Menu
Ansible automation workflow guidelines. Activate when working with Ansible playbooks, ansible-playbook, inventory files (.yml, .ini), or Ansible-specific patterns.
| name | ansible-workflow |
| description | Ansible automation workflow guidelines. Activate when working with Ansible playbooks, ansible-playbook, inventory files (.yml, .ini), or Ansible-specific patterns. |
| location | user |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
| Task | Tool | Command |
|---|---|---|
| Lint | ansible-lint | ansible-lint |
| YAML lint | yamllint | yamllint . |
| Syntax check | ansible | ansible-playbook --syntax-check |
| Dry run | ansible | ansible-playbook --check |
| Run | ansible | ansible-playbook playbook.yml |
| Test roles | molecule | molecule test |
| Encrypt | sops | sops -e secrets.yml |
| Decrypt | sops | sops -d secrets.yml |
All module names MUST use Fully Qualified Collection Names (FQCN):
# CORRECT
- name: Copy configuration file
ansible.builtin.copy:
src: app.conf
dest: /etc/app/app.conf
# INCORRECT - DO NOT USE
- name: Copy configuration file
copy:
src: app.conf
dest: /etc/app/app.conf
All playbooks and roles MUST pass linting before commit:
# Run both linters
ansible-lint && yamllint .
Configuration templates available in assets/:
.ansible-lint.template - Production profile with strict mode.yamllint.template - YAML linting with 120 char linesTasks handling sensitive data MUST use no_log: true:
- name: Set database password
ansible.builtin.shell: |
mysql -u root -p'{{ db_root_password }}' -e "SET PASSWORD..."
no_log: true
- name: Create API token
ansible.builtin.uri:
url: "{{ api_endpoint }}/tokens"
headers:
Authorization: "Bearer {{ admin_token }}"
no_log: true
register: token_result
SOPS is RECOMMENDED over ansible-vault for GitOps workflows:
# .sops.yaml
creation_rules:
- path_regex: .*vars/secrets\.yml$
age: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Encrypt
sops -e vars/secrets.yml > vars/secrets.enc.yml
# Decrypt inline during playbook
sops -d vars/secrets.enc.yml | ansible-playbook -e @/dev/stdin playbook.yml
When ansible-vault is required:
# Encrypt variable file
ansible-vault encrypt group_vars/prod/vault.yml
# Run with vault
ansible-playbook --ask-vault-pass playbook.yml
inventories/
├── prod/
│ ├── hosts.yml
│ ├── group_vars/
│ │ ├── all.yml
│ │ ├── webservers.yml
│ │ └── databases.yml
│ └── host_vars/
├── staging/
│ ├── hosts.yml
│ └── group_vars/
└── dev/
├── hosts.yml
└── group_vars/
Organize group_vars by role name for clarity:
group_vars/
├── all/
│ ├── main.yml # Common variables
│ └── secrets.enc.yml # SOPS-encrypted secrets
├── webservers/
│ ├── nginx.yml # Role: nginx
│ └── ssl.yml # Role: ssl_certificates
└── databases/
├── postgresql.yml # Role: postgresql
└── backup.yml # Role: db_backup
Roles SHOULD be single-purpose:
roles/
├── nginx/ # Web server only
├── ssl_certificates/ # SSL management only
├── postgresql/ # Database only
└── app_deploy/ # Application deployment only
# inventories/aws/aws_ec2.yml
plugin: amazon.aws.aws_ec2
regions:
- us-east-1
- us-west-2
keyed_groups:
- key: tags.Environment
prefix: env
- key: tags.Role
prefix: role
filters:
instance-state-name: running
hostnames:
- private-ip-address
compose:
ansible_host: private_ip_address
# inventories/azure/azure_rm.yml
plugin: azure.azcollection.azure_rm
auth_source: auto
include_vm_resource_groups:
- production-rg
- staging-rg
keyed_groups:
- key: tags.Environment
prefix: env
hostnames:
- private_ipv4_addresses
# inventories/gcp/gcp_compute.yml
plugin: google.cloud.gcp_compute
projects:
- my-project-id
zones:
- us-central1-a
- us-central1-b
keyed_groups:
- key: labels.environment
prefix: env
hostnames:
- private_ip
# tasks/main.yml
- name: Update nginx configuration
ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
notify: Restart nginx
- name: Update SSL certificate
ansible.builtin.copy:
src: "{{ ssl_cert_file }}"
dest: /etc/nginx/ssl/cert.pem
notify:
- Validate nginx config
- Reload nginx
# handlers/main.yml
- name: Validate nginx config
ansible.builtin.command: nginx -t
changed_when: false
- name: Reload nginx
ansible.builtin.systemd:
name: nginx
state: reloaded
- name: Restart nginx
ansible.builtin.systemd:
name: nginx
state: restarted
Handlers execute in definition order, not notification order. Define handlers in logical sequence (validate -> reload -> restart).
