diff --git a/tests/vault/env_cleanup.yml b/tests/vault/env_cleanup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..081a9d96460e24db37d45d8ff535ef4006d7040a
--- /dev/null
+++ b/tests/vault/env_cleanup.yml
@@ -0,0 +1,64 @@
+# Tasks executed to clean up test environment for Vault module.
+
+  - name: Ensure user vaults are absent
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name:
+      - stdvault
+      - symvault
+      - asymvault
+      username: "{{username}}"
+      state: absent
+    loop:
+      - admin
+      - user01
+    loop_control:
+      loop_var: username
+
+  - name: Ensure shared vaults are absent
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name:
+      - sharedvault
+      - svcvault
+      state: absent
+
+  - name: Ensure test users do not exist.
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name:
+      - user01
+      - user02
+      - user03
+      state: absent
+
+  - name: Ensure test groups do not exist.
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: vaultgroup
+      state: absent
+
+  - name: Remove password file from target host.
+    file:
+      path: "{{ ansible_env.HOME }}/password.txt"
+      state: absent
+
+  - name: Remove public key file from target host.
+    file:
+      path: "{{ ansible_env.HOME }}/public.pem"
+      state: absent
+
+  - name: Remove private key file from target host.
+    file:
+      path: "{{ ansible_env.HOME }}/private.pem"
+      state: absent
+
+  - name: Remove output data file from target host.
+    file:
+      path: "{{ ansible_env.HOME }}/data.txt"
+      state: absent
+
+  - name: Remove input data file from target host.
+    file:
+      path: "{{ ansible_env.HOME }}/in.txt"
+      state: absent
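Review bot: The "Ensure shared vaults are absent" task names `sharedvault` and `svcvault` but sets neither `shared` nor `service`, so it probably does not reach the shared or service containers. The playbook this replaces removed them with `shared: True` and `service: "HTTP/{{ groups.ipaserver[0] }}"` respectively. Splitting the task in two, each carrying its own scope parameter, would stop a failed run from leaving those vaults behind. The `file` tasks also clean only the target host: the `private.pem` and `public.pem` that env_setup.yml generates on the controller stay on disk, so a removal task with `delegate_to: localhost` (or an ignore rule for the two files) is worth adding.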
diff --git a/tests/vault/env_setup.yml b/tests/vault/env_setup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a8437b86053c1bec6e204ac64e60b58451c0b0d2
--- /dev/null
+++ b/tests/vault/env_setup.yml
@@ -0,0 +1,55 @@
+# Tasks executed to ensure a sane environment to test IPA Vault module.
+
+  - name: Create private key file.
+    shell:
+      cmd: openssl genrsa -out private.pem 2048
+    delegate_to: localhost
+    become: no
+
+  - name: Create public key file.
+    shell:
+      cmd: openssl rsa -in private.pem -outform PEM -pubout -out public.pem
+    delegate_to: localhost
+    become: no
+
+  - name: Ensure environment is clean.
+    import_tasks: env_cleanup.yml
+
+  - name: Copy password file to target host.
+    copy:
+      src: "{{ playbook_dir }}/password.txt"
+      dest: "{{ ansible_env.HOME }}/password.txt"
+
+  - name: Copy public key file to target host.
+    copy:
+      src: "{{ playbook_dir }}/public.pem"
+      dest: "{{ ansible_env.HOME }}/public.pem"
+
+  - name: Copy private key file to target host.
+    copy:
+      src: "{{ playbook_dir }}/private.pem"
+      dest: "{{ ansible_env.HOME }}/private.pem"
+
+  - name: Copy input data file to target host.
+    copy:
+      src: "{{ playbook_dir }}/in.txt"
+      dest: "{{ ansible_env.HOME }}/in.txt"
+
+  - name: Ensure vaultgroup exists.
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: vaultgroup
+
+  - name: Ensure testing users exist.
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      users:
+      - name: user01
+        first: First
+        last: Start
+      - name: user02
+        first: Second
+        last: Middle
+      - name: user03
+        first: Third
+        last: Last
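Review bot: The two openssl tasks write `private.pem` and `public.pem` relative to the working directory of the run, while the copy tasks read them from `{{ playbook_dir }}`, so the setup appears to work only when ansible-playbook is started inside tests/vault. Adding `chdir: "{{ playbook_dir }}"` under `shell:` (or giving `-out` the full path) would tie the two together. The copy tasks for `private.pem` and `password.txt` set no `mode`, so both land on the target with default permissions; `mode: "0600"` is the safer choice even for test fixtures. Nothing here needs a shell, so `command` would do, and `become: no` is better written `become: false`.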
diff --git a/tests/vault/private.pem b/tests/vault/private.pem
deleted file mode 100644
index 0ac895b9252a4293d19fe59f7ac4764745188609..0000000000000000000000000000000000000000
--- a/tests/vault/private.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArM5/f6dd/YIm/a9eoGVTW8jobEgrf9PXRA3aHsA7kJo6fB18
-HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJeqXESZ+gVCVmigRzmKWK2ad9agmY
-SiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGsZIDG+WVES5W89K+L0bwVjq4tshhe
-DMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4fh0fGk5tbIYa0bhwMUpL+WHOm6nbd
-+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZkUmk3apMnzknNaTqguAQdTn79G8P
-qrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJdwIDAQABAoIBAA6e9iit14UAgx4J
-vX7is9fbOtcWkB+jo94NMfxSFXgZpIMl139oQMqK97KjxsHqAaDVe7mMLH5EP96J
-7M3O5g4rgl0cVWtpMrDQyZsLvqDFzBWxtCHqVPAruumUZhsSJ3lROQro8ag/w5bf
-5tC5ogVq4+rsB4hBphgp1jGrsUM+E8O7DXXFH68F8WgBi725WvcjnbI9irkb0Gcq
-1bCPJwN3fA1i2VWiRwVYWbNTWnDoNM9ZdYYxK0kuUkD+QtreycWPf9V49lvUi1Vp
-FVNmBUDvGK3K1MwbgXRwOXhacY7Ptjkdvaeb2Qcu5RjTkruGhzUYsOP3p/cw+wKV
-vzQqceECgYEA5Wz7V2SlRa2r//z+ETQkJfENJ0KDnCb0pMClCQh3jTNPA6DbhiMk
-FTkcoNbqcpTiVSlvhh6TKscSgqYQUjQ/OqyG7SkjKVjQ72j5beQLxiLTtUyj1OmP
-Xh9cWJXx8iQ+45cPon+kMOAIiTwiB3mmFRfQjIGve1DPUo9J+NZ4XdECgYEAwNKg
-OdGYxxKtCrXVz1mdg6PDlV8qh7nxxZbPch+aMIQl1+oTCgSiw8oOYEd8g0HOdV6t
-1G+IWhvPxiiWy3/AE0QhgoKk2GUsSjWSMLcJbaUzDoEHFjTLjecRlqdzo7qxRXqB
-meN4L5WJYKnLC482K7hvufS+uo5fB5qwPmt13McCgYAe4TVPRP+tyjttYCr+O8tl
-w/UmRKCcQu4Iwtkzxwz4V2CaN2t0uYQgyygcSfESbRGtrr8RCUp7poHKTfnCZr/f
-8NrUTwYpiYfNwY5ZCSnAiG2AaIlgnfMrEwOF9OC028YPMgTrtUxvO6hKeGqIIQqG
-qkbqsoXhDjZpgVnOgWeAEQKBgGuiZ0w/IqAlXbC31fUb2iBMfvXXnJ8M/dfFGmFj
-IKfqbFF9WUljUxQlqya1YNzIFB5STohiBeP+2FmN+Lb5xdc7VdVLZgdhWnrGMqe8
-1Kd+6uQyxCjyKZo5nQjSymtf4GqfOs8TOdieCYSK40u9koiPONa9tuXeaU+OWslN
-JQqrAoGBAJ3MKOvsnQzuZVP2vz0ZqLwIE3XjRiFGveVpizq4hwOVeuNsV08JvA0t
-pueNIy9klPScFc9OUdiZWkEX09BwJkVIrOHotuSB8AStO5UAntNnuyWLJEFC4Uq4
-GpB8lbj9jkxSKaU7X3Gac23K9JL8euLh7E7rPuZRYa6mYN4nbKqu
------END RSA PRIVATE KEY-----
diff --git a/tests/vault/public.pem b/tests/vault/public.pem
deleted file mode 100644
index d8a9f71bf194a0ce9ca48ca54d7cb9e8477e2434..0000000000000000000000000000000000000000
--- a/tests/vault/public.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArM5/f6dd/YIm/a9eoGVT
-W8jobEgrf9PXRA3aHsA7kJo6fB18HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJ
-eqXESZ+gVCVmigRzmKWK2ad9agmYSiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGs
-ZIDG+WVES5W89K+L0bwVjq4tshheDMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4f
-h0fGk5tbIYa0bhwMUpL+WHOm6nbd+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZ
-kUmk3apMnzknNaTqguAQdTn79G8PqrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJ
-dwIDAQAB
------END PUBLIC KEY-----
diff --git a/tests/vault/tasks_vault_members.yml b/tests/vault/tasks_vault_members.yml
new file mode 100644
index 0000000000000000000000000000000000000000..12332ff1897c2a21318e0fc69d0c67faef86ab76
--- /dev/null
+++ b/tests/vault/tasks_vault_members.yml
@@ -0,0 +1,318 @@
+---
+# Tasks to test member management for Vault module.
+  - name: Setup testing environment.
+    import_tasks: env_setup.yml
+
+  - name: Ensure vault is present
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      vault_type: "{{vault.vault_type}}"
+    register: result
+    failed_when: not result.changed
+    when: vault.vault_type == 'standard'
+
+  - name: Ensure vault is present
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      vault_password: SomeVAULTpassword
+      vault_type: "{{vault.vault_type}}"
+    register: result
+    failed_when: not result.changed
+    when: vault.vault_type == 'symmetric'
+
+  - name: Ensure vault is present
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      vault_type: "{{vault.vault_type}}"
+      public_key: "{{lookup('file', 'private.pem') | b64encode}}"
+    register: result
+    failed_when: not result.changed
+    when: vault.vault_type == 'asymmetric'
+
+  - name: Ensure vault member user is present.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      users:
+      - user02
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure vault member user is present, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      users:
+      - user02
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure more vault member users are present.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      users:
+      - admin
+      - user02
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure vault member user is still present.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      users:
+      - user02
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure vault users are absent.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      users:
+      - admin
+      - user02
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure vault users are absent, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      users:
+      - admin
+      - user02
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure vault user is absent, once more.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      users:
+      - admin
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure vault member group is present.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      groups: vaultgroup
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure vault member group is present, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      groups: vaultgroup
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure vault member group is absent.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      groups: vaultgroup
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure vault member group is absent, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      groups: vaultgroup
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure vault member service is present.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      services: "HTTP/{{ groups.ipaserver[0] }}"
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure vault member service is present, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      services: "HTTP/{{ groups.ipaserver[0] }}"
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure vault member service is absent.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      services: "HTTP/{{ groups.ipaserver[0] }}"
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure vault member service is absent, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      action: member
+      services: "HTTP/{{ groups.ipaserver[0] }}"
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure user03 is an owner of vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      owners: user03
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure user03 is an owner of vault, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      owners: user03
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure user03 is not owner of vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      owners: user03
+      state: absent
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure user03 is not owner of vault, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      owners: user03
+      state: absent
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure vaultgroup is an ownergroup of vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      ownergroups: vaultgroup
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure vaultgroup is an ownergroup of vault, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      ownergroups: vaultgroup
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure vaultgroup is not ownergroup of vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      ownergroups: vaultgroup
+      state: absent
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure vaultgroup is not ownergroup of vault, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      ownergroups: vaultgroup
+      state: absent
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure service is an owner of vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure service is an owner of vault, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure service is not owner of vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
+      state: absent
+      action: member
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure service is not owner of vault, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
+      state: absent
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure {{vault.vault_type}} vault is absent
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure {{vault.vault_type}} vault is absent, again
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{vault.name}}"
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Cleanup testing environment.
+    import_tasks: env_cleanup.yml
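Review bot: The asymmetric "Ensure vault is present" task passes `lookup('file', 'private.pem')` as `public_key`, which hands the private key to the server in the place of the vault's public key. It should read `public_key: "{{ lookup('file', 'public.pem') | b64encode }}"`. Whether the module accepts a private key there is not visible from this hunk, but even if it does, the test no longer exercises the intended public-key path. The three creation tasks also share the name "Ensure vault is present"; putting `{{vault.vault_type}}` in the name, as the final two tasks do, would make a failure easier to place.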
diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml
deleted file mode 100644
index 2e2c03e3fce0d3503dcccec36a26ac20b3bca232..0000000000000000000000000000000000000000
--- a/tests/vault/test_vault.yml
+++ /dev/null
@@ -1,925 +0,0 @@
----
-- name: Test vault
-  hosts: ipaserver
-  become: true
-  # Need to gather facts for ansible_env.
-  gather_facts: true
-
-  tasks:
-
-  - name: Copy password file to target host.
-    copy:
-      src: "{{ playbook_dir }}/password.txt"
-      dest: "{{ ansible_env.HOME }}/password.txt"
-
-  - name: Copy public key file to target host.
-    copy:
-      src: "{{ playbook_dir }}/public.pem"
-      dest: "{{ ansible_env.HOME }}/public.pem"
-
-  - name: Copy private key file to target host.
-    copy:
-      src: "{{ playbook_dir }}/private.pem"
-      dest: "{{ ansible_env.HOME }}/private.pem"
-
-  - name: Copy input data file to target host.
-    copy:
-      src: "{{ playbook_dir }}/in.txt"
-      dest: "{{ ansible_env.HOME }}/in.txt"
-
-  - name: Ensure user vaults are absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - stdvault
-      - symvault
-      - asymvault
-      username: user01
-      state: absent
-
-  - name: Ensure test users do not exist.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - user01
-      - user02
-      - user03
-      state: absent
-
-  - name: Ensure test groups do not exist.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name: vaultgroup
-      state: absent
-
-  - name: Ensure vaultgroup exists.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name: vaultgroup
-
-  - name: Ensure user01 exists.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name: user01
-      first: First
-      last: Start
-
-  - name: Ensure user02 exists.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name: user02
-      first: Second
-      last: Middle
-
-  - name: Ensure user03 exists.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name: user03
-      first: Third
-      last: Last
-
-  - name: Ensure shared vaults are absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: sharedvault
-      shared: True
-      state: absent
-
-  - name: Ensure standard vault is absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      state: absent
-
-  - name: Ensure service vault is absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: svcvault
-      service: "HTTP/{{ groups.ipaserver[0] }}"
-      state: absent
-
-  # tests
-  - name: Ensure standard vault is present
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      vault_type: standard
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure standard vault is present, again
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      vault_type: standard
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure standard vault is absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure standard vault is absent, again
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      state: absent
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure symmetric vault is present
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      vault_password: SomeVAULTpassword
-      vault_type: symmetric
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure symmetric vault is present, again
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      vault_password: SomeVAULTpassword
-      vault_type: symmetric
-    register: result
-    failed_when: result.changed
-
-  - name: Archive data to symmetric vault
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      vault_password: SomeVAULTpassword
-      vault_data: Hello World.
-    register: result
-    failed_when: not result.changed
-
-  - name: Archive data with non-ASCII characters to symmetric vault
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      vault_password: SomeVAULTpassword
-      vault_data: The world of π is half rounded.
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure symmetric vault is absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure symmetric vault is absent, again
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      state: absent
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure symmetric vault is present
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      vault_password: SomeVAULTpassword
-      vault_type: symmetric
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure symmetric vault is present, with a different password
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      vault_password: SomeOtherVAULTpassword
-      vault_type: symmetric
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure symmetric vault is absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure symmetric vault is present, with password from file.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      vault_password_file: "{{ ansible_env.HOME }}/password.txt"
-      vault_type: symmetric
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure symmetric vault is present, with password from file, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      username: user01
-      vault_password_file: password.txt
-      vault_type: symmetric
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure asymmetric vault is present, with public key file.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: admin
-      description: An asymmetric private vault.
-      public_key_file: "{{ ansible_env.HOME }}/public.pem"
-      vault_type: asymmetric
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure asymmetric vault is present, with public key file, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: admin
-      description: An asymmetric private vault.
-      public_key_file: "{{ ansible_env.HOME }}/public.pem"
-      vault_type: asymmetric
-    register: result
-    failed_when: result.changed
-
-  - name: Archive data in asymmetric vault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: admin
-      vault_data: Hello World.
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure asymmetric vault is absent.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: admin
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure asymmetric vault is absent, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: admin
-      state: absent
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure asymmetric vault is present.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: user01
-      description: An asymmetric private vault.
-      vault_public_key:
-        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
-      vault_type: asymmetric
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure asymmetric vault is present, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: user01
-      description: An asymmetric private vault.
-      vault_public_key:
-        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
-      vault_type: asymmetric
-    register: result
-    failed_when: result.changed
-
-  - name: Archive data in asymmetric vault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: user01
-      vault_data: Hello World.
-    register: result
-    failed_when: not result.changed
-
-  - name: Retrieve data from asymmetric vault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: user01
-      vault_type: asymmetric
-      private_key:
-        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
-      state: retrieved
-    register: result
-    failed_when: result.changed or result.failed or result['data'] != 'Hello World.'
-
-  - name: Retrieve data from asymmetric vault, with private key file.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: user01
-      vault_type: asymmetric
-      private_key_file: "{{ ansible_env.HOME }}/private.pem"
-      state: retrieved
-    register: result
-    failed_when: result.failed or result.changed or result['data'] != 'Hello World.'
-
-  - name: Ensure asymmetric vault is absent.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: user01
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure asymmetric vault is absent, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: asymvault
-      username: user01
-      state: absent
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure standard vault is present.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      vault_type: standard
-      username: user01
-      description: A standard private vault.
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure standard vault is present, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      vault_type: standard
-      description: A standard private vault.
-    register: result
-    failed_when: result.changed
-
-  - name: Archive data in standard vault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      vault_data: Hello World.
-    register: result
-    failed_when: not result.changed
-
-  - name: Retrieve data from standard vault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      out: "{{ ansible_env.HOME }}/data.txt"
-      state: retrieved
-    register: result
-    failed_when: result.changed
-
-  - name: Verify retrieved data.
-    slurp:
-      src: "{{ ansible_env.HOME }}/data.txt"
-    register: slurpfile
-    failed_when: slurpfile['content'] | b64decode != 'Hello World.'
-
-  - name: Archive data in standard vault, from file.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      in: "{{ ansible_env.HOME }}/in.txt"
-    register: result
-    failed_when: not result.changed
-
-  - name: Retrieve data from standard vault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      vault_type: standard
-      state: retrieved
-    register: result
-    failed_when: result.data != 'Another World.' or result.changed
-
-  - name: Ensure standard vault member user is present.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      users:
-      - user02
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure standard vault member user is present, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      users:
-      - user02
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure more vault member users are present.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      users:
-      - user01
-      - user02
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault member user is still present.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      users:
-      - user02
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vault users are absent.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      users:
-      - user01
-      - user02
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault users are absent, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      users:
-      - user01
-      - user02
-      state: absent
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vault user is absent, once more.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      users:
-      - user01
-      state: absent
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vault member group is present.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      groups: vaultgroup
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault member group is present, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      groups: vaultgroup
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vault member group is absent.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      groups: vaultgroup
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault member group is absent, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      groups: vaultgroup
-      state: absent
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vault member service is present.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      services: "HTTP/{{ groups.ipaserver[0] }}"
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault member service is present, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      services: "HTTP/{{ groups.ipaserver[0] }}"
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vault member service is absent.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      services: "HTTP/{{ groups.ipaserver[0] }}"
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault member service is absent, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      action: member
-      services: "HTTP/{{ groups.ipaserver[0] }}"
-      state: absent
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vault is absent.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault is absent, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      state: absent
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure shared vault is present.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: sharedvault
-      shared: True
-      ipavaultpassword: SomeVAULTpassword
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure shared vault is absent.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: sharedvault
-      shared: True
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure service vault is present.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: svcvault
-      ipavaultpassword: SomeVAULTpassword
-      service: "HTTP/{{ groups.ipaserver[0] }}"
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure service vault is absent.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: svcvault
-      service: "HTTP/{{ groups.ipaserver[0] }}"
-      state: absent
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault is present, with members.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      vault_type: standard
-      users:
-      - user02
-      - user03
-      groups:
-      - vaultgroup
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault is present, with members, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      vault_type: standard
-      users:
-      - user02
-      - user03
-      groups:
-      - vaultgroup
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure user02 is not a member of vault stdvault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      users: user02
-      state: absent
-      action: member
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure user02 is not a member of vault stdvault, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      users: user02
-      state: absent
-      action: member
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure user02 is a member of vault stdvault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      users: user02
-      action: member
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure user02 is a member of vault stdvault, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      users: user03
-      action: member
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure user03 owns vault stdvault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      owners: user03
-      action: member
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure user03 owns vault stdvault, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      owners: user03
-      action: member
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure user03 is not owner of stdvault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      owners: user03
-      state: absent
-      action: member
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure user03 is not owner of stdvault, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      owners: user03
-      state: absent
-      action: member
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vaultgroup is owner of stdvault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      ownergroups: vaultgroup
-      action: member
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vaultgroup is owner of stdvault, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      ownergroups: vaultgroup
-      action: member
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vaultgroup is not owner of stdvault.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      ownergroups: vaultgroup
-      state: absent
-      action: member
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vaultgroup is not owner of stdvault, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      ownergroups: vaultgroup
-      state: absent
-      action: member
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vault is owned by HTTP service.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
-      action: member
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault is owned by HTTP service, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
-      action: member
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vault is not owned by HTTP service.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
-      state: absent
-      action: member
-    register: result
-    failed_when: not result.changed
-
-  - name: Ensure vault is not owned by HTTP service, again.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      ownerservices: "HTTP/{{ groups.ipaserver[0] }}"
-      state: absent
-      action: member
-    register: result
-    failed_when: result.changed
-
-  - name: Ensure vault is absent.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: stdvault
-      username: user01
-      state: absent
-
-  # cleaup
-  - name: Ensure user01 vaults are absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - stdvault
-      - symvault
-      - asymvault
-      username: user01
-      state: absent
-
-  - name: Ensure test vaults are absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - stdvault
-      - symvault
-      - asymvault
-      username: admin
-      state: absent
-
-  - name: Ensure shared vaults are absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: sharedvault
-      shared: True
-      state: absent
-
-  - name: Ensure service vaults are absent
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: svcvault
-      service: "HTTP/{{ groups.ipaserver[0] }}"
-      state: absent
-
-  - name: Ensure test users do not exist.
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      name:
-      - user01
-      - user02
-      - user03
-      state: absent
-
-  - name: Ensure test groups do not exist.
-    ipagroup:
-      ipaadmin_password: SomeADMINpassword
-      name: vaultgroup
-      state: absent
-
-  - name: Remove password file from target host.
-    file:
-      path: "{{ ansible_env.HOME }}/password.txt"
-      state: absent
-
-  - name: Remove public key file from target host.
-    file:
-      path: "{{ ansible_env.HOME }}/public.pem"
-      state: absent
-
-  - name: Remove private key file from target host.
-    file:
-      path: "{{ ansible_env.HOME }}/private.pem"
-      state: absent
-
-  - name: Remove output data file from target host.
-    file:
-      path: "{{ ansible_env.HOME }}/data.txt"
-      state: absent
-
-  - name: Remove input data file from target host.
-    file:
-      path: "{{ ansible_env.HOME }}/in.txt"
-      state: absent
diff --git a/tests/vault/test_vault_asymmetric.yml b/tests/vault/test_vault_asymmetric.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1a1d3dcab5ca1d6248c27ace0d8a928c015733aa
--- /dev/null
+++ b/tests/vault/test_vault_asymmetric.yml
@@ -0,0 +1,192 @@
+---
+- name: Test vault
+  hosts: ipaserver
+  become: true
+  # Need to gather facts for ansible_env.
+  gather_facts: true
+
+  tasks:
+  - name: Setup testing environment.
+    import_tasks: env_setup.yml
+
+  - name: Ensure asymmetric vault is present
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      vault_type: asymmetric
+      public_key: "{{ lookup('file', 'public.pem') | b64encode }}"
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure asymmetric vault is present, again
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      vault_type: asymmetric
+      public_key: "{{ lookup('file', 'public.pem') | b64encode }}"
+    register: result
+    failed_when: result.changed
+
+  - name: Archive data to asymmetric vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      data: Hello World.
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from asymmetric vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+      state: retrieved
+    register: result
+    failed_when: result.data != 'Hello World.' or result.changed
+
+  - name: Retrieve data from asymmetric vault into file {{ ansible_env.HOME }}/data.txt.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      out: "{{ ansible_env.HOME }}/data.txt"
+      private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+      state: retrieved
+    register: result
+    failed_when: result.changed
+
+  - name: Verify retrieved data.
+    slurp:
+      src: "{{ ansible_env.HOME }}/data.txt"
+    register: slurpfile
+    failed_when: slurpfile['content'] | b64decode != 'Hello World.'
+
+  - name: Archive data with non-ASCII characters to asymmetric vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      data: The world of π is half rounded.
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from asymmetric vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+      state: retrieved
+    register: result
+    failed_when: result.data != 'The world of π is half rounded.' or result.changed
+
+  - name: Archive data in asymmetric vault, from file.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      vault_type: asymmetric
+      in: "{{ ansible_env.HOME }}/in.txt"
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from asymmetric vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+      state: retrieved
+    register: result
+    failed_when: result.data != 'Another World.' or result.changed
+
+  - name: Archive data with single character to asymmetric vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      data: c
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from asymmetric vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+      state: retrieved
+    register: result
+    failed_when: result.data != 'c' or result.changed
+
+  - name: Ensure asymmetric vault is absent
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure asymmetric vault is absent, again
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure asymmetric vault is present, with public key from file.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      public_key_file: "{{ ansible_env.HOME }}/public.pem"
+      vault_type: asymmetric
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure asymmetric vault is present, with password from file, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      public_key_file: "{{ ansible_env.HOME }}/public.pem"
+      vault_type: asymmetric
+    register: result
+    failed_when: result.changed
+
+  - name: Archive data to asymmetric vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      data: Hello World.
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from asymmetric vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      private_key: "{{ lookup('file', 'private.pem') | b64encode }}"
+      state: retrieved
+    register: result
+    failed_when: result.data != 'Hello World.' or result.changed
+
+  - name: Retrieve data from asymmetric vault, with password file.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      private_key_file: "{{ ansible_env.HOME }}/private.pem"
+      state: retrieved
+    register: result
+    failed_when: result.data != 'Hello World.' or result.changed
+
+  - name: Ensure asymmetric vault is absent
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure asymmetric vault is absent, again
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: asymvault
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Cleanup testing environment.
+    import_tasks: env_setup.yml
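Review bot: The final task, `Cleanup testing environment.`, imports `env_setup.yml`, so the play ends by running setup again and the cleanup file added in this commit is never used; it should read `import_tasks: env_cleanup.yml`, as the last task of test_vault_symmetric.yml does. The closing task of test_vault_standard.yml has the same wrong import. env_cleanup.yml is what removes `private.pem` and `password.txt` from the target's home directory, so with this import the test key material, test users and vaults stay on the host after the run. Separately, the task names ending `with password from file, again.` and `with password file.` belong to tasks that pass `public_key_file` and `private_key_file`; naming them after the key files would keep failure output accurate.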
diff --git a/tests/vault/test_vault_members.yml b/tests/vault/test_vault_members.yml
new file mode 100644
index 0000000000000000000000000000000000000000..219236aef176b86732f3a501b17172e0e5415da5
--- /dev/null
+++ b/tests/vault/test_vault_members.yml
@@ -0,0 +1,20 @@
+---
+- name: Test vault
+  hosts: ipaserver
+  become: true
+  # Need to gather facts for ansible_env.
+  gather_facts: true
+
+  tasks:
+  - name: Test vault module member operations.
+    include_tasks:
+      file: tasks_vault_members.yml
+      apply:
+        tags:
+          - "{{ vault.vault_type }}"
+    loop_control:
+        loop_var: vault
+    loop:
+      - { name: "stdvault", vault_type: "standard" }
+      - { name: "symvault", vault_type: "symmetric" }
+      - { name: "asymvault", vault_type: "asymmetric" }
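Review bot: `loop_var: vault` under `loop_control` is indented four spaces deeper than its parent, while every other mapping in this file uses two. It parses, but yamllint's indentation rule would flag it, so `      loop_var: vault` would match the rest. This play also does not import `env_setup.yml` or `env_cleanup.yml` as the sibling plays do, presumably because tasks_vault_members.yml handles that on each iteration. That file is outside this hunk, so it is worth confirming that the key and password files are removed after the last loop item.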
diff --git a/tests/vault/test_vault_standard.yml b/tests/vault/test_vault_standard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5e0da98e647c9eda079a40cae7098bae137795e1
--- /dev/null
+++ b/tests/vault/test_vault_standard.yml
@@ -0,0 +1,125 @@
+---
+- name: Test vault
+  hosts: ipaserver
+  become: true
+  # Need to gather facts for ansible_env.
+  gather_facts: true
+
+  tasks:
+  - name: Setup testing environment.
+    import_tasks: env_setup.yml
+
+  - name: Ensure standard vault is present
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      vault_type: standard
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure standard vault is present, again
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      vault_type: standard
+    register: result
+    failed_when: result.changed
+
+  - name: Archive data to standard vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      vault_data: Hello World.
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from standard vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      state: retrieved
+    register: result
+    failed_when: result.data != 'Hello World.' or result.changed
+
+  - name: Retrieve data from standard vault into file {{ ansible_env.HOME }}/data.txt.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      out: "{{ ansible_env.HOME }}/data.txt"
+      state: retrieved
+    register: result
+    failed_when: result.changed
+
+  - name: Verify retrieved data.
+    slurp:
+      src: "{{ ansible_env.HOME }}/data.txt"
+    register: slurpfile
+    failed_when: slurpfile['content'] | b64decode != 'Hello World.'
+
+  - name: Archive data with non-ASCII characters to standard vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      vault_data: The world of π is half rounded.
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from standard vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      state: retrieved
+    register: result
+    failed_when: result.data != 'The world of π is half rounded.' or result.changed
+
+  - name: Archive data in standard vault, from file.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      vault_type: standard
+      in: "{{ ansible_env.HOME }}/in.txt"
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from standard vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      state: retrieved
+    register: result
+    failed_when: result.data != 'Another World.' or result.changed
+
+  - name: Archive data with single character to standard vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      vault_data: c
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from standard vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      state: retrieved
+    register: result
+    failed_when: result.data != 'c' or result.changed
+
+  - name: Ensure standard vault is absent
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure standard vault is absent, again
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: stdvault
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Cleanup testing environment.
+    import_tasks: env_setup.yml
diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c9429f4f6d3264c25296003c3f93d16c2d3ab686
--- /dev/null
+++ b/tests/vault/test_vault_symmetric.yml
@@ -0,0 +1,198 @@
+---
+- name: Test vault
+  hosts: ipaserver
+  become: true
+  # Need to gather facts for ansible_env.
+  gather_facts: true
+
+  tasks:
+  - name: Setup testing environment.
+    import_tasks: env_setup.yml
+
+  - name: Ensure symmetric vault is present
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      vault_type: symmetric
+      password: SomeVAULTpassword
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure symmetric vault is present, again
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      vault_type: symmetric
+      password: SomeVAULTpassword
+    register: result
+    failed_when: result.changed
+
+  - name: Archive data to symmetric vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      vault_data: Hello World.
+      password: SomeVAULTpassword
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from symmetric vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeVAULTpassword
+      state: retrieved
+    register: result
+    failed_when: result.data != 'Hello World.' or result.changed
+
+  - name: Retrieve data from symmetric vault into file {{ ansible_env.HOME }}/data.txt.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeVAULTpassword
+      out: "{{ ansible_env.HOME }}/data.txt"
+      state: retrieved
+    register: result
+    failed_when: result.changed
+
+  - name: Verify retrieved data.
+    slurp:
+      src: "{{ ansible_env.HOME }}/data.txt"
+    register: slurpfile
+    failed_when: slurpfile['content'] | b64decode != 'Hello World.'
+
+  - name: Archive data with non-ASCII characters to symmetric vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeVAULTpassword
+      vault_data: The world of π is half rounded.
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from symmetric vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeVAULTpassword
+      state: retrieved
+    register: result
+    failed_when: result.data != 'The world of π is half rounded.' or result.changed
+
+  - name: Archive data in symmetric vault, from file.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      in: "{{ ansible_env.HOME }}/in.txt"
+      password: SomeVAULTpassword
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from symmetric vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeVAULTpassword
+      state: retrieved
+    register: result
+    failed_when: result.data != 'Another World.' or result.changed
+
+  - name: Archive data with single character to symmetric vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeVAULTpassword
+      vault_data: c
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from symmetric vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeVAULTpassword
+      state: retrieved
+    register: result
+    failed_when: result.data != 'c' or result.changed
+
+  - name: Ensure symmetric vault is absent
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure symmetric vault is absent, again
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Ensure symmetric vault is present, with password from file.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: user01
+      password_file: "{{ ansible_env.HOME }}/password.txt"
+      vault_type: symmetric
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure symmetric vault is present, with password from file, again.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: user01
+      password_file: "{{ ansible_env.HOME }}/password.txt"
+      vault_type: symmetric
+    register: result
+    failed_when: result.changed
+
+  - name: Archive data to symmetric vault
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      vault_data: Hello World.
+      password: SomeVAULTpassword
+    register: result
+    failed_when: not result.changed
+
+  - name: Retrieve data from symmetric vault.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeVAULTpassword
+      state: retrieved
+    register: result
+    failed_when: result.data != 'Hello World.' or result.changed
+
+  - name: Retrieve data from symmetric vault, with password file.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password_file: "{{ ansible_env.HOME }}/password.txt"
+      state: retrieved
+    register: result
+    failed_when: result.data != 'Hello World.' or result.changed
+
+  - name: Ensure symmetric vault is absent
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure symmetric vault is absent, again
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      state: absent
+    register: result
+    failed_when: result.changed
+
+  - name: Cleanup testing environment.
+    import_tasks: env_cleanup.yml
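Review bot: The two `password_file` presence tasks set `username: user01`, but every later task in the play omits `username`, so the archive and both retrievals that follow appear to target a different `symvault` than the one just created from the password file. If so, the vault created with `password_file` is never opened, and `Retrieve data from symmetric vault, with password file.` only checks the file against a vault that was presumably created implicitly by the preceding archive task with `password: SomeVAULTpassword`. Dropping `username: user01` from both tasks, or adding it to the archive, retrieve and absent tasks after them, would make the round trip cover the vault under test. It would also let the final `Ensure symmetric vault is absent` remove that vault instead of leaving it to env_cleanup.yml.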