Open garamirseokim opened 2 years ago
@garamirseokim thank you for the feature request for the `acl` module!

The `acl` module uses the `setfacl` command on the backend to set ACLs. The recursive (`recurse`) option of the `acl` module is simply executed by specifying `--recursive` in the `setfacl` command.

BTW, as far as I know, the `setfacl` command doesn't have an option to exclude files and directories in combination with the `--recursive` option, so implementing this on the `acl` module side of Ansible will probably require major modifications and testing.

Having said that, your request is reasonable. Ideally, it would be better to wait for an option like `exclude` to be implemented on the `setfacl` command side, but I think it is worth considering the implementation on the `acl` module side.

So, I'll set the `verified`, `feature`, and `waiting_on_contributor` labels to this request :)
Thank you @saito-hideki
SUMMARY
We would like the 'acl' module to cater for excluding files or directories when the "recurse: True" option is used.
ISSUE TYPE
COMPONENT NAME
ACL
ADDITIONAL INFORMATION
We add and enforce ACLs across /var/log on all systems. We do this to ensure that logs from the myriad of applications we use will always be readable by the service account. (The alternative would be to give the service user membership of the 'root' group, but we don't want to do this for security reasons.) The problem is that files like /var/log/audit.log, /var/log/wtmp and /var/log/btmp must not have an ACL applied, and the service doesn't need to read them.
Right now we have a complex playbook which pre-sets ACLs on the files we don't want (with changed: False), runs the acl task across all of /var/log, then un-sets the ACLs on the files we don't want affected (also with changed: False).
We previously used a find module to find all files, with exclusions, and then looped the resulting variable through the 'acl' module, but this is far too slow. We use Ansible to enforce standardisation on our systems so it runs regularly, which means the most efficient method of running matters to us.
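The three-step workaround the post describes (pre-set the ACL on the excluded files, run the `acl` task recursively, then un-set it again), written out as an Ansible play. This is an added example, not code from the issue or from the ansible.posix project; the service account name `svc-logreader` and the `rX` permission string are assumptions, while the excluded paths are the ones the post names.

```yaml
# Added example, not from the issue: the "pre-set, recurse, un-set" workaround
# the post describes, as an Ansible play. Account name and permission string
# are assumptions; the excluded paths are the ones the post names.
- name: Grant a service account read access to /var/log without touching sensitive files
  hosts: all
  become: true
  vars:
    log_reader: svc-logreader        # assumed service account name
    log_root: /var/log
    excluded_logs:                   # files that must never carry the ACL
      - /var/log/audit.log
      - /var/log/wtmp
      - /var/log/btmp
    # rX: read everywhere, execute only on directories (needed for traversal)
    # or on files that already have an execute bit, so log files stay non-executable
    log_perms: rX
  tasks:
    - name: Pre-set the ACL on excluded files so the recursive task sees no change there
      ansible.posix.acl:
        path: "{{ item }}"
        entity: "{{ log_reader }}"
        etype: user
        permissions: "{{ log_perms }}"
        state: present
      loop: "{{ excluded_logs }}"
      changed_when: false            # bookkeeping step, not a real change

    - name: Apply the ACL recursively across the whole log tree
      ansible.posix.acl:
        path: "{{ log_root }}"
        entity: "{{ log_reader }}"
        etype: user
        permissions: "{{ log_perms }}"
        state: present
        recursive: true              # setfacl --recursive under the hood

    - name: Remove the ACL again from the excluded files
      ansible.posix.acl:
        path: "{{ item }}"
        entity: "{{ log_reader }}"
        etype: user
        state: absent
      loop: "{{ excluded_logs }}"
      changed_when: false            # undoing step 1, so not reported as a change
```

Note that between the recursive task and the final un-set the excluded files briefly carry the ACL, so anything that audits ACLs on those files should run after the play completes rather than mid-run. Any file created under /var/log between runs that should be excluded needs to be added to `excluded_logs`, otherwise the next recursive run will grant the service account read access to it.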