% if agent_version is defined %}
          - agent_version: {{ agent_version }}
          {% endif %}
          {% if target_systems is defined %}
          - target_systems: {{ target_systems }}
          {% endif %}
          {% if region is defined %}
          - region: {{ region }}
          {% endif %}
          {% if upgrade_strategy is defined %}
          - upgrade_strategy: {{ upgrade_strategy }}
          {% endif %}
        dest: "{{ backup_dir }}/update-summary-{{ ansible_date_time.epoch }}.txt"
        mode: '0644'

138 lines · 4.4 KB

---
- name: Patch Linux Systems
  hosts: "{{ region }}_{{ target_group | default('web') }}"
  become: yes
  gather_facts: yes
  
  vars:
    patch_group: "{{ patch_group | default('all') }}"
    maintenance_window: "{{ maintenance_window | default('02:00-04:00') }}"
    reboot_required: "{{ reboot_required | default(true) }}"
    
  pre_tasks:
    - name: Display patch information
      debug:
        msg: |
          Starting patch process for {{ region }} region
          Patch Group: {{ patch_group }}
          Maintenance Window: {{ maintenance_window }}
          Reboot Required: {{ reboot_required }}
    
    - name: Check system uptime
      debug:
        var: ansible_uptime_seconds
        
    - name: Create patch backup point
      file:
        path: /var/backup/pre-patch-{{ ansible_date_time.epoch }}
        state: directory
        mode: '0755'
  
  tasks:
    - name: Update package cache (RedHat/CentOS)
      yum:
        update_cache: yes
      when: ansible_os_family == "RedHat"
      
    - name: Update package cache (Debian/Ubuntu)
      apt:
        update_cache: yes
        cache_valid_time: 3600
      when: ansible_os_family == "Debian"
      
    - name: Install security updates (RedHat/CentOS)
      yum:
        name: "*"
        state: latest
        security: yes
      when: ansible_os_family == "RedHat"
      register: yum_updates
      
    - name: Install security updates (Debian/Ubuntu)
      apt:
        upgrade: safe
      when: ansible_os_family == "Debian"
      register: apt_updates
      
    - name: Check if reboot is required (RedHat/CentOS)
      stat:
        path: /var/run/reboot-required
      register: reboot_required_file
      when: ansible_os_family == "RedHat"
      
    - name: Check if reboot is required (Debian/Ubuntu)
      stat:
        path: /var/run/reboot-required
      register: reboot_required_file
      when: ansible_os_family == "Debian"
      
    - name: Reboot system if required and enabled
      reboot:
        reboot_timeout: 600
        test_command: uptime
      when: 
        - reboot_required | bool
        - reboot_required_file.stat.exists | default(false) or yum_updates.changed | default(false) or apt_updates.changed | default(false)
      
  post_tasks:
    - name: Verify system status after patching
      command: uptime
      register: post_patch_uptime
      
    - name: Display post-patch status
      debug:
        msg: |
          Patching completed for {{ inventory_hostname }}
          System uptime: {{ post_patch_uptime.stdout }}
          Updates installed: {{ yum_updates.changed | default(false) or apt_updates.changed | default(false) }}
          
    - name: Generate patch report
      copy:
        content: |
          Patch Report for {{ inventory_hostname }}
          =====================================
          Date: {{ ansible_date_time.iso8601 }}
          Region: {{ region }}
          Patch Group: {{ patch_group }}
          Updates Applied: {{ yum_updates.changed | default(false) or apt_updates.changed | default(false) }}
          Reboot Performed: {{ reboot_required and (reboot_required_file.stat.exists | default(false) or yum_updates.changed | default(false) or apt_updates.changed | default(false)) }}
          Final Uptime: {{ post_patch_uptime.stdout }}
        dest: /var/log/patch-report-{{ ansible_date_time.epoch }}.txt
        mode: '0644'

  handlers:
    - name: restart services
      systemd:
        name: "{{ item }}"
        state: restarted
      loop:
        - NetworkManager
        - sshd
      listen: "restart critical services"

