feat: improve external infra support, ansible log parsing, and update dependencies

**Added:**

- Documented external infrastructure workflows and requirements for using DreadGOAD
  with externally managed EC2 instances in `docs/providers/external-infrastructure.md`
- Implemented `resolveReferenceInventory` in CLI to support flexible inventory
  reference resolution for environment generation
- Added regex and logic to detect unreachable hosts in Ansible log parsing,
  ensuring both failed and unreachable hosts are reported

**Changed:**

- Enhanced Ansible log parsing to include unreachable hosts when extracting failed
  hosts, and updated corresponding tests for better reliability
- Improved gMSA creation in Ansible role by ensuring KDS root key existence and
  verifying AD service account creation with retry logic
- Refactored MSSQL sysadmin configuration to handle single-user mode bootstrapping
  if neither Windows nor `sa` authentication is available, increasing robustness
  for locked-down SQL Server environments
- Updated SQL Server configuration templates to explicitly set `SECURITYMODE="SQL"`
  for both MSSQL 2019 and 2022, ensuring mixed-mode auth is enabled
- Bumped Go version in CLI to 1.26.2 for compatibility
- Updated Go module dependencies, including:
  - `github.com/cowdogmoo/warpgate/v3` to latest
  - Docker CLI to v29.4.0
  - `go-containerregistry` to v0.21.4
  - `mattn/go-isatty` to v0.0.21
  - `golang.org/x/sys` to v0.43.0

**Removed:**

- Deprecated hardcoded instance IDs from example inventory files, replacing them
  with `PENDING` placeholders to clarify expected workflow for external instance
  management and inventory sync
- Removed Docker distribution indirect dependency from `go.mod`/`go.sum` as part
  of dependency cleanup

Author: l50

.gitignore

@@ -17,6 +17,10 @@ dreadgoad
 ansible/roles/adcs_templates/files/ADCSTemplate.zip
 ansible/roles/vulns_adcs_templates/files/ADCSTemplate.zip
 
+# Root environment inventories are local runtime state.
+/*-inventory
+/*-inventory.bak.*
+
 # Scenario data (keep only tracked environments)
 ad/PURPLE
 ad/REDLAB

ansible/roles/gmsa/tasks/main.yml

@@ -24,7 +24,14 @@
       try {
           Import-Module ActiveDirectory
           Set-Location AD:
-          Add-KDSRootKey -EffectiveTime (Get-Date).AddHours(-10) -ErrorAction SilentlyContinue
+
+          # Ensure KDS root key exists and is effective
+          $kdsKey = Get-KdsRootKey -ErrorAction SilentlyContinue
+          if (-not $kdsKey) {
+              Add-KDSRootKey -EffectiveTime (Get-Date).AddHours(-10)
+              Start-Sleep -Seconds 5
+              Write-Output "Created KDS root key"
+          }
 
           $existing = Get-ADServiceAccount -Identity $gMSA_Name -ErrorAction SilentlyContinue
           if ($existing) {
@@ -37,8 +44,22 @@
 
           $gMSA_HostsGroup = $gMSA_HostNames | ForEach-Object { Get-ADComputer -Identity $_ }
           New-ADServiceAccount -Name $gMSA_Name -DNSHostName $gMSA_FQDN -PrincipalsAllowedToRetrieveManagedPassword $gMSA_HostsGroup -ServicePrincipalNames $gMSA_SPNs
+
+          # Verify the account was actually created in AD
+          Start-Sleep -Seconds 3
+          $verify = Get-ADServiceAccount -Identity $gMSA_Name -ErrorAction SilentlyContinue
+          if (-not $verify) {
+              # Retry once after waiting for AD replication
+              Write-Output "GMSA not found after creation, waiting for AD replication..."
+              Start-Sleep -Seconds 10
+              $verify = Get-ADServiceAccount -Identity $gMSA_Name -ErrorAction SilentlyContinue
+              if (-not $verify) {
+                  throw "GMSA account $gMSA_Name was not found after creation - possible KDS root key or replication issue"
+              }
+          }
+
           $Ansible.Changed = $true
-          Write-Output "Created GMSA account $gMSA_Name successfully"
+          Write-Output "Created and verified GMSA account $gMSA_Name"
       }
       catch {
           Write-Error "Failed to create GMSA account: $_"

