diff --git a/install_files/ansible-base/roles/app-test/tasks/main.yml b/install_files/ansible-base/roles/app-test/tasks/main.yml
index c94759719b..138936f908 100644
--- a/install_files/ansible-base/roles/app-test/tasks/main.yml
+++ b/install_files/ansible-base/roles/app-test/tasks/main.yml
@@ -1,10 +1,10 @@
 ---
-- include: staging_wsgi_files.yml
+- include_tasks: staging_wsgi_files.yml
   when: "'staging' in group_names"
   tags:
     - apache
 
-- include: modern_gettext.yml
+- include_tasks: modern_gettext.yml
   tags:
     - modern_gettext
 
diff --git a/install_files/ansible-base/roles/app/tasks/main.yml b/install_files/ansible-base/roles/app/tasks/main.yml
index e095c243de..d9ea952dbb 100644
--- a/install_files/ansible-base/roles/app/tasks/main.yml
+++ b/install_files/ansible-base/roles/app/tasks/main.yml
@@ -1,15 +1,15 @@
 ---
-- include: app_install_fpf_deb_pkgs.yml
+- include_tasks: app_install_fpf_deb_pkgs.yml
   when: securedrop_app_install_from_repo
 
-- include: initialize_securedrop_app.yml
+- include_tasks: initialize_securedrop_app.yml
 
-- include: copy_tor_url_info_to_app_dir.yml
+- include_tasks: copy_tor_url_info_to_app_dir.yml
 
 # If HTTPS is enabled, certs must land before Apache vhost configs
 # are written, otherwise the Apache enmod tasks will fail.
-- include: copy_ssl_certs.yml
+- include_tasks: copy_ssl_certs.yml
   when:
     - securedrop_app_https_on_source_interface
 
-- include: install_and_harden_apache.yml
+- include_tasks: install_and_harden_apache.yml
diff --git a/install_files/ansible-base/roles/backup/tasks/main.yml b/install_files/ansible-base/roles/backup/tasks/main.yml
index b0ee966e36..e1eb25bd20 100644
--- a/install_files/ansible-base/roles/backup/tasks/main.yml
+++ b/install_files/ansible-base/roles/backup/tasks/main.yml
@@ -1,2 +1,2 @@
 ---
-- include: backup.yml
+- include_tasks: backup.yml
diff --git a/install_files/ansible-base/roles/common/handlers/main.yml b/install_files/ansible-base/roles/common/handlers/main.yml
index 2c51998c84..c79be5c066 100644
--- a/install_files/ansible-base/roles/common/handlers/main.yml
+++ b/install_files/ansible-base/roles/common/handlers/main.yml
@@ -5,7 +5,7 @@
 # in order to reuse a single implementation of reboot logic
 # as necessary.
 - name: reboot
-  include: "{{ role_path }}/../../tasks/reboot.yml"
+  include_tasks: "{{ role_path }}/../../tasks/reboot.yml"
 
 - name: update apt cache
   apt:
diff --git a/install_files/ansible-base/roles/common/tasks/main.yml b/install_files/ansible-base/roles/common/tasks/main.yml
index 8800b9f3f0..c5a68f650d 100644
--- a/install_files/ansible-base/roles/common/tasks/main.yml
+++ b/install_files/ansible-base/roles/common/tasks/main.yml
@@ -1,29 +1,29 @@
 ---
 - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
 
-- include: apt_sources.yml
+- include_tasks: apt_sources.yml
 
-- include: apt_upgrade.yml
+- include_tasks: apt_upgrade.yml
 
-- include: install_packages.yml
+- include_tasks: install_packages.yml
 
-- include: post_ubuntu_install_checks.yml
+- include_tasks: post_ubuntu_install_checks.yml
 
-- include: create_users.yml
+- include_tasks: create_users.yml
 
-- include: setup_etc_hosts.yml
+- include_tasks: setup_etc_hosts.yml
 
-- include: harden_dns.yml
+- include_tasks: harden_dns.yml
 
-- include: unattended_upgrades.yml
+- include_tasks: unattended_upgrades.yml
   tags:
     - ua
     - reboot
 
-- include: remove_unused_packages.yml
+- include_tasks: remove_unused_packages.yml
 
-- include: sysctl.yml
+- include_tasks: sysctl.yml
 
-- include: disable_swap.yml
+- include_tasks: disable_swap.yml
 
-- include: remove_kernel_modules.yml
+- include_tasks: remove_kernel_modules.yml
diff --git a/install_files/ansible-base/roles/grsecurity/tasks/main.yml b/install_files/ansible-base/roles/grsecurity/tasks/main.yml
index 957a572b79..9b559ad079 100644
--- a/install_files/ansible-base/roles/grsecurity/tasks/main.yml
+++ b/install_files/ansible-base/roles/grsecurity/tasks/main.yml
@@ -1,17 +1,17 @@
 ---
   # Check whether grsecurity is already configured,
   # since that fact will be used in multiple includes.
-- include: check_installation.yml
+- include_tasks: check_installation.yml
 
