
Query Ansible Playbooks

Query Ansible playbooks with cnquery

Mondoo's ansible provider lets you use cnquery to query and analyze Ansible playbooks. cnquery reads the playbook files; it does not run Ansible. You can explore plays, tasks, roles, handlers, and variables within your infrastructure-as-code configurations, which makes it possible to review what a playbook will do (which hosts it targets, where it escalates privileges, which modules it invokes) before the playbook is executed.

Requirements

To analyze Ansible playbooks with cnquery, you must have cnquery installed and read access to the playbook files you want to query.

Connect to an Ansible playbook

To open a cnquery shell and query an Ansible playbook:

cnquery shell ansible PATH

Substitute PATH with the path to the Ansible playbook file or to a directory containing playbooks.

For example:

cnquery shell ansible ./playbooks/site.yml

To scan a directory containing playbooks:

cnquery shell ansible ./playbooks/

Example queries

Plays

List all plays in the playbook:

cnquery> ansible.plays
ansible.plays: [
  0: ansible.play name="Configure web servers"
  1: ansible.play name="Configure database servers"
  ...
]

Retrieve selected details for each play, including the hosts it targets, the roles it applies, and its privilege escalation settings:

cnquery> ansible.plays { name hosts roles become becomeUser strategy }
ansible.plays: [
  0: {
    name: "Configure web servers"
    hosts: "webservers"
    roles: ["nginx", "certbot"]
    become: 1
    becomeUser: "root"
    strategy: "linear"
  }
  ...
]

Play variables

Retrieve variables defined in a play:

cnquery> ansible.plays { name vars }
ansible.plays: [
  0: {
    name: "Configure web servers"
    vars: {
      http_port: "80"
      max_clients: "200"
    }
  }
  ...
]

Tasks

List all tasks within each play:

cnquery> ansible.plays { name tasks }
ansible.plays: [
  0: {
    name: "Configure web servers"
    tasks: [
      0: ansible.task name="Install nginx"
      1: ansible.task name="Copy nginx config"
      2: ansible.task name="Start nginx service"
    ]
  }
  ...
]

Retrieve task details, including the action and conditions:

cnquery> ansible.plays { tasks { name action when notify } }
ansible.plays: [
  0: {
    tasks: [
      0: {
        name: "Install nginx"
        action: {
          module: "apt"
          args: {
            name: "nginx"
            state: "present"
          }
        }
        when: ""
        notify: ["restart nginx"]
      }
      ...
    ]
  }
  ...
]

Find tasks that use conditional execution:

cnquery> ansible.plays { tasks.where(when != "") { name when } }
ansible.plays: [
  0: {
    tasks.where: [
      0: {
        name: "Install nginx"
        when: "ansible_os_family == 'Debian'"
      }
    ]
  }
]

Block and rescue tasks

Retrieve tasks that use block/rescue error handling:

cnquery> ansible.plays { tasks { name block rescue } }
ansible.plays: [
  0: {
    tasks: [
      0: {
        name: "Deploy application"
        block: [
          0: ansible.task name="Pull latest code"
          1: ansible.task name="Run migrations"
        ]
        rescue: [
          0: ansible.task name="Rollback deployment"
        ]
      }
    ]
  }
  ...
]
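The play details, task action, and block/rescue queries above can be combined into a single review query. The following is an added example, not a query from the Mondoo documentation: it lists, for every play, the privilege escalation settings and only those tasks that hand arbitrary commands to the target via the shell, command, or raw modules, and it repeats the same filter inside block and rescue sections, because a task nested in a block is not matched by a filter on the play's top-level task list. It assumes the field names shown on this page (action is a dict with a module key; block and rescue are lists of tasks) and that the MQL empty keyword matches both null and empty lists.

```mql
cnquery> ansible.plays {
  name
  hosts
  become
  becomeUser
  tasks.where(action["module"] == "shell" || action["module"] == "command" || action["module"] == "raw") { name action when }
  tasks.where(block != empty || rescue != empty) {
    name
    block.where(action["module"] == "shell" || action["module"] == "command" || action["module"] == "raw") { name action }
    rescue.where(action["module"] == "shell" || action["module"] == "command" || action["module"] == "raw") { name action }
  }
}
```

The query is split across lines for readability; if your shell does not continue the input until the braces close, enter it on a single line. A play that escalates to root and also runs free-form shell commands, especially without a when condition, is the combination worth reading closely. The filter only sees tasks listed in the play itself: anything executed through a role or an include/import directive has to be examined where it is defined.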

Handlers

List handlers within each play:

cnquery> ansible.plays { name handlers }
ansible.plays: [
  0: {
    name: "Configure web servers"
    handlers: [
      0: ansible.handler name="restart nginx"
      1: ansible.handler name="reload nginx"
    ]
  }
  ...
]

Retrieve handler actions:

cnquery> ansible.plays { handlers { name action } }
ansible.plays: [
  0: {
    handlers: [
      0: {
        name: "restart nginx"
        action: {
          module: "service"
          args: {
            name: "nginx"
            state: "restarted"
          }
        }
      }
      ...
    ]
  }
  ...
]

Request full details

For a detailed report on all plays, specify that you want all fields:

cnquery> ansible.plays { * }
