Just a quick update on my ansible journey. A few weeks ago I noted the difficulty I was having learning the file organization of Ansible. I was having trouble keeping track of what went where.
So, I decided to just make one giant playbook with 6 plays for different types of machines. Over the past couple of weeks, that playbook grew to 1500 lines. I navigated primarily by using the folding feature of the YAML extension for Visual Studio Code. It was pretty straightforward to learn the syntax and semantics of Ansible by cutting and pasting between plays and examples found on the internet. I got to the point where I could delete four of the machines and completely rebuild them via ansible.
Over time, natural patterns began to emerge. So, I split sections of the large playbook into "blocks" contained in their own .yml files which also lived in the main directory. I would task_import the blocks into the main playbook as necessary.
The third step was to add variables. After the basic patterns emerged, it was pretty clear when and where variables would improve the readability and reusability of the code.
Finally, I started moving the blocks with related functionality into roles.
The approach might not work for everyone, but it helped me get my head wrapped around ansible.
In the world of automation / development, there is no "one shoe fits all". While in some cases there may be known best practices, more often than not, design patterns boil down to the team, their style and subject area knowledge.
Just curious, have you posted your solution anywhere?
Reading internet experts like geerlingguy was overwhelming me. Just too much coming at me at once to be able to isolate the important parts and focus on them.
I started to put my configuration on Github… But I took it off when I kept getting stuck sanitizing keys and passwords. My plan currently is to spend a few more weeks, on and off, cleaning things up. Then I will go through and sanitize the entire thing in one go.
Have you looked at the Ansible repo I shared some time ago? I don't remember if I sent you the link or if you may have found it on your own. I kind of solved the problem in a similar way myself.
You are not alone in this one. Managing secrets is no easy task. There are many ways that it can be done, but, it's challenging, particularly when you have to do it at scale. I've been working on that aspect myself for a good while. At this point, I know just about enough to be dangerous. AWS KMS, Azure Key Vault, HashiCorp Vault, they all go from mild to wild in a hurry but it's an area that anyone doing web services needs to know (to some degree).
Many don't realize, there are loads of bots that do nothing but scan Git Service Providers (Github, Gitlab, Bitbucket, Sourceforge, etc) looking for passwords / keys. They are looking for somebody to make just one mistake to capitalize on. If they don't realize the mistake, or forget to clear the Git revision history after finding it, it's a big security hole.
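The two problems raised in this thread, sanitizing keys and passwords before a repo goes public and the bots that grep Git providers (and Git history) for exactly those values, can be checked locally with the same kind of pattern scanner the bots use. The following is an added example and is not code from either poster; the regex set, the allowlist for Jinja2 references and Ansible Vault blocks, and the `group_vars/all.yml` sample (none of whose values are real credentials) are all assumptions made for illustration.

```python
"""Regex-based secret scanner of the kind repository-scanning bots run (added example)."""
import re
import subprocess
from dataclasses import dataclass

# Illustrative patterns (assumption: a small set, not a complete catalogue).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # sensitive-looking key name, then ':' or '=', then the rest of the line
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|token|api_key)\s*[:=]\s*(.+?)\s*$"),
}

# Values that are safe to commit even though the key name looks sensitive.
SAFE_VALUE = (
    re.compile(r"^\{\{.*\}\}$"),   # Jinja2 expression, e.g. {{ vault_db_password }}
    re.compile(r"^!vault\b"),       # an Ansible Vault encrypted block follows
)


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    masked: str  # enough to locate the secret without printing it again


def _mask(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per line that matches a pattern and is not allowlisted."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # credential_assignment captures the value in group 2; the others
            # are matched as a whole
            value = match.group(2) if match.lastindex == 2 else match.group(0)
            value = value.strip("'\"")
            if any(safe.match(value) for safe in SAFE_VALUE):
                continue
            findings.append(Finding(kind, line_no, _mask(value)))
            break  # one finding per line is enough
    return findings


def scan_git_history(repo_path: str) -> list[Finding]:
    """Scan every revision, not only the checked-out tree: a secret deleted in a
    later commit is still in the log. Needs git on PATH and is not run by the
    test. Line numbers are offsets into the `git log -p --all` output."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_text(log)


# Constructed sample vars file (assumption); none of these values are real credentials.
SAMPLE_VARS = """\
# group_vars/all.yml
db_user: app
db_password: hunter2
aws_access_key_id: AKIAIOSFODNN7EXAMPLE
api_token: "{{ vault_api_token }}"
smtp_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          3962386261
ssh_private_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQy
  -----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_VARS):
        print(f"line {f.line_no}: {f.kind} ({f.masked})")
```

On the sample, the plaintext `db_password`, the AWS access key ID and the private key block are reported, while the Jinja2 reference to a vaulted variable and the `!vault` block are not, which is the shape a sanitized Ansible repo should end up in. The allowlist is deliberately narrow: a Jinja2 expression is only skipped as a whole value, so a literal hidden inside one would need a manual look. Running `scan_git_history` against the repo rather than `scan_text` against the working tree is the point of the last paragraph above: deleting a key in a later commit does not remove it from what a bot can fetch.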