112 lines · 3.5 KB

---
- name: Trigger Azure DevOps Pipeline
  hosts: localhost
  gather_facts: yes
  
  vars:
    # Use region-specific ADO organization configuration
    current_region: "{{ region | default('wus2') }}"
    region_ado_config: "{{ ado_organizations[current_region] }}"
    pipeline_name: "{{ pipeline_name | default('azure-deployment-' + current_region) }}"
    devops_organization: "{{ region_ado_config.organization }}"
    devops_project: "{{ region_ado_config.project }}"
    pipeline_id: "{{ region_ado_config.pipeline_id }}"
    azure_devops_token: "{{ region_ado_config.token }}"
    environment_name: "{{ region_ado_config.environment }}"
    base_url: "{{ region_ado_config.base_url }}"
    wait_for_completion: "{{ wait_for_completion | default(true) }}"
    pipeline_timeout: "{{ pipeline_timeout | default(1800) }}"  # 30 minutes
    check_interval: "{{ check_interval | default(30) }}"  # 30 seconds
    
  tasks:
    - name: Display pipeline trigger information
      debug:
        msg: |
          Pipeline: {{ pipeline_name }}
          Organization: {{ devops_organization }}
          Project: {{ devops_project }}
          Wait for Completion: {{ wait_for_completion }}
          Region: {{ region | default('N/A') }}
          
    - name: Validate region and ADO organization configuration
      assert:
        that:
          - current_region in ado_organizations
          - region_ado_config is defined
          - region_ado_config.organization is defined
          - region_ado_config.project is defined
          - region_ado_config.pipeline_id is defined
          - region_ado_config.token is defined
        fail_msg: "Region {{ current_region }} ADO organization not configured or missing credentials"
        
    - name: Check Azure CLI availability
      command: az --version
      register: az_cli_check
      failed_when: false
      changed_when: false
      
    - name: Install Azure CLI if not available (simulation)
      debug:
        msg: "Azure CLI would be installed here in a real environment"
      when: az_cli_check.rc != 0
      
    - name: Simulate Azure DevOps authentication check
      debug:
        msg: "Checking Azure DevOps authentication..."
        
    - name: Mock Azure DevOps login verification
      set_fact:
        auth_status: "authenticated"
        
    - name: Get pipeline ID (simulated)
      set_fact:
        pipeline_id: "{{ 999 | random(100) }}"
        
    - name: Display pipeline lookup results
      debug:
        msg: |
          Pipeline ID: {{ pipeline_id }}
          Pipeline Name: {{ pipeline_name }}
          Status: Found
          
    - name: Prepare pipeline parameters
      set_fact:
        pipeline_params: |
          {
            "region": "{{ region | default('eastus2') }}",
            "environment": "{{ environment | default('production') }}",
            "triggered_by": "mop-automation",
            "execution_time": "{{ ansible_date_time.iso8601 }}",
            {% if pipeline_parameters is defined %}
            {% for key, value in pipeline_parameters.items() %}
            "{{ key }}": "{{ value }}",
            {% endfor %}
            {% endif %}
            "mop_id": "{{ id | default('unknown') }}"
          }
          
    - name: Display pipeline parameters
      debug:
        msg: "Pipeline Parameters: {{ pipeline_params | from_json }}"
        
    - name: Trigger pipeline execution (simulated)
      uri:
        url: "https://dev.azure.com/{{ devops_organization }}/{{ devops_project }}/_apis/pipelines/{{ pipeline_id }}/runs"
        method: POST
        headers:
          Content-Type: "application/json"
          Authorization: "Bearer {{ azure_token }}"
        body_format: json
        body:
          resources:
            repositories:
              self:
                refName: "refs/heads/{{ git_branch | default('main') }}"
          variables: "{{ pipeline_params | from_json }}"
        status_code: [200, 201]
      register: pipeline_trigger_result
      failed_when: false
      # This would normally make the actual API call
      
    - name: Mock successful pipeline trigger
      set_fact:
        pipeline_run_id: "{{ 9999 | random(1000) }}"
        pipeline_trigger_success: true
        
