From 5eaa22b067726156a6b1b57f4fe32d2beeaf7321 Mon Sep 17 00:00:00 2001
From: quasd <quasd@users.noreply.github.com>
Date: Sun, 12 Apr 2026 14:08:28 +0300
Subject: [PATCH] ipa_host: fix errors when disabling host (#11487)

* fix errors when disabling host

- Fix the logic to actually allow disabling hosts
- Fix the dict != string error when error does happen
- Add has_keytab to returned dicts to allow users see if host is disabled or not

* Add changelog-fragments

* Run formatters

* More formatting

* Remove feature, only fix the logic

* Update changelogs/fragments/11487-ipa-host-fix-disable.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update changelogs/fragments/11487-ipa-host-fix-disable.yml

Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>

* Back to fstring

* Update plugins/modules/ipa_host.py

Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>

* Use more Pythonic way to for if

* Nox

* Revert back to working if

* Simplify if

* Remove extra get

---------

Co-authored-by: quasd <1747330+quasd@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
---
 .../fragments/11487-ipa-host-fix-disable.yml  |  2 ++
 plugins/modules/ipa_host.py                   | 20 +++++++++++--------
 2 files changed, 14 insertions(+), 8 deletions(-)
 create mode 100644 changelogs/fragments/11487-ipa-host-fix-disable.yml

diff --git a/changelogs/fragments/11487-ipa-host-fix-disable.yml b/changelogs/fragments/11487-ipa-host-fix-disable.yml
new file mode 100644
index 0000000000..416f5e7f09
--- /dev/null
+++ b/changelogs/fragments/11487-ipa-host-fix-disable.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - ipa_host - fix logic to disable existing hosts (https://github.com/ansible-collections/community.general/issues/11483, https://github.com/ansible-collections/community.general/pull/11487).
diff --git a/plugins/modules/ipa_host.py b/plugins/modules/ipa_host.py
index 6a120167dd..aeaeeef4cd 100644
--- a/plugins/modules/ipa_host.py
+++ b/plugins/modules/ipa_host.py
@@ -289,11 +289,15 @@ def ensure(module, client):
                 # so, return directly from here.
                 return changed, client.host_add(name=name, host=module_host)
         else:
-            if state in ["disabled", "enabled"]:
-                module.fail_json(msg=f"No host with name {ipa_host} found")
+            if not ipa_host and state in ["disabled", "enabled"]:
+                module.fail_json(msg=f"No host with name {name} found")
 
             diff = get_host_diff(client, ipa_host, module_host)
-            if len(diff) > 0:
+            ipa_host_show = client.host_show(name=name)
+            host_needs_to_be_disabled = ipa_host_show.get("has_keytab", True) and (
+                module.params["random_password"] or state == "disabled"
+            )
+            if diff or host_needs_to_be_disabled:
                 changed = True
                 if not module.check_mode:
                     data = {}
@@ -301,12 +305,12 @@ def ensure(module, client):
                         data[key] = module_host.get(key)
                     if "usercertificate" not in data:
                         data["usercertificate"] = [cert["__base64__"] for cert in ipa_host.get("usercertificate", [])]
-                    ipa_host_show = client.host_show(name=name)
-                    if ipa_host_show.get("has_keytab", True) and (
-                        state == "disabled" or module.params.get("random_password")
-                    ):
+                    if host_needs_to_be_disabled:
                         client.host_disable(name=name)
-                    return changed, client.host_mod(name=name, host=data)
+                    if diff:
+                        return changed, client.host_mod(name=name, host=data)
+                    else:
+                        return changed, client.host_find(name=name)
     elif state == "absent":
         if ipa_host:
             changed = True