The Ansible analyzer failed to process this YAML file. It is possible that the file has syntax errors, or was not intended to be an Ansible file.
local_action with delegate_to: localhost (ANS-E5004)
local_action is equivalent to delegate_to: localhost in terms of functionality, but it is not very readable, and does not match the style of typical Ansible tasks.
Task names are optional, but extremely useful. In its output, Ansible shows you the name of each task it runs. Choosing names that describe what each task does and why improves readability. It also enables the usage of --start-at-task.
latest (ANS-E4003)
Package installs should use state: present with or without a version. Use latest ONLY if it is supported by the underlying package module(s) executed.
become_user requires become to work as expected (ANS-E5001)
become_user without become: yes will not actually change the user. When become is set to yes but become_user is not set, the user is set to root.
pipefail option (ANS-E3006)
Without the pipefail option set, a shell command that implements a pipeline can fail and still return 0. If any part of the pipeline other than the terminal command fails, the whole pipeline will still return 0, which Ansible may consider a success. The pipefail option is available in the bash shell.
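The effect described above, as an added example playbook that is not from the original page. The path /nonexistent/example.list, the task names and the registered variable names are assumptions constructed for illustration.

```yaml
# Added example (constructed). Run with: ansible-playbook pipefail-demo.yml
# The missing file makes `cat` fail, while `wc -l` at the end of the pipe succeeds.
- name: Compare pipeline return codes with and without pipefail
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Count entries without pipefail (cat failure is masked by wc)
      ansible.builtin.shell: cat /nonexistent/example.list | wc -l
      args:
        executable: /bin/bash
      register: masked
      changed_when: false   # read-only task, never reports changed

    - name: Count entries with pipefail (cat failure propagates)
      ansible.builtin.shell: |
        set -o pipefail
        cat /nonexistent/example.list | wc -l
      args:
        executable: /bin/bash   # pipefail is a bash option
      register: strict
      changed_when: false
      failed_when: false    # demo only: keep the play running to compare results

    - name: Show that only the pipefail variant reports the failure
      ansible.builtin.assert:
        that:
          - masked.rc == 0            # Ansible would treat this task as successful
          - masked.stdout == "0"      # wc counted nothing, yet rc is 0
          - strict.rc != 0            # the failing cat now sets the return code
```

In a real task, drop failed_when: false so the non-zero return code fails the play.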
command instead of shell (ANS-E3005)
Use shell only when shell functionality is required. Shell should only be used when piping, redirecting or chaining commands (and Ansible would be preferred for some of those!)
All files referenced by include or import_tasks must exist. The check excludes files with jinja2 templates in the filename. Example:
Tasks should tell Ansible when to return changed, unless the task only reads information. To do this, set changed_when, use the creates or removes argument, or use when to run the task only if another check has a particular result.
command instead of arguments to modules (ANS-E3002)
Executing a command when there are arguments to modules is not recommended. Using the command module is a bad idea: it is not idempotent by nature, so the developer is responsible for handling the idempotency of the task.
The command module does not accept setting environment variables inline. Use environment: to set environment variables, or use the shell module, which accepts both.
module instead of command (ANS-E3003)
Executing a command when there is an Ansible module is not recommended. Ansible has two generic ways of performing a task: using Ansible modules or using the command/shell module. Ansible modules are developed by the Ansible community and third party vendors like rpm, docker, kubernetes, yum, azure etc.
copy and template do not need to use a relative path for src. This removes the need for knowing the location of the root directory.
All version control checkouts must point to an explicit commit or tag, not just latest. Relying on latest may lead to breakages in the application if the latest version is unstable or not meant for use with the current system.
If a task has a when: result.changed setting, it is effectively acting as a handler. Sometimes you want a task to run only when a change is made on a machine. For example, you may want to restart a service if a task updates the configuration of that service, but not if the configuration is unchanged. Ansible uses handlers to address this use case. Handlers are tasks that only run when notified. Each handler should have a globally unique name.
All version control checkouts must point to an explicit commit or tag, not just latest. Relying on latest may lead to breakages in the application if the latest version is unstable or not meant for use with the current system.
Avoid multiple entries with the same key in mappings.