Ansible variable precedence (highest to lowest):
-e "var=value")# Use role defaults for safe defaults
# roles/nginx/defaults/main.yml
nginx_worker_processes: auto
nginx_worker_connections: 1024
# Use group_vars for environment-specific overrides
# group_vars/prod/nginx.yml
nginx_worker_connections: 4096
# Use extra vars for one-time overrides only
ansible-playbook playbook.yml -e "nginx_worker_connections=8192"
# roles/nginx/molecule/default/molecule.yml
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible
pre_build_image: true
privileged: true
command: /usr/sbin/init
provisioner:
name: ansible
verifier:
name: ansible
molecule test # Full test cycle
molecule converge # Apply role
molecule verify # Run verification
molecule destroy # Cleanup
Use the template at assets/ansible.cfg.template:
forks = 20 - Parallel executionpipelining = True - Reduce SSH operationsgathering = smart - Cache factsfact_caching = jsonfile - Persist facts# Use async for long-running tasks
- name: Upgrade all packages
ansible.builtin.dnf:
name: "*"
state: latest
async: 600
poll: 10
# Use free strategy for independent tasks
- hosts: all
strategy: free
tasks:
- name: Independent task 1
ansible.builtin.command: /opt/script1.sh
- name: Independent task 2
ansible.builtin.command: /opt/script2.sh
Before committing Ansible code:
ansible-lint passes with no warningsyamllint . passesansible-playbook --syntax-check passesno_log: trueActivate when user needs multi-URL scraping, browser automation pipelines, or efficient tool orchestration to reduce API round-trips and context usage.
Language-agnostic API design patterns covering REST and GraphQL, including resource naming, HTTP methods, status codes, versioning, pagination, filtering, authentication, error handling, and schema design. Activate when working with APIs, REST endpoints, GraphQL schemas, API documentation, OpenAPI/Swagger, JWT, OAuth2, endpoint design, API versioning, rate limiting, or GraphQL resolvers.
Git workflow and commit guidelines. Trigger keywords: git, commit, push, .git, version control. MUST be activated before ANY git commit, push, or version control operation. Includes security scanning for secrets (API keys, tokens, .env files), commit message formatting with HEREDOC, logical commit grouping (docs, test, feat, fix, refactor, chore, build, deps), push behavior rules, safety rules for hooks and force pushes, and CRITICAL safeguards for destructive operations (filter-branch, gc --prune, reset --hard). Activate when user requests committing changes, pushing code, creating commits, rewriting history, or performing any git operations including analyzing uncommitted changes.
Testing workflow patterns and quality standards. Activate when working with tests, test files, test directories, code quality tools, coverage reports, or testing tasks. Includes zero-warnings policy, targeted testing during development, mocking patterns, and best practices across languages.
Claude Code AI-assisted development workflow. Activate when discussing Claude Code usage, AI-assisted coding, prompting strategies, or Claude Code-specific patterns.
Guidelines for containerized projects using Docker, Dockerfile, docker-compose, container, and containerization. Covers multi-stage builds, security, signal handling, entrypoint scripts, and deployment workflows.