ansible/roles/mssql/files/sql_conf.ini.MSSQL_2019.j2

@@ -45,6 +45,7 @@ SQLSVCACCOUNT="{{ SQLSVCACCOUNT }}"
 {% if SQLSVCPASSWORD != "" %}
 SQLSVCPASSWORD="{{ SQLSVCPASSWORD }}"
 {% endif %}
+SECURITYMODE="SQL"
 SAPWD="{{ sa_password }}"
 SQLSYSADMINACCOUNTS="{{ SQLSYSADMIN }}"
 ADDCURRENTUSERASSQLADMIN="True"

ansible/roles/mssql/files/sql_conf.ini.MSSQL_2022.j2

@@ -45,6 +45,7 @@ SQLSVCACCOUNT="{{ SQLSVCACCOUNT }}"
 {% if SQLSVCPASSWORD != "" %}
 SQLSVCPASSWORD="{{ SQLSVCPASSWORD }}"
 {% endif %}
+SECURITYMODE="SQL"
 SAPWD="{{ sa_password }}"
 SQLSYSADMINACCOUNTS="{{ SQLSYSADMIN }}"
 ;ADDCURRENTUSERASSQLADMIN="True"

ansible/roles/mssql/tasks/config.yml

@@ -18,21 +18,54 @@
 - name: Ensure BUILTIN\Administrators has SQL sysadmin
   ansible.windows.win_shell: |
     $ErrorActionPreference = "Continue"
+    $instanceName = "{{ sql_instance_name }}"
+    $serviceName = "{{ mssql_service_name }}"
+    $saPassword = "{{ sa_password }}"
 
     # Test if current session already has SQL sysadmin via Windows auth
     $test = SqlCmd {{ connection_type }} -Q "SET NOCOUNT ON; SELECT CASE WHEN IS_SRVROLEMEMBER('sysadmin')=1 THEN 'HAS_SYSADMIN' ELSE 'NO_SYSADMIN' END" 2>&1
     $hasSysadmin = ($LASTEXITCODE -eq 0) -and ($test -match 'HAS_SYSADMIN')
 
