Skip to content

Ansible Conventions and Best Practices

Conventions and best practices for authoring maintainable Ansible playbooks and roles.

experimental
IDE:
claude
codex
vscode
Version:
1.0.0
Owner:epic-platform-sre
ansible
iac
style
playbook
devops

Ansible Conventions and Best Practices

CRITICAL: General Rules

REQUIRED PracticePROHIBITED Practice
Use version control for ALL configsUntracked playbooks
Use FQCN for modulesShort module names
Use idempotent modulesRaw shell commands
Give every task a nameAnonymous tasks
Use dynamic inventoryStatic host lists

REQUIRED: Task Naming Conventions

You MUST follow these naming rules:

RuleExampleNEVER Do
Start with action verb"Install nginx""nginx installation"
Capitalize first letter"Configure firewall""configure firewall"
Omit trailing periods"Copy config file""Copy config file."
Omit role name from role tasks"Start service""nginx : Start service"

REQUIRED: Module Selection

ScenarioMUST UseNEVER Use
Package managementansible.builtin.packageshell: apt install
Service managementansible.builtin.servicecommand: systemctl
File operationsansible.builtin.copy/templateshell: cp
User managementansible.builtin.usercommand: useradd

When shell/command is unavoidable, you MUST:

- name: Build application from source
  ansible.builtin.command:
    cmd: make install
    chdir: /opt/app
    creates: /opt/app/bin/app # REQUIRED for idempotency

REQUIRED: Privilege Escalation Rules

ContextMUST DoNEVER Do
Most tasks need rootSet become: true at play levelSet on every task
Few tasks need rootSet become: true per taskSet at play level
No root neededOmit become entirelySet become: false

REQUIRED: Secret Management

Ansible Vault Workflow

You MUST follow this exact process:

StepActionFile
1Create group subdirectorygroup_vars/<group>/
2Define all variablesgroup_vars/<group>/vars
3Copy sensitive vars with prefixgroup_vars/<group>/vault
4Reference vault vars in vars filedb_password: "{{ vault_db_password }}"
5Encrypt vault fileansible-vault encrypt vault

PROHIBITED Secret Practices

NEVER Do ThisALWAYS Do This Instead
Commit plaintext secretsUse Ansible Vault
Hardcode credentialsUse variable references
Share vault passwordsUse password files
Skip encryptionEncrypt ALL sensitive data

REQUIRED: Style Rules

Formatting Requirements

ElementREQUIRED FormatPROHIBITED
Indentation2 spacesTabs or 4 spaces
Variable namessnake_casecamelCase, kebab-case
QuotesSingle quotesDouble quotes (except when nested)
MapsMulti-line ALWAYSSingle-line maps
VariablesAlphabetically sortedRandom order

Play Structure

You MUST order play elements as follows:

OrderElement
1hosts
2Host options (alphabetical)
3pre_tasks
4roles
5tasks

Task Structure

You MUST order task elements as follows:

OrderElement
1name
2Module declaration
3Module parameters
4Loop operators
5Task options (alphabetical)
6tags

REQUIRED: State Declaration

You MUST explicitly set state for ALL modules that support it:

# CORRECT - explicit state
- name: Ensure nginx is installed
  ansible.builtin.package:
    name: nginx
    state: present

# PROHIBITED - implicit state
- name: Install nginx
  ansible.builtin.package:
    name: nginx

REQUIRED: Linting Validation

BEFORE committing, you MUST run:

ToolCommandPurpose
ansible-lintansible-lint playbook.ymlStyle and best practices
yamllintyamllint playbook.ymlYAML syntax
syntax-checkansible-playbook --syntax-checkPlaybook syntax
dry-runansible-playbook --check --diffExecution preview

Validation Checklist

BEFORE deployment, VERIFY:

  • All tasks have descriptive names
  • FQCN used for all modules
  • No shell/command without creates/removes
  • Secrets encrypted with Ansible Vault
  • ansible-lint passes with no errors
  • dry-run completes successfully

Related Assets

Ansible Playbook Creation Assistant

experimental

Interactive guide for creating new Ansible playbooks that execute in AWX, following Epic on Azure patterns for role integration, vault secrets, and testing workflows.

claude
codex
vscode
ansible
playbook
creation
epic
awx
+1

Owner: epic-platform-sre

Ansible Playbook Validator

active

Goal-oriented Ansible specialist that validates playbooks for syntax, idempotency, best practices, and compliance. Autonomously checks collections, roles, and AWX inventory sources. Use for comprehensive playbook validation before deployment.

vscode
ansible
playbook
validation
lint
best-practices
+2

Owner: platform-automation

Ansible Development Lifecycle for Epic on Azure

experimental

Complete development patterns for creating playbooks and roles that execute in AWX, including local development, requirements.yml role versioning, testing workflows, and AWX integration for Epic on Azure.

claude
codex
vscode
ansible
playbook
role
development
epic
+2

Owner: epic-platform-sre

AWX Configuration as Code (CaC) Style and Safety

experimental

Standard patterns and safety rules for AWX operations using the ansible_role_awx_cac Configuration as Code model in Epic on Azure at Optum.

claude
codex
vscode
awx
ansible
cac
style
safety
+2

Owner: epic-platform-sre

Terraform Conventions

experimental

Terraform conventions and guardrails for safe, maintainable Infrastructure as Code.

claude
codex
vscode
terraform
iac
style
safety
tflint
+3

Owner: epic-platform-sre

Terraform Style and Safety for TFE-Backed Workspaces

experimental

Terraform coding conventions, safety rules, and best practices for Terraform Enterprise (TFE) backed workspaces in Optum environments.

claude
codex
vscode
terraform
tfe
style
safety
iac

Owner: epic-platform-sre