diff --git a/roles/ipaclient/module_utils/ansible_ipa_client.py b/roles/ipaclient/module_utils/ansible_ipa_client.py
index 83f37538..30b8d42b 100644
--- a/roles/ipaclient/module_utils/ansible_ipa_client.py
+++ b/roles/ipaclient/module_utils/ansible_ipa_client.py
@@ -22,6 +22,29 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+__all__ = ["gssapi", "version", "ipadiscovery", "api", "errors", "x509",
+           "constants", "sysrestore", "certmonger", "certstore",
+           "delete_persistent_client_session_data", "ScriptError",
+           "CheckedIPAddress", "validate_domain_name", "normalize_hostname",
+           "validate_hostname", "services", "tasks", "CalledProcessError",
+           "write_tmp_file", "ipa_generate_password", "DN", "kinit_keytab",
+           "kinit_password", "GSSError", "CLIENT_INSTALL_ERROR",
+           "is_ipa_client_installed", "CLIENT_ALREADY_CONFIGURED",
+           "nssldap_exists", "remove_file", "check_ip_addresses",
+           "print_port_conf_info", "configure_ipa_conf", "purge_host_keytab",
+           "configure_sssd_conf", "realm_to_suffix", "run", "timeconf",
+           "serialization", "configure_krb5_conf", "get_ca_certs",
+           "SECURE_PATH", "get_server_connection_interface",
+           "configure_nsswitch_database", "disable_ra", "client_dns",
+           "configure_certmonger", "update_ssh_keys",
+           "configure_openldap_conf", "hardcode_ldap_server",
+           "get_certs_from_ldap", "save_state", "create_ipa_nssdb",
+           "configure_nisdomain", "configure_ldap_conf",
+           "configure_nslcd_conf", "nosssd_files", "configure_ssh_config",
+           "configure_sshd_config", "configure_automount",
+           "configure_firefox", "sync_time", "check_ldap_conf",
+           "sssd_enable_ifp"]
+
 from ipapython.version import NUM_VERSION, VERSION
 
 if NUM_VERSION < 30201:
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
index d6f6c272..c2664209 100644
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -22,10 +22,31 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
+__all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
+           "parse_version", "IPAChangeConf",
+           "certstore", "sysrestore", "ipa_generate_password", "kinit_keytab",
+           "IPA_CA_TRUST_FLAGS", "EXTERNAL_CA_TRUST_FLAGS", "DN",
+           "ScriptError", "services", "tasks", "constants", "errors", "rpc",
+           "x509", "validate_domain_name",
+           "no_matching_interface_for_ip_address_warning",
+           "configure_krb5_conf", "purge_host_keytab", "adtrust",
+           "bindinstance", "ca", "certs", "dns", "httpinstance", "kra",
+           "otpdinstance", "custodiainstance", "service", "upgradeinstance",
+           "find_providing_servers", "find_providing_server", "load_pkcs12",
+           "is_ipa_configured", "ReplicationManager", "replica_conn_check",
+           "install_replica_ds", "install_krb", "install_ca_cert",
+           "install_http", "install_dns_records", "create_ipa_conf",
+           "check_dirsrv", "check_dns_resolution", "configure_certmonger",
+           "remove_replica_info_dir", "preserve_enrollment_state",
+           "uninstall_client", "promote_sssd", "promote_openldap_conf",
+           "rpc_client", "check_remote_fips_mode", "check_remote_version",
+           "common_check", "current_domain_level",
+           "check_domain_level_is_supported", "promotion_check_ipa_domain",
+           "SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance",
+           "dnsname", "kernel_keyring", "krbinstance"]
+
 import sys
 import logging
-import inspect
 from contextlib import contextmanager as contextlib_contextmanager
 
 
@@ -48,11 +69,6 @@ if NUM_VERSION >= 40600:
     import dns.name as dnsname
     import dns.resolver as dnsresolver
     import dns.reversename as dnsreversename
-    import os
-    import shutil
-    import socket
-    import tempfile
-    import traceback
 
     from pkg_resources import parse_version
 
diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
index 15fba1b4..1d30ccde 100644
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -48,6 +48,7 @@ import os
 import sys
 import six
 import inspect
+import random
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_server import (
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
index bca91731..4c22c463 100644
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
@@ -22,11 +22,25 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
+__all__ = ["IPAChangeConf", "certmonger", "sysrestore", "root_logger",
+           "ipa_generate_password", "run", "ScriptError", "services",
+           "tasks", "errors", "x509", "DOMAIN_LEVEL_0", "MIN_DOMAIN_LEVEL",
+           "validate_domain_name",
+           "no_matching_interface_for_ip_address_warning",
+           "check_zone_overlap", "timeconf", "ntpinstance", "adtrust",
+           "bindinstance", "ca", "dns", "httpinstance", "installutils",
+           "kra", "krbinstance", "otpdinstance", "custodiainstance",
+           "replication", "service", "sysupgrade", "IPA_MODULES",
+           "BadHostError", "get_fqdn", "get_server_ip_address",
+           "is_ipa_configured", "load_pkcs12", "read_password", "verify_fqdn",
+           "update_hosts_file", "check_dirsrv", "validate_admin_password",
+           "validate_dm_password", "read_cache", "write_cache",
+           "adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader",
+           "default_subject_base", "default_ca_subject_dn",
+           "check_ldap_conf"]
+
 import sys
 import logging
-#import fcntl
-import inspect
 from contextlib import contextmanager as contextlib_contextmanager
 
 
@@ -43,20 +57,14 @@ else:
 if NUM_VERSION >= 40500:
     # IPA version >= 4.5
 
-    import errno
-    import pickle
-    import shutil
-    import tempfile
-    import textwrap
-    import random
-
-    if NUM_VERSION >= 40690:
-        from ipaclient.install.ipachangeconf import IPAChangeConf
+    from ipaclient.install.ipachangeconf import IPAChangeConf
     from ipalib.install import certmonger, sysrestore
     from ipapython import ipautil
     from ipapython.ipa_log_manager import standard_logging_setup
-    if NUM_VERSION < 40600:
+    try:
         from ipapython.ipa_log_manager import root_logger
+    except ImportError:
+        root_logger = None
     from ipapython.ipautil import (
         ipa_generate_password, run)
     from ipapython.admintool import ScriptError