Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From devops-skills
Validates syntax, lints, audits security, dry-runs with check mode, and tests with molecule Ansible playbooks, roles, inventories, FQCN, and tasks.
npx claudepluginhub akin-ozer/cc-devops-skills --plugin devops-skillsHow this skill is triggered — by the user, by Claude, or both
Slash command
/devops-skills:ansible-validatorThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Comprehensive toolkit for validating, linting, and testing Ansible playbooks, roles, and collections. This skill provides automated workflows for ensuring Ansible code quality, syntax validation, dry-run testing with check mode and molecule, and intelligent documentation lookup for custom modules and collections with version awareness.
assets/molecule.yml.templatereferences/best_practices.mdreferences/common_errors.mdreferences/module_alternatives.mdreferences/security_checklist.mdscripts/check_fqcn.shscripts/extract_ansible_info.pyscripts/extract_ansible_info_wrapper.shscripts/scan_secrets.shscripts/setup_tools.shscripts/test_role.shscripts/validate_inventory.shscripts/validate_playbook.shscripts/validate_playbook_security.shscripts/validate_role.shscripts/validate_role_security.shtest/README.mdtest/inventory/localhost-nested.ymltest/playbooks/bad-playbook.ymltest/playbooks/good-playbook.ymlGuides running ansible-lint, configuring linting rules and profiles, fixing common issues, testing Ansible playbooks, and validating syntax with ansible-playbook.
Ansible automation conventions, patterns, and toolchain: playbook design, roles, inventory, vault, collections, execution environments, Event-Driven Ansible, testing, and performance tuning. Invoke whenever task involves any interaction with Ansible — writing playbooks, creating roles, managing inventory, reviewing automation code, debugging runs, upgrading ansible-core, or working with AAP.
Guides Ansible playbook creation, roles, inventories, project structure, modules, handlers, error handling, and debugging YAML syntax, module failures, variable precedence.
Share bugs, ideas, or general feedback.
Comprehensive toolkit for validating, linting, and testing Ansible playbooks, roles, and collections. This skill provides automated workflows for ensuring Ansible code quality, syntax validation, dry-run testing with check mode and molecule, and intelligent documentation lookup for custom modules and collections with version awareness.
Default behavior: When validating any Ansible role with a molecule/ directory, attempt Molecule automatically using bash scripts/test_role.sh <role-path>. If Molecule cannot run due to environment/runtime limits, mark Molecule as BLOCKED, report why, and continue all non-Molecule validation steps.
Use this skill when the request is about validating or debugging existing Ansible code, not generating new code.
Common trigger phrases:
Apply this skill when encountering any of these scenarios:
.yml, .yaml playbooks, roles, inventories, vars)ansible-playbook --checkRun preflight before validation to avoid dead ends:
bash scripts/setup_tools.sh
Command path assumption: run commands from this skill root (devops-skills-plugin/skills/ansible-validator) or use absolute paths.
Preflight requirements:
ansible, ansible-playbook, ansible-lint (plus yamllint recommended)molecule plus an available runtime (docker or podman)checkov (wrapper can bootstrap if missing)Deterministic fallback rules:
BLOCKED, and continue.BLOCKED, and continue remaining stages.Use wrappers by default for consistent behavior and fallback handling.
