diff --git a/roles/vault/tasks/bootstrap/main.yml b/roles/vault/tasks/bootstrap/main.yml
index 88e5c205020d77bcbb7a6a5aa49208bbc850bb69..e061028b765b62017fccf40d7374ad4ad236c0d4 100644
--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
@@ -38,6 +38,7 @@
- "{{ vault_pki_mounts.etcd }}"
loop_control:
loop_var: mount
+ when: inventory_hostname in groups.vault
- include: ../shared/gen_ca.yml
vars:
diff --git a/roles/vault/tasks/cluster/main.yml b/roles/vault/tasks/cluster/main.yml
index bca6da5be54ce45bd965f838cac60fdecbd6e299..9c7c83aaf5acc5487b294f5006e09004e2288d6f 100644
--- a/roles/vault/tasks/cluster/main.yml
+++ b/roles/vault/tasks/cluster/main.yml
@@ -42,3 +42,4 @@
when: inventory_hostname == groups.vault|first
- include: create_roles.yml
+ when: inventory_hostname in groups.vault
diff --git a/roles/vault/tasks/shared/create_role.yml b/roles/vault/tasks/shared/create_role.yml
index dc9b5e1c6c6056a0cb4f835fafaf5da0ade57719..d76e73f13aa6512b3c91244db1db5a6fc73d3f7c 100644
--- a/roles/vault/tasks/shared/create_role.yml
+++ b/roles/vault/tasks/shared/create_role.yml
@@ -19,7 +19,8 @@
{{ create_role_policy_rules | to_json + '\n' }}
{%- endif -%}
status_code: 204
- when: inventory_hostname == groups[create_role_group]|first
+ delegate_to: "{{ groups.vault|first }}"
+ run_once: true
- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
uri:
@@ -34,15 +35,14 @@
{{ create_role_options }}
{%- endif -%}
status_code: 204
- when: inventory_hostname == groups[create_role_group]|first
+ delegate_to: "{{ groups.vault|first }}"
+ run_once: true
## Userpass based auth method
- include: gen_userpass.yml
vars:
- gen_userpass_group: "{{ create_role_group }}"
gen_userpass_password: "{{ create_role_password }}"
gen_userpass_policies: "{{ create_role_name }}"
gen_userpass_role: "{{ create_role_name }}"
gen_userpass_username: "{{ create_role_name }}"
- when: inventory_hostname in groups[create_role_group]
diff --git a/roles/vault/tasks/shared/gen_userpass.yml b/roles/vault/tasks/shared/gen_userpass.yml
index 2bc0c98f135c5deed67fd50cec222e6fb411ab10..5def39d0e468a1bdbc5f45b7eebde543cd19b9d4 100644
--- a/roles/vault/tasks/shared/gen_userpass.yml
+++ b/roles/vault/tasks/shared/gen_userpass.yml
@@ -10,13 +10,13 @@
password: "{{ gen_userpass_password }}"
policies: "{{ gen_userpass_role }}"
status_code: 204
- when: inventory_hostname == groups[gen_userpass_group]|first
+ delegate_to: "{{ groups.vault|first }}"
+ run_once: true
- name: shared/gen_userpass | Ensure destination directory exists
file:
path: "{{ vault_roles_dir }}/{{ gen_userpass_role }}"
state: directory
- when: inventory_hostname in groups[gen_userpass_group]
- name: shared/gen_userpass | Copy credentials to all hosts in the group
copy:
@@ -26,4 +26,3 @@
'password': gen_userpass_password} | to_nice_json(indent=4)
}}
dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass"
- when: inventory_hostname in groups[gen_userpass_group]
diff --git a/roles/vault/tasks/shared/issue_cert.yml b/roles/vault/tasks/shared/issue_cert.yml
index 51b969f4eb663420615ca5d34892f8d1d83ecd97..24db599573121f7cf6b20c9689756349b182599b 100644
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@@ -29,13 +29,13 @@
- name: "issue_cert | Read in the local credentials"
command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
register: vault_creds_cat
- delegate_to: "{{ issue_cert_hosts|first }}"
+ delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: gen_certs_vault | Set facts for read Vault Creds
set_fact:
user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
- delegate_to: "{{ issue_cert_hosts|first }}"
+ delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: gen_certs_vault | Log into Vault and obtain an token
@@ -49,7 +49,7 @@
body:
password: "{{ user_vault_creds.password }}"
register: vault_login_result
- delegate_to: "{{ issue_cert_hosts|first }}"
+ delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: gen_certs_vault | Set fact for vault_client_token