Best Practices

First PublishedFeb 16, 2026ByAtif Alam

Idempotency

The most important principle in Ansible: running a playbook twice should produce the same result as running it once. No unintended side effects, no duplicate changes.

What Makes a Task Idempotent

Most built-in modules are idempotent by design:

1
# Idempotent — apt checks if nginx is already installed
2
- name: Install nginx
3
  apt:
4
    name: nginx
5
    state: present
6

7
# Idempotent — service checks if nginx is already running
8
- name: Start nginx
9
  service:
10
    name: nginx
11
    state: started

What Breaks Idempotency

command and shell modules are not idempotent — they always run and always report changed:

1
# NOT idempotent — runs every time
2
- name: Create database
3
  command: createdb myapp
4

5
# Fix: add a condition
6
- name: Check if database exists
7
  command: psql -lqt
8
  register: db_list
9
  changed_when: false
10

11
- name: Create database if missing
12
  command: createdb myapp
13
  when: "'myapp' not in db_list.stdout"

Idempotency Helpers

creates — Skip if a file already exists:

1
- name: Run initial setup
2
  command: /opt/myapp/setup.sh
3
  args:
4
    creates: /opt/myapp/.initialized

changed_when: false — For read-only commands that never change state.
state: present / state: absent — Most modules use state to be declarative.

Tagging Tasks

Tags let you run only specific parts of a playbook:

1
tasks:
2
  - name: Install packages
3
    apt:
4
      name:
5
        - nginx
6
        - curl
7
      state: present
8
    tags: [packages, setup]
9

10
  - name: Deploy application
11
    copy:
12
      src: app/
13
      dest: /opt/myapp/
14
    tags: [deploy]
15

16
  - name: Run database migrations
17
    command: /opt/myapp/migrate.sh
18
    tags: [deploy, database]

1
ansible-playbook site.yml --tags deploy           # only deploy tasks
2
ansible-playbook site.yml --tags "deploy,database" # deploy + database
3
ansible-playbook site.yml --skip-tags packages     # everything except packages
4
ansible-playbook site.yml --list-tags              # show all available tags

Special Tags

always — Task runs no matter what tags are selected.
never — Task only runs if explicitly included with --tags.

1
- name: Debug info (only when asked)
2
  debug:
3
    msg: "{{ ansible_facts }}"
4
  tags: [never, debug]
5

6
- name: Send notification (always runs)
7
  slack:
8
    msg: "Deploy complete"
9
  tags: [always]

Ansible Vault

Encrypt sensitive data (passwords, API keys, certificates) that lives alongside your playbooks.

Encrypting a File

1
ansible-vault encrypt group_vars/production/secrets.yml
2
ansible-vault decrypt group_vars/production/secrets.yml
3
ansible-vault edit group_vars/production/secrets.yml     # decrypt, edit, re-encrypt
4
ansible-vault view group_vars/production/secrets.yml     # view without decrypting to disk

Encrypted Variables File

1
# group_vars/production/secrets.yml (encrypted)
2
db_password: "s3cur3_p4ssw0rd"
3
api_key: "ak_live_abc123"
4
ssl_private_key: |
5
  -----BEGIN PRIVATE KEY-----
6
  ...
7
  -----END PRIVATE KEY-----

Inline Encrypted Variables

Encrypt a single value instead of an entire file:

1
ansible-vault encrypt_string 's3cur3_p4ssw0rd' --name 'db_password'

Output (paste into your vars file):

1
db_password: !vault |
2
  $ANSIBLE_VAULT;1.1;AES256
3
  3565396...

Using Vault in Playbook Runs

1
ansible-playbook site.yml --ask-vault-pass               # prompt for password
2
ansible-playbook site.yml --vault-password-file ~/.vault_pass  # read from file

In CI/CD, store the vault password as a secret and pass it via file or environment variable:

1
echo "$VAULT_PASSWORD" > /tmp/.vault_pass
2
ansible-playbook site.yml --vault-password-file /tmp/.vault_pass

Vault Best Practices

Separate secrets into their own file (secrets.yml) alongside non-sensitive vars — easier to manage.
Use vault IDs when you have different passwords for different environments:

1
ansible-vault encrypt --vault-id prod@prompt group_vars/production/secrets.yml
2
ansible-playbook site.yml --vault-id prod@~/.vault_pass_prod

Testing With Molecule

Molecule is the standard testing framework for Ansible roles. It creates ephemeral instances (Docker, Vagrant, cloud), runs your role, and verifies the result.

