diff --git a/nomad/setup-cluster.yml b/nomad/setup-cluster.yml index 613cc72..29afbb6 100644 --- a/nomad/setup-cluster.yml +++ b/nomad/setup-cluster.yml @@ -172,6 +172,9 @@ name: hvac extra_args: --index-url https://pypi.org/simple + # TODO: This fails on first run because `root_token` isn't found + # Fails after taht too because the kv/ space has not been created yet either! Oh noes! + # Maybe move data bootstrapping to after the cluster is bootstrapped - name: Write values community.hashi_vault.vault_write: url: "http://{{ inventory_hostname }}:8200" @@ -337,6 +340,9 @@ nomad_acl_enabled: true # Enable vault integration + # TODO: This fails on first run because the Nomad-Vault integration can't be set up + # until Nomad has started. Could maybe figure out if ACLs have been set up and leave + # these out until the later play nomad_vault_address: "http://vault.service.consul:8200" nomad_vault_create_from_role: "nomad-cluster" nomad_vault_enabled: "{{ root_token is defined }}" @@ -365,6 +371,7 @@ hosts: nomad_instances tasks: + # Need to wait until nomad is running - name: Bootstrap ACLs command: argv: @@ -430,3 +437,14 @@ when: policies.stdout == "No policies found" or anon_policy.changed delegate_to: "{{ play_hosts[0] }}" run_once: true + + - name: Set up Nomad backend and roles in Vault + community.general.terraform: + project_path: ./acls + force_init: true + variables: + consul_address: "{{ play_hosts[0] }}:8500" + vault_token: "{{ root_token }}" + nomad_secret_id: "{{ read_secretid.stdout }}" + delegate_to: localhost + run_once: true
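Review bot: The added TODO records that `Write values` fails on a first run because `root_token` is undefined, but the task directly below the comment still runs unconditionally, so the play aborts at exactly the point the comment predicts. A guard such as `when: root_token is defined`, the same test the file already applies to `nomad_vault_enabled`, would let a first run skip the write and leave the data bootstrapping to a later play as the comment proposes; it would not cover the missing `kv/` mount the comment also mentions, which still needs the reordering. The comment also has a typo, `taht` for `that`. The `Write values` task continues past the end of the hunk.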
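Review bot: The comment `# Need to wait until nomad is running` states a precondition that nothing in the play enforces; `Bootstrap ACLs` runs as soon as the play reaches it. A `wait_for` task on the Nomad HTTP port placed ahead of it would turn the comment into a check, and the bootstrap command could additionally be retried with `register`/`until`/`retries`/`delay` so a slow start does not abort the play. The bootstrap command's `argv` continues outside the hunk, so I cannot see how a repeated run against an already-bootstrapped ACL system is handled.
```yaml
    tasks:
      - name: Wait for Nomad HTTP API
        ansible.builtin.wait_for:
          port: 4646
          timeout: 120  # constructed example; tune to the environment
      # … unchanged: Bootstrap ACLs task …
```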
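Review bot: The new `Set up Nomad backend and roles in Vault` task passes the Vault root token and the Nomad secret ID as plain module arguments, and without `no_log: true` Ansible prints them in verbose output and in the failure message if Terraform errors; add `no_log: true` alongside `run_once: true`. Because the task runs on localhost with `force_init: true`, those values may also end up in the Terraform state for `./acls` depending on which resources consume them, so that state file needs the same handling as any other secret (kept out of version control or in a protected backend). The task also reads `root_token` unguarded, whereas the same file treats it as possibly undefined (`nomad_vault_enabled: "{{ root_token is defined }}"`), so a `when: root_token is defined` guard, or an explicit fail with a clear message, looks warranted. Using the root token here is understandable for bootstrap, but a short-lived token scoped to the policies Terraform needs would be the least-privilege option once the cluster is up.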