    - name: Display pipeline trigger results
      debug:
        msg: |
          Pipeline Trigger: {{ 'SUCCESS' if pipeline_trigger_success else 'FAILED' }}
          Run ID: {{ pipeline_run_id }}
          Pipeline: {{ pipeline_name }}
          
    - name: Monitor pipeline execution
      block:
        - name: Wait for pipeline completion
          debug:
            msg: "Monitoring pipeline execution... ({{ item }}/{{ (pipeline_timeout | int / check_interval | int) | int }})"
          loop: "{{ range(1, (pipeline_timeout | int / check_interval | int) | int + 1) | list }}"
          delay: "{{ check_interval }}"
          when: 
            - wait_for_completion | bool
            - pipeline_trigger_success
            
        - name: Simulate pipeline status checks
          set_fact:
            pipeline_status: "{{ ['inProgress', 'inProgress', 'inProgress', 'completed'] | random }}"
            pipeline_result: "{{ ['succeeded', 'succeeded', 'failed'] | random }}"
          when: 
            - wait_for_completion | bool
            - pipeline_trigger_success
            
        - name: Mock final pipeline status
          set_fact:
            final_pipeline_status: "completed"
            final_pipeline_result: "succeeded"
          when:
            - wait_for_completion | bool
            - pipeline_trigger_success
            
      when: wait_for_completion | bool
      
    - name: Display pipeline execution results
      debug:
        msg: |
          {% if wait_for_completion | bool %}
          Pipeline Execution Complete
          Status: {{ final_pipeline_status | default('triggered') }}
          Result: {{ final_pipeline_result | default('pending') }}
          {% else %}
          Pipeline Triggered Successfully
          Status: Asynchronous execution
          Monitor: https://dev.azure.com/{{ devops_organization }}/{{ devops_project }}/_build/results?buildId={{ pipeline_run_id }}
          {% endif %}
          
    - name: Create pipeline execution log
      copy:
        content: |
          Azure DevOps Pipeline Execution Log
          ===================================
          Pipeline: {{ pipeline_name }}
          Organization: {{ devops_organization }}
          Project: {{ devops_project }}
          Run ID: {{ pipeline_run_id }}
          Triggered: {{ ansible_date_time.iso8601 }}
          
          Parameters:
          {{ pipeline_params | from_json | to_nice_yaml }}
          
          Results:
          - Trigger Status: {{ 'SUCCESS' if pipeline_trigger_success else 'FAILED' }}
          {% if wait_for_completion | bool %}
          - Execution Status: {{ final_pipeline_status | default('unknown') }}
          - Execution Result: {{ final_pipeline_result | default('unknown') }}
          {% else %}
          - Execution Mode: Asynchronous
          {% endif %}
          
          Links:
          - Pipeline URL: https://dev.azure.com/{{ devops_organization }}/{{ devops_project }}/_build/results?buildId={{ pipeline_run_id }}
          - Project URL: https://dev.azure.com/{{ devops_organization }}/{{ devops_project }}
        dest: "/tmp/pipeline-execution-{{ ansible_date_time.epoch }}.log"
        mode: '0644'
        
    - name: Set execution facts for reporting
      set_fact:
        pipeline_execution_summary:
          pipeline_name: "{{ pipeline_name }}"
          run_id: "{{ pipeline_run_id }}"
          trigger_success: "{{ pipeline_trigger_success }}"
          execution_status: "{{ final_pipeline_status | default('triggered') }}"
          execution_result: "{{ final_pipeline_result | default('pending') }}"
          wait_for_completion: "{{ wait_for_completion }}"
          
    - name: Fail if pipeline trigger failed
      fail:
        msg: "Failed to trigger pipeline {{ pipeline_name }}"
      when: not pipeline_trigger_success
      
    - name: Fail if pipeline execution failed
      fail:
        msg: "Pipeline {{ pipeline_name }} execution failed: {{ final_pipeline_result }}"
      when:
        - wait_for_completion | bool
        - final_pipeline_result is defined
        - final_pipeline_result != 'succeeded'

