# How to remove CIFS ACLs that are not explicitly declared?

river cliff

Hi folks. I am using the netapp.ontap.na_ontap_cifs_acl module to set desired CIFS share ACLs. I have a loop to populate the desired permissions. Is there an elegant way to remove any ACLs that are not explicitly declared in my loop variable list?

Here is the ADD code:

    # variables
    cifs_permissions_list:
      - { user_or_group: "Group1", permission: "full_control" }
      - { user_or_group: "Group2", permission: "change" }
      - { user_or_group: "Group3", permission: "read" }

    # task
    - name: Set desired CIFS Share Permissions
      netapp.ontap.na_ontap_cifs_acl:
        state: present
        share_name: "{{ cifsshare }}"
        vserver: "{{ vserver }}"
        hostname: "{{ netapp_hostname }}"
        username: "{{ netapp_username }}"
        password: "{{ netapp_password }}"
        user_or_group: "{{ item.user_or_group }}"
        permission: "{{ item.permission }}"
        https: true
        validate_certs: "{{ validate_certs }}"
      loop: "{{ cifs_permissions_list }}"
      register: result

It appears netapp.ontap.na_ontap_cifs_acl only supports modification, but not display of cifs acls, so I need another method.

  1. netapp.ontap.na_ontap_info depends on ZAPI which is phased out.
  2. netapp.ontap.command is rather non-Ansible-like.

Thanks!

gentle laurel

@river cliff All the Ansible modules, except a few, utilize GET calls internally.
For your scenario, you can make use of module na_ontap_restit for fetching CIFS share ACLs like below:

    - name: Get CIFS share ACLs
      tags: fetch
      netapp.ontap.na_ontap_restit:
        api: "protocols/cifs/shares/{{ svm_uuid }}/{{ share_name }}/acls"
        method: GET
        query:
          fields: "user_or_group,type,permission"
      register: result

gentle laurel

Also, you can try something like below for deleting CIFS ACL:

    - name: Delete CIFS ACL of type unix_group
      netapp.ontap.na_ontap_cifs_acl:
        state: absent
        user_or_group: unix_user_group
        permission: change
        type: unix_group
      register: result
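Putting the two answers together, here is an added example playbook (it is not from the thread and not from the netapp.ontap collection's own documentation) that fetches the ACL entries currently on the share with na_ontap_restit, removes every entry whose user_or_group/type pair does not appear in cifs_permissions_list, and then applies the declared entries with the original state: present task. Assumptions not stated on the page: na_ontap_restit returns the ONTAP REST body under the registered result's `response`, and the acls collection lists entries under `records` with `user_or_group`, `type` and `permission`; the SVM UUID is looked up from `svm/svms` by name; connection variables (netapp_hostname, netapp_username, netapp_password, validate_certs) come from the inventory as in the question; each declared entry carries an explicit `type` so it can be compared with the type ONTAP reports; the `svm1`/`share1` values are constructed samples.

```yaml
# Added example, not from the thread or the netapp.ontap collection docs.
# Reconciles a CIFS share's ACL list with cifs_permissions_list: every ACL entry
# on the share whose (user_or_group, type) pair is not declared is removed,
# then the declared entries are created or updated.
#
# Assumptions not stated on the page:
#   - na_ontap_restit returns the ONTAP REST body under <result>.response, and the
#     protocols/cifs/shares/{svm.uuid}/{name}/acls collection lists entries under
#     "records" with user_or_group, type and permission fields.
#   - Connection variables (netapp_hostname, netapp_username, netapp_password,
#     validate_certs) are supplied by the inventory, as in the original question.
#   - Every declared entry spells out its type ("windows" here) so it can be
#     compared with the type field ONTAP reports.
- name: Enforce an explicitly declared CIFS share ACL set
  hosts: localhost
  gather_facts: false
  vars:
    vserver: "svm1"          # constructed sample value
    cifsshare: "share1"      # constructed sample value
    cifs_permissions_list:
      - { user_or_group: "Group1", permission: "full_control", type: "windows" }
      - { user_or_group: "Group2", permission: "change", type: "windows" }
      - { user_or_group: "Group3", permission: "read", type: "windows" }
  module_defaults:
    # Action group shipped with the netapp.ontap collection; saves repeating the
    # connection parameters on every task.
    group/netapp.ontap.netapp_ontap:
      hostname: "{{ netapp_hostname }}"
      username: "{{ netapp_username }}"
      password: "{{ netapp_password }}"
      https: true
      validate_certs: "{{ validate_certs }}"
  tasks:
    - name: Look up the SVM UUID needed in the ACL endpoint path
      netapp.ontap.na_ontap_restit:
        api: "svm/svms"
        method: GET
        query:
          name: "{{ vserver }}"
          fields: "uuid"
      register: svm_lookup

    - name: Fetch the ACL entries currently on the share
      netapp.ontap.na_ontap_restit:
        api: "protocols/cifs/shares/{{ svm_lookup.response.records[0].uuid }}/{{ cifsshare }}/acls"
        method: GET
        query:
          fields: "user_or_group,type,permission"
      register: acl_lookup

    - name: Remove ACL entries that are not declared in cifs_permissions_list
      netapp.ontap.na_ontap_cifs_acl:
        state: absent
        share_name: "{{ cifsshare }}"
        vserver: "{{ vserver }}"
        user_or_group: "{{ item.user_or_group }}"
        type: "{{ item.type }}"
        permission: "{{ item.permission }}"
      loop: "{{ acl_lookup.response.records | default([]) }}"
      loop_control:
        label: "{{ item.type }}:{{ item.user_or_group }}"
      # Delete the entry only when no declared item has the same name AND type.
      when: >-
        cifs_permissions_list
        | selectattr('user_or_group', 'equalto', item.user_or_group)
        | selectattr('type', 'equalto', item.type)
        | list | length == 0

    - name: Apply the declared ACL entries (creates missing ones, updates permission)
      netapp.ontap.na_ontap_cifs_acl:
        state: present
        share_name: "{{ cifsshare }}"
        vserver: "{{ vserver }}"
        user_or_group: "{{ item.user_or_group }}"
        type: "{{ item.type }}"
        permission: "{{ item.permission }}"
      loop: "{{ cifs_permissions_list }}"
      loop_control:
        label: "{{ item.type }}:{{ item.user_or_group }} -> {{ item.permission }}"
```

The removal runs before the present step so that an entry which is declared with a different permission is updated in place rather than deleted and recreated, and the comparison keys on both user_or_group and type because ONTAP treats the same name with different types (for example a Windows group and a UNIX group) as distinct ACL entries.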