we have this problem in system roles with several roles - for example, if you want to set selinux policy, ansible is probably not the entire source of truth e.g. if you just want to allow a port, you don't want to also provide the entire default policy for the system however, in some cases, you do want to replace everything with your specified policy we investigated how other ansible roles/modules do this and came up with https://linux-system-roles.github.io/documentation/incremental_settings.html The ansible community has come up with an alternate approach that they are adopting for network related modules: https://github.com/ansible-community/community-topics/issues/33 basically, add additional values for `state` other than the usual "present", "absent", etc.