Ansible Playbook
Write and review Ansible playbooks, roles, and tasks following best practices.
Instructions
When writing:
- Understand the target configuration goal
- Check existing playbooks/roles for patterns to follow
- Write idempotent tasks with proper error handling
- Include appropriate tags and handlers
When reviewing:
- Read the playbook/role
- Check for the issues listed below
- Suggest improvements
Playbook structure
```yaml
---
- name: Configure web servers
  hosts: webservers
  become: true                  # privilege escalation stated explicitly
  vars_files:
    - vars/main.yml
  handlers:
    - name: Restart nginx       # runs once at the end of the play if notified
      ansible.builtin.service:
        name: nginx
        state: restarted
  tasks:
    - name: Install nginx
      ansible.builtin.apt:
        name: nginx
        state: present
        update_cache: true
      notify: Restart nginx
      tags: [nginx, packages]
```
Best practices
- MUST use FQCNs: `ansible.builtin.copy`, not `copy`
- MUST use `name:` for every task
- MUST use `become:` explicitly, not assuming root
- Use handlers for service restarts
- Use `block`/`rescue`/`always` for error handling
- Use `ansible-vault` for secrets
- Use variables for anything environment-specific
- Use `--check` mode compatible tasks where possible
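The play below is an added example that ties the practices above together; it is not from the original page. The `appservers` host group, the `app` package and service, `/etc/app` and the health endpoint on port 8080 are assumptions chosen for illustration. Every task is named, uses an FQCN, and states `become:` explicitly; the `block` carries the deployment, `rescue` gathers diagnostics before failing, and `always` records the attempt regardless of outcome. Read-only tasks set `changed_when: false` so they stay idempotent, and the log-collection task sets `check_mode: false` so it still runs under `--check`.

```yaml
---
# Added example, not from the original page. Hosts, package/service name,
# paths and the health URL are assumptions for illustration.
- name: Deploy app with error handling
  hosts: appservers
  become: true                      # explicit; never rely on the login user being root
  vars:
    app_config_dir: /etc/app
  handlers:
    - name: Restart app
      ansible.builtin.service:
        name: app
        state: restarted
  tasks:
    - name: Install and configure app
      block:
        - name: Install app package
          ansible.builtin.apt:
            name: app
            state: present
            update_cache: true
          tags: [app, packages]

        - name: Ensure config directory exists
          ansible.builtin.file:
            path: "{{ app_config_dir }}"
            state: directory
            owner: root
            group: root
            mode: "0755"
          tags: [app, config]

        - name: Render app config
          ansible.builtin.template:
            src: app.conf.j2
            dest: "{{ app_config_dir }}/app.conf"
            owner: root
            group: root
            mode: "0644"
          notify: Restart app
          tags: [app, config]

        - name: Apply pending restart before verifying
          ansible.builtin.meta: flush_handlers

        - name: Verify the service answers on its health endpoint
          ansible.builtin.uri:
            url: http://127.0.0.1:8080/healthz
            status_code: 200
          changed_when: false       # a probe never reports a change
          tags: [app, verify]
      rescue:
        - name: Collect recent service log on failure
          ansible.builtin.command:
            cmd: journalctl -u app --no-pager -n 50
          register: app_log
          changed_when: false       # reading logs changes nothing
          check_mode: false         # safe to run even under --check

        - name: Fail with diagnostics
          ansible.builtin.fail:
            msg: "app deployment failed on {{ inventory_hostname }}: {{ app_log.stdout }}"
      always:
        - name: Record deployment attempt
          ansible.builtin.copy:
            content: "last attempt: {{ ansible_date_time.iso8601 }}\n"
            dest: "{{ app_config_dir }}/.last_deploy"
            owner: root
            group: root
            mode: "0644"
```

Run it first with `ansible-playbook site.yml --check --diff` to see what would change; modules without check-mode support (such as `uri`) are skipped there, which is why the only task forced with `check_mode: false` is a read-only one. `--tags config` or `--skip-tags packages` limit a run to one concern.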
Security checks
- No plaintext passwords in playbooks
- Secrets in vault-encrypted files
- `no_log: true` on tasks with sensitive data
- File permissions explicitly set
- SSH keys not hardcoded
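The play below is an added example of the security checks above, not code from the original page. It assumes a vault-encrypted `vars/secrets.yml` (created with `ansible-vault create vars/secrets.yml`) that defines `deploy_password`, `deploy_ssh_private_key` and `db_password`; the `deploy` user, the `app` owner and the `/etc/app/db.env` path are likewise assumptions. Every task that touches secret material carries `no_log: true` so the value is absent from output even under `-vvv`, every written file has owner, group and mode stated, and the SSH key is loaded from the vault rather than pasted into the play.

```yaml
---
# Added example, not from the original page. vars/secrets.yml is assumed to be
# vault-encrypted and to define deploy_password, deploy_ssh_private_key and
# db_password; user, group and paths are illustrative.
- name: Provision deploy user and credentials securely
  hosts: appservers
  become: true
  vars_files:
    - vars/secrets.yml              # vault-encrypted; never committed in plaintext
  tasks:
    - name: Create deploy user
      ansible.builtin.user:
        name: deploy
        # password_hash() salts freshly on every run; update_password: on_create
        # keeps the task idempotent instead of reporting "changed" each time.
        password: "{{ deploy_password | password_hash('sha512') }}"
        update_password: on_create
        shell: /bin/bash
        state: present
      no_log: true                  # hash and vaulted value stay out of logs

    - name: Ensure .ssh directory exists with tight permissions
      ansible.builtin.file:
        path: /home/deploy/.ssh
        state: directory
        owner: deploy
        group: deploy
        mode: "0700"

    - name: Install SSH private key from vaulted variable
      ansible.builtin.copy:
        content: "{{ deploy_ssh_private_key }}"
        dest: /home/deploy/.ssh/id_ed25519
        owner: deploy
        group: deploy
        mode: "0600"
      no_log: true                  # copy would otherwise print the key on change/diff

    - name: Write database credentials file
      ansible.builtin.copy:
        content: "DB_PASSWORD={{ db_password }}\n"
        dest: /etc/app/db.env
        owner: app
        group: app
        mode: "0600"
      no_log: true
```

Run with `ansible-playbook site.yml --ask-vault-pass` (or `--vault-password-file`). Note that `no_log` also suppresses the task's error message, so when debugging a failing secret task temporarily set `no_log: "{{ not debug_secrets | default(false) }}"` rather than removing it. A single value can be vaulted inline with `ansible-vault encrypt_string` if a whole file is not wanted.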
Common patterns
```yaml
# Idempotent file content
- name: Configure app
  ansible.builtin.template:
    src: app.conf.j2
    dest: /etc/app/config
    mode: "0644"
    owner: app
    group: app
    validate: "/usr/bin/app --check %s"   # %s is the temp file; reject bad config before install
  notify: Restart app

# Package installation
- name: Install packages
  ansible.builtin.apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - nginx
      - certbot
```
Rules
- MUST use fully qualified collection names (FQCNs)
- MUST include task names
- Never hardcode secrets in playbooks
- Never use `shell:` when a module exists
- Always make tasks idempotent