regarding https://github.com/ansible/ansible/pull/7818

Hi,

I think the patch that has been accepted (in the context of https://github.com/ansible/ansible/pull/7818) doesn’t provide a way to selectively remove rules from an ec2 security group. This pull request provides that functionality too. How do you plan to address that?

Ansible is all about modelling desired state versus imperatively adding or removing, so in this case, I would expect (and hope) folks would want to model the list of all the rules that should be applied, and turn off the ones that they do not.

If you just have a playbook that removes some rules, you would miss removing the ones that got installed out of band, right?

I understand. But if you can remove specific instances from ec2, remove specific instances from ELB, remove specific packages from a system among various other things then why shouldn’t we have this?

Moreover, I am saying there should be support for both: modelling a security group and also being able to manage it by selectively adding or removing rules.

It’s simple: when you have support for doing other things selectively, like I mentioned in an earlier email, then I think we should have support for this too. Let’s say you have a setup where you autoscale your clusters in or out by removing or adding instances. Along with scaling instances, one needs to make sure they are added to or removed from the respective security groups.

What would be your proposal?

Well, the pull request mentioned in the subject of this thread is my proposal which handles all these cases. If the “exact” parameter name doesn’t make complete sense then we could come up with something better. “append” also would lead to confusion.

I think it’s important that options be state-driven where possible.

If there is a good way to fetch all the roles, they could be stored in a variable, we could then feed the desired list back in.

There’s the downside of having created another programming language construct (yay!) but I like this option better.

I want to make things about “nouns” rather than “verbs” as much as possible.

Hopefully we can find a nice middle ground.

Didn’t completely get the “fetch all roles, store away in var and feed desired list” part. How would it work, example? To me, it seems like you are proposing a way to get all the rules and then passing a filtered list to this module to get the desired effect. This sounds complicated to me unless supported by an intuitive (in context of Ansible) language construct.

I think the “exact” approach is more about “nouns” as it specifies what exactly to operate on: the whole group or selective rules in the respective group. :wink: And in that case “state” specifies what should be done to the respective noun, which is the approach taken by all the modules in Ansible. For example, when working on specific rules, it will be made sure that those specific rules are present/absent, idempotently. This is similar to, for example, using the user module to set the home directory of an existing user to something specific, or maybe even moving the home directory.

The patch that we have accepted also doesn’t follow the philosophy of “nouns” as it allows for selectively adding rules to an existing group. I know, I said rules were nouns in the above paragraph. I am just trying to make a point. :slight_smile:

I would suggest my patch be merged, as it’s no different (philosophically) from what’s accepted and is more complete, until we find and agree on a solution that exactly meets your philosophy of “nouns”.
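The two approaches argued over in this thread (modelling the whole rule list so anything added out of band gets removed, versus selectively making specific rules present or absent) can be made concrete with a small reconciliation model. This is an added example, not code from the thread or from Ansible's ec2_group module; the rule tuples, the out-of-band 3306 rule and the `purge` flag name are constructed for illustration.

```python
# Added example, not code from the thread or from Ansible's ec2_group module.
# It models the two approaches debated above against an in-memory security
# group. A rule is a constructed tuple (protocol, from_port, to_port, cidr).

# Constructed current state. The 3306 rule stands in for one added out of
# band (console, CLI) that appears in nobody's playbook.
CURRENT_RULES = {
    ("tcp", 22, 22, "10.0.0.0/8"),
    ("tcp", 80, 80, "0.0.0.0/0"),
    ("tcp", 3306, 3306, "0.0.0.0/0"),
}
# The full rule list a playbook would model for this group.
DESIRED_RULES = {
    ("tcp", 22, 22, "10.0.0.0/8"),
    ("tcp", 80, 80, "0.0.0.0/0"),
}


def plan(current, desired, purge):
    """Return (to_add, to_remove) moving `current` toward `desired`.
    purge=True is the desired-state view: the list is the whole truth, so
    anything not in it is removed, including out-of-band rules.
    purge=False is the selective view: unlisted rules are left alone."""
    current, desired = set(current), set(desired)
    to_add = desired - current
    to_remove = (current - desired) if purge else set()
    return to_add, to_remove


def plan_absent(current, rules):
    """Selective removal: make exactly `rules` absent, touch nothing else."""
    return set(), set(current) & set(rules)


def apply_plan(current, to_add, to_remove):
    """Apply a (to_add, to_remove) plan and return the new rule set."""
    return (set(current) - to_remove) | to_add


def converge(current, desired, purge):
    """Apply once, then re-plan; the second plan is empty if idempotent."""
    state = apply_plan(current, *plan(current, desired, purge))
    return state, plan(state, desired, purge)


if __name__ == "__main__":
    for purge in (True, False):
        state, again = converge(CURRENT_RULES, DESIRED_RULES, purge)
        print("purge=%s: %d rules left, rerun changes %s" % (purge, len(state), again))
```

With `purge=True` the stray 3306 rule is removed and a second run plans no changes; with `purge=False` the same desired list leaves that rule in place, which is the gap the thread is discussing.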