---
- name: create_role | Create a policy for the new role
  hashivault_policy_set:
    url: "{{ vault_leader_url }}"
    token: "{{ vault_root_token }}"
    ca_cert: "{{ vault_cert_dir }}/ca.pem"
    name: "{{ create_role_name }}"
    rules: >-
            {%- if create_role_policy_rules|d("default") == "default" -%}
            {{
            { 'path': {
                create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
                create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
            }} | to_json + '\n'
            }}
            {%- else -%}
            {{ create_role_policy_rules | to_json + '\n' }}
            {%- endif -%}

- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
  hashivault_write:
    url: "{{ vault_leader_url }}"
    token: "{{ vault_root_token }}"
    ca_cert: "{{ vault_cert_dir }}/ca.pem"
    secret: "{{ create_role_mount_path }}/roles/{{ create_role_name }}"
    data: |
      {%- if create_role_options|d("default") == "default" -%}
      {
      allow_any_name: true
      }
      {%- else -%}
      {{ create_role_options | to_json }}
      {%- endif -%}

## Userpass based auth method

- include_tasks: gen_userpass.yml
  vars:
    gen_userpass_password: "{{ create_role_password }}"
    gen_userpass_policies: "{{ create_role_name }}"
    gen_userpass_role: "{{ create_role_name }}"
    gen_userpass_username: "{{ create_role_name }}"