- Command and shell and raw module execution risks
- Keep Projects in Version Control System
- Ssh keys
Command and shell and raw module execution risks: Changed state is important and an already existing state can’t be changed. Use explicit declarations (eg: state or overwrite actions)
Ansible used to be idempotent
The above modules is not having any code to maintain changed state
Try to use default modules present in ansible. Think about additional/collections/custom modules if no suitable modules are found.
Use block and rescue, a feature in ansible. Block – unite tasks logically unite and kept in one block Rescue – if any of above blocks failed ansible need to perform rescue steps
Ansible is having not only tasks but pre-tasks and post-tasks.
Not put everything in a single task but we can split and divide the tasks. Each of these tasks can be performed based on handlers
Try to avoid command, shell and raw modules whenever possible. Use available modules rather than raw commands
Create groups for hosts in the inventory files and keep it in a well organized manner. Split the inventory for each environment like production, QA, staging etc.. We can do this by using separate folders or else separate files. This will help us to run the same playbooks for different groups of hosts using these separate inventory files. Don’t use plain text passwords in inventory or group vars or host vars files. Encrypt passwords using ansible vault. Inventory file formats can be ini or yaml files. For cloud we can use dynamic inventory scripts to manage hosts. Use an identifiable name for the hosts in the inventory . So when we run playbooks using ansible_host, ip address and other arguments, it will help us to track playbook changes for the host, its logs, actions performed etc.. Yaml inventories will process faster and it will be a good option for large numbers of hosts than ini.
Keep Projects in Version Control System
Playbooks, Configurations, Variables, Roles and Collections
Opportunity for Collaboration
Less worry on the old version of playbooks and configurations
Make Auditing possible
Create project specific repositories
Try to use ssh key based authentication always.
Always use a separate user to run ansible playbooks on remote hosts.
Never disable ssl validation and ssl certificates for ansible and hosts.
Don’t use hardcoded values too much, but use variables for repetitive values as much as possible.
Ansible playbook execution happens in control node and module execution happens in target nodes. Ansible will only work with python 2.7 .
Gathered_tasks: Ansible will collect facts from remote nodes using tasks
Tags: will help us to sort and group tasks during execution
Started task: Ansible property to show started or running playbooks
Accelerator mode and pipeline in ansible: To help in ansible playbooks execution