216 lines · 8.2 KB

---
- name: Execute Terraform Plan and Apply
  hosts: localhost
  connection: local
  gather_facts: no
  
  vars:
    terraform_dir: "{{ terraform_dir | default('terraform/') }}"
    terraform_workspace: "{{ terraform_workspace | default('default') }}"
    terraform_action: "{{ terraform_action | default('plan') }}"
    auto_approve: "{{ auto_approve | default(false) }}"
    var_file: "{{ var_file | default('') }}"
    backend_config: "{{ backend_config | default('') }}"
    region: "{{ region | default('eastus2') }}"
    
  pre_tasks:
    - name: Display Terraform execution parameters
      debug:
        msg: |
          Terraform Execution Parameters:
          ================================
          Directory: {{ terraform_dir }}
          Workspace: {{ terraform_workspace }}
          Action: {{ terraform_action }}
          Region: {{ region }}
          Auto-Approve: {{ auto_approve }}
          Var File: {{ var_file | default('none') }}
    
    - name: Verify Terraform is installed
      command: terraform version
      register: tf_version
      changed_when: false
      
    - name: Display Terraform version
      debug:
        var: tf_version.stdout_lines
        
  tasks:
    - name: Initialize Terraform
      command: >
        terraform init
        {% if backend_config %}-backend-config={{ backend_config }}{% endif %}
        -no-color
      args:
        chdir: "{{ terraform_dir }}"
      register: tf_init
      
    - name: Select Terraform workspace
      command: "terraform workspace select {{ terraform_workspace }}"
      args:
        chdir: "{{ terraform_dir }}"
      register: tf_workspace_select
      ignore_errors: yes
      
    - name: Create workspace if it doesn't exist
      command: "terraform workspace new {{ terraform_workspace }}"
      args:
        chdir: "{{ terraform_dir }}"
      when: tf_workspace_select.rc != 0
      
    - name: Run Terraform validate
      command: terraform validate -no-color
      args:
        chdir: "{{ terraform_dir }}"
      register: tf_validate
      
    - name: Run Terraform plan
      command: >
        terraform plan
        {% if var_file %}-var-file={{ var_file }}{% endif %}
        -var="region={{ region }}"
        -out=tfplan
        -no-color
      args:
        chdir: "{{ terraform_dir }}"
      register: tf_plan
      
    - name: Display plan output
      debug:
        var: tf_plan.stdout_lines
        
    - name: Run Terraform apply
      command: >
        terraform apply
        {% if auto_approve %}-auto-approve{% endif %}
        -no-color
        tfplan
      args:
        chdir: "{{ terraform_dir }}"
      register: tf_apply
      when: terraform_action == 'apply'
      
    - name: Display apply output
      debug:
        var: tf_apply.stdout_lines
      when: terraform_action == 'apply'
      
    - name: Capture Terraform output values
      command: terraform output -json
      args:
        chdir: "{{ terraform_dir }}"
      register: tf_outputs
      when: terraform_action == 'apply'
      
  post_tasks:
    - name: Generate Terraform execution report
      copy:
        content: |
          Terraform Execution Report
          ==========================
          Date: {{ ansible_date_time.iso8601 | default(lookup('pipe', 'date -Iseconds')) }}
          Region: {{ region }}
          Workspace: {{ terraform_workspace }}
          Action: {{ terraform_action }}
          
          Init Status: {{ tf_init.rc | default('N/A') }}
          Validate Status: {{ tf_validate.rc | default('N/A') }}
          Plan Status: {{ tf_plan.rc | default('N/A') }}
          Apply Status: {{ tf_apply.rc | default('N/A') }}
          
          Outputs:
          {{ tf_outputs.stdout | default('No outputs captured') }}
        dest: "/var/log/terraform-report-{{ lookup('pipe', 'date +%s') }}.txt"
        mode: '0644'
      ignore_errors: yes

