|
| 1 | +--- |
| 2 | +description: 'Ansible conventions and best practices' |
| 3 | +applyTo: '**/*.yaml, **/*.yml' |
| 4 | +--- |
| 5 | + |
| 6 | +# Ansible Conventions and Best Practices |
| 7 | + |
| 8 | +## General Instructions |
| 9 | + |
| 10 | +- Use Ansible to configure and manage infrastructure. |
| 11 | +- Use version control for your Ansible configurations. |
| 12 | +- Keep things simple; only use advanced features when necessary |
| 13 | +- Give every play, block, and task a concise but descriptive `name` |
| 14 | + - Start names with an action verb that indicates the operation being performed, such as "Install," "Configure," or "Copy" |
| 15 | + - Capitalize the first letter of the task name |
| 16 | + - Omit periods from the end of task names for brevity |
| 17 | + - Omit the role name from role tasks; Ansible will automatically display the role name when running a role |
| 18 | + - When including tasks from a separate file, you may include the filename in each task name to make tasks easier to locate (e.g., `<TASK_FILENAME> : <TASK_NAME>`) |
| 19 | +- Use comments to provide additional context about **what**, **how**, and/or **why** something is being done |
| 20 | + - Don't include redundant comments |
| 21 | +- Use dynamic inventory for cloud resources |
| 22 | + - Use tags to dynamically create groups based on environment, function, location, etc. |
| 23 | + - Use `group_vars` to set variables based on these attributes |
| 24 | +- Use idempotent Ansible modules whenever possible; avoid `shell`, `command`, and `raw`, as they break idempotency |
| 25 | + - If you have to use `shell` or `command`, use the `creates:` or `removes:` parameter, where feasible, to prevent unnecessary execution |
| 26 | +- Use [fully qualified collection names (FQCN)](https://docs.ansible.com/ansible/latest/reference_appendices/glossary.html#term-Fully-Qualified-Collection-Name-FQCN) to ensure the correct module or plugin is selected |
| 27 | + - Use the `ansible.builtin` collection for [builtin modules and plugins](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/index.html#plugin-index) |
| 28 | +- Group related tasks together to improve readability and modularity |
| 29 | +- For modules where `state` is optional, explicitly set `state: present` or `state: absent` to improve clarity and consistency |
| 30 | +- Use the lowest privileges necessary to perform a task |
| 31 | + - Only set `become: true` at the play level or on an `include:` statement, if all included tasks require super user privileges; otherwise, specify `become: true` at the task level |
| 32 | + - Only set `become: true` on a task if it requires super user privileges |
| 33 | + |
| 34 | +## Secret Management |
| 35 | + |
| 36 | +- When using Ansible alone, store secrets using Ansible Vault |
| 37 | + - Use the following process to make it easy to find where vaulted variables are defined |
| 38 | + 1. Create a `group_vars/` subdirectory named after the group |
| 39 | + 2. Inside this subdirectory, create two files named `vars` and `vault` |
| 40 | + 3. In the `vars` file, define all of the variables needed, including any sensitive ones |
| 41 | + 4. Copy all of the sensitive variables over to the `vault` file and prefix these variables with `vault_` |
| 42 | + 5. Adjust the variables in the `vars` file to point to the matching `vault_` variables using Jinja2 syntax: `db_password: "{{ vault_db_password }}"` |
| 43 | + 6. Encrypt the `vault` file to protect its contents |
| 44 | + 7. Use the variable name from the `vars` file in your playbooks |
| 45 | +- When using other tools with Ansible (e.g., Terraform), store secrets in a third-party secrets management tool (e.g., Hashicorp Vault, AWS Secrets Manager, etc.) |
| 46 | + - This allows all tools to reference a single source of truth for secrets and prevents configurations from getting out of sync |
| 47 | + |
| 48 | +## Style |
| 49 | + |
| 50 | +- Use 2-space indentation and always indent lists |
| 51 | +- Separate each of the following with a single blank line: |
| 52 | + - Two host blocks |
| 53 | + - Two task blocks |
| 54 | + - Host and include blocks |
| 55 | +- Use `snake_case` for variable names |
| 56 | +- Sort variables alphabetically when defining them in `vars:` maps or variable files |
| 57 | +- Always use multi-line map syntax, regardless of how many pairs exist in the map |
| 58 | + - It improves readability and reduces changeset collisions for version control |
| 59 | +- Prefer single quotes over double quotes |
| 60 | + - The only time you should use double quotes is when they are nested within single quotes (e.g. Jinja map reference), or when your string requires escaping characters (e.g., using "\n" to represent a newline) |
| 61 | + - If you must write a long string, use folded block scalar syntax (i.e., `>`) to replace newlines with spaces or literal block scalar syntax (i.e., `|`) to preserve newlines; omit all special quoting |
| 62 | +- The `host` section of a play should follow this general order: |
| 63 | + - `hosts` declaration |
| 64 | + - Host options in alphabetical order (e.g., `become`, `remote_user`, `vars`) |
| 65 | + - `pre_tasks` |
| 66 | + - `roles` |
| 67 | + - `tasks` |
| 68 | +- Each task should follow this general order: |
| 69 | + - `name` |
| 70 | + - Task declaration (e.g., `service:`, `package:`) |
| 71 | + - Task parameters (using multi-line map syntax) |
| 72 | + - Loop operators (e.g., `loop`) |
| 73 | + - Task options in alphabetical order (e.g. `become`, `ignore_errors`, `register`) |
| 74 | + - `tags` |
| 75 | +- For `include` statements, quote filenames and only use blank lines between `include` statements if they are multi-line (e.g., they have tags) |
| 76 | + |
| 77 | +## Linting |
| 78 | + |
| 79 | +- Use `ansible-lint` and `yamllint` to check syntax and enforce project standards |
| 80 | +- Use `ansible-playbook --syntax-check` to check for syntax errors |
| 81 | +- Use `ansible-playbook --check --diff` to perform a dry-run of playbook execution |
| 82 | + |
| 83 | +<!-- |
| 84 | +These guidelines were based on, or copied from, the following sources: |
| 85 | +
|
| 86 | +- [Ansible Documentation - Tips and Tricks](https://docs.ansible.com/ansible/latest/tips_tricks/index.html) |
| 87 | +- [Whitecloud Ansible Styleguide](https://github.com/whitecloud/ansible-styleguide) |
| 88 | +--> |
0 commit comments