Place vault role credentials only to vault group hosts

roles/vault/tasks/bootstrap/main.yml

@@ -38,6 +38,7 @@
     - "{{ vault_pki_mounts.etcd }}"
   loop_control:
     loop_var: mount
+  when: inventory_hostname in groups.vault
 
 - include: ../shared/gen_ca.yml
   vars:

roles/vault/tasks/cluster/main.yml

@@ -42,3 +42,4 @@
   when: inventory_hostname == groups.vault|first
 
 - include: create_roles.yml
+  when: inventory_hostname in groups.vault

roles/vault/tasks/shared/create_role.yml

@@ -19,7 +19,8 @@
              {{ create_role_policy_rules | to_json + '\n' }}
              {%- endif -%}
     status_code: 204
-  when: inventory_hostname == groups[create_role_group]|first
+  delegate_to: "{{ groups.vault|first }}"
+  run_once: true
 
 - name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
   uri:
@@ -34,15 +35,14 @@
           {{ create_role_options }}
           {%- endif -%}
     status_code: 204
-  when: inventory_hostname == groups[create_role_group]|first
+  delegate_to: "{{ groups.vault|first }}"
+  run_once: true
 
 ## Userpass based auth method
 
 - include: gen_userpass.yml
   vars:
-    gen_userpass_group: "{{ create_role_group }}"
     gen_userpass_password: "{{ create_role_password }}"
     gen_userpass_policies: "{{ create_role_name }}"
     gen_userpass_role: "{{ create_role_name }}"
     gen_userpass_username: "{{ create_role_name }}"
-  when: inventory_hostname in groups[create_role_group]

roles/vault/tasks/shared/gen_userpass.yml

@@ -10,13 +10,13 @@
       password: "{{ gen_userpass_password }}"
       policies: "{{ gen_userpass_role }}"
     status_code: 204
-  when: inventory_hostname == groups[gen_userpass_group]|first
+  delegate_to: "{{ groups.vault|first }}"
+  run_once: true
 
 - name: shared/gen_userpass | Ensure destination directory exists
   file:
     path: "{{ vault_roles_dir }}/{{ gen_userpass_role }}"
     state: directory
-  when: inventory_hostname in groups[gen_userpass_group]
 
 - name: shared/gen_userpass | Copy credentials to all hosts in the group
   copy:
@@ -26,4 +26,3 @@
               'password': gen_userpass_password} | to_nice_json(indent=4)
              }}
     dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass"
-  when: inventory_hostname in groups[gen_userpass_group]

roles/vault/tasks/shared/issue_cert.yml

@@ -29,13 +29,13 @@
 - name: "issue_cert | Read in the local credentials"
   command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
   register: vault_creds_cat
-  delegate_to: "{{ issue_cert_hosts|first }}"
+  delegate_to: "{{  groups.vault|first }}"
   run_once: true
 
 - name: gen_certs_vault | Set facts for read Vault Creds
   set_fact:
     user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
-  delegate_to: "{{ issue_cert_hosts|first }}"
+  delegate_to: "{{ groups.vault|first }}"
   run_once: true
 
 - name: gen_certs_vault | Log into Vault and obtain an token
@@ -49,7 +49,7 @@
     body:
       password: "{{ user_vault_creds.password }}"
   register: vault_login_result
-  delegate_to: "{{ issue_cert_hosts|first }}"
+  delegate_to: "{{ groups.vault|first }}"
   run_once: true
 
 - name: gen_certs_vault | Set fact for vault_client_token