Hi Julien,
I confess I've not used this module for ACL management for many of the reasons you note. Also, the idempotency works at the ACL level but the module at the ACE level and that always worried me. I can see myself checking for one ACE and basically turning my ACL into a one line ACL.
I tend to use the template module and then the xxxx-config module (ios or nxos).
I'd stay away from the include_vars and go with a group_vars file or a host_vars file depending on what you need.
For example, I have a standard NTP ACL for all the NXOS devices which I represent with a group called [nxos] in my host file.
So in my group_vars directory I have an nxos.yml file with something like this:

ntp_acl:
  - src: any
    dest: 1.1.1.123/24
  - src: any
    dest: 1.1.1.23/24
and in my template file I have
{# ntp_acl.j2 #}
no ip access-list NTP_ACL
ip access-list NTP_ACL
permit ip any 192.168.2.123/24
permit ip any 192.168.1.23/24
{% for ace in ntp_acl %}
{# Additional Local NTP Servers #}
permit ip {{ ace.src }} {{ ace.dest }}
{% endfor %}
{# End ntp_acl.j2 #}
That builds the ACL I want using the template module and then I use the config module to apply it.
So I have a make_cfg.yml playbook with this task:

- name: Create hostname config file from template
  template:
    src: templates/ntp_acl.j2
    dest: src/{{ inventory_hostname }}.cfg
and then I have an apply_cfg.yml playbook with this task
- name: Configure Using nxos_config Module
  nxos_config:
    provider: "{{ cli }}"
    backup: yes
    match: none
    timeout: 15
    src: src/{{ inventory_hostname }}.cfg
    # intended_config takes the configuration text itself (src takes a path),
    # so read the rendered file in rather than passing its path
    intended_config: "{{ lookup('file', 'src/' ~ inventory_hostname ~ '.cfg') }}"
    diff_against: intended
I do this when I'm first setting up a site but these can certainly be in one playbook.
You can also use the config module to do diffs, so that's how I check compliance.
Not sure if that helps...but that may be another way to tackle the problem...
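The two playbooks above folded into one, plus a check-mode play that only reports drift against the rendered file. This is an added example, not code from the original reply; it assumes the [nxos] group, the ntp_acl and cli variables in group_vars/nxos.yml, and templates/ntp_acl.j2 as described.

```yaml
# ntp_acl.yml (added example; assumes the inventory group, group_vars and
# template described in the reply above)
- name: Render and push the NTP ACL
  hosts: nxos
  gather_facts: no
  connection: local
  tasks:
    - name: Render per-host config from the ACE list in group_vars
      template:
        src: templates/ntp_acl.j2
        dest: src/{{ inventory_hostname }}.cfg

    # match none sends every line, so the leading "no ip access-list" in the
    # template rebuilds the ACL whole instead of leaving stale ACEs behind
    - name: Push the rendered ACL with nxos_config
      nxos_config:
        provider: "{{ cli }}"
        backup: yes
        match: none
        src: src/{{ inventory_hostname }}.cfg

- name: Compliance check only (check mode makes no changes on the device)
  hosts: nxos
  gather_facts: no
  connection: local
  tasks:
    - name: Diff running-config against the intended ACL file
      nxos_config:
        provider: "{{ cli }}"
        # intended_config takes configuration text, not a path
        intended_config: "{{ lookup('file', 'src/' ~ inventory_hostname ~ '.cfg') }}"
        diff_against: intended
      check_mode: yes
      diff: yes
      register: acl_check

    - name: Show the diff for hosts that drift from the intended file
      debug:
        var: acl_check.diff
      when: acl_check.diff is defined
```

Run the second play on its own with `ansible-playbook ntp_acl.yml --diff` to get the compliance report without touching the devices.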