| Validation scenario | Default command | Use direct command when | Fallback if command cannot run |
|---|---|---|---|
| Playbook syntax/lint | bash scripts/validate_playbook.sh <playbook.yml> | User asks for a single focused check only (ansible-playbook --syntax-check, ansible-lint, or yamllint) | Run any available direct checks and report skipped checks as BLOCKED |
| Role structural validation | bash scripts/validate_role.sh <role-dir> | User asks only for specific sub-checks (for example, structure only) | Run structure/YAML checks that are possible and report missing stages |
| Role Molecule execution | bash scripts/test_role.sh <role-dir> [scenario] | User explicitly asks for manual stage-by-stage Molecule commands | Mark Molecule BLOCKED with reason and continue non-Molecule role checks |
| Security scanning | bash scripts/validate_playbook_security.sh <path> or bash scripts/validate_role_security.sh <path> plus bash scripts/scan_secrets.sh <path> | User requests raw Checkov output formatting or custom flags | Run whichever scanner is available; if one is missing, run the other and report coverage gap |
| Module/collection discovery | bash scripts/extract_ansible_info_wrapper.sh <path> | Python environment is already known-good and user wants direct parser output | If extraction fails, manually inspect requirements.yml/galaxy.yml and continue with best-effort lookup |
Follow this deterministic workflow and never stop at a missing dependency:
0. Preflight
├─> Run: bash scripts/setup_tools.sh
├─> Record tool/runtime readiness
└─> Continue even when optional tools are missing
1. Identify scope
├─> Single playbook validation
├─> Role validation
├─> Collection validation
└─> Multi-playbook/inventory validation
2. Syntax Validation
├─> Run ansible-playbook --syntax-check
├─> Run yamllint for YAML syntax
└─> Report as PASS/FAIL/BLOCKED
3. Lint and Best Practices
├─> Run ansible-lint (comprehensive linting)
├─> Check for deprecated modules (see references/module_alternatives.md)
├─> **DETECT NON-FQCN MODULE USAGE** (apt vs ansible.builtin.apt)
│ └─> Run bash scripts/check_fqcn.sh to identify short module names
│ └─> Recommend FQCN alternatives from references/module_alternatives.md
├─> Verify role structure
└─> Report linting issues
4. Dry-Run Testing (check mode)
├─> Run ansible-playbook --check (if inventory available)
├─> Analyze what would change
└─> Report potential issues
5. Molecule Testing (for roles with molecule/) - AUTOMATIC ATTEMPT
├─> Check if molecule/ directory exists in role
├─> If present, run: bash scripts/test_role.sh <role-path> [scenario]
├─> If script exits 2, mark Molecule as BLOCKED (environment/runtime issue)
├─> If script exits 1, mark Molecule as FAIL (role/test issue)
└─> Continue remaining validation regardless of Molecule outcome
6. Custom Module/Collection Analysis (if detected)
├─> Extract module/collection information
├─> Identify versions
├─> Lookup documentation (Context7 first, then web.search_query fallback)
└─> Provide version-specific guidance
7. Security and Best Practices Review - DUAL SCANNING DEFAULT
├─> Run bash scripts/validate_playbook_security.sh or validate_role_security.sh (Checkov)
├─> Run bash scripts/scan_secrets.sh for hardcoded secret detection
│ └─> This catches secrets Checkov may miss (passwords, API keys, tokens)
├─> If one scanner is unavailable, run the other and report reduced coverage
├─> Validate privilege escalation
├─> Review file permissions
└─> Identify common anti-patterns
8. Reference Routing
├─> Map each error/warning class to the matching reference file
├─> Extract concrete remediation from references (not file-name-only mention)
└─> Include source section + fix guidance in final report
9. Final Report (required format)
├─> Summary counts: PASS / FAIL / BLOCKED / SKIPPED
├─> Findings grouped by severity
├─> Tool/runtime blockers with exact command that failed
└─> Next actions to reach full validation coverage
Status contract: BLOCKED means validation could not run due to environment/runtime constraints; FAIL means the Ansible code or tests failed.
When issues are detected, consult the mapped reference and include a specific remediation excerpt in the report.
