# Ansible profile

Enable this profile for repositories containing Ansible playbooks, roles, inventories, or automation scripts.

## Rules

Codex MUST:

- prefer idempotent tasks;
- use Ansible builtin modules instead of `shell` or `command` when possible;
- use `service_facts` when checking service availability or service state;
- use `become` explicitly when privilege escalation is needed;
- avoid `ignore_errors` unless explicitly justified;
- avoid `changed_when: false` unless semantically correct;
- avoid storing secrets in plain YAML;
- keep roles and tasks modular;
- write comments in English;
- preserve compatibility requirements stated in the repository.

## Validation examples

Use Docker-based validation commands configured for the project, for example:

```bash
docker compose run --rm ansible ansible-playbook --syntax-check playbook.yml
```

```bash
docker compose run --rm ansible ansible-lint
```

## Shell and command usage

`shell` and `command` are allowed only when there is no suitable module or when interacting with legacy tools.

When using `shell` or `command`, Codex SHOULD:

- make the task idempotent;
- define `changed_when` and `failed_when` where needed;
- explain why a module is not used.
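
The play below is an added illustration of the `shell`/`command` rules above, not part of the original profile or of any project's code. The `legacyctl` CLI, the `app-legacy.service` unit, the `app_servers` group and the `legacy_pool` variable are hypothetical, and `legacyctl pool list` is assumed to print one pool name per line.

```yaml
---
# Added example. `legacyctl`, `app-legacy.service`, `app_servers` and
# `legacy_pool` are hypothetical names used only for illustration.
- name: Manage a pool through a legacy CLI
  hosts: app_servers
  become: false                  # escalate per task, not play-wide
  vars:
    legacy_pool: batch
  tasks:
    - name: Gather service facts
      ansible.builtin.service_facts:

    - name: Stop early if the legacy service is not running
      ansible.builtin.assert:
        that:
          - "'app-legacy.service' in ansible_facts.services"
          - ansible_facts.services['app-legacy.service'].state == 'running'
        fail_msg: app-legacy.service must be running before pools are managed

    # No module exists for legacyctl, so `command` is used. `shell` is not
    # needed: there are no pipes or redirections, and `argv` passes the
    # arguments without shell parsing of variable content.
    - name: Read current pools (read-only query)
      ansible.builtin.command:
        argv: [legacyctl, pool, list]
      register: pool_list
      changed_when: false        # semantically correct: the task only reads
      failed_when: pool_list.rc != 0
      check_mode: false          # read-only, so it also runs under --check

    # Assumption: `legacyctl pool list` prints one pool name per line.
    - name: Create the pool only when it is absent
      ansible.builtin.command:
        argv: [legacyctl, pool, create, "{{ legacy_pool }}"]
      become: true               # pool creation requires root
      when: legacy_pool not in pool_list.stdout_lines
      register: pool_create
      changed_when: pool_create.rc == 0
      failed_when: pool_create.rc != 0
```

The `when` guard is what makes the second task idempotent: a repeat run finds the pool in the query output and skips the create call instead of reporting a change.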