Found out the elegant solution after all! First of all the privileges should be defined somewhere as a list:
$ cat group_vars/dbservers
mysql_privileges:
- 'somedatabase.*:ALL'
- 'someotherdatabase.*:ALL'
- '*.*:SUPER,RELOAD,SHOW\ DATABASES'
then the mysql_user
plugin does not need to append the privileges, simply use the privileges string mentioned in the documentation in following format: mydb.*:INSERT,UPDATE/anotherdb.*:SELECT/yetanotherdb.*:ALL
.
The only trick is how to convert list to the string:
- name: Set user privileges
mysql_user:
user={{ mysql_user }}
password={{ mysql_password }}
state=present
priv={{ mysql_privileges|join('/') }}
The repeatable run of the task does not say changed anymore:
TASK: [db | Set user privileges]
**********************************************
ok: [dbuser]