| Error class | Typical detector | Required reference | Required action |
|---|---|---|---|
| YAML parse/format errors | yamllint, ansible-playbook --syntax-check | references/common_errors.md (Syntax Errors) | Quote the matching syntax fix pattern and apply corrected YAML structure |
| Module/action resolution errors | ansible-playbook, ansible-lint | references/common_errors.md (Module/Collection Errors) | Provide install/version fix commands (ansible-galaxy collection install ...) |
| Deprecated or non-FQCN module usage | ansible-lint, bash scripts/check_fqcn.sh | references/module_alternatives.md | Provide exact FQCN/module replacement per finding |
| Template/variable errors | ansible-playbook, check mode | references/common_errors.md (Template/Variable Errors), references/best_practices.md (Variable Management) | Recommend default(), required(), or type conversion fixes |
| Connection/inventory/privilege errors | ansible-playbook --check, runtime output | references/common_errors.md (Connection, Inventory, Privilege sections) | Provide corrected inventory/auth/become configuration |
| Security policy failures (CKV_*) | validate_*_security.sh / Checkov | references/security_checklist.md | Map failed policy to a secure task rewrite |
| Hardcoded secrets | bash scripts/scan_secrets.sh | references/security_checklist.md (Secrets Management) | Replace with Vault/env/external secret manager approach |
| Role structure/idempotency warnings | validate_role.sh, Molecule idempotence | references/best_practices.md | Provide role layout or idempotency remediation steps |
External documentation lookup trigger:
Purpose: Ensure YAML files are syntactically correct before Ansible parsing.
Tools:
yamllint - YAML linter for syntax and formattingansible-playbook --syntax-check - Ansible-specific syntax validationWorkflow:
# Check YAML syntax with yamllint
yamllint playbook.yml
# Or for entire directory
yamllint -c .yamllint .
# Check Ansible playbook syntax
ansible-playbook playbook.yml --syntax-check
Common Issues Detected:
Best Practices:
.yamllintPurpose: Enforce Ansible best practices and catch common errors.
Workflow:
# Lint a single playbook
ansible-lint playbook.yml
# Lint all playbooks in directory
ansible-lint .
# Lint with specific rules
ansible-lint -t yaml,syntax playbook.yml
# Skip specific rules
ansible-lint -x yaml[line-length] playbook.yml
# Output parseable format
ansible-lint -f pep8 playbook.yml
# Show rule details
ansible-lint -L
Common Issues Detected:
command vs shellbecome directivesSeverity Levels:
Auto-fix approach:
--fix for auto-fixable issuesPurpose: Identify security vulnerabilities and compliance violations in Ansible code using Checkov, a static code analysis tool for infrastructure-as-code.
What Checkov Provides Beyond ansible-lint:
While ansible-lint focuses on code quality and best practices, Checkov specifically targets security policies and compliance:
Workflow:
# Scan playbook for security issues
bash scripts/validate_playbook_security.sh playbook.yml
# Scan entire directory
bash scripts/validate_playbook_security.sh /path/to/playbooks/
# Scan role for security issues
bash scripts/validate_role_security.sh roles/webserver/
# Direct checkov usage
checkov -d . --framework ansible
# Scan with specific output format
checkov -d . --framework ansible --output json
# Scan and skip specific checks
checkov -d . --framework ansible --skip-check CKV_ANSIBLE_1
Common Security Issues Detected:
Certificate Validation:
HTTPS Enforcement:
Package Security:
Error Handling:
Cloud Security (when managing cloud resources):
Example Violation:
# BAD - Disables certificate validation
- name: Download file
get_url:
url: https://example.com/file.tar.gz
dest: /tmp/file.tar.gz
validate_certs: false # Security issue!
# GOOD - Certificate validation enabled
- name: Download file
get_url:
url: https://example.com/file.tar.gz
dest: /tmp/file.tar.gz
validate_certs: true # Or omit (true by default)
Integration with Validation Workflow:
Checkov complements ansible-lint:
Best Practice: Run both tools for comprehensive validation:
# Complete validation workflow
bash scripts/validate_playbook.sh playbook.yml # Syntax + Lint
bash scripts/validate_playbook_security.sh playbook.yml # Security
Output Format:
Checkov provides clear security scan results:
Security Scan Results:
Passed: 15 checks
Failed: 2 checks
Skipped: 0 checks
Failed Checks:
Check: CKV_ANSIBLE_2 - "Ensure that certificate validation isn't disabled with get_url"
FAILED for resource: tasks/main.yml:download_file
File: /roles/webserver/tasks/main.yml:10-15
Remediation Resources:
references/security_checklist.mdreferences/best_practices.mdInstallation:
Checkov is automatically installed in a temporary environment if not available system-wide. For permanent installation:
pip3 install checkov
When to Use:
Purpose: Validate playbook syntax without executing tasks.
