site/profiles/manifests/vault/server.pp

@@ -1,7 +1,10 @@
 # profiles::vault::server
 class profiles::vault::server (
   Boolean   $members_lookup = false,
-  String    $members_role   = undef,
+  Variant[
+    String,
+    Undef
+  ]         $members_role   = undef,
   Array     $vault_servers  = [],
   Enum[
     'archive',
@@ -22,12 +25,7 @@ class profiles::vault::server (
   $vault_cluster = "${::facts['country']}-${::facts['region']}"
 
   # if lookup is enabled, find all the hosts in the specified role and create the servers_array
-  if $members_lookup {
-
-    # check that the role is also set
-    unless !($members_role == undef) {
-      fail("members_role must be provided for ${title} when members_lookup is True")
-    }
+  if $members_lookup and $members_role != undef {
 
     # if it is, find hosts, sort them so they dont cause changes every run
     $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
@@ -37,6 +35,9 @@ class profiles::vault::server (
     $servers_array = $vault_servers
   }
 
+  # configure vault if servers_array isnt empty
+  if ! $servers_array.empty() {
+
     # set http scheme
     $http_scheme = $tls_disable ? {
       true    => 'http',
@@ -87,4 +88,8 @@ class profiles::vault::server (
         }
       ]
     }
+
+    # include unseal class
+    include profiles::vault::unseal
+  }
 }

site/roles/manifests/infra/storage/vault.pp

@@ -4,5 +4,4 @@ class roles::infra::storage::vault {
   include profiles::base
   include profiles::base::datavol
   include profiles::vault::server
-  include profiles::vault::unseal
 }