Table: ansible_task - Query Ansible Tasks using SQL
Ansible is an open-source software provisioning, configuration management, and application-deployment tool. It provides large productivity gains to a wide variety of automation challenges. A key component of Ansible is its Tasks, which are units of action in Ansible.
Table Usage Guide
The ansible_task table provides insights into tasks within Ansible. As a DevOps engineer, explore task-specific details through this table, including the task name, host, status, and associated metadata. Utilize it to uncover information about tasks, such as their execution status, the hosts they are associated with, and the specific details of each task.
Examples
Retrieve all tasks in a playbook
Explore which tasks within a playbook require escalated privileges. This can help identify areas where potential security risks may exist, allowing for a more secure configuration of your playbook.
PostgreSQL:
select name as task_name, tags, become, become_user, path from ansible_task where playbook_name = 'Playbook';
SQLite:
select name as task_name, tags, become, become_user, path from ansible_task where playbook_name = 'Playbook';
List tasks that use privilege escalation
Discover the segments that use privilege escalation in Ansible tasks. This is beneficial to identify areas where elevated permissions are granted, allowing for a review of security practices.
PostgreSQL:
select name as task_name, tags, become, become_user, path from ansible_task where become;
SQLite:
select name as task_name, tags, become, become_user, path from ansible_task where become = 1;
List tasks with a specific tag
Explore which tasks are associated with a specific tag in Ansible to better manage and organize your automation scripts.
PostgreSQL:
select name as task_name, tags, become, become_user, path from ansible_task where tags ?| array['create_user'];
SQLite:
Error: SQLite does not support array functions and the '?' operator used in PostgreSQL for querying JSONB data.
List tasks with a specific connection type
Explore which tasks within your Ansible setup are utilizing SSH as their connection type. This can be useful in identifying potential security vulnerabilities or for routine auditing of your network connections.
PostgreSQL:
select name as task_name, tags, become, become_user, path from ansible_task where connection = 'ssh';
SQLite:
select name as task_name, tags, become, become_user, path from ansible_task where connection = 'ssh';
List tasks that use root privilege
Identify instances where tasks are using elevated privileges, such as 'root', within Ansible. This can help in assessing security risks and ensuring adherence to best practices.
PostgreSQL:
select name as task_name, tags, become, become_user, path from ansible_task where become and (become_user is null or become_user = 'root');
SQLite:
select name as task_name, tags, become, become_user, path from ansible_task where become = 1 and (become_user is null or become_user = 'root');
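An added audit query, not part of the Steampipe documentation, that extends the examples above into a per-file privilege-escalation summary for review. It uses only columns listed in the schema on this page and the `filter` aggregate clause; as in the root-privilege example, an escalating task with a null `become_user` is counted as root.

```sql
-- Added example: rank task files by how much privilege escalation they contain.
-- Each row is one file (path); files with no escalating task are omitted.
select
  path,
  count(*) as total_tasks,
  -- tasks that escalate at all
  count(*) filter (where become) as become_tasks,
  -- tasks that escalate to root (explicitly, or by leaving become_user unset)
  count(*) filter (
    where become and (become_user is null or become_user = 'root')
  ) as root_tasks,
  -- escalating tasks whose failures are ignored and may go unnoticed
  count(*) filter (
    where become and ignore_errors
  ) as become_ignoring_errors,
  -- escalating tasks that run on a host other than the inventory target
  count(*) filter (
    where become and delegate_to is not null
  ) as become_delegated
from
  ansible_task
group by
  path
having
  count(*) filter (where become) > 0
order by
  root_tasks desc,
  become_tasks desc;
```

Files at the top of the result are the first candidates for replacing root with a dedicated `become_user` or dropping `become` from tasks that do not need it.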
Schema for ansible_task
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
any_errors_fatal | text | | Force any un-handled task errors on any host to propagate to all hosts and end the play. |
async | bigint | | Run a task asynchronously if the C(action) supports this; value is maximum runtime in seconds. |
become | boolean | | Controls if privilege escalation is used or not on task execution. If true, privilege escalation is activated. |
become_flags | text | | A string of flag(s) to pass to the privilege escalation program when become is true. |
become_method | text | | Specifies which method of privilege escalation to use (such as sudo or su). |
become_user | text | | User that you 'become' after using privilege escalation. |
changed_when | text | | Conditional expression that overrides the task's normal 'changed' status. |
check_mode | boolean | | A boolean that controls if a task is executed in 'check' mode. |
collections | jsonb | | A section with tasks that are treated as handlers, these won't get executed normally, only when notified after each section of tasks is complete. |
connection | text | | Allows you to change the connection plugin used for tasks to execute on the target. |
debugger | text | | Enable debugging tasks based on state of the task result. Allowed values are: always, never, on_failed, on_unreachable, on_skipped. |
delay | bigint | | Number of seconds to delay between retries. |
delegate_facts | boolean | | Boolean that allows you to apply facts to a delegated host instead of inventory_hostname. |
delegate_to | text | | Host to execute task instead of the target (inventory_hostname). Connection vars from the delegated host will also be used for the task. |
diff | boolean | | Toggle to make tasks return 'diff' information or not. |
failed_when | text | | Conditional expression that overrides the task's normal 'failed' status. |
ignore_errors | boolean | | Boolean that allows you to ignore task failures and continue with play. |
ignore_unreachable | boolean | | Boolean that allows you to ignore task failures due to an unreachable host and continue with the play. |
loop | text | | Takes a list for the task to iterate over, saving each list element into the item variable (configurable via loop_control). |
loop_action | text | | Same as action but also implies delegate_to: localhost |
loop_control | jsonb | | Several keys here allow you to modify/set loop behaviour in a task. |
module_defaults | jsonb | | Specifies default parameter values for modules. |
name | text | | The name of the playbook. |
no_log | boolean | | Boolean that controls information disclosure. |
notify | jsonb | | A list of handlers to notify when the task returns a 'changed=True' status. |
path | text | = | Path to the file. |
playbook_name | text | | The name of the playbook where the task is defined. |
poll | bigint | | Sets the polling interval in seconds for async tasks (default 10s). |
port | bigint | | Used to override the default port used in a connection. |
register | text | | Name of variable that will contain task status and module return data. |
remote_user | text | | User used to log into the target via the connection plugin. |
retries | bigint | | Number of retries before giving up in a until loop. |
run_once | boolean | | Boolean that will bypass the host loop, forcing the task to attempt to execute on the first host available and afterwards apply any results and facts to all active hosts in the same batch. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A list of tags applied to the task or included tasks. |
task_group | jsonb | | Specifies the group ownership of the task. |
task_user | jsonb | | Specifies the user ownership for the task. |
throttle | bigint | | Limit number of concurrent task runs on task, block and playbook level. |
timeout | bigint | | Time limit for task to execute in, if exceeded Ansible will interrupt and fail the task. |
until | text | | This keyword implies a 'retries loop' that will go on until the condition supplied here is met or we hit the retries limit. |
vars | jsonb | | The dictionary/map of variables. |
when | text | | Conditional expression, determines if an iteration of a task is run or not. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ansible
You can pass the configuration to the command with the --config argument:
steampipe_export_ansible --config '<your_config>' ansible_task