Workflow:
# Basic syntax check
ansible-playbook playbook.yml --syntax-check
# Syntax check with inventory
ansible-playbook -i inventory playbook.yml --syntax-check
# Syntax check with extra vars
ansible-playbook playbook.yml --syntax-check -e @vars.yml
# Check all playbooks
for file in *.yml; do
ansible-playbook "$file" --syntax-check
done
Validation Checks:
Error Handling:
Purpose: Preview changes that would be made without actually applying them.
Workflow:
# Run in check mode (dry-run)
ansible-playbook -i inventory playbook.yml --check
# Check mode with diff
ansible-playbook -i inventory playbook.yml --check --diff
# Check mode with verbose output
ansible-playbook -i inventory playbook.yml --check -v
# Check mode for specific hosts
ansible-playbook -i inventory playbook.yml --check --limit webservers
# Check mode with tags
ansible-playbook -i inventory playbook.yml --check --tags deploy
# Step through tasks
ansible-playbook -i inventory playbook.yml --check --step
Check Mode Analysis:
When reviewing check mode output, focus on:
Task Changes:
ok: No changes neededchanged: Would make changesfailed: Would fail (check for check_mode support)skipped: Conditional skipDiff Output:
Handlers:
Failed Tasks:
check_mode: no overrideLimitations:
Safety Considerations:
Purpose: Test Ansible roles in isolated environments with multiple scenarios.
Automatic attempt policy: When validating any Ansible role with a molecule/ directory, automatically attempt Molecule tests using bash scripts/test_role.sh <role-path> [scenario].
When to Use:
Workflow:
# Initialize molecule for a role
cd roles/myrole
molecule init scenario --driver-name docker
# List scenarios
molecule list
# Run full test sequence
molecule test
# Individual test stages
molecule create # Create test instances
molecule converge # Run Ansible against instances
molecule verify # Run verification tests
molecule destroy # Destroy test instances
# Test with specific scenario
molecule test -s alternative
# Debug mode
molecule --debug test
# Keep instances for debugging
molecule converge
molecule login # SSH into test instance
Test Sequence:
dependency - Install role dependencieslint - Run yamllint and ansible-lintcleanup - Clean up before testingdestroy - Destroy existing instancessyntax - Run syntax checkcreate - Create test instancesprepare - Prepare instances (install requirements)converge - Run the roleidempotence - Run again, verify no changesside_effect - Optional side effect playbookverify - Run verification tests (Testinfra, etc.)cleanup - Final cleanupdestroy - Destroy test instancesMolecule Configuration:
Check molecule/default/molecule.yml:
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: ubuntu:22.04
provisioner:
name: ansible
verifier:
name: ansible
Verification Tests:
Molecule supports multiple verifiers:
Example Ansible verifier (molecule/default/verify.yml):
---
- name: Verify
hosts: all
tasks:
- name: Check service is running
service:
name: nginx
state: started
check_mode: true
register: result
failed_when: result.changed
Common Molecule Errors:
Molecule Skip/Fallback Policy (Required):
molecule/ does not exist: mark Molecule as SKIPPED and continue.test_role.sh exits 2: mark Molecule as BLOCKED (missing/unavailable runtime dependency) and continue.test_role.sh exits 1: mark Molecule as FAIL (role/test issue) and continue.Use this reporting language for blocked Molecule runs:
Molecule Status: BLOCKED
Reason: <missing dependency/runtime and failing command>
Fallback Applied: Completed syntax, lint, check-mode, and security validation without Molecule runtime tests.
Next Action: <install/start dependency>; rerun `bash scripts/test_role.sh <role-path> [scenario]`
Purpose: Automatically discover and retrieve version-specific documentation for custom modules and collections using web search and Context7 MCP.
