Conventions, tips, and pitfalls
As you design and develop modules, follow these basic conventions and tips for clean, usable code:
Especially if you want to contribute your module(s) to an existing Ansible Collection, make sure each module includes enough logic and functionality, but not too much. If these guidelines seem confusing, consider whether you really need to write a module at all.
Each module should have a concise and well-defined functionality. Basically, follow the UNIX philosophy of doing one thing well.
Do not add
infostate options to an existing module - create a new
Modules should not require that a user know all the underlying options of an API/tool to be used. For example, if the legal values for a required module option cannot be documented, the module does not belong in Ansible Core.
Modules should encompass much of the logic for interacting with a resource. A lightweight wrapper around a complex API forces users to offload too much logic into their playbooks. If you want to connect Ansible to a complex API, create multiple modules that interact with smaller individual pieces of the API.
Avoid creating a module that does the work of other modules; this leads to code duplication and divergence, and makes things less uniform, unpredictable and harder to maintain. Modules should be the building blocks. If you are asking ‘how can I have a module execute other modules’ … you want to write a role.
If your module is addressing an object, the option for that object should be called
namewhenever possible, or accept
nameas an alias.
Modules accepting boolean status should accept
false, or anything else a user may likely throw at them. The AnsibleModule common code supports this with
command, they are imperative and not declarative, there are other ways to express the same thing.
Each module should be self-contained in one file, so it can be auto-transferred by
Module name MUST use underscores instead of hyphens or spaces as a word separator. Using hyphens and spaces will prevent
ansible-corefrom importing your module.
Always use the
hacking/test-module.pyscript when developing modules - it will warn you about common pitfalls.
If you have a local module that returns information specific to your installations, a good name for this module is
Eliminate or minimize dependencies. If your module has dependencies, document them at the top of the module file and raise JSON error messages when dependency import fails.
Don’t write to files directly; use a temporary file and then use the
ansible.module_utils.basicto move the updated temporary file into place. This prevents data corruption and ensures that the correct context for the file is kept.
Avoid creating caches. Ansible is designed without a central server or authority, so you cannot guarantee it will not run with different permissions, options or locations. If you need a central authority, have it on top of Ansible (for example, using bastion/cm/ci server, AWX, or the Red Hat Ansible Automation Platform); do not try to build it into modules.
If you package your module(s) in an RPM, install the modules on the control machine in
/usr/share/ansible. Packaging modules in RPMs is optional.
Each function should be concise and should describe a meaningful amount of work.
“Don’t repeat yourself” is generally a good philosophy.
Function names should use underscores:
The name of each function should describe what the function does.
Each function should have a docstring.
If your code is too nested, that’s usually a sign the loop body could benefit from being a function. Parts of our existing code are not the best examples of this at times.
mainfunction that wraps the normal execution.
mainfunction from a conditional so you can import it into unit tests - for example:
if __name__ == '__main__': main()
When your module fails, help users understand what went wrong. If you are using the
AnsibleModule common Python code, the
failed element will be included for you automatically when you call
fail_json. For polite module failure behavior:
Include a key of
failedalong with a string explanation in
msg. If you don’t do this, Ansible will use standard return codes: 0=success and non-zero=failure.
Don’t raise a traceback (stacktrace). Ansible can deal with stacktraces and automatically converts anything unparsable into a failed result, but raising a stacktrace on module failure is not user-friendly.
Do not use
fail_json()from the module object.
Validate upfront–fail fast and return useful and clear error messages.
Use defensive programming–use a simple design for your module, handle errors gracefully, and avoid direct stacktraces.
Fail predictably–if we must fail, do it in a way that is the most expected. Either mimic the underlying tool or the general way the system works.
Give out a useful message on what you were doing and add exception messages to that.
Avoid catchall exceptions, they are not very useful unless the underlying API gives very good error messages pertaining the attempted action.