Install

1
pip install molecule molecule-docker

Initialize

1
cd roles/nginx
2
molecule init scenario --driver-name docker

Creates:

1
molecule/
2
  default/
3
    molecule.yml       # test config
4
    converge.yml       # playbook that applies the role
5
    verify.yml         # assertions

molecule.yml

1
driver:
2
  name: docker
3
platforms:
4
  - name: instance
5
    image: ubuntu:22.04
6
    pre_build_image: true
7
provisioner:
8
  name: ansible
9
verifier:
10
  name: ansible

converge.yml

1
---
2
- name: Converge
3
  hosts: all
4
  become: true
5
  roles:
6
    - role: nginx
7
      vars:
8
        nginx_port: 8080

verify.yml

1
---
2
- name: Verify
3
  hosts: all
4
  tasks:
5
    - name: Check nginx is installed
6
      command: nginx -v
7
      register: result
8
      changed_when: false
9
      failed_when: result.rc != 0
10

11
    - name: Check nginx is running
12
      service_facts:
13

14
    - name: Assert nginx is active
15
      assert:
16
        that:
17
          - "'nginx.service' in ansible_facts.services"
18
          - "ansible_facts.services['nginx.service'].state == 'running'"

Running Tests

1
molecule test          # full cycle: create → converge → verify → destroy
2
molecule converge      # just run the role (keep the instance)
3
molecule verify        # run verification only
4
molecule login         # SSH into the test instance for debugging
5
molecule destroy       # tear down

Molecule in CI

1
# GitHub Actions
2
- name: Run Molecule tests
3
  run: |
4
    pip install molecule molecule-docker
5
    cd roles/nginx
6
    molecule test

Project Layout

Small Project

1
ansible/
2
  inventory/
3
    hosts.yml
4
    group_vars/
5
      all.yml
6
      webservers.yml
7
    host_vars/
8
      web1.example.com.yml
9
  playbooks/
10
    site.yml
11
    webservers.yml
12
    dbservers.yml
13
  roles/
14
    nginx/
15
    postgresql/
16
    myapp/
17
  files/
18
  templates/
19
  ansible.cfg
20
  requirements.yml

Large Project (Multi-Environment)

1
ansible/
2
  inventories/
3
    dev/
4
      hosts.yml
5
      group_vars/
6
        all.yml
7
        all/
8
          secrets.yml    # vault encrypted
9
      host_vars/
10
    staging/
11
      hosts.yml
12
      group_vars/
13
    production/
14
      hosts.yml
15
      group_vars/
16
  playbooks/
17
    site.yml
18
    deploy.yml
19
    rollback.yml
20
  roles/
21
    requirements.yml     # Galaxy roles
22
    internal/
23
      nginx/
24
      myapp/
25
  ansible.cfg

Run per environment:

1
ansible-playbook -i inventories/production/hosts.yml playbooks/site.yml
2
ansible-playbook -i inventories/dev/hosts.yml playbooks/deploy.yml

ansible.cfg

Set project-wide defaults:

1
# ansible.cfg
2
[defaults]
3
inventory = ./inventory/hosts.yml
4
roles_path = ./roles
5
retry_files_enabled = false
6
stdout_callback = yaml            # readable output format
7
timeout = 30
8
forks = 20                        # parallel connections
9

10
[privilege_escalation]
11
become = true
12
become_method = sudo
13
become_user = root
14

15
[ssh_connection]
16
pipelining = true                 # faster execution
17
control_path_dir = /tmp/.ansible/cp

Place ansible.cfg in your project root. Ansible finds it automatically.

CI/CD Integration

1
# GitHub Actions
2
name: Ansible Deploy
3
on:
4
  push:
5
    branches: [main]
6
    paths: ["ansible/**"]
7

8
jobs:
9
  deploy:
10
    runs-on: ubuntu-latest
11
    steps:
12
      - uses: actions/checkout@v4
13
      - name: Install Ansible
14
        run: pip install ansible
15

16
      - name: Install Galaxy roles
17
        run: ansible-galaxy install -r ansible/roles/requirements.yml
18

19
      - name: Run playbook
20
        env:
21
          ANSIBLE_VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }}
22
        run: |
23
          echo "$ANSIBLE_VAULT_PASSWORD" > /tmp/.vault_pass
24
          ansible-playbook \
25
            -i ansible/inventories/production/hosts.yml \
26
            ansible/playbooks/deploy.yml \
27
            --vault-password-file /tmp/.vault_pass
28
          rm /tmp/.vault_pass

Troubleshooting and Debugging

Verbosity Levels

1
ansible-playbook site.yml -v       # task results
2
ansible-playbook site.yml -vv      # task input parameters
3
ansible-playbook site.yml -vvv     # SSH connection details
4
ansible-playbook site.yml -vvvv    # full connection + plugin debugging

Start with -v, increase only if needed. -vvv is usually enough to diagnose SSH and permission issues.