When to Trigger:
Detection Workflow:
Extract Module Information:
scripts/extract_ansible_info_wrapper.sh to parse playbooks and rolesrequirements.ymlExtract Collection Information:
community.general, ansible.posix)requirements.yml or galaxy.ymlDocumentation Lookup Strategy:
Use this deterministic lookup order:
mcp__context7__resolve-library-idmcp__context7__query-docsweb.search_query with versioned queriesREADME, module docs, role docs) firstSearch Query Templates:
# For custom modules
"[module-name] ansible module version [version] documentation"
"[module-name] ansible [module-type] example"
"ansible [collection-name].[module-name] parameters"
# For custom collections
"ansible collection [collection-name] version [version]"
"[collection-namespace].[collection-name] ansible documentation"
"ansible galaxy [collection-name] modules"
# For specific errors
"ansible [module-name] error: [error-message]"
"ansible [collection-name] module failed"
Example Workflow:
User working with: community.docker.docker_container version 3.0.0
1. Extract module info from playbook:
tasks:
- name: Start container
community.docker.docker_container:
name: myapp
image: nginx:latest
2. Detect collection: community.docker
3. Search for documentation:
- Try Context7: mcp__context7__resolve-library-id("ansible community.docker")
- Fallback to web.search_query("ansible community.docker collection version 3.0 docker_container module documentation")
4. If official docs found:
- Parse module parameters (required vs optional)
- Identify return values
- Find usage examples
- Check version compatibility
5. Provide version-specific guidance to user
Version Compatibility Checks:
Common Collection Sources:
Purpose: Identify security vulnerabilities and anti-patterns in Ansible playbooks.
Security Checks:
Secrets Detection:
# Check for hardcoded credentials
grep -r "password:" *.yml
grep -r "secret:" *.yml
grep -r "api_key:" *.yml
grep -r "token:" *.yml
Remediation: Use Ansible Vault, environment variables, or external secret management
Privilege Escalation:
become: yesbecome_user specificationFile Permissions:
Command Injection:
quote filter for user inputNetwork Security:
Best Practices:
Playbook Organization:
Variable Management:
default() filterTask Naming:
Idempotency:
creates, removes for command taskschanged_when: false unless necessaryError Handling:
failed_when for custom failure conditionsblock/rescue/always for error recoveryany_errors_fatalignore_errors sparinglyDocumentation:
Reference Documentation:
For detailed security guidelines and best practices, refer to:
references/security_checklist.md - Common security vulnerabilitiesreferences/best_practices.md - Ansible coding standardsreferences/common_errors.md - Common errors and solutionsRun this preflight before validation:
# Preferred one-shot preflight
bash scripts/setup_tools.sh
# Check Ansible installation
ansible --version
ansible-playbook --version
# Check ansible-lint installation
ansible-lint --version
# Check yamllint installation
yamllint --version
# Check molecule installation (for role testing with molecule/)
molecule --version
# Check container runtime for Molecule
docker --version
docker info
# or
podman --version
podman info
# Install missing tools (example for pip)
pip install ansible ansible-lint yamllint ansible-compat
# Install molecule with docker driver
pip install molecule molecule-docker
# Install molecule with podman driver (alternative)
pip install molecule molecule-podman
Minimum Versions:
Execution policy when tools are missing:
ansible/ansible-lint are missing, wrappers (validate_playbook.sh, validate_role.sh) attempt temporary venv bootstrap.docker info or podman info) is unavailable, Molecule is BLOCKED and non-Molecule checks continue.checkov is missing, security wrappers bootstrap it when possible; otherwise run scan_secrets.sh and report reduced security coverage.Optional Tools:
ansible-inventory - Inventory validation and graphingansible-doc - Module documentation lookupjq - JSON parsing for structured outputError: Module Not Found
Solution: Install required collection with ansible-galaxy
Check collections/requirements.yml
Verify collection namespace and name
Error: Undefined Variable
Solution: Define variable in vars, defaults, or group_vars
Check variable precedence
Use default() filter for optional variables
Verify variable file is included
Error: Template Syntax Error
Solution: Check Jinja2 template syntax
Verify variable types match filters
Ensure proper quote escaping
Test template rendering separately
Error: Connection Failed
Solution: Verify inventory host accessibility
Check SSH configuration and keys
Verify ansible_host and ansible_port
Test with ansible -m ping
Error: Permission Denied
Solution: Add become: yes for privilege escalation
Verify sudo/su configuration
Check file permissions
Verify user has necessary privileges
Error: Deprecated Module
Solution: Check ansible-lint output for replacement
Consult module documentation for alternatives
Update to recommended module
Test functionality with new module
setup_tools.sh - Preflight checker for Ansible validator dependencies. Verifies baseline tools (ansible, ansible-playbook, ansible-lint, yamllint) and Molecule runtime readiness (docker/podman) and provides installation guidance.
