Ansible Validator

Overview

Comprehensive toolkit for validating, linting, and testing Ansible playbooks, roles, and collections. This skill provides automated workflows for ensuring Ansible code quality, syntax validation, dry-run testing with check mode and molecule, and intelligent documentation lookup for custom modules and collections with version awareness.

Default behavior: When validating any Ansible role with a molecule/ directory, attempt Molecule automatically using bash scripts/test_role.sh <role-path> . If Molecule cannot run due to environment/runtime limits, mark Molecule as BLOCKED , report why, and continue all non-Molecule validation steps.

Trigger Guidance

Use this skill when the request is about validating or debugging existing Ansible code, not generating new code.

Common trigger phrases:

• "validate this playbook"

• "lint this role"

• "why is ansible-lint failing"

• "run check mode safely"

• "test this role with molecule"

• "find security issues in these Ansible files"

• "module not found in this collection"

When to Use This Skill

Apply this skill when encountering any of these scenarios:

• Working with Ansible files (.yml , .yaml playbooks, roles, inventories, vars)

• Validating Ansible playbook syntax and structure

• Linting and formatting Ansible code

• Performing dry-run testing with ansible-playbook --check

• Testing roles and playbooks with Molecule

• Debugging Ansible errors or misconfigurations

• Understanding custom Ansible modules, collections, or roles

• Ensuring infrastructure-as-code best practices

• Security validation of Ansible playbooks

• Version compatibility checks for collections and modules

Preflight (Run First)

Run preflight before validation to avoid dead ends:

bash scripts/setup_tools.sh

Command path assumption: run commands from this skill root (devops-skills-plugin/skills/ansible-validator ) or use absolute paths.

Preflight requirements:

• Baseline validation: ansible , ansible-playbook , ansible-lint (plus yamllint recommended)

• Molecule execution: molecule plus an available runtime (docker or podman )

• Security scanning: checkov (wrapper can bootstrap if missing)

Deterministic fallback rules:

• If baseline tools are missing but Python + pip are available, wrapper scripts bootstrap temporary environments automatically.

• If wrapper bootstrap fails (offline index, pip failure, missing Python), run direct commands for available tools, mark missing stages as BLOCKED , and continue.

• If Molecule runtime is unavailable (Docker/Podman missing or daemon not running), skip Molecule execution, mark as BLOCKED , and continue remaining stages.

Wrapper vs Direct Command Routing

Use wrappers by default for consistent behavior and fallback handling.

Validation scenario Default command Use direct command when Fallback if command cannot run

Playbook syntax/lint bash scripts/validate_playbook.sh <playbook.yml>

User asks for a single focused check only (ansible-playbook --syntax-check , ansible-lint , or yamllint ) Run any available direct checks and report skipped checks as BLOCKED

Role structural validation bash scripts/validate_role.sh <role-dir>

User asks only for specific sub-checks (for example, structure only) Run structure/YAML checks that are possible and report missing stages

Role Molecule execution bash scripts/test_role.sh <role-dir> [scenario]

User explicitly asks for manual stage-by-stage Molecule commands Mark Molecule BLOCKED with reason and continue non-Molecule role checks

Security scanning bash scripts/validate_playbook_security.sh <path> or bash scripts/validate_role_security.sh <path> plus bash scripts/scan_secrets.sh <path>

User requests raw Checkov output formatting or custom flags Run whichever scanner is available; if one is missing, run the other and report coverage gap

Module/collection discovery bash scripts/extract_ansible_info_wrapper.sh <path>

Python environment is already known-good and user wants direct parser output If extraction fails, manually inspect requirements.yml /galaxy.yml and continue with best-effort lookup

Validation Workflow

Follow this deterministic workflow and never stop at a missing dependency:

0. Preflight ├─> Run: bash scripts/setup_tools.sh ├─> Record tool/runtime readiness └─> Continue even when optional tools are missing

1. Identify scope ├─> Single playbook validation ├─> Role validation ├─> Collection validation └─> Multi-playbook/inventory validation

2. Syntax Validation ├─> Run ansible-playbook --syntax-check ├─> Run yamllint for YAML syntax └─> Report as PASS/FAIL/BLOCKED

3. Lint and Best Practices ├─> Run ansible-lint (comprehensive linting) ├─> Check for deprecated modules (see references/module_alternatives.md) ├─> DETECT NON-FQCN MODULE USAGE (apt vs ansible.builtin.apt) │ └─> Run bash scripts/check_fqcn.sh to identify short module names │ └─> Recommend FQCN alternatives from references/module_alternatives.md ├─> Verify role structure └─> Report linting issues

