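---
# Initialise a Vault node the first time it comes up.
#
# The health endpoint's HTTP status encodes the node's state; every task
# after the probe is gated on status 501 ("not initialized"). The init
# output (unseal keys + root token) is written to files on the controller
# under vault_unseal_keys_dir_output.
- name: Vault API reachable?
  ansible.builtin.uri:
    url: "{{ vault_api_addr }}/v1/sys/health"
    method: GET
    # 200 if initialized, unsealed, and active
    # 429 if unsealed and standby
    # 472 if data recovery mode replication secondary and active
    # 473 if performance standby
    # 501 if not initialized
    # 503 if sealed
    # See: https://www.vaultproject.io/api/system/health.html
    status_code:
      - 200
      - 429
      - 472
      - 473
      - 501
      - 503
    body_format: json
  register: check_result
  # Give a freshly started node up to ~60s to answer.
  retries: 6
  delay: 10
  until: check_result is succeeded
  changed_when: false

- name: Debug
  ansible.builtin.debug:
    var: check_result.status

- name: Create unseal directories
  ansible.builtin.file:
    path: "{{ vault_unseal_keys_dir_output }}"
    state: directory
    # Directory will hold unseal keys and the root token: owner-only access.
    mode: "0700"
  delegate_to: localhost
  become: false
  run_once: true
  when: check_result.status == 501

- name: Initialise Vault operator
  # No shell features are needed, so `command` is used instead of `shell`.
  # -key-shares=1 -key-threshold=1 produces a single unseal key.
  ansible.builtin.command: vault operator init -key-shares=1 -key-threshold=1 -format json
  environment:
    VAULT_ADDR: "{{ vault_api_addr }}"
  register: vault_init_results
  run_once: true
  # stdout carries the unseal key and root token; keep it out of task output.
  no_log: true
  when: check_result.status == 501

- name: Parse output of vault init
  ansible.builtin.set_fact:
    vault_init_parsed: "{{ vault_init_results.stdout | from_json }}"
  delegate_to: localhost
  run_once: true
  # The parsed fact contains the same secrets as the raw init output.
  no_log: true
  when: check_result.status == 501

- name: Write unseal keys to files
  ansible.builtin.copy:
    dest: "{{ vault_unseal_keys_dir_output }}/unseal_key_{{ key_index }}"
    content: "{{ item }}"
    force: true
    # Owner-only: the file content is an unseal key.
    mode: "0600"
  loop: "{{ vault_init_parsed.unseal_keys_hex }}"
  loop_control:
    # Replaces with_indexed_items; key_index is the 0-based position in the list.
    index_var: key_index
  delegate_to: localhost
  run_once: true
  register: sealkey_set
  become: false
  # Prevents the key material from appearing in diff/verbose output.
  no_log: true
  when: check_result.status == 501

- name: Write root token to file
  ansible.builtin.copy:
    content: "{{ vault_init_parsed.root_token }}"
    dest: "{{ vault_unseal_keys_dir_output }}/rootkey"
    force: true
    # Owner-only: the file content is the root token.
    mode: "0600"
  delegate_to: localhost
  run_once: true
  become: false
  # Prevents the root token from appearing in diff/verbose output.
  no_log: true
  when: check_result.status == 501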