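---
# Configures a running, initialized HashiCorp Vault instance.
#
# Expects Vault to already be initialized (run --tags vault_init first).
# Unseals if sealed and vault_unseal_keys is defined.
# Then configures OIDC authentication with Keycloak (configure_oidc.yml).
#
# Inputs (inventory, extra-vars or a secret store):
#   vault_url                      - base URL of the Vault API (scheme + host[:port])
#   vault_validate_certs           - TLS verification for every request to vault_url.
#                                    Keep true outside throwaway dev setups: the root
#                                    token and client secret presumably travel to this
#                                    URL in the included task files, and a disabled
#                                    check lets an on-path attacker capture them.
#   vault_vault_root_token         - root token; only its presence is checked here
#   vault_oidc_issuer              - Keycloak realm issuer URL
#   vault_vault_oidc_client_secret - OIDC client secret for Vault
#   vault_unseal_keys              - optional list of unseal key strings
#
# Secrets are only referenced by name inside assert expressions, so their
# values are not echoed in task output. The included task files are
# responsible for no_log on any task that hands them to a module.

- name: Validate required variables
  ansible.builtin.assert:
    that:
      # default('') on every name so a missing variable yields the fail_msg
      # below instead of an "undefined variable" error (vault_url had no
      # default before and would abort with a traceback-style message).
      - vault_url | default('') | length > 0
      - vault_vault_root_token | default('') | length > 0
      - vault_oidc_issuer | default('') | length > 0
      - vault_vault_oidc_client_secret | default('') | length > 0
    fail_msg: >-
      vault_url, vault_vault_root_token, vault_oidc_issuer, and
      vault_vault_oidc_client_secret are required. Run --tags vault_init first,
      save credentials to 1Password, then run --tags
      vault_configure_keycloak,vault_configure_oidc or default play.

- name: Check Vault status
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/health"
    method: GET
    validate_certs: "{{ vault_validate_certs }}"
    # /sys/health reports state via the HTTP status (200 active, 429 standby,
    # 472 DR secondary, 473 performance standby, 501 uninitialized, 503
    # sealed). All of them are accepted so the JSON body can be inspected
    # below; an unreachable host, TLS failure or any other code still fails
    # the task here rather than later with a confusing error.
    status_code: [200, 429, 472, 473, 501, 503]
  register: __vault_health

- name: Assert Vault is initialized
  ansible.builtin.assert:
    that:
      - __vault_health.json.initialized | bool
    fail_msg: >-
      Vault is not initialized. Run:
      ansible-navigator run playbooks/deploy_vault.yml --tags vault_init

# Only attempt an unseal when the health check says it is needed and the
# operator supplied keys; unseal.yml is expected to set __vault_unsealed
# on success (not visible here - confirm against that file).
- name: Unseal Vault if sealed
  ansible.builtin.include_tasks: unseal.yml
  when:
    - __vault_health.json.sealed | bool
    - vault_unseal_keys | default([]) | length > 0

- name: Assert Vault is unsealed
  ansible.builtin.assert:
    that:
      # Jinja filters bind tighter than `not`, so this reads as
      # (not sealed at health-check time) or (unseal.yml reported success).
      # NOTE(review): this trusts the flag rather than re-querying
      # /sys/health after the unseal; a second health check would be the
      # authoritative signal if unseal.yml ever sets the flag early.
      - not __vault_health.json.sealed | bool or __vault_unsealed | default(false) | bool
    fail_msg: >-
      Vault is sealed. Provide vault_unseal_keys (list of unseal key strings)
      or unseal manually via the Vault UI, then rerun.

# Runs with the root token validated above; the OIDC tasks are where the
# Keycloak client secret is written into Vault, so that file should carry
# no_log on the corresponding tasks.
- name: Configure OIDC authentication
  ansible.builtin.include_tasks: configure_oidc.yml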