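---
# Unseal Vault using keys from the vault_unseal_keys list.
# Submits the first vault_init_key_threshold keys one at a time, then reads
# /v1/sys/health and asserts that Vault reports itself unsealed.
# Requires vault_init_key_threshold keys in vault_unseal_keys.

# Each request carries one unseal key share in its JSON body.
# - no_log keeps the key shares out of task output and logs.
# - The registered loop result still holds every submitted key under
#   results[*].item, so never print or persist __vault_unseal_result.
# - Keep vault_validate_certs true outside throwaway test setups: with
#   certificate validation off, the peer receiving the key shares is
#   unauthenticated.
- name: Submit unseal keys
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/unseal"
    method: POST
    validate_certs: "{{ vault_validate_certs }}"
    body_format: json
    body:
      key: "{{ item }}"
    status_code: 200
  loop: "{{ vault_unseal_keys[:vault_init_key_threshold] }}"
  register: __vault_unseal_result
  no_log: true

# With its default status codes, /v1/sys/health answers 200 (unsealed,
# active), 429 (unsealed, standby) and 503 (sealed). 503 is accepted here so
# that a still-sealed Vault reaches the assert below and fails with its
# explanatory message instead of a bare HTTP status error from this task.
- name: Check unseal status
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/health"
    method: GET
    validate_certs: "{{ vault_validate_certs }}"
    status_code: [200, 429, 503]
  register: __vault_health

# Filters bind tighter than `not`, so this reads: not (sealed | bool).
# NOTE(review): assumes the health response carries a JSON body with a
# `sealed` field; a 503 from an intermediary proxy would not.
- name: Assert Vault unsealed successfully
  ansible.builtin.assert:
    that:
      - not __vault_health.json.sealed | bool
    fail_msg: >-
      Vault is still sealed after submitting {{ vault_init_key_threshold }}
      keys. Check that vault_unseal_keys contains the correct keys and try
      again.

# Fact set only after the assert above has passed.
- name: Register unseal success
  ansible.builtin.set_fact:
    __vault_unsealed: true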