Modules must output valid JSON only. Follow these guidelines for creating correct, useful module output:
Module return data must be encoded as strict UTF-8. Modules that cannot return UTF-8 encoded data should return the data encoded by something such as base64. Optionally modules can make the determination if they can encode as UTF-8 and utilize
errors='replace'to replace non UTF-8 characters making the return values lossy.
Make your top-level return type a hash (dictionary).
Nest complex return values within the top-level hash.
Incorporate any lists or simple scalar values within the top-level return hash.
Do not send module output to standard error, because the system will merge standard out with standard error and prevent the JSON from parsing.
Capture standard error and return it as a variable in the JSON on standard out. This is how the command module is implemented.
print("some status message")in a module, because it will not produce valid JSON output.
Always return useful data, even when there is no change.
Be consistent about returns (some modules are too random), unless it is detrimental to the state/action.
Make returns reusable–most of the time you don’t want to read it, but you do want to process it and re-purpose it.
Return diff if in diff mode. This is not required for all modules, as it won’t make sense for certain ones, but please include it when applicable.
Enable your return values to be serialized as JSON with Python’s standard JSON encoder and decoder library. Basic python types (strings, int, dicts, lists, and so on) are serializable.
Do not return an object using exit_json(). Instead, convert the fields you need from the object into the fields of a dictionary and return the dictionary.
Results from many hosts will be aggregated at once, so your module should return only relevant output. Returning the entire contents of a log file is generally bad form.
If a module returns stderr or otherwise fails to produce valid JSON, the actual output will still be shown in Ansible, but the command will not succeed.
Ansible conventions offer a predictable user interface across all modules, playbooks, and roles. To follow Ansible conventions in your module development:
Use consistent names across modules (yes, we have many legacy deviations - don’t make the problem worse!).
Use consistent options (arguments) within your module(s).
Do not use ‘message’ or ‘syslog_facility’ as an option name, because this is used internally by Ansible.
Normalize options with other modules - if Ansible and the API your module connects to use different names for the same option, add aliases to your options so the user can choose which names to use in tasks and playbooks.
Return facts from
*_factsmodules in the
ansible_factsfield of the result dictionary so other modules can access them.
*_factsmodules. Playbooks which conditionalize based on fact information will only conditionalize correctly in
check_modeif the facts are returned in
check_mode. Usually you can add
Use module-specific environment variables. For example, if you use the helpers in
module_utils.apifor basic authentication with
module_utils.urls.fetch_url()and you fall back on environment variables for default values, use a module-specific environment variable like
API_<MODULENAME>_USERNAMEto avoid conflicts between modules.
Keep module options simple and focused - if you’re loading a lot of choices/states on an existing option, consider adding a new, simple option instead.
Keep options small when possible. Passing a large data structure to an option might save us a few tasks, but it adds a complex requirement that we cannot easily validate before passing on to the module.
If you want to pass complex data to an option, write an expert module that allows this, along with several smaller modules that provide a more ‘atomic’ operation against the underlying APIs and services. Complex operations require complex data. Let the user choose whether to reflect that complexity in tasks and plays or in vars files.
Implement declarative operations (not CRUD) so the user can ignore existing state and focus on final state. For example, use
Strive for a consistent final state (aka idempotency). If running your module twice in a row against the same system would result in two different states, see if you can redesign or rewrite to achieve consistent final state. If you can’t, document the behavior and the reasons for it.
Provide consistent return values within the standard Ansible return structure, even if NA/None are used for keys normally returned under other options.
Avoid passing user input from the shell.
Always check return codes.
You must always use
Avoid using the shell unless absolutely necessary.
If you must use the shell, you must pass
If any variables in your module can come from user input with
use_unsafe_shell=True, you must wrap them with
When fetching URLs, use
ansible.module_utils.urls. Do not use
urllib2, which does not natively verify TLS certificates and so is insecure for https.
Sensitive values marked with
no_log=Truewill automatically have that value stripped from module return values. If your module could return these sensitive values as part of a dictionary key name, you should call the
ansible.module_utils.basic.sanitize_keys()function to strip the values from the keys. See the
urimodule for an example.