   # Install the grsec kernel prior to running unattended-upgrades to avoid
   # reboots
-- include: from_fpf_repo_install_grsec.yml
+- include_tasks: from_fpf_repo_install_grsec.yml
   tags:
     - grsec
 
-- include: clean_packages.yml
+- include_tasks: clean_packages.yml
 
-- include: apply_grsec_lock.yml
+- include_tasks: apply_grsec_lock.yml
   tags:
     - reboot
     - grsec
diff --git a/install_files/ansible-base/roles/install-local-packages/tasks/main.yml b/install_files/ansible-base/roles/install-local-packages/tasks/main.yml
index 23f572f2a9..c4c62ac533 100644
--- a/install_files/ansible-base/roles/install-local-packages/tasks/main.yml
+++ b/install_files/ansible-base/roles/install-local-packages/tasks/main.yml
@@ -7,6 +7,6 @@
   register: apt_mark_showhold_result
   changed_when: false
 
-- include: install_debs.yml
+- include_tasks: install_debs.yml
 
-- include: hold_debs.yml
+- include_tasks: hold_debs.yml
diff --git a/install_files/ansible-base/roles/ossec/tasks/main.yml b/install_files/ansible-base/roles/ossec/tasks/main.yml
index 271b2de169..f283ed02fb 100644
--- a/install_files/ansible-base/roles/ossec/tasks/main.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/main.yml
@@ -1,8 +1,8 @@
 ---
-- include: configure_client.yml
+- include_tasks: configure_client.yml
   when: ossec_is_client
 
-- include: configure_server.yml
+- include_tasks: configure_server.yml
   when: ossec_is_server
 
-- include: register.yml
+- include_tasks: register.yml
diff --git a/install_files/ansible-base/roles/postfix/tasks/main.yml b/install_files/ansible-base/roles/postfix/tasks/main.yml
index 4a613aed9f..6cf960d034 100644
--- a/install_files/ansible-base/roles/postfix/tasks/main.yml
+++ b/install_files/ansible-base/roles/postfix/tasks/main.yml
@@ -1,9 +1,9 @@
 ---
-- include: install_postfix.yml
+- include_tasks: install_postfix.yml
 
-- include: install_procmail.yml
+- include_tasks: install_procmail.yml
 
   # Configure SSL certificates for SMTP relay if manual
   # overrides are declared. See default vars
   # `smtp_relay_cert_override_file` and `smtp_relay_cert_override_dir`.
-- include: configure_custom_cert.yml
+- include_tasks: configure_custom_cert.yml
diff --git a/install_files/ansible-base/roles/reboot-if-first-install/tasks/main.yml b/install_files/ansible-base/roles/reboot-if-first-install/tasks/main.yml
index 4736f798d6..399ef6ea1f 100644
--- a/install_files/ansible-base/roles/reboot-if-first-install/tasks/main.yml
+++ b/install_files/ansible-base/roles/reboot-if-first-install/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
-- include: check_whether_reboot_needed.yml
+- include_tasks: check_whether_reboot_needed.yml
 
-- include: reboot-no-check.yml
+- include_tasks: reboot-no-check.yml
   # The conditional vars below are defined via set_fact
   # in the `check_whether_reboot_needed` task list.
   when: securedrop_initial_installation or securedrop_conditional_reboot
diff --git a/install_files/ansible-base/roles/reset-ssh-key/tasks/main.yml b/install_files/ansible-base/roles/reset-ssh-key/tasks/main.yml
index ba37b229c0..5494c00278 100644
--- a/install_files/ansible-base/roles/reset-ssh-key/tasks/main.yml
+++ b/install_files/ansible-base/roles/reset-ssh-key/tasks/main.yml
@@ -1,2 +1,2 @@
 ---
-- include: reset-ssh-key.yml
+- include_tasks: reset-ssh-key.yml
diff --git a/install_files/ansible-base/roles/restore/tasks/main.yml b/install_files/ansible-base/roles/restore/tasks/main.yml
index a6e3eb89fe..3d11d53427 100644
--- a/install_files/ansible-base/roles/restore/tasks/main.yml
+++ b/install_files/ansible-base/roles/restore/tasks/main.yml
@@ -1,11 +1,11 @@
 ---
 - name: Apply backup to Application Server
-  include: perform_restore.yml
+  include_tasks: perform_restore.yml
 
 - name: Remove deprecated v2 onion service configuration
-  include: cleanup_v2.yml
+  include_tasks: cleanup_v2.yml
   when: not restore_skip_tor
 
 - name: Restart Tor
-  include: update_tor.yml
+  include_tasks: update_tor.yml
   when: not restore_skip_tor
diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
index af075ecbbf..175bc07551 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
+++ b/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
@@ -1,14 +1,14 @@
 ---
 - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
 
