Pattern for "assemble"ing fragments across roles?

rrau...@gmail.com

Apr 13, 2021, 8:13:38 PM
to Ansible Project
I'm trying to come up with some roles for configuring HashiCorp Vault Agent. In the end I'd like to build up the agent's config file to pull different secrets from a vault and then call scripts in response.

I have a role, for example, that creates a Perforce authentication token using a vault secret and has a cron job to keep it up to date every hour. I might have another role that pulls down a password and updates a Kerberos keytab on a system.

So far I've broken this up into something like these roles:
  • vault-agent-init
    • clears the fragments assemble directory
    • makes misc directories
  • vault-agent-perforce-auth
    • parms: user, secret path, ...
    • drops a fragment into the fragments directory to add to config
    • adds a cron job that creates and keeps up to date a perforce ticket/token file for a specific user
  • vault-agent-keytab-auth 
    • parms: user, secret path, ...
    • drops a fragment into the fragments directory to add to config 
    • adds a cron job that updates keytab for a specific user
  • vault-agent
    • assembles fragments, finishes configuring the agent.
Right now I put these together within a machine's role by placing these in order using include_role -- not using dependency roles. Roles that depend on the init role cause the fragments dir to be cleared for each parent role, because init runs more than once.

Here's an example of what is included in a machine/service's role:

- include_role:
    name: vault_agent_init

- include_role:
    name: vault_agent_keytab_auth
  vars:
    vault_approle: "xxx"
    vault_agent_keytab_user: "yyy"
    vault_agent_secret_path: "secret/user/yyy"

- include_role:
    name: vault_agent_perforce_auth
  vars:
    vault_approle: "xxxx"
    [...]
    vault_agent_secret_path: "yyyy"

- include_role:   # assemble final config
    name: vault_agent

The idea is that I can build up the fragments, and then when done, include the final role to build up the fragments.

Is there a better way to pattern this? I could try parameterizing everything into a single vault agent role... but... I'd like other roles to be able to add other fragments without having to keep parameterizing the agent's role. It feels like keeping these as smaller components would be better -- more maintainable.

One of the challenges I'm having with this now is that I would like to apply a role to all machines that is dependent on one of these secrets - the vault-agent-perforce-auth role... This role would use the Perforce authentication to pull down a repository and sync it every hour. But now I've designed myself into a corner where I have to add these includes manually to every machine's role list and can't just apply it to my list of common roles applied to all machines.

I learned Puppet first long ago, but have been using Ansible now for quite a few years -- but I fear that I am only seeing this design problem through a Puppet "lens."

Thanks!
Rich
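One way to keep the fragment pattern while letting the fragment roles declare init as a dependency (so a role applied to all machines can pull in vault_agent_perforce_auth without every machine's role list including init by hand), as an added example that is not the poster's code: the role names follow the post; vault_agent_fragments_dir, vault_agent_user, vault_agent_perforce_user, the template name, the /etc/vault-agent path and the "Restart vault agent" handler (assumed to live in roles/vault_agent/handlers/main.yml) are assumptions.

```yaml
# roles/vault_agent_init/tasks/main.yml
# A host fact guards the clear step, so the directory is emptied only once per
# play no matter how many fragment roles pull this role in as a dependency.
- name: Clear the fragment directory (first time on this host only)
  ansible.builtin.file:
    path: "{{ vault_agent_fragments_dir }}"
    state: absent
  when: not (vault_agent_fragments_cleared | default(false))

- name: Recreate the fragment directory, accessible only to the agent user
  ansible.builtin.file:
    path: "{{ vault_agent_fragments_dir }}"
    state: directory
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_user }}"
    mode: "0750"

- name: Remember that this host's fragments were cleared in this play
  ansible.builtin.set_fact:
    vault_agent_fragments_cleared: true

# roles/vault_agent_perforce_auth/meta/main.yml
# With init as a declared dependency, a role applied to all machines can depend
# on vault_agent_perforce_auth without listing vault_agent_init itself.
dependencies:
  - role: vault_agent_init

# roles/vault_agent_perforce_auth/tasks/main.yml
# The numeric prefix fixes the order in which assemble concatenates fragments;
# the fragment carries the approle and secret path, so it stays 0640.
- name: Drop this role's config fragment
  ansible.builtin.template:
    src: perforce_auth.hcl.j2
    dest: "{{ vault_agent_fragments_dir }}/20-perforce-{{ vault_agent_perforce_user }}.hcl"
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_user }}"
    mode: "0640"

# roles/vault_agent/tasks/main.yml  (listed last in the play)
- name: Assemble the agent config from every fragment the other roles dropped
  ansible.builtin.assemble:
    src: "{{ vault_agent_fragments_dir }}"
    dest: /etc/vault-agent/agent.hcl
    remote_src: true
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_user }}"
    mode: "0640"
  notify: Restart vault agent
```

Because the set_fact survives for the host across the rest of the play, the clear step is skipped on every later run of vault_agent_init, whether it is reached through meta dependencies or include_role.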