This is how I got this around so if there is no need for a change the command/shell won't run.
You have to add a previous task that will query the state of what you want to check and store the results in a variable
- name: Check rsh permissions
shell: ls -ld /usr/bin/rsh | awk '{print $1}' | grep -E 'r|w|x'
register: rsh
ignore_errors: yes
changed_when: false
Then you add the task that will implement the change and use the when statement.
Adding the rsh.rc == 0 means that this task will only run when the previous command is successful, that is when /usr/bin/rsh has some permissions assigned
- name: Disable rsh
command: chmod ugo= /usr/bin/rsh
args:
warn: no
when: "rsh.rc == 0"
You can use this same structure to make idempotent the shell/command module
