On Wed, Jan 12, 2022 at 11:21:43AM -0500, Richard Megginson wrote:
we have this problem in system roles with several roles - for
you want to set selinux policy, ansible is probably not the entire source
of truth e.g. if you just want to allow a port, you don't want to also
provide the entire default policy for the system
however, in some cases, you do want to replace everything with your
we investigated how other ansible roles/modules do this and came up with
The ansible community has come up with an alternate approach that they are
adopting for network related modules:
basically, add additional values for `state` other than the usual
"present", "absent", etc.
I was aware of the network modules convention and I have never liked it,
because it overloads the meaning of "state" way beyond the original
meaning in usual Ansible modules [*] (it is not used anymore for enforcing
some state of the target resource, but for describing the "edit"
operation to be made). From a quick look I see similar concerns raised
in the discussion of the proposal, but it was adopted anyway (I should
have been more active in promoting our alternative).
[*] with tiny exceptions like state: touch of the file module.