     if (-not $hasSysadmin) {
-      # Current session lacks sysadmin - bootstrap via sa auth (enabled by prior provision).
-      # Grant sysadmin to BUILTIN\Administrators so any admin user (ssm-user, ansible, etc.) works.
-      $saArgs = @("-b", "-U", "sa", "-P", "{{ sa_password }}", "-S", "localhost\{{ sql_instance_name }}")
-      $r1 = & SqlCmd @saArgs -Q "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'BUILTIN\Administrators') CREATE LOGIN [BUILTIN\Administrators] FROM WINDOWS WITH DEFAULT_DATABASE=[master]" 2>&1
-      if ($LASTEXITCODE -ne 0) { Write-Error "CREATE LOGIN BUILTIN\Administrators failed: $r1"; exit 1 }
-      $r2 = & SqlCmd @saArgs -Q "IF IS_SRVROLEMEMBER('sysadmin', 'BUILTIN\Administrators') = 0 EXEC sp_addsrvrolemember 'BUILTIN\Administrators', 'sysadmin'" 2>&1
-      if ($LASTEXITCODE -ne 0) { Write-Error "sp_addsrvrolemember failed: $r2"; exit 1 }
+      # Try sa auth first (available after prior provision or if SECURITYMODE=SQL was used at install)
+      $saArgs = @("-b", "-U", "sa", "-P", $saPassword, "-S", "localhost\$instanceName")
+      $r1 = & SqlCmd @saArgs -Q "SELECT 1" 2>&1
+      $saWorks = ($LASTEXITCODE -eq 0)
+
+      if (-not $saWorks) {
+        # Neither Windows auth nor sa auth works - bootstrap via single-user mode
+        Write-Output "Bootstrapping SQL Server via single-user mode..."
+        Stop-Service $serviceName -Force
+        Start-Sleep -Seconds 3
+
+        # Find sqlservr.exe path
+        $sqlVer = if ($instanceName -eq "SQLEXPRESS") { (Get-ChildItem "C:\Program Files\Microsoft SQL Server" -Directory | Where-Object { $_.Name -match "^MSSQL\d+" } | Sort-Object Name -Descending | Select-Object -First 1).Name } else { "MSSQL15.$instanceName" }
+        $sqlServerExe = "C:\Program Files\Microsoft SQL Server\$sqlVer\MSSQL\Binn\sqlservr.exe"
+
+        $proc = Start-Process -FilePath $sqlServerExe -ArgumentList "-s$instanceName", "-m" -PassThru -NoNewWindow
+        Start-Sleep -Seconds 12
+
+        # In single-user mode, current user gets sysadmin
+        & SqlCmd -E -S "localhost\$instanceName" -Q "EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'SOFTWARE\Microsoft\Microsoft SQL Server\$sqlVer\MSSQLServer', N'LoginMode', REG_DWORD, 2" 2>&1 | Out-Null
+        & SqlCmd -E -S "localhost\$instanceName" -Q "ALTER LOGIN sa ENABLE; ALTER LOGIN sa WITH PASSWORD = N'$saPassword', CHECK_POLICY=OFF" 2>&1 | Out-Null
+        & SqlCmd -E -S "localhost\$instanceName" -Q "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'BUILTIN\Administrators') CREATE LOGIN [BUILTIN\Administrators] FROM WINDOWS; IF IS_SRVROLEMEMBER('sysadmin', 'BUILTIN\Administrators') = 0 EXEC sp_addsrvrolemember 'BUILTIN\Administrators', 'sysadmin'" 2>&1 | Out-Null
+
+        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
+        Start-Sleep -Seconds 5
+        Start-Service $serviceName
+        Start-Sleep -Seconds 5
+        Write-Output "SQL Server bootstrapped via single-user mode"
+      } else {
+        # sa auth works - use it to grant BUILTIN\Administrators sysadmin
+        $r2 = & SqlCmd @saArgs -Q "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'BUILTIN\Administrators') CREATE LOGIN [BUILTIN\Administrators] FROM WINDOWS WITH DEFAULT_DATABASE=[master]" 2>&1
+        if ($LASTEXITCODE -ne 0) { Write-Error "CREATE LOGIN BUILTIN\Administrators failed: $r2"; exit 1 }
+        $r3 = & SqlCmd @saArgs -Q "IF IS_SRVROLEMEMBER('sysadmin', 'BUILTIN\Administrators') = 0 EXEC sp_addsrvrolemember 'BUILTIN\Administrators', 'sysadmin'" 2>&1
+        if ($LASTEXITCODE -ne 0) { Write-Error "sp_addsrvrolemember failed: $r3"; exit 1 }
+        Write-Output "SQL sysadmin bootstrapped via sa auth"
+      }
+    } else {
+      Write-Output "SQL sysadmin access already available via Windows auth"
     }
-    Write-Output "SQL sysadmin access verified (had_sysadmin=$hasSysadmin)"
 
 - name: Add MSSQL admin
   ansible.windows.win_shell: |

cli/cmd/env_cmd.go

@@ -316,7 +316,10 @@ func copyBaseConfig(projectRoot, envName string) error {
 }
 
 func generateInventory(projectRoot, envName, region, reference string) error {
-	refInvPath := filepath.Join(projectRoot, reference+"-inventory")
+	refInvPath, err := resolveReferenceInventory(projectRoot, reference)
+	if err != nil {
+		return err
+	}
 	dstInvPath := filepath.Join(projectRoot, envName+"-inventory")
 
 	data, err := os.ReadFile(refInvPath)
@@ -365,6 +368,26 @@ func generateInventory(projectRoot, envName, region, reference string) error {
 	return os.WriteFile(dstInvPath, []byte(content), 0o644)
 }
 
