---
argument_specs:
  main:
    short_description: Configure a running HashiCorp Vault instance
    description:
      - Unseals Vault if sealed and unseal keys are provided.
      - Enables and configures OIDC authentication using Keycloak.
      - Creates an admin policy and maps a Keycloak group to it.
      - Requires Vault to already be initialized (use vault_init tag first).
    options:
      vault_url:
        description: Base URL of the Vault API.
        type: str
        default: "http://nas.lan.toal.ca:8200"
      vault_validate_certs:
        description: Whether to validate TLS certificates for Vault API calls.
        type: bool
        default: false
      vault_vault_root_token:
        description: Vault root token for API authentication. Required.
        type: str
        required: true
      vault_oidc_issuer:
        description: OIDC discovery URL base (Keycloak realm URL). Required.
        type: str
        required: true
      vault_vault_oidc_client_secret:
        description: OIDC client secret from Keycloak. Required.
        type: str
        required: true
      vault_oidc_client_id:
        description: OIDC client ID registered in Keycloak.
        type: str
        default: vault
      vault_oidc_admin_group:
        description: Keycloak group name to map to the Vault admin policy.
        type: str
        default: vault-admins
      vault_oidc_default_ttl:
        description: Default token TTL for OIDC-authenticated tokens.
        type: str
        default: 1h
      vault_oidc_max_ttl:
        description: Maximum token TTL for OIDC-authenticated tokens.
        type: str
        default: 8h
      vault_unseal_keys:
        description: >-
          List of unseal key strings. If provided and Vault is sealed,
          the role will attempt to unseal using these keys.
        type: list
        elements: str
        default: []
      vault_init_key_shares:
        description: Number of key shares for vault operator init.
        type: int
        default: 5
      vault_init_key_threshold:
        description: Number of key shares required to unseal.
        type: int
        default: 3