Ansible Playbook Tags

As playbooks grow larger and more complex, running the entire playbook every time becomes slow and risky. Tags give you surgical control over which tasks run on any given execution. This is essential for day-to-day operations: re-deploy the application config without reinstalling packages, run only the security hardening tasks, or skip long-running tasks during rapid iteration.

Adding Tags to Tasks

tasks:
  - name: Install Nginx
    apt:
      name: nginx
      state: present
    tags:
      - install
      - nginx
      - packages
  
  - name: Deploy Nginx config
    template:
      src: nginx.conf.j2
      dest: /etc/nginx/nginx.conf
    tags:
      - configure
      - nginx
      - config
  
  - name: Start Nginx
    service:
      name: nginx
      state: started
      enabled: true
    tags:
      - nginx
      - services
      - start

Running Tasks by Tag

ansible-playbook site.yml -i inventory.ini --tags install
ansible-playbook site.yml -i inventory.ini --tags "configure,nginx"
ansible-playbook site.yml -i inventory.ini --skip-tags packages

With --tags install, only tasks tagged install run. With --tags "configure,nginx", tasks tagged with either configure OR nginx run (union, not intersection). With --skip-tags packages, all tasks run except those tagged packages.

Tagging Entire Plays

- name: Install base packages
  hosts: all
  tags: base
  tasks:
    - name: Install curl
      apt:
        name: curl
        state: present

- name: Configure web servers
  hosts: webservers
  tags: web
  tasks: ...

Tags on a play apply to all tasks in that play. Running --tags base executes only the first play.

Special Built-In Tags

Ansible has four special tags with specific meanings:

  • always — The task always runs, even when specific tags are requested and this tag is not among them
  • never — The task never runs unless this tag is explicitly requested with --tags never
  • tagged — Matches all tasks that have at least one tag
  • untagged — Matches all tasks with no tags
- name: Print debug information (runs only when explicitly requested)
  debug:
    var: hostvars
  tags: never

- name: Ensure monitoring agent is running (always runs)
  service:
    name: datadog-agent
    state: started
  tags: always

Tag Strategy for Large Playbooks

Good tag taxonomy is an investment that pays off as playbooks grow. A practical tagging strategy for a web application playbook:

  • Phase tags: install, configure, deploy, verify
  • Component tags: nginx, postgresql, redis, app
  • Concern tags: security, monitoring, backup
  • Environment tags: production, staging (used with skip-tags)

This taxonomy lets operators select tasks precisely: --tags "configure,nginx" reconfigures only Nginx without touching the application or database.

Listing Available Tags

ansible-playbook site.yml --list-tags

This outputs all tags defined in the playbook without running anything. Use it to discover available tags when working with a playbook you did not write.

Try This: Add Tags to Your Web Server Playbook

Return to the Nginx playbook from Topic 15. Add appropriate tags to every task using the phase and component taxonomy above. Then run the playbook three times: once with --tags install, once with --tags configure, and once with --skip-tags install. Observe which tasks run in each scenario. This exercise builds the muscle memory for tag-based execution that becomes essential when working with large production playbooks.

Summary

Tags provide selective execution control in playbooks. Tasks can have multiple tags; running with --tags executes the union of all tasks matching any specified tag. --skip-tags excludes matching tasks. The special always tag forces a task to run regardless of tag selection; never excludes a task from normal runs. A consistent tag taxonomy is a key maintainability practice for large playbooks.

Previous lessons
Back to courses
Next lessons

Leave a Comment