126 lines · 3.8 KB

---
- name: Security Compliance Scan
  hosts: "{{ region }}_{{ target_group | default('all') }}"
  become: yes
  gather_facts: yes
  
  vars:
    scan_type: "{{ scan_type | default('basic') }}"
    compliance_framework: "{{ framework | default('cis') }}"
    report_dir: "{{ report_directory | default('/var/log/security') }}"
    
  pre_tasks:
    - name: Display scan parameters
      debug:
        msg: |
          Security Scan for {{ region }}
          Type: {{ scan_type }}
          Framework: {{ compliance_framework }}
          Target: {{ inventory_hostname }}
          
    - name: Create report directory
      file:
        path: "{{ report_dir }}"
        state: directory
        mode: '0700'
        
  tasks:
    - name: Check for unauthorized SUID files
      shell: "find / -perm -4000 -type f 2>/dev/null"
      register: suid_files
      changed_when: false
      
    - name: Check SSH configuration
      command: sshd -T
      register: ssh_config
      changed_when: false
      
    - name: Verify firewall status
      command: "firewall-cmd --state"
      register: firewall_status
      ignore_errors: yes
      changed_when: false
      
    - name: Check for pending security updates
      yum:
        list: security
        update_only: yes
      register: security_updates
      when: ansible_os_family == "RedHat"
      changed_when: false
      
    - name: Check password policy
      command: "grep -E '^PASS_' /etc/login.defs"
      register: password_policy
      changed_when: false
      
    - name: Check open ports
      shell: "ss -tlnp"
      register: open_ports
      changed_when: false
      
  post_tasks:
    - name: Generate security report
      copy:
        content: |
          Security Scan Report
          ====================
          Host: {{ inventory_hostname }}
          Region: {{ region }}
          Date: {{ ansible_date_time.iso8601 }}
          Framework: {{ compliance_framework }}
          
          SUID Files Found: {{ suid_files.stdout_lines | length }}
          Firewall Active: {{ firewall_status.rc | default(1) == 0 }}
          Open Ports: {{ open_ports.stdout_lines | length - 1 }}
          Pending Security Updates: {{ security_updates.results | default([]) | length }}
        dest: "{{ report_dir }}/scan-{{ ansible_date_time.epoch }}.txt"
        mode: '0600'

79 lines · 2.3 KB

---
- name: Service Restart Operations
  hosts: "{{ region }}_{{ target_group | default('web') }}"
  become: yes
  gather_facts: yes
  serial: "{{ batch_size | default('25%') }}"
  
  vars:
    services: "{{ service_list | default(['httpd']) }}"
    pre_check_url: "{{ health_check_url | default('') }}"
    graceful: "{{ graceful_restart | default(true) }}"
    drain_timeout: "{{ drain_timeout_seconds | default(30) }}"
    
  pre_tasks:
    - name: Display restart parameters
      debug:
        msg: |
          Service Restart for {{ region }}
          Services: {{ services | join(', ') }}
          Graceful: {{ graceful }}
          Drain Timeout: {{ drain_timeout }}s
          Batch Size: {{ batch_size | default('25%') }}
    
    - name: Pre-restart health check
      uri:
        url: "{{ pre_check_url }}"
        method: GET
        status_code: 200
        timeout: 10
      register: pre_health
      when: pre_check_url | length > 0
      ignore_errors: yes
      
  tasks:
    - name: Drain connections (if graceful)
      command: "sleep {{ drain_timeout }}"
      when: graceful | bool
      
    - name: Restart services
      systemd:
        name: "{{ item }}"
        state: restarted
      loop: "{{ services }}"
      register: restart_results
      
    - name: Wait for services to stabilize
      wait_for:
        port: "{{ service_port | default(80) }}"
        delay: 5
        timeout: 60
      
    - name: Post-restart health check
      uri:
        url: "{{ pre_check_url }}"
        method: GET
        status_code: 200
        timeout: 10
      register: post_health
      when: pre_check_url | length > 0
      retries: 3
      delay: 10
      
  post_tasks:
    - name: Generate restart report
      debug:
        msg: |
          Restart completed for {{ inventory_hostname }}
          Services restarted: {{ services | join(', ') }}
          All services running: {{ restart_results.results | map(attribute='changed') | list | unique }}

