.yml
{{ var }} not $var
{{ var }} not {{var}}
EDXAPP_FOO
my_role) not dashes (my-role).
my_path: /foo not my_path: /foo/. When concatenating paths, follow the same convention (e.g. {{ my_path }}/bar not {{ my_path }}bar)
when: for conditionals - To check if a variable is defined when: my_var is defined or when: my_var is not defined
To verify return status (see conditionals)

    - command: /bin/false
      register: my_result
      ignore_errors: True
    # Test syntax; the older filter form (my_result|failed) was removed in Ansible 2.9.
    - debug: msg="task failed"
      when: my_result is failed

Use yaml-style blocks.
Good:

    - file:
        dest: "{{ test }}"
        src: "./foo.txt"
        mode: 0770
        state: present
        user: "root"
        group: "wheel"

Bad:

    - file: >
        dest={{ test }} src=./foo.txt mode=0770
        state=present user=root group=wheel

Break long lines using yaml line continuation.
Reference: http://docs.ansible.com/playbooks_intro.html

    - shell: >
        python a very long command --with=very --long-options=foo
        --and-even=more_options --like-these

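The style conventions above can be checked mechanically before review. The following is an added example, not code from the original page or its repository; the rule names, the `lint` function and the sample input are assumptions made for illustration, and the regex checks are line-based heuristics rather than a YAML parser.

```python
import re

# Heuristic line checks for the conventions above. Rule ids are illustrative
# names chosen for this example; they are not part of Ansible or the repository.
RULES = [
    ("jinja-spacing", re.compile(r"\{\{[^\s{]|[^\s}]\}\}"),
     "write {{ var }}, not {{var}}"),
    # Also matches shell environment references such as $HOME; review by hand.
    ("dollar-var", re.compile(r"(?<![\w\\])\$\{?[A-Za-z_]\w*"),
     "write {{ var }}, not $var"),
    ("trailing-slash",
     re.compile(r"^\s*(?:-\s+)?\w+:\s*[\"']?(?:/|\{\{).*/[\"']?\s*$"),
     "path values must not end with a slash"),
    # Limited to variables named *path, *dir, *root or *bin to reduce noise.
    ("path-concat",
     re.compile(r"\{\{\s*\w*(?:path|dir|root|bin)\s*\}\}\w", re.I),
     "join path segments with a slash: {{ my_path }}/bar"),
    # Two or more key=value tokens on a line; --option=value flags are ignored.
    ("key-value-args", re.compile(r"(?<![-\w])\w+=\S.*\s\w+=\S"),
     "use yaml-style blocks instead of key=value arguments"),
]

# Constructed sample input, not taken from the repository.
SAMPLE = """\
my_path: /foo/
other_path: /foo
log_file: "{{ my_path }}bar"
ok_file: "{{ my_path }}/bar"
- debug: msg="dir is $my_path and {{other_path}}"
- file: >
    dest={{ test }} src=./foo.txt mode=0770
- shell: >
    python cmd --with=very --long-options=foo
"""

def lint(text):
    """Return (line_number, rule_id) for every convention violation found."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip YAML comment lines
            continue
        findings += [(n, rid) for rid, pat, _msg in RULES if pat.search(line)]
    return findings

if __name__ == "__main__":
    messages = {rid: msg for rid, _pat, msg in RULES}
    for n, rid in lint(SAMPLE):
        print(f"line {n}: {rid}: {messages[rid]}")
```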
Every role should have a standard set of role directories. Example for a role that includes a Python and a Ruby virtualenv:

    edxapp_data_dir: "{{ COMMON_DATA_DIR }}/edxapp"
    edxapp_app_dir: "{{ COMMON_APP_DIR }}/edxapp"
    edxapp_log_dir: "{{ COMMON_LOG_DIR }}/edxapp"
    edxapp_venvs_dir: "{{ edxapp_app_dir }}/venvs"
    edxapp_venv_dir: "{{ edxapp_venvs_dir }}/edxapp"
    edxapp_venv_bin: "{{ edxapp_venv_dir }}/bin"
    edxapp_rbenv_dir: "{{ edxapp_app_dir }}"
    edxapp_rbenv_root: "{{ edxapp_rbenv_dir }}/.rbenv"
    edxapp_rbenv_shims: "{{ edxapp_rbenv_root }}/shims"
    edxapp_rbenv_bin: "{{ edxapp_rbenv_root }}/bin"
    edxapp_gem_root: "{{ edxapp_rbenv_dir }}/.gem"
    edxapp_gem_bin: "{{ edxapp_gem_root }}/bin"

As a general policy we want to protect the following data:
Directory structure for the secure repository:
ansible
├── files
├── keys
└── vars
Secure vars are set in files under the 'ansible/vars' directory. These files are passed in when the relevant ansible-playbook commands are run. If you need a secure variable defined, give it a name and use it in your playbooks like any other variable. Its value should be set in the secure vars files of the relevant deployment (edx, edge, etc.). If you don't have access to this repository, you'll need to submit a ticket to the devops team to make the secure change.