+func resolveReferenceInventory(projectRoot, reference string) (string, error) {
+	candidates := []string{
+		filepath.Join(projectRoot, reference+"-inventory"),
+		filepath.Join(projectRoot, reference+"-inventory.example"),
+	}
+
+	for _, candidate := range candidates {
+		if _, err := os.Stat(candidate); err == nil {
+			return candidate, nil
+		}
+	}
+
+	return "", fmt.Errorf(
+		"reference inventory %q not found; expected %s or %s",
+		reference,
+		filepath.Base(candidates[0]),
+		filepath.Base(candidates[1]),
+	)
+}
+
 func generateVariantConfig(projectRoot, envName string) error {
 	source := filepath.Join(projectRoot, "ad", "GOAD")
 	target := filepath.Join(projectRoot, "ad", "GOAD-"+envName)

cli/go.mod

@@ -1,14 +1,14 @@
 module github.com/dreadnode/dreadgoad
 
-go 1.26.1
+go 1.26.2
 
 require (
 	github.com/aws/aws-sdk-go-v2 v1.41.5
 	github.com/aws/aws-sdk-go-v2/config v1.32.14
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.297.0
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.68.4
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.10
-	github.com/cowdogmoo/warpgate/v3 v3.2.1-0.20260407202430-8248494ac086
+	github.com/cowdogmoo/warpgate/v3 v3.2.1-0.20260409025702-2b5a62b7131a
 	github.com/fatih/color v1.19.0
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
@@ -33,16 +33,15 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 // indirect
 	github.com/aws/smithy-go v1.24.3 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect
-	github.com/docker/cli v29.3.1+incompatible // indirect
-	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/cli v29.4.0+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.5 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
-	github.com/google/go-containerregistry v0.21.3 // indirect
+	github.com/google/go-containerregistry v0.21.4 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/klauspost/compress v1.18.5 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-isatty v0.0.21 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
@@ -55,7 +54,7 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/vbatts/tar-split v0.12.2 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
 	golang.org/x/term v0.41.0 // indirect
 	golang.org/x/text v0.35.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect

cli/go.sum

@@ -40,15 +40,13 @@ github.com/aws/smithy-go v1.24.3 h1:XgOAaUgx+HhVBoP4v8n6HCQoTRDhoMghKqw4LNHsDNg=
 github.com/aws/smithy-go v1.24.3/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz2iQ4MrckBxJjkmD16ynUTrw=
 github.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY=
-github.com/cowdogmoo/warpgate/v3 v3.2.1-0.20260407202430-8248494ac086 h1:FnZ1mwfkEK44bk9ijXR4SfpEyejp5205xfFbJNaSegE=
-github.com/cowdogmoo/warpgate/v3 v3.2.1-0.20260407202430-8248494ac086/go.mod h1:a6SUrGZAU4RWqVttY0ZZkD8E8GFwUco4JlFv/HM9Vl0=
+github.com/cowdogmoo/warpgate/v3 v3.2.1-0.20260409025702-2b5a62b7131a h1:c2Pa8BlXoxejvUyNA8XuNjjWXtMec0dnCvv4TujehQ0=
+github.com/cowdogmoo/warpgate/v3 v3.2.1-0.20260409025702-2b5a62b7131a/go.mod h1:1WLaPoaqiTGyvvIJAtLWKPyxtTenmxXIWXSDlJympXM=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/cli v29.3.1+incompatible h1:M04FDj2TRehDacrosh7Vlkgc7AuQoWloQkf1PA5hmoI=
-github.com/docker/cli v29.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
-github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/cli v29.4.0+incompatible h1:+IjXULMetlvWJiuSI0Nbor36lcJ5BTcVpUmB21KBoVM=
+github.com/docker/cli v29.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/docker-credential-helpers v0.9.5 h1:EFNN8DHvaiK8zVqFA2DT6BjXE0GzfLOZ38ggPTKePkY=
 github.com/docker/docker-credential-helpers v0.9.5/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c=
 github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
@@ -61,8 +59,8 @@ github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPE
 github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-containerregistry v0.21.3 h1:Xr+yt3VvwOOn/5nJzd7UoOhwPGiPkYW0zWDLLUXqAi4=
-github.com/google/go-containerregistry v0.21.3/go.mod h1:D5ZrJF1e6dMzvInpBPuMCX0FxURz7GLq2rV3Us9aPkc=
+github.com/google/go-containerregistry v0.21.4 h1:VrhlIQtdhE6riZW//MjPrcJ1snAjPoCCpPHqGOygrv8=
+github.com/google/go-containerregistry v0.21.4/go.mod h1:kxgc23zQ2qMY/hAKt0wCbB/7tkeovAP2mE2ienynJUw=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
@@ -73,8 +71,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs=
+github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -115,9 +113,8 @@ go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
 golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=

