Part 35 — Best Practices¶
Chapter status: outline
This chapter is scoped but not yet written in full prose. The sections below define what each part will cover.
This chapter consolidates the best-practice notes scattered across every prior chapter into one production playbook (in the non-Ansible sense of the word).
Why This Exists¶
- Individual best practices make more sense as a coherent whole than as isolated tips — this chapter is the "if you only read one chapter before starting a real project" reference.
Problem Statement¶
- Ansible is permissive by design (many ways to structure variables, many ways to organize roles) — permissiveness without convention leads to inconsistent, hard-to-onboard-into repositories at scale.
Internal Architecture — A Reference Repository Layout¶
inventory/
production/
hosts.yml
group_vars/
host_vars/
staging/
hosts.yml
group_vars/
host_vars/
roles/
common/
webserver/
database/
collections/
requirements.yml
playbooks/
site.yml
deploy.yml
group_vars/
all.yml
ansible.cfg
requirements.yml
.ansible-lint
.yamllint
README.md
Step-by-Step Explanation — Conventions¶
- Naming: consistent, descriptive task names (shown in output —
name:is documentation, not decoration); consistent variable naming with a role-specific prefix to avoid collisions (e.g.,nginx_worker_processesinstead of a bareworker_processes). - Repository layout: environment-scoped inventories (Volume 2, Part 8) so
--limitmistakes can't cross environments; roles kept focused and composable (Volume 2, Part 12). - Git: feature-branch workflow with PR review required before merging to the branch that CI/CD deploys from; meaningful commit messages describing why a playbook changed.
- CI: the full pipeline assembled from Volume 5 —
ansible-lint/yamllint→ansible-test sanity→ Molecule →--check --diffdry runs against a staging-like target before real deploys. - Roles: one responsibility per role, complete
defaults/main.yml, accuratemeta/main.yml. - Collections: internal collections for shared modules/plugins/roles across projects, versioned and pinned (Volume 2, Parts 13-14).
- Variables: role defaults for overridable values,
group_vars/host_varsfor environment-specific values,-ereserved for genuine one-off overrides (Volume 2, Part 9). - Secrets: Vault or an external secret manager, never plaintext,
no_logon every sensitive task (Part 31). - Documentation: a README per role/collection describing purpose, variables, and examples — treating internal automation with the same documentation bar as a published Galaxy collection.
- Versioning: semantic versioning for internal collections (Volume 2, Part 14), and tagging playbook repository releases that correspond to significant infrastructure changes.
Production Best Practices¶
- (This chapter's entire content is production best practices — organized here as the consolidated reference rather than repeated per-topic.)
Common Mistakes¶
- A single sprawling repository with no environment separation, no role boundaries, and no CI gate — the state most unmanaged Ansible repositories drift into over time without deliberate structure.
Performance Considerations¶
- Repository structure itself doesn't affect runtime performance, but a well-organized repo makes the Part 32 performance levers easier to apply consistently across environments.
Security Considerations¶
- Repository layout is itself a security control: environment-scoped inventories and CI gating are what make Part 31's security practices enforceable rather than aspirational.
Interview Questions¶
- "How would you structure a production Ansible repository for a team of 10 engineers?"
- "What CI checks would you require before an Ansible playbook can be merged?"
- "How do you keep role variables from colliding across a large codebase?"
Hands-On Lab¶
- Restructure a flat, single-file playbook into the reference layout above (separate inventory, roles,
group_vars,ansible.cfg,requirements.yml) and verify it still runs identically withansible-playbook --check.
Summary¶
- Best practice in Ansible is less about any single rule and more about consistent structure — environment-scoped inventory, focused roles, disciplined variables, mandatory CI, and real documentation, applied together.
Next¶
Continue to Part 36 — Real Production Projects.