AHMED ZBYR

AHMED ZBYR

Biker, EV Enthusiast

Introduction to Event-Driven Automation with Ansible

Traditional Ansible excels at configuration management and orchestration, executing predefined playbooks in a procedural manner. However, modern IT environments demand more agility and responsiveness. This is where event-driven automation comes into play. Instead of relying solely on scheduled runs or manual triggers, event-driven Ansible allows you to automate responses to real-time events, enabling faster remediation, improved efficiency, and reduced human intervention.

This blog post will provide a deeper dive into event-driven automation using Ansible, focusing on how to set up Ansible Rulebooks to listen for events (such as webhooks from monitoring tools like Prometheus) and automatically trigger remediation playbooks. We’ll explore the components involved, provide a practical example with detailed explanations, and discuss the benefits and advanced use cases of this powerful approach.

What is Event-Driven Ansible?

Event-Driven Ansible extends the capabilities of traditional Ansible by enabling it to react to events in real-time. It involves:

  • Events: These are occurrences or signals that indicate a change in the state of your infrastructure or applications. Events are the triggers for your automated responses. Examples include:
    • Alerts from Monitoring Systems: CPU utilization exceeding a threshold, disk space running low, application errors.
    • Notifications from Cloud Providers: Instance creation, deletion, auto-scaling events.
    • Security Events: Intrusion detection alerts, failed login attempts.
    • Ticketing Systems: New ticket creation, ticket status updates.
    • Custom Applications or Services: Application-specific metrics, API responses.
    • Infrastructure Changes: Network device status changes, server reboots.
  • Rules: Define the logic that determines how Ansible should respond to specific events. These rules are defined in Ansible Rulebooks. Rules specify the conditions that must be met for an action to be triggered. They act as decision points, ensuring that the right actions are taken in response to the right events.
  • Actions: The tasks that Ansible executes when a rule is triggered by an event. These actions are typically Ansible playbooks designed to remediate issues, scale resources, perform other automated tasks, or notify relevant personnel. Actions are the automated responses to the events.

Setting Up Event-Driven Automation with Ansible

Here’s a step-by-step guide to setting up event-driven automation with Ansible:

1. Install Required Packages

Ensure you have Ansible and the necessary Python packages installed. This usually involves installing the ansible-core package, ansible-rulebook, and ansible-runner. For demonstration, we’ll assume you’re working with a systemd service alert. You’ll need to install any modules necessary to interact with your event source. For this example, we won’t need additional modules beyond what’s included with ansible.eda. We will also install openjdk-17-jdk for drools.

python -m venv .venv
source .venv/bin/activate
pip install ansible ansible-core ansible-rulebook ansible-runner
sudo apt-get install openjdk-17-jdk
export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
export PATH=$PATH:~/.local/bin

After installation of ansible, ansible-runner and ansible-rulebook, we have to install the required collection so we can execute the rulebook successfully. To install the following collection by using ansible-galaxy:

​​​​​​​ansible-galaxy collection install ansible.eda

2. Define Your Event Source

Identify the source of events you want to react to. Common event sources include:

  • Monitoring Tools: Prometheus, Nagios, Zabbix
  • Cloud Providers: AWS CloudWatch, Azure Monitor, Google Cloud Monitoring
  • Ticketing Systems: Jira, ServiceNow
  • Webhooks: Custom applications or services

For our example, let’s imagine a Prometheus alert that triggers a webhook when a systemd service fails. The webhook will send a JSON payload containing information about the service that failed, such as its name and status.

3. Create an Ansible Rulebook

The Rulebook is the heart of event-driven Ansible. It defines the rules that determine how Ansible responds to specific events. Rulebooks are written in YAML and consist of one or more rules. Each rule specifies:

  • Event Filters: Criteria that the event must match for the rule to be triggered. This can include checking the event type, the source of the event, and the data contained within the event.
  • Actions: The Ansible playbooks or tasks to execute when the rule is triggered.

Here’s an example of a simple Rulebook (systemd_rulebook.yml) that reacts to a webhook from a monitoring system indicating a failed systemd service:

---
- name: Restart Failed Systemd Service
  hosts: all
  sources:
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5000
  rules:
    - name: Restart Service on Failure
      condition: event.payload.service_name is defined and event.payload.status == "failed"
      action:
        run_playbook: 
          name: restart_service.yml

Explanation:

  • name: A descriptive name for the ruleset. This is useful for logging and debugging.
  • hosts: Specifies the target hosts for the actions defined in the ruleset. all means that the playbook defined in the action will be executed against all hosts in your inventory.
  • sources: Defines how Ansible will listen for events. In this case, it’s listening for webhooks on port 5000 of all interfaces. ansible.eda.webhook is a built-in event source plugin.
    • host: The IP address to listen on. 0.0.0.0 means listen on all interfaces.
    • port: The port number to listen on.
  • rules: Defines the rules to evaluate against incoming events.
    • name: A descriptive name for the rule.
    • condition: This is a Jinja2 expression that checks if the service_name is defined in the payload and the status is “failed”. The event variable contains the data from the webhook. Jinja2 allows you to access the event data and perform logical comparisons.
    • action: Specifies what to do when the condition is met. In this case, it runs the restart_service.yml playbook.
      • run_playbook: Specifies the playbook to run. This playbook should be located in the same directory as the rulebook, or in a location that Ansible can find.
    • debug: This prints the event data and decision-making process to the console for debugging. Setting this to true is helpful for troubleshooting and understanding how the rulebook is working.

Important Considerations for Rulebook Design:

  • Specificity: Design your rules to be as specific as possible to avoid unintended actions. Use precise event filters to target only the events you want to react to.
  • Idempotency: Ensure that your actions are idempotent, meaning that they can be executed multiple times without causing unintended side effects. This is important because events can sometimes be triggered multiple times.
  • Error Handling: Implement error handling in your playbooks to gracefully handle unexpected situations. This could include logging errors, sending notifications, or attempting alternative remediation steps.
  • Security: Secure your webhook endpoints to prevent unauthorized access. Use authentication and authorization mechanisms to ensure that only authorized sources can trigger actions.

4. Create the Remediation Playbook

Create the Ansible playbook that will be executed when the rule is triggered. This playbook should contain the tasks required to remediate the issue.

Here’s an example restart_service.yml playbook:

---
- name: Restart Systemd Service
  hosts: all
  become: true
  tasks:
    - name: Restart the service
      systemd:
        name: ""
        state: restarted

Explanation:

  • name: A descriptive name for the playbook.
  • hosts: Specifies the target hosts for the playbook. all means that the playbook will be executed against all hosts in your inventory.
  • become: true: Specifies that the tasks in the playbook should be executed with elevated privileges (e.g., using sudo). This is typically required for tasks that modify system configurations or manage services.
  • tasks: A list of tasks to be executed.
    • name: A descriptive name for the task.
    • systemd: Uses the systemd module to manage systemd services.
      • name: Specifies the name of the systemd service to manage. The value is retrieved from the event.payload.service_name variable, which comes from the webhook’s JSON payload.
      • state: Specifies the desired state of the service. restarted means that the service should be restarted.

Create a inventory file inventory.yml. This is a minimal inventory for testing on localhost.

ungrouped:
  hosts:
    localhost:

5. Run the Ansible Event-Driven Controller

To start the Event-Driven Ansible controller and listen for events, use the ansible-rulebook command:

ansible-rulebook --rulebook systemd_rulebook.yml -i inventory.yml

Example output:

┌─(.venv)[ahmedzbyr][ahmedzbyr-VirtualBox][±][main U:1 ?:5 ✗][~/projects/ansible_event_driven]
└─▪ ansible-rulebook --rulebook systemd_rulebook.yml -i inventory.yml --verbose
2025-10-11 09:54:57,221 - ansible_rulebook.app - INFO - Starting sources
2025-10-11 09:54:57,221 - ansible_rulebook.app - INFO - Starting rules
2025-10-11 09:54:57,221 - drools.ruleset - INFO - Using jar: /home/ahmedzbyr/projects/.venv/lib/python3.13/site-packages/drools/jars/drools-ansible-rulebook-integration-runtime-1.0.11-SNAPSHOT.jar
2025-10-11 09:54:58 011 [main] INFO org.drools.ansible.rulebook.integration.api.rulesengine.MemoryMonitorUtil - Memory occupation threshold set to 90%
2025-10-11 09:54:58 017 [main] INFO org.drools.ansible.rulebook.integration.api.rulesengine.MemoryMonitorUtil - Memory check event count threshold set to 64
2025-10-11 09:54:58 017 [main] INFO org.drools.ansible.rulebook.integration.api.rulesengine.MemoryMonitorUtil - Exit above memory occupation threshold set to false
2025-10-11 09:54:58 043 [main] INFO org.drools.ansible.rulebook.integration.api.rulesengine.AbstractRulesEvaluator - Start automatic pseudo clock with a tick every 100 milliseconds
2025-10-11 09:54:58,064 - ansible_rulebook.engine - INFO - load source ansible.eda.webhook
2025-10-11 09:54:58,476 - ansible_rulebook.engine - INFO - loading source filter eda.builtin.insert_meta_info
2025-10-11 09:54:58,871 - ansible_rulebook.engine - INFO - Waiting for all ruleset tasks to end
2025-10-11 09:54:58,871 - ansible_rulebook.rule_set_runner - INFO - Waiting for actions on events from Restart Failed Systemd Service
2025-10-11 09:54:58,871 - ansible_rulebook.rule_set_runner - INFO - Waiting for events, ruleset: Restart Failed Systemd Service
2025-10-11 09:54:58 872 [drools-async-evaluator-thread] INFO org.drools.ansible.rulebook.integration.api.io.RuleExecutorChannel - Async channel connected
2025-10-11 09:54:58 946 [Thread-0] WARN org.drools.ansible.rulebook.integration.api.rulesengine.AutomaticPseudoClock - Pseudo clock is diverged, the difference is 217 ms. Going to sync with the real clock.
2025-10-11 09:55:47 534 [Thread-0] WARN org.drools.ansible.rulebook.integration.api.rulesengine.AutomaticPseudoClock - Pseudo clock is diverged, the difference is 207 ms. Going to sync with the real clock.
2025-10-11 09:55:48 075 [Thread-0] WARN org.drools.ansible.rulebook.integration.api.rulesengine.AutomaticPseudoClock - Pseudo clock is diverged, the difference is 348 ms. Going to sync with the real clock.
2025-10-11 09:55:56,622 - aiohttp.access - INFO - 127.0.0.1 [11/Oct/2025:08:55:56 +0000] "POST / HTTP/1.1" 200 153 "-" "curl/8.12.1"

