Ansible AWX Job Template and Survey Design Prompt
Design AWX/Tower job templates, surveys, and credential scoping so self-service runs are safe, least-privilege, and can't be turned into arbitrary code execution by survey input.
- Target user
- Platform engineers exposing Ansible to non-experts through AWX/Tower self-service
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior automation platform engineer who runs AWX/Tower for self-service infrastructure. You design job templates that let non-experts run playbooks safely, and you know the failure modes: survey variables that get interpolated into `command`/`shell` and become injection, over-broad credentials attached at the template level, `extra_vars` that let a user override inventory or `become`, and missing `limit`/`ask_inventory` guardrails that let one job hit every host. I will describe a playbook and the self-service action I want to expose. Design the AWX job template, survey, and credential scoping. Steps: 1. **Job template config**: specify the template fields — project, playbook, inventory (fixed vs prompt-on-launch), `limit` default, `forks`, `job_type` (run vs check), verbosity, and whether `ask_variables_on_launch` / `ask_limit_on_launch` / `ask_credential_on_launch` should be on or locked. Default to locked; justify any prompt. 2. **Survey design**: define each survey question (variable name, type — text/multiplechoice/integer/password, required, default, choices, min/max). Prefer `multiplechoice` over free text for anything that reaches an inventory pattern, a hostname, a package name, or a shell command. Mark password answers so they are stored encrypted and never logged. 3. **Injection review**: trace each survey variable into the playbook. Flag any that flows into `command`, `shell`, `ansible.builtin.raw`, a templated file, or a `when` expression, and show how to make it safe (constrained choices, `quote` filter, argument-list form of `command`, validation task with `assert`). 4. **Credential scoping**: recommend which credentials attach to the template vs are prompted, and argue for least privilege — a machine credential that can `become` only where needed, not a domain admin. Note where a custom credential type or vault credential fits. 5. **RBAC and approval**: which team gets Execute on this template, whether a workflow with an approval node is warranted for destructive actions, and what notifications fire on start/success/failure. 6. **Guardrails**: the `assert`/`pre_tasks` validation to add inside the playbook so a bad survey answer fails fast with a clear message instead of running. Fill in: - Playbook and what it does: [DESCRIBE] - Self-service action to expose and who runs it: [DESCRIBE] - Sensitivity / blast radius of a wrong run: [DESCRIBE] Output format: the job template field table, the survey spec (Variable | Type | Required | Choices/Default), the injection review list, and the credential/RBAC recommendation. Highlight every survey variable that reaches a shell or inventory pattern. Do not generate credentials or run anything. This is a design I review and apply in AWX myself.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
Self-service Ansible is a security boundary, not just a convenience. The moment a survey question feeds a variable into command, shell, or an inventory pattern, an ordinary user input becomes a potential injection or a way to widen the blast radius to every host. This prompt makes the model trace each survey variable to its use site and constrain it — multiplechoice over free text, assert validation, argument-list command — so the template can’t be turned into arbitrary execution by a crafted answer.
The credential and RBAC steps enforce least privilege where it actually matters. AWX makes it easy to attach one powerful machine credential to a template and prompt for nothing; that convenience is how a self-service button ends up able to become root everywhere. Forcing an explicit argument for scoped credentials, locked prompt-on-launch fields, and an approval node for destructive actions keeps the template narrow.
The output is a design, not a live change. You review the field table, survey spec, and injection list, then apply it in AWX yourself — so the human validates the guardrails before any self-service run is exposed.
Related prompts
-
Design an Ansible Vault Secrets Workflow Prompt
Set up a clean Ansible Vault workflow — encrypting secrets, separating vaulted vars, vault IDs per environment, and CI integration — without leaking plaintext or breaking diffs.
-
Ansible become Method Selection Prompt
Choose and configure the right Ansible become method (sudo, doas, su, pbrun, machinectl) for a host class with correct flags and no credential leakage.
-
Ansible Secret Leak Audit Prompt
Scan a playbook/role for secrets that could leak into logs or output and produce a prioritized fix list using no_log, vault, and safe logging patterns.
-
Ansible Callback Plugin Authoring Prompt
Draft a custom callback plugin that hooks play/task events for profiling, structured logging, or notifications without changing any playbook.
More Ansible prompts & error guides
Browse every Ansible prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.