cli/internal/ansible/logparser.go

@@ -6,9 +6,10 @@ import (
 )
 
 var (
-	failedRe      = regexp.MustCompile(`failed=[1-9][0-9]*`)
-	unreachableRe = regexp.MustCompile(`unreachable=[1-9][0-9]*`)
-	failedHostRe  = regexp.MustCompile(`(?m)^([a-zA-Z0-9_-]+)\s+:.*failed=[1-9]`)
+	failedRe          = regexp.MustCompile(`failed=[1-9][0-9]*`)
+	unreachableRe     = regexp.MustCompile(`unreachable=[1-9][0-9]*`)
+	failedHostRe      = regexp.MustCompile(`(?m)^([a-zA-Z0-9_-]+)\s+:.*failed=[1-9]`)
+	unreachableHostRe = regexp.MustCompile(`(?m)^([a-zA-Z0-9_-]+)\s+:.*unreachable=[1-9]`)
 )
 
 // CheckAnsibleSuccess analyzes Ansible output to determine if the run succeeded.
@@ -46,16 +47,18 @@ func CheckAnsibleSuccess(output string) bool {
 	return true
 }
 
-// ExtractFailedHosts parses PLAY RECAP to find hosts with failures.
+// ExtractFailedHosts parses PLAY RECAP to find hosts with failures or unreachable status.
 func ExtractFailedHosts(output string) []string {
-	matches := failedHostRe.FindAllStringSubmatch(output, -1)
-	var hosts []string
 	seen := make(map[string]bool)
-	for _, m := range matches {
-		host := m[1]
-		if !seen[host] {
-			seen[host] = true
-			hosts = append(hosts, host)
+	var hosts []string
+
+	for _, re := range []*regexp.Regexp{failedHostRe, unreachableHostRe} {
+		for _, m := range re.FindAllStringSubmatch(output, -1) {
+			host := m[1]
+			if !seen[host] {
+				seen[host] = true
+				hosts = append(hosts, host)
+			}
 		}
 	}
 	return hosts

cli/internal/ansible/logparser_test.go

@@ -124,6 +124,20 @@ DC01                       : ok=10   changed=2    unreachable=0    failed=0    s
 DC01                       : ok=5    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0`,
 			want: []string{"DC01"},
 		},
+		{
+			name: "unreachable host included",
+			output: `PLAY RECAP *********************************************************************
+dc01                       : ok=4    changed=2    unreachable=0    failed=1    skipped=3    rescued=0    ignored=0
+dc02                       : ok=3    changed=1    unreachable=1    failed=0    skipped=3    rescued=0    ignored=0
+dc03                       : ok=10   changed=6    unreachable=0    failed=0    skipped=4    rescued=0    ignored=0`,
+			want: []string{"dc01", "dc02"},
+		},
+		{
+			name: "only unreachable no failed",
+			output: `PLAY RECAP *********************************************************************
+dc02                       : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0`,
+			want: []string{"dc02"},
+		},
 	}
 
 	for _, tt := range tests {