4. Dry-Run Testing (check mode) ├─> Run ansible-playbook --check (if inventory available) ├─> Analyze what would change └─> Report potential issues

5. Molecule Testing (for roles with molecule/) - AUTOMATIC ATTEMPT ├─> Check if molecule/ directory exists in role ├─> If present, run: bash scripts/test_role.sh <role-path> [scenario] ├─> If script exits 2, mark Molecule as BLOCKED (environment/runtime issue) ├─> If script exits 1, mark Molecule as FAIL (role/test issue) └─> Continue remaining validation regardless of Molecule outcome

6. Custom Module/Collection Analysis (if detected) ├─> Extract module/collection information ├─> Identify versions ├─> Lookup documentation (Context7 first, then web.search_query fallback) └─> Provide version-specific guidance

7. Security and Best Practices Review - DUAL SCANNING DEFAULT ├─> Run bash scripts/validate_playbook_security.sh or validate_role_security.sh (Checkov) ├─> Run bash scripts/scan_secrets.sh for hardcoded secret detection │ └─> This catches secrets Checkov may miss (passwords, API keys, tokens) ├─> If one scanner is unavailable, run the other and report reduced coverage ├─> Validate privilege escalation ├─> Review file permissions └─> Identify common anti-patterns

8. Reference Routing ├─> Map each error/warning class to the matching reference file ├─> Extract concrete remediation from references (not file-name-only mention) └─> Include source section + fix guidance in final report

9. Final Report (required format) ├─> Summary counts: PASS / FAIL / BLOCKED / SKIPPED ├─> Findings grouped by severity ├─> Tool/runtime blockers with exact command that failed └─> Next actions to reach full validation coverage

Status contract: BLOCKED means validation could not run due to environment/runtime constraints; FAIL means the Ansible code or tests failed.

Error-Class Reference Routing

When issues are detected, consult the mapped reference and include a specific remediation excerpt in the report.

Error class Typical detector Required reference Required action

YAML parse/format errors yamllint , ansible-playbook --syntax-check

references/common_errors.md (Syntax Errors) Quote the matching syntax fix pattern and apply corrected YAML structure

Module/action resolution errors ansible-playbook , ansible-lint

references/common_errors.md (Module/Collection Errors) Provide install/version fix commands (ansible-galaxy collection install ... )

Deprecated or non-FQCN module usage ansible-lint , bash scripts/check_fqcn.sh

references/module_alternatives.md

Provide exact FQCN/module replacement per finding

Template/variable errors ansible-playbook , check mode references/common_errors.md (Template/Variable Errors), references/best_practices.md (Variable Management) Recommend default() , required() , or type conversion fixes

Connection/inventory/privilege errors ansible-playbook --check , runtime output references/common_errors.md (Connection, Inventory, Privilege sections) Provide corrected inventory/auth/become configuration

Security policy failures (CKV_) validate__security.sh / Checkov references/security_checklist.md

Map failed policy to a secure task rewrite

Hardcoded secrets bash scripts/scan_secrets.sh

references/security_checklist.md (Secrets Management) Replace with Vault/env/external secret manager approach

Role structure/idempotency warnings validate_role.sh , Molecule idempotence references/best_practices.md

Provide role layout or idempotency remediation steps

External documentation lookup trigger:

• If the issue involves a custom/private collection or unknown module parameters not covered locally, run module discovery + documentation lookup (see section 7).

Core Capabilities

1. YAML Syntax Validation

Purpose: Ensure YAML files are syntactically correct before Ansible parsing.

Tools:

• yamllint

• YAML linter for syntax and formatting

• ansible-playbook --syntax-check

• Ansible-specific syntax validation

Workflow:

Check YAML syntax with yamllint

yamllint playbook.yml

Or for entire directory

yamllint -c .yamllint .

Check Ansible playbook syntax

ansible-playbook playbook.yml --syntax-check

Common Issues Detected:

• Indentation errors

• Invalid YAML syntax

• Duplicate keys

• Trailing whitespace

• Line length violations

• Missing colons or quotes

Best Practices:

• Always run yamllint before ansible-lint

• Use 2-space indentation consistently

• Configure yamllint rules in .yamllint

• Fix YAML syntax errors first, then Ansible-specific issues

2. Ansible Lint

Purpose: Enforce Ansible best practices and catch common errors.

Workflow:

Lint a single playbook

ansible-lint playbook.yml

Lint all playbooks in directory

ansible-lint .