-- include: fetch_tor_config.yml
+- include_tasks: fetch_tor_config.yml
   when: fetch_tor_client_auth_configs
 
-- include: dh_moduli.yml
+- include_tasks: dh_moduli.yml
 
-- include: ssh.yml
+- include_tasks: ssh.yml
 
-- include: iptables.yml
+- include_tasks: iptables.yml
   tags:
     - iptables
     - permissions
diff --git a/install_files/ansible-base/roles/restrict_direct_access_app/tasks/main.yml b/install_files/ansible-base/roles/restrict_direct_access_app/tasks/main.yml
index 35fa7e27e4..f24d3f545f 100644
--- a/install_files/ansible-base/roles/restrict_direct_access_app/tasks/main.yml
+++ b/install_files/ansible-base/roles/restrict_direct_access_app/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
-- include: app_display_onions.yml
+- include_tasks: app_display_onions.yml
   tags: backup
 
-- include: ssh.yml
+- include_tasks: ssh.yml
 
-- include: app_iptables.yml
+- include_tasks: app_iptables.yml
diff --git a/install_files/ansible-base/roles/restrict_direct_access_mon/tasks/main.yml b/install_files/ansible-base/roles/restrict_direct_access_mon/tasks/main.yml
index f67f0944ab..5d13d48f49 100644
--- a/install_files/ansible-base/roles/restrict_direct_access_mon/tasks/main.yml
+++ b/install_files/ansible-base/roles/restrict_direct_access_mon/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
-- include: mon_display_onions.yml
+- include_tasks: mon_display_onions.yml
   tags: backup
 
-- include: ssh.yml
+- include_tasks: ssh.yml
 
-- include: mon_iptables.yml
+- include_tasks: mon_iptables.yml
diff --git a/install_files/ansible-base/roles/tails-config/tasks/main.yml b/install_files/ansible-base/roles/tails-config/tasks/main.yml
index 542ca910e3..8f92103b88 100644
--- a/install_files/ansible-base/roles/tails-config/tasks/main.yml
+++ b/install_files/ansible-base/roles/tails-config/tasks/main.yml
@@ -1,21 +1,21 @@
 ---
 # Reuse validation logic.
-- include: "{{ role_path }}/../validate/tasks/validate_tails_environment.yml"
+- include_tasks: "{{ role_path }}/../validate/tasks/validate_tails_environment.yml"
 
-- include: copy_dotfiles.yml
+- include_tasks: copy_dotfiles.yml
 
-- include: configure_torrc_additions.yml
+- include_tasks: configure_torrc_additions.yml
 
-- include: create_desktop_shortcuts.yml
+- include_tasks: create_desktop_shortcuts.yml
 
-- include: install_shell_extension.yml
+- include_tasks: install_shell_extension.yml
 
-- include: configure_network_hook.yml
+- include_tasks: configure_network_hook.yml
 
 - name: Check that we are on an admin workstation
   stat:
     path: group_vars/all/site-specific
   register: site_specific_result
 
-- include: create_ssh_aliases.yml
+- include_tasks: create_ssh_aliases.yml
   when: site_specific_result.stat.exists
diff --git a/install_files/ansible-base/roles/tor-hidden-services/tasks/main.yml b/install_files/ansible-base/roles/tor-hidden-services/tasks/main.yml
index 3e24b6a0ff..5078910ae3 100644
--- a/install_files/ansible-base/roles/tor-hidden-services/tasks/main.yml
+++ b/install_files/ansible-base/roles/tor-hidden-services/tasks/main.yml
@@ -1,4 +1,4 @@
 ---
-- include: install_tor.yml
+- include_tasks: install_tor.yml
 
-- include: configure_tor_hidden_services.yml
+- include_tasks: configure_tor_hidden_services.yml
diff --git a/install_files/ansible-base/roles/validate/tasks/main.yml b/install_files/ansible-base/roles/validate/tasks/main.yml
index 426d6a6088..012f2c9654 100644
--- a/install_files/ansible-base/roles/validate/tasks/main.yml
+++ b/install_files/ansible-base/roles/validate/tasks/main.yml
@@ -1,3 +1,3 @@
 ---
-- include: validate_tails_environment.yml
+- include_tasks: validate_tails_environment.yml
   when: securedrop_validate_tails_environment
diff --git a/install_files/ansible-base/securedrop-prod.yml b/install_files/ansible-base/securedrop-prod.yml
index 45296777cd..6d80361c63 100755
--- a/install_files/ansible-base/securedrop-prod.yml
+++ b/install_files/ansible-base/securedrop-prod.yml
@@ -44,7 +44,7 @@
         - not enable_ssh_over_tor
         - sd_dir_check.stat.exists
 
-    - include: tasks/transition_ssh_local.yml
+    - include_tasks: tasks/transition_ssh_local.yml
       when:
         - not enable_ssh_over_tor
         - sd_dir_check.stat.exists