70 lines · 1.9 KB

patch-linux medium 30 min 1 playbook(s), 2 validation(s)

Playbooks

patch_linux.yml

agent-upgrade medium 45 min 3 playbook(s), 3 validation(s)

Playbooks

edit_yaml.yml

commit_to_git.yml

run_manual_pipeline.yml

pipeline-only low 15 min 1 playbook(s), 2 validation(s)

Playbooks

run_manual_pipeline.yml

git-ops low 20 min 2 playbook(s), 1 validation(s)

Playbooks

edit_yaml.yml

commit_to_git.yml

infrastructure high 60 min 3 playbook(s), 4 validation(s)

Playbooks

edit_yaml.yml

commit_to_git.yml

run_manual_pipeline.yml

terraform high 45 min 1 playbook(s), 3 validation(s)

Playbooks

run_terraform.yml

cert-rotation medium 30 min 1 playbook(s), 2 validation(s)

Playbooks

cert_rotation.yml

service-restart medium 20 min 1 playbook(s), 2 validation(s)

Playbooks

service_restart.yml

db-maintenance high 60 min 1 playbook(s), 3 validation(s)

Playbooks

db_maintenance.yml

security-scan low 15 min 1 playbook(s), 1 validation(s)

Playbooks

security_scan.yml

multi-region-patch high 120 min 1 playbook(s), 2 validation(s)

Playbooks

patch_linux.yml

multi-region-deploy critical 180 min 3 playbook(s), 4 validation(s)

Playbooks

edit_yaml.yml

commit_to_git.yml

run_manual_pipeline.yml

patch-linux 2 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Wait for services to restart after patching automated pod_health

10 min

Runs after patch_linux.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Verify patch level applied automated cli_command

2 min

Runs after patch_linux.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

agent-upgrade 3 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Wait for pipeline to trigger deployment automated wait_delay

5 min

Runs after run_manual_pipeline.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Verify agent pods are running new version automated pod_health

10 min

Runs after run_manual_pipeline.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Confirm agent version in monitoring dashboard manual human_approval

10 min

Runs at end of step

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

pipeline-only 2 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Wait for pipeline execution automated wait_delay

5 min

Runs after run_manual_pipeline.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Check pipeline completion status automated cli_command

2 min

Runs after run_manual_pipeline.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

git-ops 1 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Verify git commit pushed successfully automated cli_command

2 min

Runs after commit_to_git.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

infrastructure 4 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Wait for deployment to propagate automated wait_delay

5 min

Runs after run_manual_pipeline.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Verify services healthy after deployment automated pod_health

10 min

Runs after run_manual_pipeline.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Validate Azure resources in expected state automated azure_resource_check

5 min

Runs after run_manual_pipeline.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Operator verifies infrastructure change manual human_approval

15 min

Runs at end of step

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

terraform 3 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Verify Terraform state is clean automated cli_command

3 min

Runs after run_terraform.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Verify provisioned Azure resources automated azure_resource_check

5 min

Runs after run_terraform.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Review Terraform changes in Azure Portal manual human_approval

15 min

Runs at end of step

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

cert-rotation 2 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Verify HTTPS endpoints with new certificate automated http_health_check

5 min

Runs after cert_rotation.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Check certificate expiry date automated cli_command

2 min

Runs after cert_rotation.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

service-restart 2 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Wait for all pods to reach Running state automated pod_health

10 min

Runs after service_restart.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Verify service health endpoint automated http_health_check

5 min

Runs after service_restart.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

db-maintenance 3 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Verify database connectivity automated cli_command

2 min

Runs after db_maintenance.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Check maintenance logs for errors automated log_check

3 min

Runs after db_maintenance.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

DBA verifies database health manual human_approval

15 min

Runs at end of step

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

security-scan 1 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Review scan results for critical findings automated log_check

3 min

Runs after security_scan.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

multi-region-patch 2 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Verify services restarted in region automated pod_health

10 min

Runs after patch_linux.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Confirm region patching complete before next region manual human_approval