Usage:
bash scripts/setup_tools.sh
extract_ansible_info_wrapper.sh - Bash wrapper for extract_ansible_info.py that automatically handles PyYAML dependencies. Creates a temporary venv if PyYAML is not available in system Python.
Usage:
bash scripts/extract_ansible_info_wrapper.sh <path-to-playbook-or-role>
Output: JSON structure with modules, collections, and versions
extract_ansible_info.py - Python script (called by wrapper) to parse Ansible playbooks and roles to extract module usage, collection dependencies, and version information. The wrapper script handles dependency management automatically.
validate_playbook.sh - Comprehensive validation script that runs syntax check, yamllint, and ansible-lint on playbooks. Automatically installs ansible and ansible-lint in a temporary venv if not available on the system (prefers system versions when available).
Usage:
bash scripts/validate_playbook.sh <playbook.yml>
validate_playbook_security.sh - Security validation script that scans playbooks for security vulnerabilities using Checkov. Automatically installs checkov in a temporary venv if not available. Complements validate_playbook.sh by focusing on security-specific checks like SSL/TLS validation, HTTPS enforcement, and package signature verification.
Usage:
bash scripts/validate_playbook_security.sh <playbook.yml>
# Or scan entire directory
bash scripts/validate_playbook_security.sh /path/to/playbooks/
validate_role.sh - Comprehensive role validation script that checks role structure, YAML syntax, Ansible syntax, linting, and molecule configuration.
Usage:
bash scripts/validate_role.sh <role-directory>
Validates:
validate_role_security.sh - Security validation script for Ansible roles using Checkov. Scans entire role directory for security issues. Automatically installs checkov in a temporary venv if not available. Complements validate_role.sh with security-focused checks.
Usage:
bash scripts/validate_role_security.sh <role-directory>
test_role.sh - Wrapper script for Molecule testing with automatic dependency installation. If molecule is missing, it creates a temporary venv and installs dependencies. Returns exit code 2 for environment/runtime blockers (for example missing Docker/Podman runtime) and exit code 1 for role/test failures.
Usage:
bash scripts/test_role.sh <role-directory> [scenario]
scan_secrets.sh - Comprehensive secret scanner that uses grep-based pattern matching to detect hardcoded secrets in Ansible files. Complements Checkov security scanning by catching secrets that static analysis may miss, including passwords, API keys, tokens, AWS credentials, and private keys.
Usage:
bash scripts/scan_secrets.sh <playbook.yml|role-directory|directory>
Detects:
IMPORTANT: This script should ALWAYS be run alongside Checkov (validate_*_security.sh) for comprehensive security scanning. Checkov catches SSL/TLS and protocol issues; this script catches hardcoded secrets.
check_fqcn.sh - Scans Ansible files to identify modules using short names instead of Fully Qualified Collection Names (FQCN). Recommends migration to ansible.builtin.* or appropriate collection namespace for better clarity and future compatibility.
Usage:
bash scripts/check_fqcn.sh <playbook.yml|role-directory|directory>
Detects:
Provides specific migration recommendations with FQCN alternatives.
validate_inventory.sh - Validates Ansible inventory files and directories. Checks YAML syntax, resolves host/group hierarchy, and flags common structural issues such as plaintext credentials and missing ansible_connection=local for localhost entries. Automatically installs ansible in a temporary venv if not available.