Lint with specific rules

ansible-lint -t yaml,syntax playbook.yml

Skip specific rules

ansible-lint -x yaml[line-length] playbook.yml

Output parseable format

ansible-lint -f pep8 playbook.yml

Show rule details

ansible-lint -L

Common Issues Detected:

• Deprecated modules or syntax

• Missing task names

• Improper use of command vs shell

• Unquoted template expressions

• Hard-coded values that should be variables

• Missing become directives

• Inefficient task patterns

• Jinja2 template errors

• Incorrect variable usage

• Role dependencies issues

Severity Levels:

• Error: Must fix - will cause failures

• Warning: Should fix - potential issues

• Info: Consider fixing - best practice violations

Auto-fix approach:

• ansible-lint supports --fix for auto-fixable issues

• Always review changes before applying

• Some issues require manual intervention

3. Security Scanning (Checkov)

Purpose: Identify security vulnerabilities and compliance violations in Ansible code using Checkov, a static code analysis tool for infrastructure-as-code.

What Checkov Provides Beyond ansible-lint:

While ansible-lint focuses on code quality and best practices, Checkov specifically targets security policies and compliance:

• SSL/TLS Security: Certificate validation enforcement

• HTTPS Enforcement: Ensures secure protocols for downloads

• Package Security: GPG signature verification for packages

• Cloud Security: AWS, Azure, GCP misconfiguration detection

• Compliance Frameworks: Maps to security standards

• Network Security: Firewall and network policy validation

Workflow:

Scan playbook for security issues

bash scripts/validate_playbook_security.sh playbook.yml

Scan entire directory

bash scripts/validate_playbook_security.sh /path/to/playbooks/

Scan role for security issues

bash scripts/validate_role_security.sh roles/webserver/

Direct checkov usage

checkov -d . --framework ansible

Scan with specific output format

checkov -d . --framework ansible --output json

Scan and skip specific checks

checkov -d . --framework ansible --skip-check CKV_ANSIBLE_1

Common Security Issues Detected:

Certificate Validation:

• CKV_ANSIBLE_1: URI module disabling certificate validation

• CKV_ANSIBLE_2: get_url disabling certificate validation

• CKV_ANSIBLE_3: yum disabling certificate validation

• CKV_ANSIBLE_4: yum disabling SSL verification

HTTPS Enforcement:

• CKV2_ANSIBLE_1: URI module using HTTP instead of HTTPS

• CKV2_ANSIBLE_2: get_url using HTTP instead of HTTPS

Package Security:

• CKV_ANSIBLE_5: apt installing packages without GPG signature

• CKV_ANSIBLE_6: apt using force parameter bypassing signatures

• CKV2_ANSIBLE_4:* dnf installing packages without GPG signature

• CKV2_ANSIBLE_5: dnf disabling SSL verification

• CKV2_ANSIBLE_6: dnf disabling certificate validation

Error Handling:

• CKV2_ANSIBLE_3: Block missing error handling

Cloud Security (when managing cloud resources):

• CKV_AWS_88: EC2 instances with public IPs

• CKV_AWS_135: EC2 instances without EBS optimization

Example Violation:

BAD - Disables certificate validation

• name: Download file get_url: url: https://example.com/file.tar.gz dest: /tmp/file.tar.gz validate_certs: false # Security issue!

GOOD - Certificate validation enabled

• name: Download file get_url: url: https://example.com/file.tar.gz dest: /tmp/file.tar.gz validate_certs: true # Or omit (true by default)

Integration with Validation Workflow:

Checkov complements ansible-lint:

• ansible-lint catches code quality issues, deprecated modules, best practices

• Checkov catches security vulnerabilities, compliance violations, cryptographic issues

Best Practice: Run both tools for comprehensive validation:

Complete validation workflow

bash scripts/validate_playbook.sh playbook.yml # Syntax + Lint bash scripts/validate_playbook_security.sh playbook.yml # Security

Output Format:

Checkov provides clear security scan results:

Security Scan Results: Passed: 15 checks Failed: 2 checks Skipped: 0 checks

Failed Checks: Check: CKV_ANSIBLE_2 - "Ensure that certificate validation isn't disabled with get_url" FAILED for resource: tasks/main.yml:download_file File: /roles/webserver/tasks/main.yml:10-15

Remediation Resources:

• Checkov Policy Index: https://www.checkov.io/5.Policy%20Index/ansible.html

• Ansible Security Checklist: references/security_checklist.md

• Ansible Best Practices: references/best_practices.md

Installation:

Checkov is automatically installed in a temporary environment if not available system-wide. For permanent installation:

pip3 install checkov

When to Use:

• Before deploying to production

• In CI/CD pipelines for automated security checks

• When working with sensitive infrastructure

• For compliance audits and security reviews

• When downloading files or installing packages

• When managing cloud resources with Ansible

4. Playbook Syntax Check

Purpose: Validate playbook syntax without executing tasks.