10 min

Runs at end of step

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

multi-region-deploy 4 validation(s) assigned

Validation Type

Label

After Playbook

Est. Minutes

Parameters (JSON, optional)

Wait for deployment rollout automated wait_delay

5 min

Runs after run_manual_pipeline.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Verify all pods healthy in region automated pod_health

10 min

Runs after run_manual_pipeline.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Verify service endpoints responding automated http_health_check

5 min

Runs after run_manual_pipeline.yml

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

Confirm region deployment before next region manual human_approval

15 min

Runs at end of step

Type

Label

After Playbook

Est. Minutes

Parameters (JSON)

These are the available validation module types. When adding a validation to a category, choose from these types. Each provides default parameters that you can customize.

Wait for Pods/Services pod_health

automated

Monitor Kubernetes pods and services until they reach a healthy running state

Default: 10 min

Default Parameters

{
  "check_command": "kubectl get pods -n {namespace} -l {label_selector} -o json",
  "expected_ready_count": null,
  "label_selector": "",
  "namespace": "",
  "poll_interval_seconds": 15,
  "timeout_seconds": 600
}

Run CLI/Azure Command cli_command

automated

Execute a custom CLI or Azure CLI command and validate the output matches expectations

Default: 5 min

Default Parameters

{
  "command": "",
  "expected_output": "",
  "fail_on_stderr": false,
  "match_type": "contains",
  "retry_count": 3,
  "retry_delay_seconds": 10,
  "timeout_seconds": 120
}

Azure Resource Validation azure_resource_check

automated

Verify an Azure resource exists and is in the expected provisioning or running state

Default: 5 min

Default Parameters

{
  "az_command": "",
  "expected_state": "Running",
  "poll_interval_seconds": 15,
  "resource_group": "",
  "resource_name": "",
  "resource_type": "",
  "timeout_seconds": 300
}

Human Verification human_approval

manual

Pause execution and wait for a human operator to verify a condition and approve continuation

Default: 15 min

Default Parameters

{
  "checklist": [],
  "escalation_after_minutes": 30,
  "instructions": "",
  "notify_channels": [],
  "required_approvers": 1,
  "timeout_minutes": 60
}

Timed Wait wait_delay

automated

Wait a fixed duration before proceeding, allowing services to stabilize

Default: 5 min

Default Parameters

{
  "reason": "",
  "wait_seconds": 300
}

HTTP Health Check http_health_check

automated

Poll an HTTP endpoint repeatedly until it returns the expected status code

Default: 5 min

Default Parameters

{
  "expected_body_contains": "",
  "expected_status": 200,
  "headers": {},
  "method": "GET",
  "poll_interval_seconds": 10,
  "timeout_seconds": 300,
  "url": ""
}

Log/Output Inspection log_check

automated

Inspect log files or command output for expected patterns or absence of errors

Default: 3 min

Default Parameters

{
  "error_patterns": [],
  "log_path": "",
  "must_contain": [],
  "must_not_contain": [],
  "search_pattern": "",
  "tail_lines": 100,
  "timeout_seconds": 60
}

Continue to Step 10: Playbook Mapping

Step 9: Analyze & Edit Playbook Library

How This Step Works

Legend

cert_rotation.yml Certificate Rotation cert-rotation 87 lines

commit_to_git.yml Commit Configuration Changes to Git agent-upgrade git-ops infrastructure multi-region-deploy 150 lines

db_maintenance.yml Database Maintenance Operations db-maintenance 77 lines

edit_yaml.yml Edit YAML Configuration Files agent-upgrade git-ops infrastructure multi-region-deploy 138 lines

patch_linux.yml Patch Linux Systems patch-linux multi-region-patch 112 lines

run_manual_pipeline.yml Trigger Azure DevOps Pipeline agent-upgrade pipeline-only infrastructure multi-region-deploy 216 lines

run_terraform.yml Execute Terraform Plan and Apply terraform 126 lines

security_scan.yml Security Compliance Scan security-scan 79 lines

service_restart.yml Service Restart Operations service-restart 70 lines