Usage:
bash scripts/validate_inventory.sh <inventory-file|inventory-directory>
Validation stages:
ansible-inventory --list to verify host/group resolutionansible-inventory --graph to display group hierarchysecurity_checklist.md - Comprehensive security validation checklist for Ansible playbooks covering secrets management, privilege escalation, file permissions, and command injection.
best_practices.md - Ansible coding standards and best practices for playbook organization, variable handling, task naming, idempotency, and documentation.
common_errors.md - Database of common Ansible errors with detailed solutions and prevention strategies.
module_alternatives.md - Guide for replacing deprecated modules with current alternatives.
.yamllint - Pre-configured yamllint rules for Ansible YAML files.
.ansible-lint - Pre-configured ansible-lint configuration with reasonable rule settings.
molecule.yml.template - Template molecule configuration for role testing.
User: "Check if this playbook.yml file is valid"
Steps:
1. Run preflight: `bash scripts/setup_tools.sh`
2. Run wrapper: `bash scripts/validate_playbook.sh playbook.yml`
3. If inventory is provided, run check mode: `ansible-playbook -i <inventory> playbook.yml --check --diff`
4. Run security wrappers:
- `bash scripts/validate_playbook_security.sh playbook.yml`
- `bash scripts/scan_secrets.sh playbook.yml`
5. If custom modules are detected, run docs lookup workflow (Context7 first, web fallback)
6. Report results with PASS/FAIL/BLOCKED/SKIPPED counts and remediation steps
User: "Validate my ansible role in ./roles/webserver/"
Steps:
1. Run preflight: `bash scripts/setup_tools.sh`
2. Run role wrapper: `bash scripts/validate_role.sh ./roles/webserver/`
3. This checks:
- Role directory structure (tasks/, defaults/, handlers/, meta/, etc.)
- Required main.yml files
- YAML syntax with yamllint
- Ansible syntax with ansible-playbook
- Best practices with ansible-lint
- Molecule configuration (if present)
4. If `molecule/` exists, attempt Molecule automatically:
- `bash scripts/test_role.sh ./roles/webserver/`
- Exit `2`: report `Molecule Status: BLOCKED` with reason, continue remaining checks
- Exit `1`: report `Molecule Status: FAIL` with debugging guidance
5. Run role security checks:
- `bash scripts/validate_role_security.sh ./roles/webserver/`
- `bash scripts/scan_secrets.sh ./roles/webserver/`
6. If custom modules detected, run documentation lookup workflow
7. Provide final report with severity, blockers, and rerun actions
User: "Run playbook in check mode for production servers"
Steps:
1. Verify inventory file exists
2. Run ansible-playbook --check --diff -i production
3. Analyze check mode output
4. Highlight tasks that would change
5. Review handler notifications
6. Flag any security concerns
7. Provide recommendation on safety of applying
User: "I'm using community.postgresql.postgresql_db version 2.3.0, what parameters are available?"
Steps:
1. Try Context7 MCP: `mcp__context7__resolve-library-id("ansible community.postgresql")`
2. If found, query docs with `mcp__context7__query-docs` for `postgresql_db`
3. If not found, use `web.search_query`: "ansible community.postgresql version 2.3.0 postgresql_db module documentation"
4. Extract module parameters (required vs optional)
5. Provide examples of common usage patterns
6. Note any version-specific considerations
User: "Test my nginx role with molecule"
Steps:
1. Check if molecule is configured in role
2. Run preflight (`bash scripts/setup_tools.sh`) and confirm Docker/Podman runtime availability
3. Run `bash scripts/test_role.sh <role-path> [scenario]`
4. If exit code is `2`, mark Molecule `BLOCKED`, report reason, and continue non-Molecule checks
5. If exit code is `1`, inspect converge/verify output and report role issues
6. Analyze idempotency, syntax, and verification outcomes
7. Suggest improvements and exact rerun command
This skill works well in combination with:
BLOCKED (not silent skip), and continue with remaining stages.common_errors, best_practices, module_alternatives, security_checklist).This skill execution is complete when:
ansible, ansible-lint, and Molecule runtime status when role tests are in scope).PASS, FAIL, BLOCKED, and SKIPPED.