The debug Module

Print variables and expressions mid-play:

1
- name: Show all facts
2
  debug:
3
    var: ansible_facts
4

5
- name: Show a specific variable
6
  debug:
7
    msg: "App port is {{ app_port }}, host is {{ ansible_host }}"
8

9
- name: Show registered output
10
  debug:
11
    var: deploy_result.stdout_lines

Common Errors and Fixes

Error	Cause	Fix
`Unreachable`	SSH can’t connect	Check IP, port, SSH key, security groups, firewall
`Permission denied`	Wrong SSH user or key	Set `ansible_user` and `ansible_ssh_private_key_file`
`Missing sudo password`	`become: true` but no password	Add `--ask-become-pass` or configure passwordless sudo
`module not found`	Module not installed	Install the collection: `ansible-galaxy collection install ...`
`/usr/bin/python: not found`	Python missing on target	Set `ansible_python_interpreter: /usr/bin/python3` or install Python
`Shared connection closed`	SSH timeout on slow tasks	Increase `timeout` in `ansible.cfg` or use `async`
`variable undefined`	Typo or missing var	Check spelling, check `group_vars/`/`host_vars/`, use `

Testing Connectivity

1
ansible all -m ping                            # test SSH to all hosts
2
ansible web1.example.com -m ping -vvv          # detailed connection info
3
ansible all -m setup -a "filter=ansible_distribution"  # test facts gathering

Step Mode

Run tasks one at a time, confirming each:

1
ansible-playbook site.yml --step

Ansible prompts before each task: (N)o/(y)es/(c)ontinue.

Start at a Specific Task

Resume from a specific task (e.g. after fixing an error):

1
ansible-playbook site.yml --start-at-task="Deploy application"

Checking Syntax

1
ansible-playbook site.yml --syntax-check       # parse without running
2
ansible-lint site.yml                           # lint for best practices

ansible-lint catches style issues, deprecated syntax, and risky patterns.

Performance Tuning

Forks (Parallelism)

By default, Ansible runs tasks on 5 hosts in parallel. Increase for larger inventories:

1
# ansible.cfg
2
[defaults]
3
forks = 20

Or per-run:

1
ansible-playbook site.yml -f 50

More forks = more parallel SSH connections = faster execution. Limit by your control node’s CPU/memory and target network capacity.

Pipelining

Reduces SSH operations by executing modules without copying them to a temp file:

1
# ansible.cfg
2
[ssh_connection]
3
pipelining = true

Requires requiretty to be disabled in /etc/sudoers on the targets (most modern systems don’t set it). Gives a significant speedup.

SSH Multiplexing

Ansible uses SSH ControlPersist by default — one SSH connection is reused for multiple tasks on the same host. Make sure it’s enabled:

1
# ansible.cfg
2
[ssh_connection]
3
ssh_args = -o ControlMaster=auto -o ControlPersist=60s
4
control_path_dir = /tmp/.ansible/cp

Fact Caching

Fact gathering runs at the start of every play and can be slow with many hosts. Cache facts between runs:

1
# ansible.cfg
2
[defaults]
3
gathering = smart              # only gather if cache is expired
4
fact_caching = jsonfile
5
fact_caching_connection = /tmp/ansible_fact_cache
6
fact_caching_timeout = 3600    # cache for 1 hour

Or use Redis for shared caching across CI jobs:

1
fact_caching = redis
2
fact_caching_connection = localhost:6379:0
3
fact_caching_timeout = 3600

Selective Fact Gathering

Gather only what you need:

1
- name: Quick play
2
  hosts: webservers
3
  gather_facts: true
4
  gather_subset:
5
    - network
6
    - hardware
7
  # skip: distribution, virtual, ohai, facter

Or disable entirely with gather_facts: false if you don’t use any facts.

Mitogen Strategy Plugin

Mitogen is a third-party strategy plugin that dramatically speeds up Ansible by replacing SSH with a more efficient transport:

1
# ansible.cfg
2
[defaults]
3
strategy_plugins = /path/to/mitogen/ansible_mitogen/plugins/strategy
4
strategy = mitogen_linear

Reported speedups of 1.25x–7x depending on the workload. Drop-in replacement — no playbook changes needed.

Performance Checklist

Setting	Default	Recommended
`forks`	5	20–50 (match your infra size)
`pipelining`	false	`true`
`gathering`	implicit	`smart` (with caching)
`fact_caching`	memory	`jsonfile` or `redis`
`ControlPersist`	60s	60s (already good)
Strategy	linear	`mitogen_linear` (if available)

Key Takeaways

Idempotency first — Prefer declarative modules over command/shell. Use creates, changed_when, and conditional checks.
Tag tasks so you can run subsets of a playbook (--tags deploy, --skip-tags debug).
Encrypt secrets with Ansible Vault. Store the vault password in CI/CD secrets, never in code.
Test roles with Molecule — create, converge, verify, destroy. Run in CI.
Organize by environment — separate inventories with their own group_vars/ and secrets.
Set sane defaults in ansible.cfg (pipelining, forks, yaml output).
Debug with -v/-vv/-vvv, debug module, --step, and --start-at-task.
Tune performance with higher forks, pipelining, fact caching, and Mitogen.