This command starts the controller, which listens for webhooks on port 5000.

Command-line Options:

  • --rulebook: Specifies the path to the Ansible Rulebook file.
  • -i or --inventory: Specifies the path to the Ansible inventory file.
  • --verbose: Increases the verbosity of the output, providing more detailed information about the execution process. This is helpful for debugging.
  • --log-level: Sets the logging level (e.g., DEBUG, INFO, WARNING, ERROR).
  • --controller: Specifies the controller to use. (Defaults to local execution)

6. Simulate an Event

To test the setup, you can simulate an event by sending a webhook to the specified port using curl or a similar tool.

curl -X POST -H "Content-Type: application/json" -d '{"service_name": "my_service", "status": "failed"}' http://localhost:5000/

This will show up as below event on the rulebook side.

2025-10-11 09:55:56,622 - aiohttp.access - INFO - 127.0.0.1 [11/Oct/2025:08:55:56 +0000] "POST / HTTP/1.1" 200 153 "-" "curl/8.12.1"

This command sends a JSON payload to the webhook endpoint, simulating a failed systemd service. If everything is configured correctly, the restart_service.yml playbook should be executed, restarting the specified service. You will see the rulebook processing the event in the terminal where you ran the ansible-rulebook command. The output will show the rule being triggered and the playbook being executed. You can also check the status of the service on the target host to confirm that it has been restarted.

Benefits of Event-Driven Ansible

  • Faster Remediation: Automated responses to events reduce the time to resolve issues, minimizing downtime and improving service availability.
  • Improved Efficiency: Automating repetitive tasks frees up IT staff to focus on more strategic initiatives, such as planning, innovation, and complex problem-solving.
  • Reduced Human Error: Automation eliminates the risk of human error in critical tasks, ensuring consistent and reliable execution of remediation procedures.
  • Increased Agility: Respond quickly to changing conditions and scale resources dynamically, adapting to evolving business needs and unforeseen circumstances.
  • Proactive Problem Solving: Identify and address issues before they impact users, improving the overall user experience and preventing escalations.
  • Improved Security Posture: Automate security incident response, such as isolating infected systems or blocking malicious traffic, to reduce the impact of security breaches.

Advanced Use Cases

  • Auto-Scaling: Automatically scale resources up or down based on real-time demand, optimizing resource utilization and reducing costs.
  • Security Incident Response: Automate the detection and response to security incidents, such as isolating infected systems or blocking malicious traffic.
  • Configuration Drift Detection and Correction: Detect and correct configuration drift, ensuring that systems remain in a consistent and compliant state.
  • Predictive Maintenance: Use machine learning to predict potential failures and proactively take corrective actions.
  • Integration with ChatOps: Trigger Ansible actions from chat platforms, such as Slack or Microsoft Teams, enabling collaboration and faster response times.

Conclusion

Event-driven Ansible is a powerful tool for automating responses to real-time events. By combining Ansible’s automation capabilities with event-driven architecture, you can build more resilient, efficient, and responsive IT environments. This blog post provided a basic example; real-world scenarios can be far more complex, involving multiple event sources, intricate rule conditions, and sophisticated remediation playbooks. Experiment with different event sources and actions to explore the full potential of event-driven Ansible. As you gain experience, you can create increasingly sophisticated automation solutions that address a wide range of IT challenges.

You May Also Enjoy