Ansible
Core concepts
inventory: hosts/groups to manage (static file or dynamic inventory plugin)
playbook: YAML list of plays, each mapped to a set of hosts
play: set of tasks run against a group of hosts
task: single module call (e.g. copy, apt, service)
role: reusable package of tasks + vars + handlers + templates
handler: task triggered by notify:, runs once at the end of the play even if notified several times
fact: host variables gathered automatically by the setup module (gather_facts)
vault: encrypts variable files or single values at rest; decrypted at run time with a vault password or vault ID
Playbook skeleton
---
- name: Deploy web app
  hosts: webservers
  become: true
  vars:
    app_port: 8080

  tasks:
    - name: Install nginx
      ansible.builtin.apt:
        name: nginx
        state: present
      notify: restart nginx

  handlers:
    - name: restart nginx
      ansible.builtin.service:
        name: nginx
        state: restarted
Essential CLI
$ ansible-playbook site.yml -i hosts          # run playbook against the given inventory
$ ansible-playbook site.yml --check           # dry run: no changes; command/shell tasks are skipped unless the task sets check_mode: false
$ ansible-playbook site.yml --diff            # show file/template changes (pairs well with --check)
$ ansible all -m ping                         # connectivity test: login + Python on the host (the ping module, not ICMP)
$ ansible-vault encrypt vars.yml              # encrypt file; supply the password at run time with --ask-vault-pass or --vault-password-file
$ ansible-galaxy role install geerlingguy.nginx   # install role from Galaxy (pin versions in requirements.yml)
$ ansible-lint site.yml                       # lint check
Common modules
ansible.builtin.copy, ansible.builtin.template, ansible.builtin.apt / yum, ansible.builtin.service, ansible.builtin.user, ansible.builtin.file, ansible.builtin.command, ansible.builtin.shell, ansible.builtin.uri, ansible.builtin.debug, ansible.builtin.set_fact, ansible.builtin.include_tasks, azure.azcollection.*
Prefer command over shell: shell passes the string through /bin/sh, so any interpolated variable must go through the quote filter ({{ var | quote }}) or it is a command-injection sink. Set no_log: true on tasks that handle secrets.
Role directory structure
roles/myrole/
├── tasks/main.yml        # entry point
├── handlers/main.yml
├── templates/app.conf.j2
├── files/
├── vars/main.yml         # high precedence, hard to override
├── defaults/main.yml     # lowest precedence, meant to be overridden per host/group
└── meta/main.yml         # dependencies, galaxy metadata
Azure Policy
Core concepts
definition: JSON rule specifying a condition (if) + effect (then)
initiative: grouped set of policy definitions (policy set definition)
assignment: definition/initiative applied to a scope, with parameter values; DeployIfNotExists/Modify assignments need a managed identity with the role to make the change
scope: management group / subscription / resource group / resource
exclusion: child scope omitted from an assignment (notScopes); an exemption is a separate resource that waives an assignment for a scope (waiver or mitigated)
remediation: task that applies a DeployIfNotExists/Modify effect to existing non-compliant resources
compliance: % of evaluated resources meeting the policy conditions
Policy effects
Audit: log non-compliant, don't block
Deny: block the request; enforced on create/update only, existing resources are reported non-compliant, not changed
Append: add fields to the resource on create/update
Modify: add/replace/remove tags and aliased properties (remediable)
DeployIfNotExists: deploy a related resource if absent (remediable)
AuditIfNotExists: audit if related resource is missing
Disabled: effect turned off (testing, or parking a definition)
Policy definition (JSON)
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type",
          "equals": "Microsoft.Storage/storageAccounts" },
        { "field": "tags['env']",
          "exists": "false" }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
AZ CLI
$ az policy definition create --name ... --rules rules.json --mode Indexed     # --rules takes the if/then rule (or a file); mode is a separate flag
$ az policy assignment create --name ... --policy ... --scope /subscriptions/<id>
$ az policy assignment create --name ... --policy ... --scope ... --mi-system-assigned --location <region>   # identity for DeployIfNotExists/Modify
$ az policy state list --filter "complianceState eq 'NonCompliant'"
$ az policy remediation create --name ... --policy-assignment ...
$ az policy set-definition create --name ... --definitions defs.json
Key built-in initiatives
Microsoft cloud security benchmark (formerly Azure Security Benchmark), CIS Microsoft Azure Foundations Benchmark 2.0, NIST SP 800-53 R5, ISO 27001:2013, PCI DSS 4.0, HIPAA / HITRUST, GDPR, FedRAMP High
Condition operators
equals / notEquals (case-insensitive), like / notLike (single * wildcard), match / notMatch (# digit, ? letter, . any; case-sensitive), contains / notContains, in / notIn, exists, greater / less, allOf / anyOf / not
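To see how the definition above and these operators combine, here is a minimal offline evaluator of the policy rule language, added as an example; it is not Azure's engine and simplifies some semantics (a missing field makes negated operators true; `like` is implemented with fnmatch, which also honours `?` and `[]` where Azure only has `*`). The two rules and the resource documents are constructed for illustration; the first copies the page's deny-untagged-storage rule, the second is an anyOf/notIn/like audit rule that goes beyond it.

```python
"""Offline evaluator for Azure Policy if/then rules (added example, not Azure's engine)."""
from __future__ import annotations
import fnmatch
import re
from typing import Any, Optional

# Constructed copy of the page's rule: deny storage accounts with no env tag.
DENY_UNTAGGED_STORAGE = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "tags['env']", "exists": "false"},
        ]},
        "then": {"effect": "deny"},
    },
}

# Constructed audit rule: location outside an allow-list, or a name not prefixed prod.
AUDIT_LOCATION_OR_NAME = {
    "mode": "All",
    "policyRule": {
        "if": {"anyOf": [
            {"field": "location", "notIn": ["eastus", "westeurope"]},
            {"not": {"field": "name", "like": "prod*"}},
        ]},
        "then": {"effect": "audit"},
    },
}


def get_field(resource: dict, field: str) -> tuple[bool, Any]:
    """Resolve a 'field' reference: top-level properties plus tags['x'] / tags.x.
    Returns (exists, value) so the exists operator can be answered."""
    m = re.fullmatch(r"tags\['([^']+)'\]|tags\.([^.\[\]]+)", field)
    if m:
        tags = resource.get("tags") or {}
        key = m.group(1) or m.group(2)
        return key in tags, tags.get(key)
    return field in resource, resource.get(field)


def _match(value: str, pattern: str) -> bool:
    """Azure 'match': '#' = digit, '?' = letter, '.' = any char, case-sensitive."""
    rx = "".join({"#": r"\d", "?": "[A-Za-z]", ".": "."}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(rx, value) is not None


def _lower(x: Any) -> Any:
    return x.lower() if isinstance(x, str) else x


# Positive operators; the notX forms are derived from these in eval_condition.
_OPS = {
    "equals":   lambda v, x: _lower(v) == _lower(x),
    "like":     lambda v, x: fnmatch.fnmatchcase(str(v).lower(), str(x).lower()),
    "match":    lambda v, x: _match(str(v), x),
    "contains": lambda v, x: _lower(x) in _lower(v),
    "in":       lambda v, x: _lower(v) in [_lower(i) for i in x],
    "greater":  lambda v, x: float(v) > float(x),
    "less":     lambda v, x: float(v) < float(x),
}
_NEGATED = {"notEquals": "equals", "notLike": "like", "notMatch": "match",
            "notContains": "contains", "notIn": "in"}


def eval_condition(cond: dict, resource: dict) -> bool:
    """Recursively evaluate an 'if' block against a resource document."""
    if "allOf" in cond:
        return all(eval_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(eval_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not eval_condition(cond["not"], resource)
    exists, value = get_field(resource, cond["field"])
    if "exists" in cond:                      # "true"/"false" string or a JSON boolean
        return exists == (str(cond["exists"]).lower() == "true")
    for op, positive in _NEGATED.items():     # simplification: missing field => notX is true
        if op in cond:
            return (not _OPS[positive](value, cond[op])) if exists else True
    for op, fn in _OPS.items():
        if op in cond:
            return exists and fn(value, cond[op])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition: dict, resource: dict) -> Optional[str]:
    """Return the lowercased effect when the rule's 'if' matches, else None."""
    rule = definition["policyRule"]
    return str(rule["then"]["effect"]).lower() if eval_condition(rule["if"], resource) else None


def admit(definition: dict, resource: dict) -> tuple[bool, str]:
    """Write-path outcome: deny blocks the request; every other effect lets it through
    and records the resource as non-compliant (append/modify/DINE simplified to that)."""
    effect = evaluate(definition, resource)
    if effect is None:
        return True, "compliant"
    if effect == "deny":
        return False, "denied"
    return True, f"non-compliant ({effect})"


# Constructed resource documents in the shape of an ARM PUT body.
SA_NO_TAG = {"type": "Microsoft.Storage/storageAccounts", "name": "prodsa01",
             "location": "eastus", "tags": {}}
SA_TAGGED = {**SA_NO_TAG, "tags": {"env": "prod"}}
SA_LOWER_TYPE = {**SA_NO_TAG, "type": "microsoft.storage/storageaccounts"}  # equals is case-insensitive
VM_NO_TAG = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1",
             "location": "northeurope", "tags": {}}

if __name__ == "__main__":
    for label, res in [("SA_NO_TAG", SA_NO_TAG), ("SA_TAGGED", SA_TAGGED),
                       ("SA_LOWER_TYPE", SA_LOWER_TYPE), ("VM_NO_TAG", VM_NO_TAG)]:
        print(label, admit(DENY_UNTAGGED_STORAGE, res), admit(AUDIT_LOCATION_OR_NAME, res))
```

Two practical points the run makes visible: `equals` on `type` is case-insensitive, so a lower-cased type in a request does not slip past the deny; and the untagged VM is compliant with the storage rule but non-compliant with the audit rule, which only records it, so a Deny is the only effect that actually stops the write.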
Azure ARC
Core concepts
Arc-enabled server: on-prem / other-cloud machine managed through the Connected Machine agent (azcmagent)
Arc-enabled Kubernetes: any CNCF-conformant cluster connected to Azure
Arc-enabled SQL Server: SQL Server outside Azure, managed centrally
Arc data services: Azure SQL Managed Instance / PostgreSQL run on any infrastructure
HIMDS agent: Hybrid Instance Metadata Service on each host; serves the machine's managed-identity tokens from a local endpoint, like IMDS on an Azure VM
Connected cluster: Arc agents run as pods in the azure-arc namespace
GitOps (Flux): declarative config sync from git to the cluster
Custom locations: deploy Azure services onto Arc infrastructure
Onboard a server (Linux)
# Generate the onboarding script in the portal (Azure Arc > Machines > Add) and copy it
# to the target; it embeds the values below. Manual equivalent:
wget https://aka.ms/azcmagent -O ~/install_linux_azcmagent.sh
sudo bash ~/install_linux_azcmagent.sh        # installs the Connected Machine agent

# Connect the machine (device login interactively; for automation use
# --service-principal-id / --service-principal-secret with a least-privilege
# "Azure Connected Machine Onboarding" role)
sudo azcmagent connect \
  --resource-group   "myRG" \
  --tenant-id        "<tid>" \
  --subscription-id  "<sid>" \
  --location         "eastus" \
  --cloud            "AzureCloud"

sudo azcmagent show                           # confirm Agent Status: Connected
Connect a k8s cluster
# Prerequisites: kubectl + az CLI, current kubeconfig context pointing at the
# cluster, outbound HTTPS (443) from the cluster to the Azure endpoints
az extension add --name connectedk8s
az connectedk8s connect \
  --name    myCluster \
  --resource-group myRG \
  --location eastus

# Verify agent pods in azure-arc namespace
kubectl get pods -n azure-arc
GitOps — deploy Flux config
az extension add --name k8s-configuration
az k8s-configuration flux create \
  --name       my-app-config \
  --cluster-name myCluster \
  --cluster-type connectedClusters \
  --resource-group myRG \
  --url        https://github.com/org/repo \
  --branch     main \
  --kustomization name=apps path=./clusters/prod prune=true
# prune=true removes cluster objects deleted from git; omit it for a non-destructive first sync.
# For a private repo pass credentials via --https-user/--https-key or --ssh-private-key-file.
ARC + Azure Policy
Arc-enabled resources are projected into Azure Resource Manager as ordinary resources (Microsoft.HybridCompute/machines, Microsoft.Kubernetes/connectedClusters), so policies are assigned at the same scopes and evaluated the same way as for native Azure resources.
Flow: Arc server / k8s -> Azure resource provider -> policy evaluation -> compliance state
Audit: guest OS settings assessed via the machine configuration (guest configuration) extension
DeployIfNotExists: auto-deploy the Azure Monitor agent (AMA) / Defender for Servers extension; the Log Analytics agent (MMA) is retired, so target AMA
Kubernetes: Azure Policy extension for Arc-enabled Kubernetes (OPA/Gatekeeper) enforces admission constraints in-cluster
What you get on Arc resources
Azure RBAC, Azure Policy, Microsoft Defender, Azure Monitor, Update Manager, Inventory & Tags, Extensions (AMA, Defender, Custom Script; the MMA/OMS agent is retired), SSH & Run Command, Managed Identity, GitOps / Flux, Confidential compute