Ansible Automation Platform provides powerful tools for orchestrating and scaling automation across teams and environments. As automation grows, maintaining consistency and preventing misconfiguration becomes increasingly important.
In some cases, teams adopt naming conventions to clearly separate resources, for example, using prefixes like prod_ or dev_ in job templates, inventories, credentials, and projects. These naming patterns help reinforce environment boundaries and reduce the chance of accidental misuse.
With Policy Enforcement, organizations can take this one step further by ensuring these naming conventions exist at execution time.
Example Policy aap_policy_examples/mismatch_prefix_allowed_false.rego
The policy below inspects the job template's name prefix and compares it with the prefix of:
- The job template name
- The inventory name
- The project name
- Each credential used
If any of them don't match the job template's prefix, the job is blocked.
package aap_policy_examples
prefix_delimiter := "_"
# job_template_prefix extracts the substring before the first prefix_delimiter in `input.job_template.name`.
job_template_prefix := jtp if {
parts := split(input.job_template.name, prefix_delimiter)
jtp := parts[0]
}
# inventory_prefix extracts the substring before the first prefix_delimiter in `input.inventory.name`.
inventory_prefix := inv_pref if {
parts := split(input.inventory.name, prefix_delimiter)
inv_pref := parts[0]
}
# project_prefix extracts the substring before the first prefix_delimiter in `input.project.name`.
project_prefix := proj_pref if {
parts := split(input.project.name, prefix_delimiter)
proj_pref := parts[0]
}
# credentials_prefixes is a list of prefix values from each credential's name.
credentials_prefixes := [cprefix |
cred := input.credentials[_] # iterate over credentials
parts := split(cred.name, prefix_delimiter) # split name
cprefix := parts[0] # grab the first part
]
# mismatch is true if either:
# 1. The project prefix != job template prefix, OR
# 2. The inventory prefix != job template prefix OR
# 3. Any credential's prefix != job template prefix.
mismatch if {
project_prefix != job_template_prefix
}
mismatch if {
inventory_prefix != job_template_prefix
}
mismatch if {
some cp in credentials_prefixes
cp != job_template_prefix
}
default mismatch_prefix_allowed_false := {
"allowed": true,
"violations": [],
}
mismatch_prefix_allowed_false := {
"allowed": false,
"violations": ["Mismatch prefix between Inventory, Credentials and Project detected."],
} if {
mismatch
}{
"id": 785,
"name": "demo_Job Template",
"credentials": [
{
"name": "demo_Credential",
"description": "",
"organization": null,
"credential_type": 1,
"managed": false,
"inputs": {
"username": "admin"
},
"kind": "ssh",
"cloud": false,
"kubernetes": false
}
],
"project": {
"id": 6,
"name": "demo_Project",
"status": "successful",
"scm_type": "git",
"scm_url": "https://github.com/ansible/ansible-tower-samples",
"scm_branch": "",
"scm_refspec": "",
"scm_clean": false,
"scm_track_submodules": false,
"scm_delete_on_update": false
},
"inventory": {
"name": "prod_Inventory",
"description": "",
"has_active_failures": false,
"total_hosts": 1,
"hosts_with_active_failures": 0,
"total_groups": 0,
"has_inventory_sources": false,
"total_inventory_sources": 0,
"kind": ""
},
}{
"allowed": false,
"violations": [
"Mismatch prefix between Inventory, Credentials and Project detected."
]
}When this policy is enforced, the job will ERROR if any of the following are true:
- The inventory name prefix does not match the job template name prefix
- The project name prefix does not match the job template name prefix
- One or more credentials have a name prefix that doesn't match
This policy is applied within the Job Template, ensuring that every job execution strictly follows naming conventions.
A platform team manages automation across different environments — prod, dev, and qa — within the same Ansible Automation Platform instance. Each job template, inventory, project, and credential is named using a prefix (e.g., prod_, dev_) to denote its environment.
During a production incident, a developer accidentally launched a job template using a dev_ project with a prod_ inventory and credential. The automation went through — but made unintended changes to a live system.
To prevent this from happening again, the team enforced a policy that checks for naming consistency across job resources. Any job that combines mismatching prefixes is now automatically blocked before execution.
With the policy in place:
- 🚫 Mismatched environments are blocked – accidental combinations of unrelated resource sets are caught at execution time.
- ✅ Consistent naming is enforced – only resources with the same prefix can be used together.
- ✅ Clear violation messages help users self-correct – reducing support overhead and errors.
- Prevent Human Error – Automate the guardrails to reduce human errors.
- Enforce Standards – Naming conventions become enforceable, not just suggested.
- Reduce Risk – Ensure production inventories are only used with production-configured jobs.
With Policy Enforcement at Runtime in Ansible Automation Platform, you can go beyond access control and enforce context aware policies protecting your infrastructure with smart, simple rules.