Workflow:

Basic syntax check

ansible-playbook playbook.yml --syntax-check

Syntax check with inventory

ansible-playbook -i inventory playbook.yml --syntax-check

Syntax check with extra vars

ansible-playbook playbook.yml --syntax-check -e @vars.yml

Check all playbooks

for file in *.yml; do ansible-playbook "$file" --syntax-check done

Validation Checks:

• YAML parsing

• Playbook structure

• Task definitions

• Variable references

• Module parameter syntax

• Jinja2 template syntax

• Include/import statements

Error Handling:

• Parse error messages for specific issues

• Check for typos in module names

• Verify variable definitions

• Ensure proper indentation

• Check file paths for includes/imports

5. Dry-Run Testing (Check Mode)

Purpose: Preview changes that would be made without actually applying them.

Workflow:

Run in check mode (dry-run)

ansible-playbook -i inventory playbook.yml --check

Check mode with diff

ansible-playbook -i inventory playbook.yml --check --diff

Check mode with verbose output

ansible-playbook -i inventory playbook.yml --check -v

Check mode for specific hosts

ansible-playbook -i inventory playbook.yml --check --limit webservers

Check mode with tags

ansible-playbook -i inventory playbook.yml --check --tags deploy

Step through tasks

ansible-playbook -i inventory playbook.yml --check --step

Check Mode Analysis:

When reviewing check mode output, focus on:

Task Changes:

• ok : No changes needed

• changed : Would make changes

• failed : Would fail (check for check_mode support)

• skipped : Conditional skip

Diff Output:

• Shows exact changes to files

• Helps identify unintended modifications

• Useful for reviewing template changes

Handlers:

• Which handlers would be notified

• Service restarts that would occur

• Potential downtime

Failed Tasks:

• Some modules don't support check mode

• May need check_mode: no override

• Identify tasks that would fail

Limitations:

• Not all modules support check mode

• Some tasks depend on previous changes

• May not accurately reflect all changes

• Stateful operations may show unexpected results

Safety Considerations:

• Always run check mode before real execution

• Review diff output carefully

• Test in non-production first

• Validate changes make sense

• Check for unintended side effects

6. Molecule Testing

Purpose: Test Ansible roles in isolated environments with multiple scenarios.

Automatic attempt policy: When validating any Ansible role with a molecule/ directory, automatically attempt Molecule tests using bash scripts/test_role.sh <role-path> [scenario] .

When to Use:

• Automatically triggered when validating roles with molecule/ directory

• Testing roles before deployment

• Validating role compatibility across different OS versions

• Integration testing for complex roles

• CI/CD pipeline validation

Workflow:

Initialize molecule for a role

cd roles/myrole molecule init scenario --driver-name docker

List scenarios

molecule list

Run full test sequence

molecule test

Individual test stages

molecule create # Create test instances molecule converge # Run Ansible against instances molecule verify # Run verification tests molecule destroy # Destroy test instances

Test with specific scenario

molecule test -s alternative

Debug mode

molecule --debug test

Keep instances for debugging

molecule converge molecule login # SSH into test instance

Test Sequence:

• dependency

• Install role dependencies

• lint

• Run yamllint and ansible-lint

• cleanup

• Clean up before testing

• destroy

• Destroy existing instances

• syntax

• Run syntax check

• create

• Create test instances

• prepare

• Prepare instances (install requirements)

• converge

• Run the role

• idempotence

• Run again, verify no changes

• side_effect

• Optional side effect playbook

• verify

• Run verification tests (Testinfra, etc.)

• cleanup

• Final cleanup

• destroy

• Destroy test instances

Molecule Configuration:

Check molecule/default/molecule.yml :

dependency: name: galaxy driver: name: docker platforms:

• name: instance image: ubuntu:22.04 provisioner: name: ansible verifier: name: ansible

Verification Tests:

Molecule supports multiple verifiers:

• Ansible (built-in): Use Ansible tasks to verify

• Testinfra: Python-based infrastructure tests

• Goss: YAML-based server validation

Example Ansible verifier (molecule/default/verify.yml ):

• name: Verify hosts: all tasks:
  • name: Check service is running service: name: nginx state: started check_mode: true register: result failed_when: result.changed

Common Molecule Errors:

• Driver not installed (docker, podman, vagrant)

• Missing Python dependencies

• Platform image not available

• Network connectivity issues

• Insufficient permissions for driver

Molecule Skip/Fallback Policy (Required):

• If molecule/ does not exist: mark Molecule as SKIPPED and continue.

