Description
The "Create textfile collector dir" task in the node_exporter role for the Prometheus Ansible collection is consistently reporting a "changed" state upon every run. The task in question
Other system services generate their own metrics and place the corresponding metric files in the "{{ node_exporter_textfile_dir }}" directory. These services belong to the "{{ node_exporter_system_group }}" group, enabling them to change the group ownership of created metric files to the desired "{{ node_exporter_system_group }}". The node-exporter can read from these metric files, but the services are unable to change the ownership to the "{{ node_exporter_system_user }}". This results in a "changed" state for the "Create textfile collector dir" task after every run, as long as there are new or updated metric files within the "{{ node_exporter_textfile_dir }}" directory.
Problem
This issue is problematic because I monitor Ansible changes for security reasons and to detect any unexpected changes. Constant changes are undesirable and should not occur under normal circumstances.
Expected Outcome:
When all files and directories within the node_exporter_textfile_dir directory have the correct group set, no Ansible changes should be reported. The role should neither alter the "user" for files nor report any changes regarding this.
Solution Proposal
I have tried to come up with a suitable solution but have been unsuccessful. Unfortunately, there is no associated PR. Possible solutions could include:
- Setting recurse: false - This would set the desired ownership for the directory itself, allowing the user to manage and verify that text metric files have the correct group, which node-exporter can read from.
- Using changed: false - This option is also not ideal.
I am unsure how to address this issue and welcome any suggestions or proposals for a resolution.
IMO the solution of setting recurse: false should work, since, according to the source, the collector only scrapes files in this directory, excluding subdirectories, and g+rwX,o=rX guarantees that all files created in the directory will have the desired group.
I suspect that the recursive option was set as a safety precaution to ensure that node_exporter can read the files in the directory.
But as you are experiencing there are different scenarios where node_exporter can very well read the directory contents, without enforcing the user/group/mode that the task sets.
A better solution would be to confirm that the user can read the contents, with the ansible.builtin.stat module and become, and then only change the permissions if the node exporter user can't access the files.
But to avoid overcomplicating the role we can simply drop the recurse option.
The role isn't installing anything in that directory and if it were, then we would just make sure that those files were installed with the correct permissions.
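The two options discussed in this thread, written out as an added Ansible sketch (not the role's own tasks): the directory task without recursion, followed by the stat-based check that repairs a file only when the node_exporter user cannot read it. The variable names and the `g+rwX,o=rX` mode are the ones quoted above; the `*.prom` pattern, the registered variable names and the `g+r` repair mode are assumptions of this example.

```yaml
# Added example; registered names (textfile_metrics, textfile_access) are hypothetical.
- name: Create textfile collector dir (directory only, no recursion)
  ansible.builtin.file:
    path: "{{ node_exporter_textfile_dir }}"
    state: directory
    owner: "{{ node_exporter_system_user }}"
    group: "{{ node_exporter_system_group }}"
    mode: "g+rwX,o=rX"
    recurse: false
  become: true

- name: List metric files at the top level of the collector dir
  ansible.builtin.find:
    paths: "{{ node_exporter_textfile_dir }}"
    patterns: "*.prom"   # assumption: only .prom files matter to the collector
    file_type: file
    recurse: false
  become: true
  register: textfile_metrics

- name: Check each file as the node_exporter user (never reports "changed")
  ansible.builtin.stat:
    path: "{{ item.path }}"
    get_checksum: false
  become: true
  become_user: "{{ node_exporter_system_user }}"
  loop: "{{ textfile_metrics.files }}"
  loop_control:
    label: "{{ item.path }}"
  register: textfile_access

- name: Repair only files that still exist and are not readable by node_exporter
  ansible.builtin.file:
    path: "{{ item.item.path }}"
    group: "{{ node_exporter_system_group }}"
    mode: "g+r"
  become: true
  # Files removed between find and stat have no 'readable' key, so filter on exists first.
  loop: >-
    {{ textfile_access.results
       | selectattr('stat.exists')
       | rejectattr('stat.readable')
       | list }}
  loop_control:
    label: "{{ item.item.path }}"
```

With this layout a "changed" result appears only when a file was actually unreadable and had to be fixed, so it stays meaningful for change monitoring. Becoming an unprivileged user requires that Ansible can hand its temporary module files to that user (for example via POSIX ACLs or pipelining on the target).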