Vault pki followup (#31)

* Fix vault_pki_write_certificates_host

* Followup fixes

* Make meta/main.yml the similar in all three roles

Author: mnasiadka

roles/vault/meta/main.yml

@@ -1,3 +1,6 @@
 ---
+# WORKAROUND: Without this, we see the following in some setups:
+# ERROR! couldn't resolve module/action 'hashivault_unseal'. This often indicates a misspelling, missing collection, or incorrect module path.
+# Seen using Kayobe on Ansible 2.10.17, running modules on a remote host.
 collections:
   - community.docker

roles/vault_pki/README.md

@@ -25,21 +25,21 @@ Role variables
     * `vault_pki_root_default_lease_ttl`: The default time in hours before expiry of the root CA certificate (default: "43830h")
     * `vault_pki_root_max_lease_ttl`: The max time in hours that is allowed before expiry of the root CA certificate (default: "43830h")
     * `vault_pki_root_ttl`: The time in hours before the root CA certificate expires (default: "43830h")
-    * `vault_pki_root_key_bits`: The key bits for the root RSA private key (default: "4096")
+    * `vault_pki_root_key_bits`: The key bits for the root RSA private key (default: 4096)
 ---
 * Vault Create Intermediate
     * `vault_pki_intermediate_create`: whether to create an intermediate CA or not (default: `true`)
     * `vault_pki_intermediate_import`: whether to import a pre-existing intermediate pem bundle (default: `false`)
     * `vault_pki_intermediate_export`: whether to export the generated intermediate pem bundle (default: `false`)
         * Mandatory if `vault_pki_intermediate_create` equals `true`
             * `vault_pki_intermediate_ca_name`: The name of the Intermediate CA to create
-            * `vault_pki_intermediate_ca_common_name`:  The common name of the RootCA (default: `vault_pki_intermediate_ca_name`)
+            * `vault_pki_intermediate_ca_common_name`:  The common name of the Intermediate CA (default: `vault_pki_intermediate_ca_name`)
         * Mandatory if `vault_pki_intermediate_import`: equals `true`
             * `vault_pki_intermediate_ca_bundle`: Concatenated certificate, intermediate and private key
     * `vault_pki_intermediate_default_lease_ttl`: The default time in hours before expiry of the intermediate CA certificate (default: "43830h")
     * `vault_pki_intermediate_max_lease_ttl`: The max time in hours that is allowed before expiry of the intermediate CA certificate (default: "43830h")
     * `vault_pki_intermediate_ttl`: The time in hours before the intermediate CA certificate expires (default: "43830h")
-    * `vault_pki_intermediate_key_bits`: The key bits for the intermediate RSA private key (default: "4096")
+    * `vault_pki_intermediate_key_bits`: The key bits for the intermediate RSA private key (default: 4096)
     * `vault_pki_intermediate_roles`: Certificate Roles to create for the intermediate CA. List of Dicts containing `{name: <role_name>, config: { <pki_option>: <value> ...}`
 ---
 * Certificate Output

roles/vault_pki/meta/main.yml

@@ -0,0 +1,6 @@
+---
+# WORKAROUND: Without this, we see the following in some setups:
+# ERROR! couldn't resolve module/action 'hashivault_unseal'. This often indicates a misspelling, missing collection, or incorrect module path.
+# Seen using Kayobe on Ansible 2.10.17, running modules on a remote host.
+collections:
+  - community.general

roles/vault_pki/tasks/create_cert.yml

@@ -18,6 +18,6 @@
       {{ item.data.private_key }}
     dest: "{{ vault_pki_certificates_directory }}/{{ item.item.common_name | replace(' ', '-') }}.pem"
     mode: 0600
-  delegate_to: "{{ vault_pki_certificates_host }}"
+  delegate_to: "{{ vault_pki_write_certificates_host }}"
   loop: "{{ certificate_data.results }}"
   when: vault_pki_write_certificate_files | bool

roles/vault_pki/tasks/intermediate.yml

@@ -66,7 +66,7 @@
           {{ intermediate_ca_csr.data.private_key }}
         dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_intermediate_ca_name |replace(' ', '-') }}.pem"
         mode: 0600
-      delegate_to: "{{ vault_pki_certificates_host }}"
+      delegate_to: "{{ vault_pki_write_certificates_host }}"
       when:
         - vault_pki_intermediate_export | bool
 

roles/vault_pki/tasks/prechecks.yml

@@ -6,5 +6,7 @@
     - vars[item.name] | length == 0
     - item.when
   loop:
+    - { "name": "vault_api_addr", "when": true }
+    - { "name": "vault_token", when: true }
     - { "name": "vault_pki_root_ca_name", "when": "vault_pki_root_create | bool" }
     - { "name": "vault_pki_intermediate_ca_name", "when": "vault_pki_intermediate_create | bool" }

roles/vault_pki/tasks/root.yml

@@ -29,6 +29,6 @@
       {{ root_ca_data.data.certificate }}
     dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_root_ca_name | replace(' ', '-') }}.pem"
     mode: 0600
-  delegate_to: "{{ vault_pki_certificates_host }}"
+  delegate_to: "{{ vault_pki_write_certificates_host }}"
   when:
     - vault_pki_write_root_ca_to_file | bool

roles/vault_unseal/tasks/main.yml

@@ -20,7 +20,6 @@
     url: "{{ vault_api_addr }}"
     username: "{{ vault_unseal_username | default(omit) }}"
     verify: "{{ vault_unseal_verify | default(omit) }}"
-  register: vault_unseal_status
 
 - name: Fail if vault is sealed (something went wrong)
   uri: