Ansible CI/CD Lint & Test Pipeline Prompt
Build Ansible CI/CD pipelines — lint, syntax check, Molecule tests, vault validation, deploy stages.
- Target user: Ansible engineers integrating with CI
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior automation engineer who has built CI/CD pipelines for Ansible — lint, syntax, tests, vault validation, deploy.

I will provide:
- The CI tool (GitLab, GitHub Actions, Jenkins)
- Current pipeline (if any)
- Symptom

Your job:

1. **Pipeline stages**:
   - Lint (ansible-lint)
   - Syntax check (ansible-playbook --syntax-check)
   - Test (Molecule)
   - Vault validation
   - Deploy (sandbox → staging → prod)
2. **For ansible-lint**:
   - Best practice rules
   - YAML formatting
   - FQCN enforcement
   - Custom rules
3. **For syntax check**:
   - `--syntax-check` flag
   - Validates without running
4. **For Molecule in CI**:
   - Docker-in-Docker or similar
   - Per-role tests
   - Run on changed roles
5. **For vault validation**:
   - Verify files encrypted
   - Test decryption with CI password
6. **For deployment**:
   - SSH from CI runner
   - Limited blast radius (specific hosts)
   - Manual approval for prod
7. **For change-only**:
   - Detect changed roles
   - Run relevant tests only
8. **For drift / verification**:
   - Periodic --check runs
   - Alert on drift

Mark DESTRUCTIVE: deploy without approval (production), CI without vault password protection, parallel deploys against same host.

---
CI tool: [DESCRIBE]
Current pipeline: [DESCRIBE]
Symptom: [DESCRIBE]
Why this prompt works
CI/CD for Ansible needs deliberate design rather than a single "run the playbook" job. This prompt walks through the pipeline stage by stage: lint, syntax, Molecule, vault validation, and gated deploys.
How to use it
- Lint everything.
- Test changed roles.
- Vault checks.
- Approval for prod.
Useful commands
```shell
# Install tools
pip install ansible ansible-lint molecule molecule-docker

# Lint
ansible-lint roles/myrole/

# Syntax
ansible-playbook --syntax-check site.yml

# Vault check (verify encrypted: view succeeds only if the file is vault-encrypted and the password is right)
ansible-vault view inventories/production/group_vars/all/vault.yml --vault-password-file ~/.vault/prod

# Run Molecule
cd roles/myrole
molecule test

# Test deploy (dry run against staging)
ansible-playbook --check --diff site.yml -i inventories/staging
```
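The `ansible-vault view` command above proves a file decrypts, but it needs the vault password, so it can only run in jobs that hold that secret. A cheaper check that covers the "verify files encrypted" requirement is to confirm every vault file carries the ansible-vault envelope header (`$ANSIBLE_VAULT;1.1;AES256`, or `1.2;AES256;<vault-id>`), which catches a vault.yml that someone decrypted in place and committed. The script below is an added example, not part of the original page; it assumes vault files are named `vault.yml` or `*.vault.yml` and builds a constructed demo tree with fake contents.

```shell
#!/bin/sh
# Added example (not from the original page): verify that every vault file in an
# inventory tree is actually encrypted, without needing the vault password.
# Assumption: vault files are named vault.yml or *.vault.yml.

# Exit 0 if the file starts with the ansible-vault envelope header.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Print every vault.yml / *.vault.yml under $1 that is NOT encrypted, one per line.
find_plaintext_vaults() {
    find "$1" -type f \( -name 'vault.yml' -o -name '*.vault.yml' \) -print | sort |
    while IFS= read -r f; do
        is_vault_encrypted "$f" || printf '%s\n' "$f"
    done
}

# Exit 1 (failing the CI job) if any plaintext vault file was found.
check_vault_tree() {
    bad=$(find_plaintext_vaults "$1")
    if [ -n "$bad" ]; then
        printf 'ERROR: vault file(s) not encrypted:\n%s\n' "$bad" >&2
        return 1
    fi
    printf 'OK: all vault files under %s are encrypted\n' "$1"
}

# --- constructed demo data (not real inventories or secrets) -------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/production/group_vars/all" "$demo_dir/staging/group_vars/all"
# A properly encrypted file: the header followed by a fake hex payload.
printf '$ANSIBLE_VAULT;1.1;AES256\n3961653466deadbeef0000\n' > "$demo_dir/production/group_vars/all/vault.yml"
# A vault file that was decrypted in place and committed by mistake.
printf 'db_password: not-a-real-secret\n' > "$demo_dir/staging/group_vars/all/vault.yml"

check_vault_tree "$demo_dir" || echo "(the demo tree is expected to fail the check)"
```

Run `check_vault_tree inventories/` as its own job in the `vault` stage; because it needs no secret, it can run on every merge request, while the `ansible-vault view` decryption test stays in the protected job.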
Pipeline pattern (GitLab CI)
```yaml
# .gitlab-ci.yml
stages: [lint, syntax, test, vault, deploy]

variables:
  ANSIBLE_LINT_VERSION: "24.0.0"

.python-image: &python-image
  image: python:3.12

lint:
  <<: *python-image
  stage: lint
  before_script:
    # pin ansible-lint so new strict rules do not break builds unannounced
    - pip install ansible "ansible-lint==${ANSIBLE_LINT_VERSION}"
  script:
    - ansible-lint --strict roles/ playbooks/

syntax:
  <<: *python-image
  stage: syntax
  before_script:
    - pip install ansible
  script:
    - ansible-playbook --syntax-check site.yml

molecule:
  <<: *python-image
  stage: test
  services:
    - docker:dind
  variables:
    DOCKER_TLS_CERTDIR: ""
    DOCKER_HOST: tcp://docker:2375
    DOCKER_DRIVER: overlay2
  before_script:
    - pip install ansible molecule molecule-docker
  script:
    - cd roles/myrole
    - molecule test
  rules:
    - changes:             # only run when this role's files changed
        - roles/myrole/**/*

vault-check:
  <<: *python-image
  stage: vault
  before_script:
    - pip install ansible
    # ANSIBLE_VAULT_PASSWORD is a masked, protected CI variable, never a literal in this file
    - echo "$ANSIBLE_VAULT_PASSWORD" > /tmp/vault-pass
  script:
    - ansible-vault view inventories/production/group_vars/all/vault.yml --vault-password-file /tmp/vault-pass > /dev/null
  after_script:
    - rm -f /tmp/vault-pass

deploy-staging:
  <<: *python-image
  stage: deploy
  before_script:
    - pip install ansible
    - echo "$ANSIBLE_VAULT_PASSWORD" > /tmp/vault-pass
    - eval "$(ssh-agent -s)"
    - echo "$SSH_PRIVATE_KEY" | ssh-add -
  script:
    - ansible-playbook -i inventories/staging site.yml --vault-password-file /tmp/vault-pass
  after_script:
    - rm -f /tmp/vault-pass   # do not leave the password file on the runner
  environment:
    name: staging
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

deploy-production:
  <<: *python-image
  stage: deploy
  before_script:
    - pip install ansible
    - echo "$ANSIBLE_VAULT_PASSWORD_PROD" > /tmp/vault-pass   # separate secret and key for prod
    - eval "$(ssh-agent -s)"
    - echo "$SSH_PRIVATE_KEY_PROD" | ssh-add -
  script:
    - ansible-playbook -i inventories/production site.yml --vault-password-file /tmp/vault-pass
  after_script:
    - rm -f /tmp/vault-pass
  environment:
    name: production
  rules:
    - if: $CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/   # release tags only
      when: manual                               # approval gate before prod
```
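The `rules: changes:` entry above works for one role, but it has to be duplicated per role and grows stale as roles are added. The script below is an added example, not part of the original page or the pipeline above: it derives the changed roles from the git diff and runs Molecule only for those. It assumes GitLab's `CI_MERGE_REQUEST_DIFF_BASE_SHA` variable as the diff base (falling back to `origin/main`) and that roles live under `roles/<name>/`; the list of demo paths at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): run Molecule only for the roles a
# change actually touches, instead of one hard-coded rules: changes: entry per role.
# Assumptions: roles live under roles/<name>/, and the diff base comes from
# GitLab's CI_MERGE_REQUEST_DIFF_BASE_SHA (or origin/main when unset).

# Read changed file paths on stdin; print each affected role name once.
# Only paths of the form roles/<role>/<file...> count; roles/README.md does not.
roles_from_paths() {
    sed -n 's#^roles/\([^/][^/]*\)/.*#\1#p' | sort -u
}

# List roles changed between the base ref (arg 1, or the CI default) and HEAD.
changed_roles() {
    base=${1:-${CI_MERGE_REQUEST_DIFF_BASE_SHA:-origin/main}}
    git diff --name-only "$base" HEAD | roles_from_paths
}

# Run `molecule test` inside each changed role; stop at the first failure so
# the job fails fast and the failing role is the last one in the log.
test_changed_roles() {
    roles=$(changed_roles "$1")
    if [ -z "$roles" ]; then
        echo "no role changed, skipping Molecule"
        return 0
    fi
    for role in $roles; do
        echo "=== molecule test: $role ==="
        ( cd "roles/$role" && molecule test ) || return 1
    done
}

# --- constructed demo: the paths a merge request might touch -------------------
demo_paths='roles/nginx/tasks/main.yml
roles/nginx/defaults/main.yml
roles/postgres/handlers/main.yml
roles/README.md
playbooks/site.yml'

# Prints "nginx" and "postgres"; README.md and playbooks/ are not role changes.
printf '%s\n' "$demo_paths" | roles_from_paths
```

In the pipeline, replace the `script:` of the `molecule` job with `test_changed_roles` and drop the per-role `rules: changes:`. The runner needs enough history for the diff, so set `GIT_DEPTH` high enough (or `0`) on that job; a shallow clone that lacks the base commit makes `git diff` fail rather than silently return an empty role list.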
ansible-lint config
```yaml
# .ansible-lint
profile: production
exclude_paths:
  - .cache/
  - collections/
  - tests/
skip_list:
  - experimental
  - yaml[line-length]  # if intentionally long
use_default_rules: true
verbosity: 1
```
Common findings this catches
- Lint failing on new strict rules → fix or accept.
- Molecule slow → only changed roles.
- Vault password in `.gitlab-ci.yml` → use masked CI variable.
- Deploy without approval → add `when: manual` for prod.
- CI runner can't SSH → key setup.
- Inventory in CI hitting prod by mistake → explicit `-i` per env.
- Drift detection missing → add scheduled `--check`.
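A scheduled `--check` run only counts as drift detection if something acts on the result. The script below is an added example, not part of the original page: it parses the `PLAY RECAP` that `ansible-playbook` prints and reports every host with `changed>0` (the playbook would modify it, so the host has drifted), `failed>0` or `unreachable>0`, exiting non-zero so a GitLab scheduled pipeline fails and notifies. The inventory and playbook names are assumptions, and the sample run output at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): turn a scheduled
# `ansible-playbook --check` run into a drift alert by parsing the PLAY RECAP.
# Assumptions: inventories under inventories/<env>, playbook site.yml.

# Read ansible-playbook output on stdin; print one line per drifted host.
drift_hosts() {
    awk '
        /^PLAY RECAP/ { in_recap = 1; next }
        in_recap && /changed=/ {
            host = $1; changed = 0; failed = 0; unreachable = 0
            for (i = 2; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                if (kv[1] == "changed")     changed     = kv[2] + 0
                if (kv[1] == "failed")      failed      = kv[2] + 0
                if (kv[1] == "unreachable") unreachable = kv[2] + 0
            }
            if (changed > 0 || failed > 0 || unreachable > 0)
                printf "%s changed=%d failed=%d unreachable=%d\n", host, changed, failed, unreachable
        }'
}

# Dry-run the playbook against an inventory; exit 1 if any host drifted or
# if ansible-playbook itself failed before producing a recap.
# Usage: check_drift inventories/production [site.yml]
check_drift() {
    inventory=$1
    playbook=${2:-site.yml}
    out=$(mktemp)
    ansible-playbook --check --diff -i "$inventory" "$playbook" > "$out" 2>&1
    rc=$?
    drifted=$(drift_hosts < "$out")
    rm -f "$out"
    if [ -n "$drifted" ]; then
        printf 'DRIFT DETECTED in %s:\n%s\n' "$inventory" "$drifted" >&2
        return 1
    fi
    if [ "$rc" -ne 0 ]; then
        echo "ansible-playbook exited $rc without reporting drifted hosts; treating as failure" >&2
        return 1
    fi
    echo "no drift in $inventory"
}

# --- constructed sample output (not a real run) -------------------------------
sample_run='PLAY [all] **********

TASK [nginx : deploy nginx.conf] **********
changed: [web02]

PLAY RECAP **********
web01                      : ok=12   changed=0    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
web02                      : ok=12   changed=2    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
db01                       : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0'

# Reports web02 (would be changed) and db01 (unreachable); web01 is clean.
printf '%s\n' "$sample_run" | drift_hosts
```

Wire `check_drift inventories/production` into a job that runs only on a pipeline schedule (`rules: - if: $CI_PIPELINE_SOURCE == "schedule"`), with the same vault password handling as the deploy jobs. Tasks that always report `changed` (for example a `command` without `changed_when`) will show up as permanent drift, so fix those in the roles rather than filtering them here.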
When to escalate
- Pipeline design across many repos — strategic.
- Self-hosted runner capacity — engineering.
- Production deploy automation — coordinated.
Related prompts
- Ansible Molecule Testing Prompt: Test Ansible roles with Molecule — scenarios, drivers (Docker/Podman/Vagrant), verifiers (Ansible/Testinfra), idempotence.
- Ansible Vault Secrets Management Prompt: Use Ansible Vault — encrypt secrets, vault IDs, multi-vault setups, integration with external secret managers.
- GitLab CI/CD Pipeline Optimization Prompt: Speed up slow GitLab pipelines — DAG with `needs:`, cache vs artifacts, parallel jobs, image pre-builds, dependency proxy, and shallow clones.