Ansible Automation Playbook Collection

Ansible Automation Playbook Collection

Ansible playbooks running from a developer's laptop are one SSH connection failure away from a half-configured server. I watched this happen at an energy sector client: the playbook was configuring a 12-node cluster, got to node 7, lost the VPN connection, and left 5 nodes in a partially configured state that did not match the other 7. The team spent a day figuring out which tasks had run on which nodes. This template wraps Ansible in a CI pipeline with idempotency verification, diff mode for change preview, and per-environment inventory management.

Pipeline Stages

• lint — ansible-lint with custom rules. Catches deprecated modules, missing become directives, and tasks without names.
• syntax-check — ansible-playbook --syntax-check against all playbooks. Verifies variable references, role dependencies, and task structure.
• molecule-test — molecule test runs playbooks against Docker or Vagrant instances. Verifies idempotency: second run produces zero changes. Tests both Debian and RHEL family targets.
• diff-plan — ansible-playbook --diff --check against staging. Shows exactly what would change without applying. Output posted as PR comment for review.
• deploy-staging — Full playbook run against staging inventory. Post-run verification playbook validates service health, port connectivity, and configuration file contents.
• deploy-prod — Manual approval gate. Serial execution: serial: 1 for rolling updates. Health check between each host. Automatic stop on first failure to prevent cascading bad configuration.

Security Gates

• Ansible Vault for secrets — All credentials encrypted with ansible-vault encrypt. Vault password injected from CI secret store at runtime, never committed to the repository.
• SSH key rotation — Pipeline uses short-lived SSH certificates from HashiCorp Vault instead of static SSH keys. Certificate TTL: 1 hour.
• Least-privilege become — Tasks specify become_user per task, not globally. Only the tasks that need root run as root.

What Breaks First

• SSH connection timeout to bastions — Long playbook runs exceed the SSH session timeout on jump hosts. Fix: configure ServerAliveInterval 60 and ServerAliveCountMax 10 in the pipeline's SSH config.
• Idempotency failure from shell tasks — shell: and command: modules always report "changed" even if the command is idempotent. Fix: use creates: or when: conditions to make shell tasks conditional.
• Inventory group variable precedence — A variable defined in group_vars/all is overridden by group_vars/webservers in staging but not production because the host group membership differs. Fix: use explicit host_vars for environment-specific values and reserve group_vars for truly global defaults.