• If test_role.sh exits 2 : mark Molecule as BLOCKED (missing/unavailable runtime dependency) and continue.

• If test_role.sh exits 1 : mark Molecule as FAIL (role/test issue) and continue.

• Never stop the full validation report because Molecule is blocked.

Use this reporting language for blocked Molecule runs:

Molecule Status: BLOCKED Reason: <missing dependency/runtime and failing command> Fallback Applied: Completed syntax, lint, check-mode, and security validation without Molecule runtime tests. Next Action: <install/start dependency>; rerun bash scripts/test_role.sh <role-path> [scenario]

7. Custom Module and Collection Documentation Lookup

Purpose: Automatically discover and retrieve version-specific documentation for custom modules and collections using web search and Context7 MCP.

When to Trigger:

• Encountering unfamiliar module usage

• Working with custom/private collections

• Debugging module-specific errors

• Understanding new module parameters

• Checking version compatibility

• Deprecated module alternatives

Detection Workflow:

Extract Module Information:

• Use scripts/extract_ansible_info_wrapper.sh to parse playbooks and roles

• Identify module usage and collections

• Extract version constraints from requirements.yml

Extract Collection Information:

• Identify collection namespaces (e.g., community.general , ansible.posix )

• Determine collection versions from requirements.yml or galaxy.yml

• Detect custom/private vs. public collections

Documentation Lookup Strategy:

Use this deterministic lookup order:

• For public collections/modules:

• Resolve library: mcp__context7__resolve-library-id

• Query docs: mcp__context7__query-docs

• If Context7 has no suitable result:

• Use web search via web.search_query with versioned queries

• Prioritize official docs (docs.ansible.com, galaxy.ansible.com, vendor docs)

• For custom/private modules:

• Prefer in-repo docs (README , module docs, role docs) first

• Then use targeted web search with collection/module/version terms

• Always report source + version context used in final guidance

Search Query Templates:

For custom modules

"[module-name] ansible module version [version] documentation" "[module-name] ansible [module-type] example" "ansible [collection-name].[module-name] parameters"

For custom collections

"ansible collection [collection-name] version [version]" "[collection-namespace].[collection-name] ansible documentation" "ansible galaxy [collection-name] modules"

For specific errors

"ansible [module-name] error: [error-message]" "ansible [collection-name] module failed"

Example Workflow:

User working with: community.docker.docker_container version 3.0.0

1. Extract module info from playbook: tasks:

   • name: Start container community.docker.docker_container: name: myapp image: nginx:latest

2. Detect collection: community.docker

3. Search for documentation:

   • Try Context7: mcp__context7__resolve-library-id("ansible community.docker")
   • Fallback to web.search_query("ansible community.docker collection version 3.0 docker_container module documentation")

4. If official docs found:

   • Parse module parameters (required vs optional)
   • Identify return values
   • Find usage examples
   • Check version compatibility

5. Provide version-specific guidance to user

Version Compatibility Checks:

• Compare required collection versions with available versions

• Identify deprecated modules or parameters

• Suggest upgrade paths if using outdated versions

• Warn about breaking changes between versions

• Check Ansible core version compatibility

Common Collection Sources:

• Ansible Galaxy: Official community collections

• Red Hat Automation Hub: Certified collections

• GitHub: Custom/private collections

• Internal repositories: Company-specific collections

8. Security and Best Practices Validation

Purpose: Identify security vulnerabilities and anti-patterns in Ansible playbooks.

