system-config/playbooks/roles/configure_vault/tasks/auth.yaml

---
- name: Read Auth {{ auth.type }} at {{ auth.path }}
  check_mode: "no"
  ansible.builtin.uri:
    url: "{{ vault_addr }}/v1/sys/auth/{{ auth.path }}"
    headers:
      X-Vault-Token: "{{ vault_token }}"
    method: "GET"
    return_content: "yes"
  register: current_auth
  failed_when: false

- name: Mount auth {{ auth.type }} at {{ auth.path }}
  ansible.builtin.uri:
    url: "{{ vault_addr }}/v1/sys/auth/{{ auth.path }}"
    headers:
      X-Vault-Token: "{{ vault_token }}"
    method: "POST"
    body_format: "json"
    body:
      type: "{{ auth.type }}"
      description: "{{ auth.description | default(omit) }}"
      config:
        default_lease_ttl: "{{ auth.default_lease_ttl | default(omit) }}"
        max_lease_ttl: "{{ auth.max_lease_ttl | default(omit) }}"
        audit_non_hmac_request_keys: "{{ auth.audit_non_hmac_request_keys | default(omit) }}"
        audit_non_hmac_response_keys: "{{ auth.audit_non_hmac_response_keys | default(omit) }}"
        listing_visibility: "{{ auth.listing_visibility | default(omit) }}"
        passthrough_request_headers: "{{ auth.passthrough_request_headers | default(omit) }}"
        allowed_response_headers: "{{ auth.allowed_response_headers | default(omit) }}"
      options: "{{ auth.options | default(omit) }}"
    status_code: [200, 201, 202, 204]
  when:
    - "current_auth is not defined or current_auth.status != 200"
    - "vault_auth_create is defined and vault_auth_create|bool"

- name: Tune auth {{ auth.type }} at {{ auth.path }}
  ansible.builtin.uri:
    url: "{{ vault_addr }}/v1/sys/auth/{{ auth.path }}/tune"
    headers:
      X-Vault-Token: "{{ vault_token }}"
    method: "POST"
    body_format: "json"
    body:
      description: "{{ auth.description | default(omit) }}"
      config:
        default_lease_ttl: "{{ auth.default_lease_ttl | default(omit) }}"
        max_lease_ttl: "{{ auth.max_lease_ttl | default(omit) }}"
        audit_non_hmac_request_keys: "{{ auth.audit_non_hmac_request_keys | default(omit) }}"
        audit_non_hmac_response_keys: "{{ auth.audit_non_hmac_response_keys | default(omit) }}"
        listing_visibility: "{{ auth.listing_visibility | default(omit) }}"
        passthrough_request_headers: "{{ auth.passthrough_request_headers | default(omit) }}"
        allowed_response_headers: "{{ auth.allowed_response_headers | default(omit) }}"
      options: "{{ auth.options | default(omit) }}"
    status_code: [200, 201, 202, 204]
  when:
    - "current_auth.status == 200"
    - "current_auth is defined and current_auth.json is defined"
    - "auth.description is defined and current_auth.json.description != auth.description"
    # - "current_auth.json.default_lease_ttl != auth.default_lease_ttl"
    # - "current_auth.json.max_lease_ttl != auth.max_lease_ttl"
    # - "auth.force_no_cache is defined and current_auth.json.force_no_cache != auth.force_no_cache"
    # - "auth.auditcurrent_auth.json.audit_non_hmac_request_keys != auth.audit_non_hmac_request_keys"
    # - "current_auth.json.audit_non_hmac_response_keys != auth.audit_non_hmac_response_keys"

    # - "current_auth.json.listing_visibility != auth.listing_visibility"
    # - "current_auth.json.passthrough_request_headers != auth.passthrough_request_headers"
    # - "current_auth.json.allowed_response_headers != auth.allowed_response_headers"