Adding insights compliance policy

Hi all,

I have written a role that converts our current Alma Linux VMs to RHEL. As the last step I wanted to add CIS Compliance policy to the role. However, it seems to be failing.

fatal: [TESTHOST01]: FAILED! => {
    "changed": true,
    "cmd": [
        "insights-client",
        "--compliance-assign",
        "<ID>"
    ],
    "delta": "0:00:00.604603",
    "end": "2026-02-27 16:01:55.984529",
    "invocation": {
        "module_args": {
            "_raw_params": "insights-client --compliance-assign <ID>",
            "_uses_shell": false,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true
        }
    },
    "msg": "non-zero return code",
    "rc": 2,
    "start": "2026-02-27 16:01:55.379926",
    "stderr": "usage: insights-client [-h] [--ansible-host ANSIBLE_HOST] [--checkin]\n                       [--collector APP] [--manifest MANIFEST]\n                       [--build-packagecache] [--compliance] [--conf CONF]\n                       [--disable-schedule] [--display-name DISPLAY_NAME]\n                       [--enable-schedule] [--group GROUP] [--keep-archive]\n                       [--list-specs] [--logging-file LOGGING_FILE]\n                       [--net-debug] [--no-upload] [--offline]\n                       [--output-dir OUTPUT_DIR] [--output-file OUTPUT_FILE]\n                       [--quiet] [--register] [--retry RETRIES]\n                       [--show-results] [--silent] [--status] [--support]\n                       [--test-connection] [--unregister] [--validate]\n                       [--verbose] [--version] [--payload PAYLOAD]\n                       [--content-type CONTENT_TYPE] [--diagnosis [DIAGNOSIS]]\ninsights-client: error: unrecognized arguments: --compliance-assign 476229ee-d27b-4e0d-8f75-77bd4b40e43c",
    "stderr_lines": [
        "usage: insights-client [-h] [--ansible-host ANSIBLE_HOST] [--checkin]",
        "                       [--collector APP] [--manifest MANIFEST]",
        "                       [--build-packagecache] [--compliance] [--conf CONF]",
        "                       [--disable-schedule] [--display-name DISPLAY_NAME]",
        "                       [--enable-schedule] [--group GROUP] [--keep-archive]",
        "                       [--list-specs] [--logging-file LOGGING_FILE]",
        "                       [--net-debug] [--no-upload] [--offline]",
        "                       [--output-dir OUTPUT_DIR] [--output-file OUTPUT_FILE]",
        "                       [--quiet] [--register] [--retry RETRIES]",
        "                       [--show-results] [--silent] [--status] [--support]",
        "                       [--test-connection] [--unregister] [--validate]",
        "                       [--verbose] [--version] [--payload PAYLOAD]",
        "                       [--content-type CONTENT_TYPE] [--diagnosis [DIAGNOSIS]]",
        "insights-client: error: unrecognized arguments: --compliance-assign <ID>"
    ],
    "stdout": "",
    "stdout_lines": []
}

The actual ID was reducted

I’ve already tried using the shell module and command module with cmd. However, I still get the same results.

Strangely enough when I write a separate play to apply just the policy, it works.

The playbook is executed with become and --compliance-assign only works with the elevated privledges when you try to execute it manually on a VM.

Thanks in advance