Security Checks:

Secrets Detection:

Check for hardcoded credentials

grep -r "password:" *.yml grep -r "secret:" *.yml grep -r "api_key:" *.yml grep -r "token:" *.yml

Remediation: Use Ansible Vault, environment variables, or external secret management

Privilege Escalation:

• Unnecessary use of become: yes

• Missing become_user specification

• Over-permissive sudo rules

• Running entire playbooks as root

File Permissions:

• World-readable sensitive files

• Missing mode parameter on file/template tasks

• Incorrect ownership settings

• Sensitive files not encrypted with vault

Command Injection:

• Unvalidated variables in shell/command modules

• Missing quote filter for user input

• Direct use of {{ var }} in command strings

Network Security:

• Unencrypted protocols (HTTP instead of HTTPS)

• Missing SSL/TLS validation

• Exposing services on 0.0.0.0

• Insecure default ports

Best Practices:

Playbook Organization:

• Logical task separation

• Reusable roles for common patterns

• Clear directory structure

• Meaningful playbook names

Variable Management:

• Vault encryption for sensitive data

• Clear variable naming conventions

• Variable precedence awareness

• Group/host vars organization

• Default values using default() filter

Task Naming:

• Descriptive task names

• Consistent naming convention

• Action-oriented descriptions

• Include changed resource in name

Idempotency:

• All tasks should be idempotent

• Use proper modules instead of command/shell

• Check mode compatibility

• Proper use of creates , removes for command tasks

• Avoid changed_when: false unless necessary

Error Handling:

• Use failed_when for custom failure conditions

• Implement block/rescue/always for error recovery

• Set appropriate any_errors_fatal

• Use ignore_errors sparingly

Documentation:

• README for each role

• Variable documentation in defaults/main.yml

• Role metadata in meta/main.yml

• Playbook header comments

Reference Documentation:

For detailed security guidelines and best practices, refer to:

• references/security_checklist.md

• Common security vulnerabilities

• references/best_practices.md

• Ansible coding standards

• references/common_errors.md

• Common errors and solutions

Tool Prerequisites

Run this preflight before validation:

Preferred one-shot preflight

bash scripts/setup_tools.sh

Check Ansible installation

ansible --version ansible-playbook --version

Check ansible-lint installation

ansible-lint --version

Check yamllint installation

yamllint --version

Check molecule installation (for role testing with molecule/)

molecule --version

Check container runtime for Molecule

docker --version docker info

or

podman --version podman info

Install missing tools (example for pip)

pip install ansible ansible-lint yamllint ansible-compat

Install molecule with docker driver

pip install molecule molecule-docker

Install molecule with podman driver (alternative)

pip install molecule molecule-podman

Minimum Versions:

• Ansible: >= 2.9 (recommend >= 2.12)

• ansible-lint: >= 6.0.0

• yamllint: >= 1.26.0

• molecule: >= 3.4.0 (if testing roles)

Execution policy when tools are missing:

• If ansible /ansible-lint are missing, wrappers (validate_playbook.sh , validate_role.sh ) attempt temporary venv bootstrap.

• If Molecule runtime (docker info or podman info ) is unavailable, Molecule is BLOCKED and non-Molecule checks continue.

• If checkov is missing, security wrappers bootstrap it when possible; otherwise run scan_secrets.sh and report reduced security coverage.

Optional Tools:

• ansible-inventory

• Inventory validation and graphing

• ansible-doc

• Module documentation lookup

• jq

• JSON parsing for structured output

Error Troubleshooting

Common Errors and Solutions

Error: Module Not Found

Solution: Install required collection with ansible-galaxy Check collections/requirements.yml Verify collection namespace and name

Error: Undefined Variable

Solution: Define variable in vars, defaults, or group_vars Check variable precedence Use default() filter for optional variables Verify variable file is included

Error: Template Syntax Error

Solution: Check Jinja2 template syntax Verify variable types match filters Ensure proper quote escaping Test template rendering separately

Error: Connection Failed

Solution: Verify inventory host accessibility Check SSH configuration and keys Verify ansible_host and ansible_port Test with ansible -m ping

Error: Permission Denied

Solution: Add become: yes for privilege escalation Verify sudo/su configuration Check file permissions Verify user has necessary privileges

Error: Deprecated Module

Solution: Check ansible-lint output for replacement Consult module documentation for alternatives Update to recommended module Test functionality with new module

Resources

scripts/

setup_tools.sh - Preflight checker for Ansible validator dependencies. Verifies baseline tools (ansible , ansible-playbook , ansible-lint , yamllint ) and Molecule runtime readiness (docker /podman ) and provides installation guidance.

Usage:

bash scripts/setup_tools.sh

extract_ansible_info_wrapper.sh - Bash wrapper for extract_ansible_info.py that automatically handles PyYAML dependencies. Creates a temporary venv if PyYAML is not available in system Python.

