Ansible Tips Part 1: When in Doubt, Be Explicit

When copying files, using templates, or creating just about anything on a target machine via Ansible, make sure that you are as explicit as possible. Don't assume that a file will be created with a specific owner unless you specify that owner in the Ansible task.

For example, if you are providing your own SSH configuration file, overriding whatever is on the system, your task will look like this:

---
# roles/ssh/tasks/main.yml
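- name: configure ssh client configuration
  # no owner, group or mode given: the result depends on defaults
  template: src=ssh_config.j2 dest=/etc/ssh/ssh_config
  # run as root via privilege escalation (sudo by default)
  become: yes
  notify: Restart ssh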

In this situation, you are running the task with sudo privileges, so you are assuming that this file will be owned by root:root. Looking at an Ubuntu machine confirms that this file, by default, is also owned by root:root:

$ ls -l /etc/ssh/ssh_config
-rw-r--r-- 1 root root 1668 Jun  5 22:07 /etc/ssh/ssh_config

That's all well and good. But are you certain that this will always be the case? Are you certain that the file will always grant read permissions to everyone? There is a minute chance that the answer to any of those questions is "no", so it's best to tell Ansible explicitly what you want. That makes you 100% certain that it is correct.

---
# roles/ssh/tasks/main.yml
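- name: configure ssh client configuration
  # owner, group and mode stated explicitly (leading zero marks the mode as octal)
  template: src=ssh_config.j2 dest=/etc/ssh/ssh_config owner=root group=root mode=0644
  # run as root via privilege escalation (sudo by default)
  become: yes
  notify: Restart ssh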

I agree that this sounds like repeating yourself, especially in the context of the ssh_config file. However, it may be more useful when creating files in users' home directories. For example, files within the users' .ssh directories can require strict user-only permissions, and Ansible may apply less restrictive permissions by accident. It's better to get into the habit of being repetitive and explicit than to accidentally make a system less secure.
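
As an added example (not from the original post), here is the same habit applied to a file under a user's .ssh directory, followed by a read-back check that fails the play if the result differs. The account name deploy_user, its same-named primary group, the /home path and the config content are all assumptions.

```yaml
---
# Added example playbook. deploy_user, its group and the file content are assumptions.
- name: Manage a per-user SSH client config with explicit owner, group and mode
  hosts: all
  become: true                      # tasks run as root, so an omitted owner would mean root
  vars:
    deploy_user: deploy             # hypothetical account; must already exist on the target
    ssh_dir: "/home/{{ deploy_user }}/.ssh"
  tasks:
    - name: Ensure ~/.ssh exists and is accessible only by its owner
      ansible.builtin.file:
        path: "{{ ssh_dir }}"
        state: directory
        owner: "{{ deploy_user }}"
        group: "{{ deploy_user }}"
        mode: "0700"                # quoted: a bare 700 would be parsed as a decimal number

    - name: Install the per-user SSH client config
      ansible.builtin.copy:
        dest: "{{ ssh_dir }}/config"
        content: |
          # constructed sample content
          Host *
            ServerAliveInterval 60
        owner: "{{ deploy_user }}"
        group: "{{ deploy_user }}"
        mode: "0600"

    - name: Read back what actually landed on disk
      ansible.builtin.stat:
        path: "{{ item }}"
      loop:
        - "{{ ssh_dir }}"
        - "{{ ssh_dir }}/config"
      register: ssh_stat

    - name: Fail the play if owner or mode differs from what was requested
      ansible.builtin.assert:
        that:
          - item.stat.exists
          - item.stat.pw_name == deploy_user
          - item.stat.mode == ('0700' if item.stat.isdir else '0600')
        fail_msg: "{{ item.item }} does not have the expected owner or mode"
      loop: "{{ ssh_stat.results }}"
      loop_control:
        label: "{{ item.item }}"
```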