From 4e0fdb757f88c0ac4ac7b64ab210b6da3f5f1442 Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Sun, 3 May 2026 21:39:58 +0200
Subject: [PATCH] [PR #11933/c4fc0ff4 backport][stable-12] ipa_group: fix
 idempotency when `external: false` on existing non-external group (#11987)

ipa_group: fix idempotency when `external: false` on existing non-external group (#11933)

* fix(ipa_group): skip group_mod when external flag matches IPA state

When external=false (the default), get_group_diff() left the external
key in the diff even though the group was already non-external, causing
a spurious group_mod call that IPA rejected with "no modifications to
be performed". The fix checks equality in both directions.

Fixes #5061

* fix(ipa_group): add changelog fragment for PR 11933

* add quoting to fragment

(cherry picked from commit c4fc0ff4e14cac6740b56fc7ec07717a75720f49)

Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
---
 changelogs/fragments/11933-ipa-group-external-no-fix.yml | 2 ++
 plugins/modules/ipa_group.py                             | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/11933-ipa-group-external-no-fix.yml

diff --git a/changelogs/fragments/11933-ipa-group-external-no-fix.yml b/changelogs/fragments/11933-ipa-group-external-no-fix.yml
new file mode 100644
index 0000000000..dfeabcdbff
--- /dev/null
+++ b/changelogs/fragments/11933-ipa-group-external-no-fix.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - "ipa_group - fix idempotency when ``external: false`` on an existing non-external group (https://github.com/ansible-collections/community.general/issues/5061, https://github.com/ansible-collections/community.general/pull/11933)."
diff --git a/plugins/modules/ipa_group.py b/plugins/modules/ipa_group.py
index 5d9c5d2aba..d3b84e0a90 100644
--- a/plugins/modules/ipa_group.py
+++ b/plugins/modules/ipa_group.py
@@ -238,7 +238,8 @@ def get_group_diff(client, ipa_group, module_group):
         del module_group["nonposix"]
 
     if "external" in module_group:
-        if module_group["external"] and "ipaexternalgroup" in ipa_group.get("objectclass"):
+        is_external_in_ipa = "ipaexternalgroup" in ipa_group.get("objectclass", [])
+        if module_group["external"] == is_external_in_ipa:
             del module_group["external"]
 
     return client.get_diff(ipa_data=ipa_group, module_data=module_group)