Filtering Ansible drift detection notifications to exclude non-changes

Last updated: September 16, 2025

When using notification policies for Ansible drift detection, you may notice that notifications are triggered even when no actual infrastructure changes are detected. This happens because Spacelift includes all executed Ansible tasks in the run.changes array, regardless of their status (including "ok", "skipped", "rescued", and "ignored" tasks).

Why this happens

Spacelift treats every executed task as part of the run delta so that visibility stays consistent and policy evaluation works for Ansible stacks. This includes tasks that result in no infrastructure change, because it is hard to tell whether an "ok" status truly means nothing changed at the infrastructure level or merely reflects how Ansible reported the task.

Solution: Filter out non-change tasks

To create notification policies that only trigger when actual infrastructure changes are detected, you can filter out tasks with statuses that don't represent real changes. Here's an example of how to modify your notification policy:

# Run state changes with filtered Ansible tasks
webhook[{"endpoint_id": endpoint_id, "payload": run_payload}] {
    # Send the webhook to any endpoint labeled as "msteams"
    endpoint := input.webhook_endpoints[_]
    endpoint.labels[_] == "msteams"
    endpoint_id := endpoint.id

    # Only send the webhook if both the run state and type are interesting.
    # interesting_run_states (a set of run states) and run_payload (the
    # webhook body) are assumed to be defined elsewhere in your policy.
    run_state := input.run_updated.run.state
    interesting_run_states[run_state]
    input.run_updated.run.drift_detection
    changes_detected_or_failed
}

# True when at least one task reported a status other than the four
# non-change statuses; "changed" and "failed" (and any other status) count.
changes_detected_or_failed {
    count([a |
        a := input.run_updated.run.changes[_].action
        a != "ok"
        a != "skipped"
        a != "ignored"
        a != "rescued"
    ]) != 0
}

This policy logic:

  • Filters out tasks with "ok", "skipped", "ignored", and "rescued" statuses

  • Only triggers notifications when tasks with meaningful change statuses (like "changed" or "failed") are present. Because the rule excludes statuses rather than allowlisting them, any status not in the exclusion list (for example "unreachable") also counts as a change

  • Ensures you only receive notifications for actual infrastructure drift

By implementing this filter, your notification policy will only trigger when Ansible tasks indicate real infrastructure changes, reducing noise from routine drift detection runs that find no actual drift.
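As an added, self-contained example (not code from the Spacelift article, and not Spacelift's own policy), here is a complete policy in the same pre-v1 Rego syntax as the snippet above, together with opa test cases built on constructed sample events. Everything about the event shape is an assumption taken from the snippet and from constructed data rather than from verified Spacelift payloads: the fields input.webhook_endpoints, input.run_updated.run.state, input.run_updated.run.drift_detection, input.run_updated.run.id, changes[_].action and changes[_].entity.name, the run-state set {"FINISHED", "FAILED"}, the endpoint id "teams-hook" and the task names.

```rego
package spacelift

# Run states for which a drift notification is worth sending.
# Assumed example set; adjust to the states your own policy cares about.
interesting_run_states := {"FINISHED", "FAILED"}

# Ansible task statuses that never represent an infrastructure change.
non_change_actions := {"ok", "skipped", "ignored", "rescued"}

# Tasks from the run delta that survive the filter
# (assumed field name: changes[_].action).
real_changes[change] {
    change := input.run_updated.run.changes[_]
    not non_change_actions[change.action]
}

# Exclusion-based: any status not listed in non_change_actions
# ("changed", "failed", "unreachable", ...) counts as a change.
changes_detected_or_failed {
    count(real_changes) > 0
}

# Webhook body carrying only the tasks that changed or failed
# (assumed field names: run.id and entity.name).
run_payload := {
    "run_id": input.run_updated.run.id,
    "changes": [{"task": c.entity.name, "status": c.action} | c := real_changes[_]],
}

webhook[{"endpoint_id": endpoint_id, "payload": run_payload}] {
    endpoint := input.webhook_endpoints[_]
    endpoint.labels[_] == "msteams"
    endpoint_id := endpoint.id

    interesting_run_states[input.run_updated.run.state]
    input.run_updated.run.drift_detection
    changes_detected_or_failed
}

# ---- Tests on constructed sample events (run with `opa test .`) ----

# Builds a drift-detection event with the given task list (constructed data,
# not a captured Spacelift payload).
sample_event(drift, changes) := event {
    event := {
        "webhook_endpoints": [{"id": "teams-hook", "labels": ["msteams"]}],
        "run_updated": {"run": {
            "id": "run-drift-001",
            "state": "FINISHED",
            "drift_detection": drift,
            "changes": changes,
        }},
    }
}

# A run where every task is "ok" or "skipped" must stay silent.
test_all_ok_run_is_silent {
    ev := sample_event(true, [
        {"entity": {"name": "Gathering Facts"}, "action": "ok"},
        {"entity": {"name": "Install nginx"}, "action": "ok"},
        {"entity": {"name": "Reboot if kernel updated"}, "action": "skipped"},
    ])
    count(webhook) == 0 with input as ev
}

# One "changed" task fires exactly one webhook whose payload lists only that task.
test_changed_task_notifies_with_filtered_payload {
    ev := sample_event(true, [
        {"entity": {"name": "Gathering Facts"}, "action": "ok"},
        {"entity": {"name": "Deploy nginx.conf"}, "action": "changed"},
    ])
    count(webhook) == 1 with input as ev
    webhook[hook] with input as ev
    hook.endpoint_id == "teams-hook"
    hook.payload.changes == [{"task": "Deploy nginx.conf", "status": "changed"}]
}

# The same changed task outside a drift-detection run is ignored.
test_non_drift_run_is_ignored {
    ev := sample_event(false, [
        {"entity": {"name": "Deploy nginx.conf"}, "action": "changed"},
    ])
    count(webhook) == 0 with input as ev
}
```

Save the file in an empty directory and run `opa test .`; on OPA 1.x, which defaults to the newer `if`/`contains` syntax, add `--v0-compatible` so the pre-v1 rule heads used here (and in the article's snippet) parse. The test rules only exercise the policy locally and can be dropped before the policy is attached in Spacelift.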