---
# The Vault role is typically a two step process:
# 1. Bootstrap
#    This starts a temporary Vault to generate certs for Vault itself. This
#    includes a Root CA for the cluster, assuming one doesn't exist already.
#    The temporary instance will remain running after Bootstrap, to provide a
#    running Vault for the Etcd role to generate certs against.
# 2. Cluster
#    Once Etcd is started, then the Cluster tasks can start up a long-term
#    Vault cluster using Etcd as the backend. The same Root CA is mounted as
#    used during step 1, allowing all certs to have the same chain of trust.

- name: install hvac
  pip:
    name: "hvac"
    state: "present"

## Bootstrap
- include_tasks: bootstrap/main.yml
  when: cert_management == 'vault' and vault_bootstrap | d()

## Cluster
- include_tasks: cluster/main.yml
  when: cert_management == 'vault' and not vault_bootstrap | d()