Ansible-Lint Rule Analysis and Best Practices
By Luca Berton · Published 2024-01-01 · Category: troubleshooting
A comprehensive guide to navigate Ansible-Lint rule categories and best practices for efficient and error-free automation.

Introduction
Ansible-Lint is a powerful tool that helps Ansible users identify and correct issues in their playbooks and roles. It not only improves code quality but also ensures best practices are followed, making your automation processes more reliable and predictable.
In this article, we will explore various Ansible-Lint rules and provide insights into best practices to address the common issues flagged by these rules. We’ll cover rules related to module arguments, playbook structure, variable naming, and much more. We can list all the rules in Ansible Linter using the command ansible-lint -L.
See also: Ansible-Lint: Complete Guide to Linting Playbooks & Roles
Rule Categories
Ansible-Lint rules are organized into various categories, each addressing different aspects of the Ansible playbook and role development. Let’s dive into some of the most commonly encountered rule categories and explore them in detail.Args
- Rule Name:
args - Purpose: Validating module arguments. (syntax, experimental)
Idioms
- Rule Name:
avoid-implicit - Purpose: Avoid implicit behaviors (unpredictability)
- Rule Name:
command-instead-of-module - Purpose: Using command rather than module. (command-shell, idiom)
- Rule Name:
command-instead-of-shell - Purpose: Use shell only when shell functionality is required. (autofix, command-shell, idiom)
- Rule Name:
partial-become - Purpose: become_user should have a corresponding become at the play or task level. (autofix, unpredictability)
Deprecated
- Rule Name:
deprecated-bare-vars - Purpose: Using bare variables is deprecated. (deprecations)
- Rule Name:
deprecated-local-action - Purpose: Do not use ‘
local_action,’ use ‘delegate_to: localhost’ (autofix, deprecations)
local_action” and use “delegate_to: localhost” for better clarity and consistency in your playbooks.
- Rule Name: deprecated-module
- Purpose: Deprecated module. (deprecations)
Syntax and Formatting
- Rule Name:
no-tabs - Purpose: Most files should not contain tabs. (formatting)
-Rule Name: playbook-extension
- Purpose: Use “.yml” or “.yaml” playbook extension. (formatting)
Security
- Rule Name:
no-log-password - Purpose: Password should not be logged. (autofix, opt-in, security, experimental)
- Rule Name:
no-prompting - Purpose: Disallow prompting. (opt-in)
Best Practices
- Rule Name:
no-changed-when - Purpose: Commands should not change things if nothing needs doing. (command-shell, idempotency)
- Rule Name:
no-free-form - Purpose: Rule for detecting discouraged free-form syntax for action modules. (autofix, syntax, risk)
- Rule Name:
no-handler - Purpose: Tasks that run when changed should likely be handlers. (idiom)
Metadata
- Rule Name:
role-name - Purpose: Role name
{0}does not match^*$pattern. (deprecations, metadata)
Unpredictability
- Rule Name:
ignore-errors - Purpose: Use
failed_whenand specify error conditions instead of using ignore_errors. (unpredictability)
“failed_when” to specify error conditions rather than using “ignore_errors” for better predictability in your playbooks.
- Rule Name:
no-same-owner - Purpose: Do not preserve the owner and group when transferring files across hosts. (opt-in)
Internal
- Rule Name:
internal-error - Purpose: Unexpected internal error (core)
Experimental
- Rule Name:
syntax-check - Purpose: Ansible syntax check failed. (core, unskippable)
- Rule Name:
warning - Purpose: Other warnings detected during run. (core, experimental)
Best Practices for Ansible-Lint Rules
- Stay Updated: Regularly update Ansible-Lint to benefit from the latest rule improvements and bug fixes.
- Integrate into CI/CD: Incorporate Ansible-Lint into your CI/CD pipelines to catch issues early in the development process.
- Use Autofix: Take advantage of autofixable rules to automatically correct issues in your playbooks.
- Check for Deprecated Features: Regularly check for deprecated features and modules in your playbooks and update them to use supported alternatives.
- Follow Naming Conventions: Adhere to role naming conventions and playbook file extensions to ensure consistency and readability.
- Prioritize Security: Pay close attention to security-related rules, such as “no-log-password,” to safeguard sensitive data.
- Adopt Best Practices: Embrace best practices for playbook structure and module
Conclusion
Ansible-Lint, a powerful tool for Ansible users, enforces best practices and identifies potential issues in playbooks and roles. It covers a wide array of rule categories, from syntax and formatting to security, predictability, and deprecated features. Following its recommendations, such as avoiding deprecated modules, adhering to role naming conventions, and prioritizing security rules, ensures cleaner, more reliable automation code. By integrating Ansible-Lint into your CI/CD pipeline and staying updated with the latest rule improvements, you can maintain a high quality, consistency, and security standard in your Ansible automation, ultimately leading to more efficient and dependable processes.
Related Articles
Category: troubleshooting
Watch the video: Ansible-Lint Rule Analysis and Best Practices — Video Tutorial