We have this problem in system roles with several roles - for example, if you want to set selinux policy, ansible is probably not the entire source of truth, e.g. if you just want to allow a port, you don't want to also provide the entire default policy for the system. However, in some cases, you do want to replace everything with your specified policy. We investigated how other ansible roles/modules do this and came up with https://linux-system-roles.github.io/documentation/incremental_settings.html
The ansible community has come up with an alternate approach that they are adopting for network related modules: https://github.com/ansible-community/community-topics/issues/33
Basically, add additional values for `state` other than the usual "present", "absent", etc.
Hello Rich,
On Wed, Jan 12, 2022 at 11:21:43AM -0500, Richard Megginson wrote:
> We have this problem in system roles with several roles - for example, if you want to set selinux policy, ansible is probably not the entire source of truth, e.g. if you just want to allow a port, you don't want to also provide the entire default policy for the system. However, in some cases, you do want to replace everything with your specified policy. We investigated how other ansible roles/modules do this and came up with https://linux-system-roles.github.io/documentation/incremental_settings.html
> The ansible community has come up with an alternate approach that they are adopting for network related modules: https://github.com/ansible-community/community-topics/issues/33
> Basically, add additional values for `state` other than the usual "present", "absent", etc.
I was aware of the network modules convention and I have never liked it, because it overloads the meaning of "state" way beyond the original meaning in usual Ansible modules [*] (it is not used anymore for enforcing some state of the target resource, but for describing the "edit" operation to be made). From a quick look I see similar concerns raised in the discussion of the proposal, but it was adopted anyway (I should have been more active in promoting our alternative).
[*] with tiny exceptions like state: touch of the file module.
Regards, Pavel
systemroles@lists.fedorahosted.org