Usage:

bash scripts/extract_ansible_info_wrapper.sh <path-to-playbook-or-role>

Output: JSON structure with modules, collections, and versions

extract_ansible_info.py - Python script (called by wrapper) to parse Ansible playbooks and roles to extract module usage, collection dependencies, and version information. The wrapper script handles dependency management automatically.

validate_playbook.sh - Comprehensive validation script that runs syntax check, yamllint, and ansible-lint on playbooks. Automatically installs ansible and ansible-lint in a temporary venv if not available on the system (prefers system versions when available).

Usage:

bash scripts/validate_playbook.sh <playbook.yml>

validate_playbook_security.sh - Security validation script that scans playbooks for security vulnerabilities using Checkov. Automatically installs checkov in a temporary venv if not available. Complements validate_playbook.sh by focusing on security-specific checks like SSL/TLS validation, HTTPS enforcement, and package signature verification.

Usage:

bash scripts/validate_playbook_security.sh <playbook.yml>

Or scan entire directory

bash scripts/validate_playbook_security.sh /path/to/playbooks/

validate_role.sh - Comprehensive role validation script that checks role structure, YAML syntax, Ansible syntax, linting, and molecule configuration.

Usage:

bash scripts/validate_role.sh <role-directory>

Validates:

• Role directory structure (required and recommended directories)

• Presence of main.yml files in each directory

• YAML syntax across all role files

• Ansible syntax using a test playbook

• Best practices with ansible-lint

• Molecule test configuration

validate_role_security.sh - Security validation script for Ansible roles using Checkov. Scans entire role directory for security issues. Automatically installs checkov in a temporary venv if not available. Complements validate_role.sh with security-focused checks.

Usage:

bash scripts/validate_role_security.sh <role-directory>

test_role.sh - Wrapper script for Molecule testing with automatic dependency installation. If molecule is missing, it creates a temporary venv and installs dependencies. Returns exit code 2 for environment/runtime blockers (for example missing Docker/Podman runtime) and exit code 1 for role/test failures.

Usage:

bash scripts/test_role.sh <role-directory> [scenario]

scan_secrets.sh - Comprehensive secret scanner that uses grep-based pattern matching to detect hardcoded secrets in Ansible files. Complements Checkov security scanning by catching secrets that static analysis may miss, including passwords, API keys, tokens, AWS credentials, and private keys.

Usage:

bash scripts/scan_secrets.sh <playbook.yml|role-directory|directory>

Detects:

• Hardcoded passwords and credentials

• API keys and tokens

• AWS access keys and secret keys

• Database connection strings with embedded credentials

• Private key content (RSA, OpenSSH, EC, DSA)

IMPORTANT: This script should ALWAYS be run alongside Checkov (validate_*_security.sh ) for comprehensive security scanning. Checkov catches SSL/TLS and protocol issues; this script catches hardcoded secrets.

check_fqcn.sh - Scans Ansible files to identify modules using short names instead of Fully Qualified Collection Names (FQCN). Recommends migration to ansible.builtin.* or appropriate collection namespace for better clarity and future compatibility.

Usage:

bash scripts/check_fqcn.sh <playbook.yml|role-directory|directory>

Detects:

• ansible.builtin modules (apt, yum, copy, file, template, service, etc.)

• community.general modules (ufw, docker_container, timezone, etc.)

• ansible.posix modules (synchronize, acl, firewalld, etc.)

Provides specific migration recommendations with FQCN alternatives.

validate_inventory.sh - Validates Ansible inventory files and directories. Checks YAML syntax, resolves host/group hierarchy, and flags common structural issues such as plaintext credentials and missing ansible_connection=local for localhost entries. Automatically installs ansible in a temporary venv if not available.

Usage:

bash scripts/validate_inventory.sh <inventory-file|inventory-directory>

Validation stages:

• YAML syntax check (yamllint) on all inventory YAML files

• Inventory parse — ansible-inventory --list to verify host/group resolution

• Host graph — ansible-inventory --graph to display group hierarchy

• Structural checks — plaintext passwords, localhost connection settings, group_vars/host_vars presence

references/

security_checklist.md - Comprehensive security validation checklist for Ansible playbooks covering secrets management, privilege escalation, file permissions, and command injection.

best_practices.md - Ansible coding standards and best practices for playbook organization, variable handling, task naming, idempotency, and documentation.

common_errors.md - Database of common Ansible errors with detailed solutions and prevention strategies.

module_alternatives.md - Guide for replacing deprecated modules with current alternatives.

assets/

.yamllint - Pre-configured yamllint rules for Ansible YAML files.

.ansible-lint - Pre-configured ansible-lint configuration with reasonable rule settings.

molecule.yml.template - Template molecule configuration for role testing.

