--- - name: cluster/init | Initialize Vault uri: url: "https://localhost:{{ vault_port }}/v1/sys/init" headers: "{{ vault_client_headers }}" method: POST body_format: json body: secret_shares: "{{ vault_secret_shares }}" secret_threshold: "{{ vault_secret_threshold }}" validate_certs: false register: vault_init_result when: not vault_cluster_is_initialized and inventory_hostname == groups.vault|first - name: cluster/init | Set facts on the results of the initialization set_fact: vault_unseal_keys: "{{ vault_init_result.json['keys'] }}" vault_root_token: "{{ vault_init_result.json.root_token }}" vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_init_result.json.root_token}) }}" when: not vault_cluster_is_initialized and inventory_hostname == groups.vault|first - name: cluster/init | Ensure all hosts have these facts set_fact: vault_unseal_keys: "{{ hostvars[groups.vault|first]['vault_unseal_keys'] }}" vault_root_token: "{{ hostvars[groups.vault|first]['vault_root_token'] }}" when: not vault_cluster_is_initialized and inventory_hostname != groups.vault|first - name: cluster/init | Ensure the vault_secrets_dir exists file: mode: 0750 path: "{{ vault_secrets_dir }}" state: directory - name: cluster/init | Ensure all in groups.vault have the unseal_keys locally copy: content: "{{ vault_unseal_keys|join('\n') }}" dest: "{{ vault_secrets_dir }}/unseal_keys" mode: 0640 when: not vault_cluster_is_initialized - name: cluster/init | Ensure all in groups.vault have the root_token locally copy: content: "{{ vault_root_token }}" dest: "{{ vault_secrets_dir }}/root_token" mode: 0640 when: not vault_cluster_is_initialized - name: cluster/init | Ensure vault_headers and vault statuses are updated set_fact: vault_headers: "{{ vault_client_headers | combine({'X-Vault-Token': vault_root_token})}}" vault_cluster_is_initialized: true