Workflow Examples

Example 1: Validate a Single Playbook

User: "Check if this playbook.yml file is valid"

Steps:

1. Run preflight: bash scripts/setup_tools.sh
2. Run wrapper: bash scripts/validate_playbook.sh playbook.yml
3. If inventory is provided, run check mode: ansible-playbook -i <inventory> playbook.yml --check --diff
4. Run security wrappers:
   • bash scripts/validate_playbook_security.sh playbook.yml
   • bash scripts/scan_secrets.sh playbook.yml
5. If custom modules are detected, run docs lookup workflow (Context7 first, web fallback)
6. Report results with PASS/FAIL/BLOCKED/SKIPPED counts and remediation steps

Example 2: Validate an Ansible Role

User: "Validate my ansible role in ./roles/webserver/"

Steps:

1. Run preflight: bash scripts/setup_tools.sh
2. Run role wrapper: bash scripts/validate_role.sh ./roles/webserver/
3. This checks:
   • Role directory structure (tasks/, defaults/, handlers/, meta/, etc.)
   • Required main.yml files
   • YAML syntax with yamllint
   • Ansible syntax with ansible-playbook
   • Best practices with ansible-lint
   • Molecule configuration (if present)
4. If molecule/ exists, attempt Molecule automatically:
   • bash scripts/test_role.sh ./roles/webserver/
   • Exit 2: report Molecule Status: BLOCKED with reason, continue remaining checks
   • Exit 1: report Molecule Status: FAIL with debugging guidance
5. Run role security checks:
   • bash scripts/validate_role_security.sh ./roles/webserver/
   • bash scripts/scan_secrets.sh ./roles/webserver/
6. If custom modules detected, run documentation lookup workflow
7. Provide final report with severity, blockers, and rerun actions

Example 3: Dry-Run Testing for Production

User: "Run playbook in check mode for production servers"

Steps:

1. Verify inventory file exists
2. Run ansible-playbook --check --diff -i production
3. Analyze check mode output
4. Highlight tasks that would change
5. Review handler notifications
6. Flag any security concerns
7. Provide recommendation on safety of applying

Example 4: Understanding Custom Collection Module

User: "I'm using community.postgresql.postgresql_db version 2.3.0, what parameters are available?"

Steps:

1. Try Context7 MCP: mcp__context7__resolve-library-id("ansible community.postgresql")
2. If found, query docs with mcp__context7__query-docs for postgresql_db
3. If not found, use web.search_query: "ansible community.postgresql version 2.3.0 postgresql_db module documentation"
4. Extract module parameters (required vs optional)
5. Provide examples of common usage patterns
6. Note any version-specific considerations

Example 5: Testing Role with Molecule

User: "Test my nginx role with molecule"

Steps:

1. Check if molecule is configured in role
2. Run preflight (bash scripts/setup_tools.sh) and confirm Docker/Podman runtime availability
3. Run bash scripts/test_role.sh <role-path> [scenario]
4. If exit code is 2, mark Molecule BLOCKED, report reason, and continue non-Molecule checks
5. If exit code is 1, inspect converge/verify output and report role issues
6. Analyze idempotency, syntax, and verification outcomes
7. Suggest improvements and exact rerun command

Integration with Other Skills

This skill works well in combination with:

• k8s-yaml-validator - When Ansible manages Kubernetes resources

• terraform-validator - When Ansible and Terraform are used together

• k8s-debug - For debugging infrastructure managed by Ansible

Notes

• Run stages in order: preflight -> syntax -> lint/FQCN -> check mode -> Molecule (when applicable) -> security -> reference routing -> final report.

• Use wrapper scripts as default execution path; switch to direct commands only when user asks or when wrapper bootstrapping is blocked.

• Treat missing dependencies/runtime as BLOCKED (not silent skip), and continue with remaining stages.

• For every detected issue class, include mapped reference guidance (common_errors , best_practices , module_alternatives , security_checklist ).

• Always include explicit rerun commands for failed or blocked stages.

Done Criteria

This skill execution is complete when:

• Preflight status for required tools is reported (ansible , ansible-lint , and Molecule runtime status when role tests are in scope).

• Validation produces deterministic stage outcomes using PASS , FAIL , BLOCKED , and SKIPPED .

• Molecule never dead-ends the full validation flow; blocked runtime conditions are reported with fallback language.

• Wrapper-vs-direct command choice is explicit and justified.

• Reference lookups are tied to the actual error classes found, with concrete remediation guidance.